SecuriTricks

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

A Chinese-nexus advanced persistent threat actor, UAT-9686, is actively targeting Cisco AsyncOS Software for Secure Email Gateway and Secure Email and Web Manager. The campaign, ongoing since late November 2025, exploits non-standard configurations to execute system-level commands and deploy a pers…

backdoor

apt

Published: December 17, 2025

Downloadable IOCs: 4

A new campaign by the ForumTroll APT group

The ForumTroll APT group has launched a new targeted phishing campaign against Russian political scientists, exploiting plagiarism reports as bait. The attackers used sophisticated techniques, including a well-prepared domain and personalized emails, to deliver the Tuoni framework malware. This cam…

Published: December 17, 2025

Downloadable IOCs: 1

Russian APT actor phishes the Baltics and the Balkans

A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The ph…

Published: December 16, 2025

Downloadable IOCs: 0

Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack

The Chinese APT group Silver Fox has launched an SEO poisoning campaign targeting Chinese-speaking users, impersonating Microsoft Teams. The campaign uses a modified ValleyRAT loader with Cyrillic elements to mislead attribution. Silver Fox aims to conduct espionage and financial fraud, posing a si…

Published: December 10, 2025

Downloadable IOCs: 37

New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like…

tomiris powershell telegram backdoor

multi-language malware

tomiris c# reverseshell

tomiris c/c++ reverseshell

tomiris python telegram reverseshell

reverse shells

tomiris python discord reverseshell

tomiris c# telegram reverseshell

tomiris rust downloader

tomiris python filegrabber

distopia backdoor

tomiris go reversesocks

tomiris go reverseshell

tomiris rust reverseshell

tomiris c++ reversesocks

Published: November 28, 2025

Downloadable IOCs: 66

How NTLM is being abused in 2025 cyberattacks

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451…

Published: November 26, 2025

Linked vulnerabilities : CVE-2024-43451 (CVSS 6.5), CVE-2025-24054 (CVSS 6.5), CVE-2025-24071 (CVSS 7.5), CVE-2023-38831, CVE-2025-33073 (CVSS 8.8)

Downloadable IOCs: 3

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…

Published: November 26, 2025

Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)

Downloadable IOCs: 4

Analysis of APT-C-26 (Lazarus) Group's Attack Campaign Using Remote IT Disguise to Deploy Monitoring Software

The report details an attack campaign by APT-C-26 (Lazarus), a highly active APT group targeting various industries globally. The group deployed a customized monitoring program with remote desktop control capabilities, likely used by remote IT personnel infiltrating target companies. The malware co…

monitorinstaller_update1.exe

monitoring software

Published: November 21, 2025

Downloadable IOCs: 0

New Tools and Techniques of ToddyCat APT

The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools a…

Published: November 21, 2025

Downloadable IOCs: 0

Network devices compromised for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper …

apt

espionage

china

adversary-in-the-middle

dns hijacking

slowstepper

software update hijacking

Published: November 19, 2025

Downloadable IOCs: 4

PlushDaemon compromises network devices for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper …

apt

espionage

china

adversary-in-the-middle

dns hijacking

slowstepper

software update hijacking

Published: November 19, 2025

Downloadable IOCs: 7

RONINGLOADER: DragonBreath's New Path to PPL Abuse

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation…

thread-pool injection

chinese edr evasion

roningloader

Published: November 19, 2025

Downloadable IOCs: 14

State-Sponsored Remote Wipe Tactics Targeting Android Devices

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They co…

Published: November 10, 2025

Downloadable IOCs: 10

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting Central Asian nations, Russia, China, and Azerbaijan. Two main campaigns were identified: one focusing on Russia-Azerbaijan relations and another on China-Central Asia relations. The group uses various malware including Pow…

Published: November 5, 2025

Downloadable IOCs: 0

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used…

Published: November 3, 2025

Downloadable IOCs: 33

New wave of cyberattacks by APT group Cloud Atlas on Russia's government sector

The APT group Cloud Atlas has launched a new wave of cyberattacks targeting Russia's defense industry. They are using stolen document templates from previously infected organizations to create malicious Microsoft Office files. The group cleans metadata from these documents to avoid revealing compro…

Published: October 31, 2025

Downloadable IOCs: 20

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…

apt

phishing

government

credential harvesting

south asia

military

2025-10-06

Published: October 6, 2025

Downloadable IOCs: 0

Gamaredon X Turla collaboration

ESET Research has uncovered collaboration between notorious APT groups Gamaredon and Turla, both associated with Russia's FSB, targeting high-profile victims in Ukraine. The research reveals Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on compromised machines. This marks…

Published: September 27, 2025

Downloadable IOCs: 0

How a new PlugX variant abuses DLL search order hijacking

A new campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new variant of PlugX. The campaign, active since 2022, shows overlaps between RainyDay and Turian backdoors, including the abuse of legitimate applications fo…

Published: September 25, 2025

Downloadable IOCs: 53

Bookworm to Stately Taurus Using the Attribution Framework

This analysis examines the Bookworm malware family and its connection to the Chinese APT group Stately Taurus. Using a structured attribution framework, the study evaluates tactics, tooling, operational security, infrastructure, victimology and timelines to establish a high-confidence link between …

Published: September 25, 2025

Downloadable IOCs: 0

Updates Arsenal with BAITSWITCH and SIMPLEFIX

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware fa…

Published: September 24, 2025

Downloadable IOCs: 0

Kimsuky Attack Disguised as Sex Offender Notification Information

In late July 2025, an organized APT attack using shortcut files was discovered, attributed to the North Korean Kimsuky group. The attackers distribute decoy zip files containing password-protected documents and a disguised shortcut file. When executed, it connects to a C2 server, downloads encrypte…

Published: September 24, 2025

Downloadable IOCs: 7

Nimbus Manticore Deploys New Malware Targeting Europe

The Iranian threat actor Nimbus Manticore has expanded its operations, targeting defense, telecommunications, and aviation sectors in Western Europe. The group uses sophisticated spear-phishing techniques, impersonating HR recruiters to lure victims to fake career portals. Their toolset includes th…

Published: September 22, 2025

Downloadable IOCs: 81

Suspected APT-C-00 Delivers Havoc Trojan

A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, uses hash algorithms to dynamically o…

Published: September 22, 2025

Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …

Published: September 16, 2025

Downloadable IOCs: 5

AI-Driven Deepfake Military ID Fraud Campaign

The Kimsuky APT group has launched a sophisticated spear-phishing campaign using AI-generated deepfake military ID cards to target South Korean defense institutions. The attack impersonates military employee ID issuance processes and exploits ChatGPT to create convincing fake ID images. The malware…

Published: September 15, 2025

Downloadable IOCs: 21

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This sophisticated multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading. The core compone…

eggstremereflectiveloader

Published: September 10, 2025

Downloadable IOCs: 12

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013, targeting Ukrainian government and military entities. The group has upgraded its attack techniques, focusing on dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools. In 2025…

Published: September 1, 2025

Downloadable IOCs: 11

Hunting Laundry Bear: Infrastructure Analysis Guide and Findings

This analysis explores the infrastructure of Laundry Bear, a Russian state-sponsored APT group active since April 2024, targeting NATO countries and Ukraine. The investigation expands on initial indicators, using advanced pivoting techniques to uncover additional domains and infrastructure. Key fin…

apt

infrastructure analysis

Published: August 29, 2025

Downloadable IOCs: 0

Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

The CISA Cybersecurity Advisory AA25-239A, issued jointly by U.S. and international cybersecurity and intelligence agencies, highlights a global cyber espionage campaign conducted by Chinese state-sponsored threat actors. These Advanced Persistent Threat (APT) groups have been targeting network inf…

Published: August 28, 2025

Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2024-3400, CVE-2018-0171, CVE-2023-20273, CVE-2023-20198

Downloadable IOCs: 92

TOATH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

The TAOTH campaign leveraged an abandoned Sogou Zhuyin IME update server and spear-phishing operations to deliver multiple malware families, primarily targeting users across Eastern Asia. Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or …

Published: August 28, 2025

Downloadable IOCs: 23

APT MuddyWater Targets CFOs with Multi-Stage Phishing & NetBird Abuse

A sophisticated spear-phishing campaign, likely linked to APT MuddyWater, is targeting CFOs and finance executives across multiple continents. The attackers use Firebase-hosted phishing pages with custom CAPTCHA challenges, malicious VBS scripts, and multi-stage payload delivery to deploy NetBird, …

Published: August 21, 2025

Downloadable IOCs: 0

July 2025 APT Attack Trends Report (South Korea)

The report analyzes Advanced Persistent Threat (APT) attacks in South Korea during July 2025. Spear phishing was the primary attack method, with LNK files being the most common vector. Two types of LNK-based attacks were identified: Type A, which uses compressed CAB files containing malicious scrip…

Published: August 19, 2025

Downloadable IOCs: 0

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…

Published: August 12, 2025

Downloadable IOCs: 0

ToolShell: An all-you-can-eat buffet for threat actors

A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaini…

Published: August 12, 2025

Linked vulnerabilities : CVE-2025-49704

Downloadable IOCs: 20

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

A new variant of RoKRAT malware used by APT37 has been identified, employing a two-stage encrypted shellcode injection method and steganography to conceal malicious code in image files. The malware uses shortcut files with embedded commands to execute its attack, distributed via compressed archives…

Published: August 7, 2025

Downloadable IOCs: 0

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like …

dropping elephant rat

Published: July 23, 2025

Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3), CVE-2025-20337 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8)

Downloadable IOCs: 10

GhostContainer backdoor for Exchange servers

A sophisticated backdoor targeting Exchange servers of high-value organizations in Asia has been discovered. The malware, named GhostContainer, is a multi-functional backdoor that can be dynamically extended with additional modules. It leverages several open-source projects and employs various evas…

Published: July 17, 2025

Downloadable IOCs: 1

June 2025 APT Attack Trends Report (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks targeting South Korea in June 2025. Spear phishing emerged as the primary attack vector, with LNK files being the most prevalent method, followed by an increase in HWP file-based attacks. The report details two types of spear phishing …

Published: July 16, 2025

Downloadable IOCs: 0

Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell

The APT-C-55 (Kimsuky) group, a North Korean threat actor, has launched a new attack campaign targeting South Korea. They used a disguised Bandizip installation package to deliver malicious code and a VMP-protected HappyDoor trojan for espionage activities. The attack involves remote script loading…

Published: July 10, 2025

Downloadable IOCs: 6

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scal…

Published: July 4, 2025

Downloadable IOCs: 53

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…

Published: June 19, 2025

Downloadable IOCs: 18

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and downl…

Published: June 18, 2025

Downloadable IOCs: 7

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious acti…

Published: June 18, 2025

Downloadable IOCs: 3

Analysis of the Triple Combo Threat of the Kimsuky Group

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.

Published: June 11, 2025

Downloadable IOCs: 14

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file …

Published: June 11, 2025

Downloadable IOCs: 40

Whispering in the dark

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse …

Published: June 10, 2025

Downloadable IOCs: 12

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto…

Published: June 9, 2025

Downloadable IOCs: 55

BladedFeline: Whispering in the dark

ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a ma…

Published: June 6, 2025

Downloadable IOCs: 3

Newly identified wiper malware 'PathWiper' targets critical infrastructure in Ukraine

A destructive attack on Ukrainian critical infrastructure using a new wiper malware called 'PathWiper' has been observed. The attack, attributed to a Russia-nexus APT group, utilized a legitimate endpoint administration framework to deploy the wiper across connected endpoints. PathWiper overwrites …

Published: June 5, 2025

Downloadable IOCs: 1

Operation Sindoor – Anatomy of a Digital Siege

Operation Sindoor, a coordinated cyber campaign targeting critical Indian sectors, involved state-sponsored APT activity and hacktivist operations. The campaign utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, deployed advanced…

Published: June 4, 2025

Downloadable IOCs: 0

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and insert…

authentication bypass

Published: June 4, 2025

Downloadable IOCs: 3

TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the Asia-Pacific region since 2012, targeting Windows servers and MS-SQL servers. They operate an IRC server with over 2,000 affected IPs in 72 countries. The group uses various malware and tools, including Upm, SqlShell…

Published: May 27, 2025

Downloadable IOCs: 13

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and Bypass…

vulnerability exploitation

brute ratel

multi-industry targeting

Published: May 27, 2025

Linked vulnerabilities : CVE-2024-9047 (CVSS 9.8), CVE-2024-51378 (CVSS 10.0), CVE-2024-51567 (CVSS 10.0), CVE-2024-56145, CVE-2025-31324 (CVSS 10.0), CVE-2017-9805, CVE-2024-27199, CVE-2024-27198, CVE-2021-22205

Downloadable IOCs: 185

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…

Published: May 14, 2025

Downloadable IOCs: 3

China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.

Published: May 14, 2025

Linked vulnerabilities : CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9380 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2024-21887, CVE-2023-46805, CVE-2024-1709, CVE-2023-46747, CVE-2024-36401, CVE-2025-31324 (CVSS 10.0)

Downloadable IOCs: 61

Targeting Taiwan & Japan with DLL Implants

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads.…

Published: May 12, 2025

Downloadable IOCs: 16

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…

apt

credential harvesting

critical infrastructure

Published: May 6, 2025

Downloadable IOCs: 35

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage ser…

Published: May 1, 2025

Downloadable IOCs: 58

Lazarus APT updates its toolset in watering hole attacks

The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, sem…

apt

supply chain

south korea

vulnerability exploitation

Published: April 24, 2025

Downloadable IOCs: 0

Sophisticated backdoor mimicking secure networking software updates

A sophisticated backdoor targeting Russian organizations in government, finance, and industry sectors was discovered masquerading as updates for ViPNet secure networking software. The malware, distributed in LZH archives, exploits a path substitution technique to execute a malicious loader that dep…

heur:trojan.win32.loader.gen

path substitution

vipnet

Published: April 22, 2025

Downloadable IOCs: 0

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…

Published: April 22, 2025

Downloadable IOCs: 0

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…

Published: April 18, 2025

Downloadable IOCs: 0

New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modul…

Published: April 17, 2025

Linked vulnerabilities : CVE-2021-40449

Downloadable IOCs: 2

North Korean APT37 Mobile Spyware Discovered

A new Android spyware called KoSpy has been attributed to the North Korean group APT37 (ScarCruft). The malware, active since March 2022, targets Korean and English-speaking users by masquerading as utility apps. KoSpy uses a two-stage C2 infrastructure, retrieving initial configurations from Fireb…

Published: April 12, 2025

Downloadable IOCs: 0

Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer

A new malware called DocSwap, disguised as a document viewing authentication app, was discovered targeting South Korean mobile users. The malware, linked to a North Korean APT group, performs keylogging and information theft through accessibility services. It decrypts an obfuscated APK file, execut…

accessibility services

Published: April 12, 2025

Downloadable IOCs: 0

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…

Published: April 10, 2025

Downloadable IOCs: 0

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…

Published: April 8, 2025

Downloadable IOCs: 28

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that us…

Published: April 4, 2025

Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…

Published: April 4, 2025

Downloadable IOCs: 0

The Espionage Toolkit: A Closer Look at its Advanced Techniques

Earth Alux, a China-linked APT group, is actively conducting cyberespionage attacks against key sectors in the APAC and Latin American regions. The group exploits vulnerable services in exposed servers to gain initial access and deploys web shells like GODZILLA. Their primary backdoor, VARGEIT, is …

Published: March 31, 2025

Downloadable IOCs: 0

Operation ForumTroll exploits zero-days in Google Chrome

In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an …

trojan.win64.convagent.gen

sandbox escape

trojan.win64.agent

CVE-2025-2783

Published: March 25, 2025

Downloadable IOCs: 0

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The a…

Published: March 21, 2025

Downloadable IOCs: 12

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with mul…

Published: March 20, 2025

Downloadable IOCs: 0

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…

Published: March 18, 2025

Downloadable IOCs: 851

Off the Beaten Path: Recent Unusual Malware

The article examines three unusual malware samples: a C++/CLI IIS backdoor enabling stealthy remote command execution, a bootkit leveraging the GRUB 2 bootloader to gain early system control and persistence, and a cross-platform post-exploitation framework developed in C++. These cases highlight ev…

dixie-playing bootkit

grub

2025-03-17

Published: March 17, 2025

Downloadable IOCs: 7

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…

Published: March 10, 2025

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 38

Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware…

Published: March 4, 2025

Downloadable IOCs: 0

Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors

North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Reco…

Published: March 1, 2025

Downloadable IOCs: 9

Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems.…

Published: February 27, 2025

Downloadable IOCs: 30

North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. T…

Published: February 26, 2025

Downloadable IOCs: 21

Erudite Mogwai Uses Custom Stowaway to Stealthily Advance Online

The Solar 4RAYS team discovered a malicious campaign targeting Russian IT organizations providing services to the government sector. They found a customized version of the open-source Stowaway proxy tool being used by the threat actor Erudite Mogwai (also known as Space Pirates). The attackers modi…

Published: February 26, 2025

Downloadable IOCs: 12

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…

Published: February 26, 2025

Downloadable IOCs: 0

Chinese APT Target Royal Thai Police in Malware Campaign

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process…

Published: February 26, 2025

Downloadable IOCs: 0

Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers

Forescout reportead a cyber attack by the Silver Fox APT group on Philips DICOM medical imaging software. The attackers exploited vulnerabilities in the software to gain unauthorized access to sensitive patient data and hospital networks.

Published: February 25, 2025

Downloadable IOCs: 53

New wave of targeted attacks of the Angry Likho APT on Russian organizations

The Angry Likho APT group has launched a new wave of targeted attacks primarily against Russian organizations. The group employs spear-phishing emails with malicious attachments as the initial attack vector. A previously unknown implant was discovered, utilizing a self-extracting archive and AutoIt…

Published: February 24, 2025

Downloadable IOCs: 30

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…

initial access brokers

jsoutprox

tradertraitor

golddigger

state-sponsored threats

Published: February 20, 2025

Downloadable IOCs: 0

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains…

Published: February 5, 2025

Downloadable IOCs: 9

CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia

A sophisticated cyberespionage campaign targeting high-value entities in South Asia, particularly a telecommunications organization, has been identified. The threat actor, tracked as CL-STA-0048, employed rare techniques like 'Hex Staging' for payload delivery and DNS-based data exfiltration. The o…

Published: January 30, 2025

Linked vulnerabilities : CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0)

Downloadable IOCs: 21

Tracking Adversaries: Ghostwriter APT Infrastructure

This analysis examines the infrastructure used by the Ghostwriter APT group, focusing on their phishing campaign targeting Ukrainian military. By pivoting on overlapping indicators of compromise (IOCs) from multiple threat reports, a cluster of malicious domains was identified. These domains share …

Published: January 24, 2025

Linked vulnerabilities : CVE-2022-30190

Downloadable IOCs: 25

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …

Published: January 22, 2025

Downloadable IOCs: 0

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…

xerox_scan17510875802718752175.exe

kyrgyzstan

resocks

Published: January 21, 2025

Downloadable IOCs: 12

ANDROID MALWARE IN DONOT APT OPERATIONS

The DONOT APT group, serving Indian national interests, has deployed Android malware named 'Tanzeem' for intelligence gathering against internal threats. The malware, disguised as a chat application, exploits OneSignal, a customer engagement platform, for malicious purposes. It requests dangerous p…

Published: January 21, 2025

Downloadable IOCs: 6

Chinese Malware Delivery Websites

A cluster of over 400 domains have been registered since June 2024 to host spoofed websites delivering malware to Chinese-speaking users. The sites imitate popular applications like web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, RemKos RAT, …

remote access trojans

chinese-speaking users

remkos rat

spoofed websites

hack-for-hire

Published: January 16, 2025

Downloadable IOCs: 526

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…

Published: January 9, 2025

Downloadable IOCs: 3

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control …

Published: January 2, 2025

Downloadable IOCs: 3

Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task…

alternate data streams

Published: December 17, 2024

Downloadable IOCs: 0

Intensifies Attacks On Russia With PhantomCore

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earl…

Published: December 11, 2024

Linked vulnerabilities : CVE-2023-38831

Downloadable IOCs: 31

U.S. Organization in China Targeted by Attackers

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, laterally moved across systems, compromised Exchange servers to harvest emails, and deployed exfiltrati…

Published: December 6, 2024

Downloadable IOCs: 13

Leveraging Cloudflare Tunnels for GammaDrop Infrastructure

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…

obfuscation techniques

gammaload

cloudflare tunnels

russian state-sponsored

dns fast-fluxing

Published: December 5, 2024

Downloadable IOCs: 1

BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…

obfuscation techniques

gammaload

cloudflare tunnels

russian state-sponsored

dns fast-fluxing

Published: December 5, 2024

Downloadable IOCs: 0

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …

Published: December 4, 2024

Linked vulnerabilities : CVE-2023-27532

Downloadable IOCs: 20

Beware of phishing attacks by APT-C-01 (Poison Ivy)

APT-C-01, known as Poison Ivy, is a persistent threat group targeting defense, government, technology, and education sectors since 2007. They specialize in phishing attacks, including watering hole and spear-phishing, using personalized bait content. Recent observations show the group creating fake…

Published: December 3, 2024

Downloadable IOCs: 7

Unveiling WolfsBane: Linux counterpart to Gelsevirine

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood …

Published: November 22, 2024

Downloadable IOCs: 41

Spot the Difference: New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella

Earth Kasha, a threat group targeting Japan since 2019, has launched a new campaign with significant updates to their tactics and arsenals. The group has expanded its targets to include Taiwan and India, focusing on advanced technology organizations and government agencies. They now exploit public-…

Published: November 19, 2024

Linked vulnerabilities : CVE-2023-3519, CVE-2023-27997, CVE-2023-45727, CVE-2023-28461, CVE-2013-3900, CVE-2023-3467, CVE-2023-3466

Downloadable IOCs: 7

Mind the (air) gap: GoldenJackal gooses government guardrails

ESET researchers uncovered two distinct toolsets used by the GoldenJackal APT group to breach air-gapped systems in government organizations. The first toolset, observed in 2019, included GoldenDealer for delivering executables via USB drives, GoldenHowl as a modular backdoor, and GoldenRobo for fi…

Published: November 17, 2024

Downloadable IOCs: 0

Attack On Maritime & Defense Manufacturing

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…

Published: November 15, 2024

Downloadable IOCs: 0

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its oper…

Published: November 12, 2024

Downloadable IOCs: 90

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…

Published: November 8, 2024

Downloadable IOCs: 0

Evasive Panda scouting cloud services

CloudScout is a post-compromise toolset used by Evasive Panda to target a Taiwanese government entity and religious organization between 2022 and 2023. The toolset can retrieve data from various cloud services using stolen web session cookies. It works with MgBot, Evasive Panda's malware framework,…

Published: October 28, 2024

Downloadable IOCs: 17

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…

Published: October 23, 2024

Linked vulnerabilities : CVE-2024-4947

Downloadable IOCs: 2

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …

backdoor loader module

stealerbot

rtf exploit

Published: October 15, 2024

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 158

Analyzing the Awaken Likho APT group implant: new tools and techniques

A new campaign by the Awaken Likho APT group targeting Russian government agencies and industrial enterprises was discovered in June 2024. The group has significantly changed its attack methods, now preferring the MeshCentral platform agent instead of UltraVNC for remote access. The implant is deli…

Published: October 7, 2024

Downloadable IOCs: 0

Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…

Published: October 1, 2024

Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893

Downloadable IOCs: 7

Analyzing the Newest Turla Backdoor

The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …

backdoor

apt

2024-09-27

Published: September 27, 2024

Downloadable IOCs: 5

Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental in…

Published: September 27, 2024

Downloadable IOCs: 50

Attempted cyberattacks on military systems using mobile malware

The report details attempts by threat actors to compromise smartphones and tablets belonging to military personnel by distributing malicious APK files disguised as legitimate software for military systems like GRISELDA and "Eyes". The malware, named HYDRA and a modified version of "Eyes", was desig…

Published: September 10, 2024

Downloadable IOCs: 15

Chinese APT Abuses VSCode to Target Government in Asia

The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain …

Published: September 9, 2024

Downloadable IOCs: 17

APT Lazarus: Eager Crypto Beavers, Video calls and Games

Group-ib explored the growing threats posed by the Lazarus Group's financially-driven campaign against developers. Group-ib examined their recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases. Additionally, the…

Published: September 9, 2024

Downloadable IOCs: 85

Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders

A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…

Published: September 3, 2024

Downloadable IOCs: 46

The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'

Proofpoint researchers uncovered an unusual campaign delivering custom malware named "Voldemort". The activity impersonated tax authorities from various countries and targeted dozens of organizations worldwide. The attack chain combines popular and uncommon techniques, including using Google Sheets…

Published: September 2, 2024

Downloadable IOCs: 27

GreenCharlie Infrastructure Linked to US Political Campaign Targeting

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…

Published: August 21, 2024

Downloadable IOCs: 111

CERT-UA Report: UAC-0198: Mass distribution of ANONVNC (MESHAGENT) among government organizations of Ukraine

According to the report, cyber operations related to the ongoing military conflict between Russia and Ukraine are ongoing. The report highlights the potential risks and threats posed by Russian state-sponsored actors, including the deployment of wiper malware, distributed denial-of-service (DDoS) a…

Published: August 13, 2024

Downloadable IOCs: 26

A Dive into Latest Campaign

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…

Published: August 9, 2024

Downloadable IOCs: 30

APT Group Kimsuky Targets University Researchers

A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, an…

Published: August 9, 2024

Downloadable IOCs: 24

MirrorFace Attack against Japanese Organisations

The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, functionality, and the tactics, techniques, and procedures employed by the attac…

Published: August 2, 2024

Linked vulnerabilities : CVE-2022-1388

Downloadable IOCs: 27

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…

Published: August 2, 2024

Linked vulnerabilities : CVE-2018-0824

Downloadable IOCs: 13

Analysis of Golang Payload and Information Theft Campaign

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…

Published: July 30, 2024

Downloadable IOCs: 8

Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India

This report examines the convergence of tactics employed by Pakistani cyber threat groups, including Transparent Tribe, SideCopy, and RusticWeb, targeting Indian government entities and critical infrastructure. It uncovers overlaps in their infrastructure, tactics, and payloads, suggesting coordina…

Published: July 29, 2024

Downloadable IOCs: 89

Analysis of Suspected APT Attack Activities by “Silver Fox”

This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…

Published: July 10, 2024

Downloadable IOCs: 7

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…

Published: July 8, 2024

Downloadable IOCs: 28

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…

Published: June 24, 2024

Downloadable IOCs: 148

FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…

Published: June 19, 2024

Downloadable IOCs: 5

Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

This technical analysis examines a campaign by the Kimsuky threat group that exploited a vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. …

Published: June 13, 2024

Linked vulnerabilities : CVE-2017-11882

Downloadable IOCs: 0

APT Attacks Using Cloud Storage

The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…

Published: June 11, 2024

Downloadable IOCs: 1

SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)

This report details a series of attacks targeting South Korean companies, particularly defense contractors, automobile part manufacturers, and semiconductor manufacturers. The threat actor initially deployed malware strains associated with the Kimsuky group, such as MultiRDP and Meterpreter, but la…

Published: June 11, 2024

Downloadable IOCs: 19

Operation ControlPlug: Targeted attack campaign using MSC files

An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…

Published: June 6, 2024

Downloadable IOCs: 14

Hellhounds: Operation Lahat

A group called Hellhounds has continued attacking Russian organizations into 2024 using various techniques to compromise infrastructure. Research shows malware toolkit development began in 2019. The group maintains presence inside critical organizations for years. Although based on open-source proj…

Published: May 28, 2024

Downloadable IOCs: 73

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolvin…

Published: May 24, 2024

Downloadable IOCs: 47

Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

BlackBerry discovered the Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeting the Indian government, defense, and aerospace sectors. The group employed cross-platform programming languages, open-source tools, and abused web services for command-and-control and exfil…

Published: May 24, 2024

Downloadable IOCs: 97

APT attack discovered using Facebook and MS management console (Attack signs detected targeting Korea and Japan)

A threat actor impersonated a North Korean human rights official on Facebook and approached targets. They shared malicious URLs disguised as documents. Microsoft OneDrive cloud service was used to host the malicious MSC file, which communicated with C2 servers and deployed Reconshark malware associ…

Published: May 21, 2024

Downloadable IOCs: 46

Master of Puppets: Uncovering the pro-Russian influence campaign

The DoppelGänger campaign is an ongoing influence operation attributed to Russian entities Structura and the Social Design Agency. Its primary goal is to diminish support for Ukraine and foster divisions within supporting nations. It targets audiences in several Western countries through a network …

Published: May 21, 2024

Downloadable IOCs: 588

Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)

AhnLab Security Intelligence Center (ASEC) recently confirmed that the Andariel group carried out APT attacks on domestic companies and institutions. The targeted organizations included manufacturing companies, construction firms, and educational institutions. The attackers employed backdoors, keyl…

Published: May 20, 2024

Downloadable IOCs: 10

Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups

At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…

Published: May 20, 2024

Downloadable IOCs: 9

To the Moon and back(doors): Lunar landing in diplomatic missions

ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…

Published: May 16, 2024

Downloadable IOCs: 12

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…

Published: May 15, 2024

Downloadable IOCs: 21

Untangling Iran's APT42 Operations

APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.

Published: May 3, 2024

Downloadable IOCs: 160

Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access tro…

Published: April 29, 2024

Downloadable IOCs: 3

Uncorking Old Wine: Zero-Day from 2017 + Loader in Unholy Alliance

An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017, CVE-2017-8570, as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor…

Published: April 29, 2024

Downloadable IOCs: 6

Tag: apt

Attack reports

DeedRAT: Unpacking a Modern Backdoor's Playbook

The HoneyMyte APT now protects malware with a kernel-mode rootkit

Silver Fox Targeting India Using Tax Themed Phishing Lures

Evasive Panda APT poisons DNS requests to deliver MgBot

Evasive SideWinder APT Campaign Detected

Cloud Atlas activity in the first half of 2025: what changed

Attempts to sniff out governmental affairs in Southeast Asia and Japan

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

A new campaign by the ForumTroll APT group

Russian APT actor phishes the Baltics and the Balkans

Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack

New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

How NTLM is being abused in 2025 cyberattacks

Water APT Multi-Stage Attack Uncovered

Analysis of APT-C-26 (Lazarus) Group's Attack Campaign Using Remote IT Disguise to Deploy Monitoring Software

New Tools and Techniques of ToddyCat APT

Network devices compromised for adversary-in-the-middle attacks

PlushDaemon compromises network devices for adversary-in-the-middle attacks

RONINGLOADER: DragonBreath's New Path to PPL Abuse

State-Sponsored Remote Wipe Tactics Targeting Android Devices

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

New wave of cyberattacks by APT group Cloud Atlas on Russia's government sector

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

Gamaredon X Turla collaboration

How a new PlugX variant abuses DLL search order hijacking

Bookworm to Stately Taurus Using the Attribution Framework

Updates Arsenal with BAITSWITCH and SIMPLEFIX

Kimsuky Attack Disguised as Sex Offender Notification Information

Nimbus Manticore Deploys New Malware Targeting Europe

Suspected APT-C-00 Delivers Havoc Trojan

August 2025 APT Attack Trends Report

AI-Driven Deepfake Military ID Fraud Campaign

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

Hunting Laundry Bear: Infrastructure Analysis Guide and Findings

Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

TOATH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

APT MuddyWater Targets CFOs with Multi-Stage Phishing & NetBird Abuse

July 2025 APT Attack Trends Report (South Korea)

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

ToolShell: An all-you-can-eat buffet for threat actors

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

GhostContainer backdoor for Exchange servers

June 2025 APT Attack Trends Report (South Korea)

Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Inside the BlueNoroff Web3 macOS Intrusion Analysis

May 2025 APT Group Trends (South Korea)

Warning Against Distribution of Malware Disguised as Research Papers

Analysis of the Triple Combo Threat of the Kimsuky Group

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Whispering in the dark

APT carries out attacks with data theft and crypto miner deployment

BladedFeline: Whispering in the dark

Newly identified wiper malware 'PathWiper' targets critical infrastructure in Ukraine

Operation Sindoor – Anatomy of a Digital Siege

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

Custom Arsenal Developed to Target Multiple Industries

April 2025 Threat Trend Report on APT Attacks (South Korea)

China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

Targeting Taiwan & Japan with DLL Implants

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

Lazarus APT updates its toolset in watering hole attacks

Sophisticated backdoor mimicking secure networking software updates

APT Group Profiles - Larva-24005

Two sides of the same coin

New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

North Korean APT37 Mobile Spyware Discovered

Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer

March 2025 APT Group Trends (South Korea)

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

APT Targets South Korea with Deceptive PDF Lures

The Espionage Toolkit: A Closer Look at its Advanced Techniques

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage