{"id":49804,"date":"2022-12-19T21:28:00","date_gmt":"2022-12-19T21:28:00","guid":{"rendered":"https:\/\/www.darkreading.com\/attacks-breaches\/darktortilla-malware-imposter-cisco-grammarly-phishing"},"modified":"2022-12-19T21:28:00","modified_gmt":"2022-12-19T21:28:00","slug":"sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/","title":{"rendered":"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Researchers have spotted two phishing sites \u2014 one spoofing a Cisco webpage and the other masquerading as a Grammarly site \u2014 that threat actors are using to distribute a particularly pernicious piece of malware known as &#8220;DarkTortilla.&#8221;<\/p>\n<p>The .NET-based malware can be configured to deliver various payloads and is known for functions that make it <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/darktortilla-sophisticated-malware-rat-infections\" target=\"_blank\" rel=\"noopener\">extremely stealthy and persistent<\/a> on the systems it compromises.<\/p>\n<p>Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too \u2014 such as the operators of Babuk \u2014 have used DarkTortilla as part of their payload delivery chain. 
In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.<\/p>\n<h2 class=\"regular-text\">DarkTortilla Delivery Via Phishing Sites<\/h2>\n<p>Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.<\/p>\n<p>Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named &#8220;GnammanlyInstaller.zip&#8221; when they click on the &#8220;Get Grammarly&#8221; button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system&#8217;s memory, where it executes a variety of malicious activities, Cyble said.<\/p>\n<p>The Cisco phishing site meanwhile looks like a download page for Cisco&#8217;s Secure Client VPN technology. But when a user clicks on the button to &#8220;order&#8221; the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. 
The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.<\/p>\n<p>Cyble&#8217;s <a href=\"https:\/\/blog.cyble.com\/2022\/12\/16\/sophisticated-darktortilla-malware-spreading-via-phishing-sites\/\" target=\"_blank\" rel=\"noopener\">analysis of the payload<\/a> showed that the malware packs functions for persistence, process injection, antivirus and virtual machine\/sandbox checks, displaying fake messages, communicating with its command-and-control (C2) server, and downloading additional payloads from it.<\/p>\n<p>Cyble&#8217;s researchers found, for instance, that to ensure persistence on an infected system, DarkTortilla drops a copy of itself into the system&#8217;s Startup folder and creates Run\/Winlogon registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named &#8220;system_update.exe&#8221; on the infected system and copies itself into the folder.<\/p>\n<h2 class=\"regular-text\">Sophisticated &amp; Dangerous Malware<\/h2>\n<p>DarkTortilla&#8217;s fake message functionality, meanwhile, serves up messages that trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.<\/p>\n<p>&#8220;The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild,&#8221; Cyble researchers said in a Monday advisory. &#8220;The files downloaded from the phishing sites exhibit different infection techniques, indicating that the [threat actors] have a sophisticated platform capable of customizing and compiling the binary using various options.&#8221;<\/p>\n<p>DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. 
Researchers from Secureworks&#8217; Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass-distribute a wide range of malware, including Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.<\/p>\n<p>They also identified some adversaries using the malware in targeted attacks to deliver <a href=\"https:\/\/www.darkreading.com\/dr-tech\/google-releases-yara-rules-to-disrupt-cobalt-strike-abuse\" target=\"_blank\" rel=\"noopener\">Cobalt Strike<\/a> and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (<a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/attackers-now-exploiting-proxyshell-exchange-server-flaws-for-business-email-compromise\" target=\"_blank\" rel=\"noopener\">CVE-2021-34473<\/a>) last year.<\/p>\n<p>Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like ConfuserEx and DeepSea to obfuscate its code. 
The fact that DarkTortilla&#8217;s main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/darktortilla-malware-imposter-cisco-grammarly-phishing\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.Read More <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/darktortilla-malware-imposter-cisco-grammarly-phishing\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-49804","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-19T21:28:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages\",\"datePublished\":\"2022-12-19T21:28:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/\"},\"wordCount\":693,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltf048335840fe7044\\\/63a0cfdcfd316a23f05bccae\\\/tortilla2-Sergio_Hayashi-Alamy.jpg\",\"articleSection\":[\"DarkReading 
|TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/\",\"name\":\"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltf048335840fe7044\\\/63a0cfdcfd316a23f05bccae\\\/tortilla2-Sergio_Hayashi-Alamy.jpg\",\"datePublished\":\"2022-12-19T21:28:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#primaryimage\",\"url\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltf048335840fe7044\\\/63a0cfdcfd316a23f05bccae\\\/tortilla2-Sergio_Hayashi-Alamy.jpg\",\"contentUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltf048335840fe7044\\\/63a0cfdcfd316a23f05bccae\\\/tortilla2-Sergio_Hayashi-Alamy.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 
IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/","og_locale":"en_US","og_type":"article","og_title":"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-12-19T21:28:00+00:00","og_image":[{"url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages","datePublished":"2022-12-19T21:28:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/"},"wordCount":693,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg","articleSection":["DarkReading 
|TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/","url":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/","name":"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg","datePublished":"2022-12-19T21:28:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#primaryimage","url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg","contentUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltf048335840fe7044\/63a0cfdcfd316a23f05bccae\/tortilla2-Sergio_Hayashi-Alamy.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/sophisticated-darktortilla-malware-serves-imposter-cisco-grammarly-pages\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 
Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49804"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49804\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}