Tag: apt

105 Attack Reports | 0 Vulnerabilities

Attack reports

Analysis of the Triple Combo Threat of the Kimsuky Group

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.
apt
kimsuky
babyshark
powershell
shell
dll file
execution
appleseed
telegram
facebook
linkedin
vmprotect
2025-06-11
username
kimsuky group
flowerpower
golddragon
Published: June 11, 2025
Downloadable IOCs: 14

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file …
apt
cyberespionage
webdav
keylogger
mythic
CVE-2025-33053
2025-06-11
zeroday
Published: June 11, 2025
Downloadable IOCs: 40

Whispering in the dark

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse …
backdoor
apt
iran
cyberespionage
iis module
iraq
kurdistan
whisper
shahmaran
slippery snakelet
2025-06-10
reverse tunnel
rdat
primecache
laret
pinar
flog
Published: June 10, 2025
Downloadable IOCs: 12

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto…
apt
phishing
xmrig
russia
data theft
crypto mining
2025-06-09
legitimate tools
cis
industrial targets
Published: June 9, 2025
Downloadable IOCs: 55

BladedFeline: Whispering in the dark

ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a ma…
backdoor
apt
oilrig
iis malware
2025-06-06
whisper
shahmaran
slippery snakelet
Published: June 6, 2025
Downloadable IOCs: 3

Newly identified wiper malware 'PathWiper' targets critical infrastructure in Ukraine

A destructive attack on Ukrainian critical infrastructure using a new wiper malware called 'PathWiper' has been observed. The attack, attributed to a Russia-nexus APT group, utilized a legitimate endpoint administration framework to deploy the wiper across connected endpoints. PathWiper overwrites …
apt
sandworm
wiper
2025-06-05
pathwiper
Published: June 5, 2025
Downloadable IOCs: 1

Operation Sindoor – Anatomy of a Digital Siege

Operation Sindoor, a coordinated cyber campaign targeting critical Indian sectors, involved state-sponsored APT activity and hacktivist operations. The campaign utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, deployed advanced…
apt
crimson rat
ares rat
ddos
cyber espionage
hacktivism
data exfiltration
spear phishing
operation sindoor
2025-06-04
hybrid warfare
website defacement
Published: June 4, 2025
Downloadable IOCs: 0

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and insert…
backdoor
apt
persistence
botnet
ssh
stealth
authentication bypass
asus routers
CVE-2023-39780
2025-06-04
nvram
Published: June 4, 2025
Downloadable IOCs: 3

TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the Asia-Pacific region since 2012, targeting Windows servers and MS-SQL servers. They operate an IRC server with over 2,000 affected IPs in 72 countries. The group uses various malware and tools, including Upm, SqlShell…
malware
apt
china
botnet
sqlshell
irc
windows servers
miner
ms-sql
2025-05-27
credentialstealer
maggiescan
detofin
upm
pemodifier
sqldoor
maggie
wgdrop
shaduser
asia-pacific
Published: May 27, 2025
Downloadable IOCs: 13

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and Bypass…
backdoor
apt
sql injection
cobalt strike
dll sideloading
vulnerability exploitation
brute ratel
multi-industry targeting
CVE-2024-9047
CVE-2024-51378
CVE-2024-51567
china-nexus
CVE-2024-56145
vshell
CVE-2025-31324
2025-05-27
CVE-2021-22205
CVE-2024-27199
CVE-2024-27198
CVE-2017-9805
pulsepack
bypassboss
custom tools
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-9047 (CVSS 9.8), CVE-2024-51378 (CVSS 10.0), CVE-2024-51567 (CVSS 10.0), CVE-2024-56145, CVE-2025-31324 (CVSS 10.0), CVE-2017-9805, CVE-2024-27199, CVE-2024-27198, CVE-2021-22205
Downloadable IOCs: 185

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.
apt
sliver
webshell
china-nexus
vshell
snowlight
sap netweaver
azure ad
cve202531324
2025-05-14
unc5174
clsta0048
sta-0048
krustyloader
Published: May 14, 2025
Linked vulnerabilities : CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9380 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2024-21887, CVE-2023-46805, CVE-2024-1709, CVE-2023-46747, CVE-2024-36401, CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 61

Targeting Taiwan & Japan with DLL Implants

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads.…
apt
cobalt strike
dll sideloading
taiwan
multi-stage attack
japan
2025-05-12
google drive
isurus
pterois
dll implants
Published: May 12, 2025
Downloadable IOCs: 16

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage ser…
apt