Security Labs


Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

Like us, cybercriminals enjoy the festive season, and this is sometimes reflected in their malicious activities. In 2011 we saw a Zeus banking trojan panel - a user interface for herding Zeus-infected machines - with a Christmas-themed background. This time Forcepoint Security Labs™ has noticed that the CryptXXX gang have started to offer Christmas discounts to victims who intend to pay the ransom.

Also known as UltraCrypter, CryptXXX is one of the active ransomware families currently in the wild. Last June we reported CryptXXX as a malware payload originating from a compromised anime site that silently redirected to the Neutrino... Read more

First spotted in February 2016, the Locky crypto-ransomware has become a dangerous threat to large organisations and home users alike. In this blog we give a brief overview of what Locky is and cover the significant aspects of its infamous history.

What is Locky?

Locky is a crypto-ransomware which aims to infect machines, encrypt sensitive information, and hold the data to ransom by requesting a payment to get the files decrypted.

Locky actors aim to make significant financial gain from successfully extorted users. There appear to be several different actors who utilise and distribute unique builds... Read more

What is Sledgehammer?

Operation Sledgehammer translated into Turkish is Balyoz Harekâtı, which was the name of a 2003 attempted military coup d'état in Turkey. It's also the name of a recent Distributed Denial of Service (DDoS) attack that targeted organizations with political affiliations that the attacker deems out of line with Turkey's current government. These organizations include the German Christian Democratic Party (CDU), the People's Democratic Party of Turkey, the Armenian Genocide Archive and the Kurdistan Workers Party (PKK).

In our latest report, called Sledgehammer - The Gamification Of DDoS Attacks, we document... Read more

The Horse Pill rootkit was presented at Black Hat 2016 by Michael Leibowitz, a security engineer and member of the Red Team at Intel. Horse Pill is a proof-of-concept Linux rootkit that demonstrates two interesting techniques: 1. infecting systems via the initial ramdisk, and 2. deceiving system owners using container primitives. In this article we explore those techniques and how our product, Forcepoint Threat Protection for Linux, fares against them.

Initrd Infection

The initial ramdisk, or initrd, is a compressed archive containing files needed by a Linux system early in the boot process. The initrd is loaded into memory,... Read more

Back in 2012, we saw the first malware abuse of cloud-storage services in the form of an information-stealing trojan. The trojan collected Microsoft Word and Excel files from affected PCs, archived them, and then uploaded the archive to the file hosting website SendSpace, so that it could later be accessed by the cybercriminals behind it. Fast forward to today, and the same abuse has become a de facto standard for many cybercriminals, perhaps primarily for spreading malware. Free cloud-storage services are used to host malware, with the generated download links sent to prospective victims as part of a social engineering lure... Read more


Forcepoint Security Labs™ recently encountered a strain of attacks that appear to target Pakistani nationals. We named the attack "BITTER" based on the network communication header used by the latest variant of the remote access tool (RAT) involved:

Our investigation indicates that the campaign has existed since at least November 2013 and remains active today. This post intends to share the results of our research.

Infection Vector

Spear-phishing emails are used to target prospective BITTER victims. The campaign predominantly used the older, relatively popular Microsoft Office exploit, CVE-... Read more

FREEMAN is a uniquely positioned security research project conducted by Forcepoint Security Labs™. It identifies unknown risks and threats that accompany a specific piece of abandonware commonly used by the security research community. We have released our research in the form of a whitepaper. A download link is provided below.

“What started out as a simple ‘what-if?’ activity, quite literally set up from the back rows of a talk at Blackhat Europe in 2015, soon turned into a long-term data collection and analysis project. I cannot overstate the surprise felt when we first looked at the data collected. The sheer... Read more

On September 27, 2016 Forcepoint Security Labs noticed that the Russian boxing site allboxing[.]ru was compromised. The site was injected with code that attempts to silently redirect users to a third-party website containing an exploit and a Russian banking trojan. The injected code employs several evasion tactics and ensures that the redirect only occurs when there is significant user interaction on the website.

Hiding in Plain Sight

The site allboxing[.]ru is a very popular Russian boxing website receiving an estimated 3 million visitors per month.

One of the scripts being used by the website at hxxp://... Read more

Throughout September 2016 we observed an actor sending malware to Canadian nationals by e-mail. Upon investigation we determined the malware payload to be DELoader, which downloads a Zeus-variant banking trojan upon execution.

E-mail Lures

The e-mails typically pretend to be from the Canada Revenue Agency (CRA) claiming that the individual has a tax payment outstanding.

The e-mails contain an MSG attachment with an embedded OLE object. This is not a technique we see very often and is challenging for security products to detect due to the complicated MSG format. When the user opens the MSG attachment... Read more

On September 1, 2016 a new trojan downloader became available to purchase on various Russian underground forums. Named "Quant Loader" by its creator, the downloader has already been used to distribute the Locky Zepto crypto-ransomware and Pony (aka Fareit) malware families.

Locky Zepto & Pony E-mail Campaign

On September 12, 2016 Forcepoint Security Labs™ noticed an e-mail campaign typical of those we mainly see distributing the Locky or Dridex botnet 220 malware families. The e-mails themselves masqueraded as an invoice document like the one below.


The attached ZIP file contained a malicious... Read more