Tag: apt

145 Attack Reports | 0 Vulnerabilities

Attack reports

New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like…
apt
discord
telegram
havoc
government targets
adaptixc2
2025-11-28
jlorat
tomiris powershell telegram backdoor
multi-language malware
tomiris c# reverseshell
tomiris c/c++ reverseshell
tomiris python telegram reverseshell
reverse shells
tomiris python discord reverseshell
tomiris c# telegram reverseshell
tomiris rust downloader
tomiris python filegrabber
distopia backdoor
tomiris go reversesocks
tomiris go reverseshell
tomiris rust reverseshell
tomiris c++ reversesocks
Published: November 28, 2025
Downloadable IOCs: 66

How NTLM is being abused in 2025 cyberattacks

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451…
apt
windows
credential theft
lateral movement
exploits
CVE-2023-38831
authentication
phantomcore
remcos rat
CVE-2024-43451
ntlm
vulnerabilities
CVE-2025-24054
CVE-2025-24071
CVE-2025-33073
2025-11-26
warzone
avemaria
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-43451 (CVSS 6.5), CVE-2025-24054 (CVSS 6.5), CVE-2025-24071 (CVSS 7.5), CVE-2023-38831, CVE-2025-33073 (CVSS 8.8)
Downloadable IOCs: 4

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…
supply-chain
obfuscation
apt
powershell
rhadamanthys
zero-day
CVE-2025-26633
msc eviltwin
encrypthub
darkwisp
silentprism
russia-aligned
2025-11-26
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 5

Analysis of APT-C-26 (Lazarus) Group's Attack Campaign Using Remote IT Disguise to Deploy Monitoring Software

The report details an attack campaign by APT-C-26 (Lazarus), a highly active APT group targeting various industries globally. The group deployed a customized monitoring program with remote desktop control capabilities, likely used by remote IT personnel infiltrating target companies. The malware co…
apt
north korea
persistence
screen capture
remote desktop
2025-11-21
systemuiext.dll
winupdateservice.exe
remote it
monitorinstaller_update1.exe
monitoring software
Published: November 21, 2025
Downloadable IOCs: 0

New Tools and Techniques of ToddyCat APT

The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools a…
apt
tomberbil
powershell
data theft
browser
oauth
outlook
2025-11-21
email
xstreader
tcsectorcopy
sharptokenfinder
Published: November 21, 2025
Downloadable IOCs: 0

Network devices compromised for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper …
apt
espionage
china
adversary-in-the-middle
dns hijacking
slowstepper
software update hijacking
2025-11-19
littledaemon
edgestepper
network implant
daemoniclogistics
Published: November 19, 2025
Downloadable IOCs: 4

PlushDaemon compromises network devices for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper …
apt
espionage
china
adversary-in-the-middle
dns hijacking
slowstepper
software update hijacking
2025-11-19
littledaemon
edgestepper
network implant
daemoniclogistics
Published: November 19, 2025
Downloadable IOCs: 7

RONINGLOADER: DragonBreath's New Path to PPL Abuse

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation…
apt
gh0st rat
driver abuse
2025-11-19
ppl abuse
wdac
thread-pool injection
chinese edr evasion
roningloader
Published: November 19, 2025
Downloadable IOCs: 14

State-Sponsored Remote Wipe Tactics Targeting Android Devices

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They co…
apt
rat
social engineering
android
remcosrat
quasarrat
spear-phishing
2025-11-10
rftrat
find hub
remote wipe
lilithrat
kakaotalk
endrat
google account
Published: November 10, 2025
Downloadable IOCs: 10

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting Central Asian nations, Russia, China, and Azerbaijan. Two main campaigns were identified: one focusing on Russia-Azerbaijan relations and another on China-Central Asia relations. The group uses various malware including Pow…
apt
espionage
powershell
russia
china
.net
reverse shell
central asia
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng
2025-11-05
Published: November 5, 2025
Downloadable IOCs: 0

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used…
apt
espionage
powershell
russia
china
github
reverse shell
central asia
tajikistan
2025-11-03
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng
Published: November 3, 2025
Downloadable IOCs: 33

New wave of cyberattacks by APT group Cloud Atlas on Russia's government sector

The APT group Cloud Atlas has launched a new wave of cyberattacks targeting Russia's defense industry. They are using stolen document templates from previously infected organizations to create malicious Microsoft Office files. The group cleans metadata from these documents to avoid revealing compro…
apt
2025-10-31
powershower
bec attacks
Published: October 31, 2025
Downloadable IOCs: 20

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…
apt
phishing
government
credential harvesting
south asia
military
2025-10-06
Published: October 6, 2025
Downloadable IOCs: 0

Gamaredon X Turla collaboration

ESET Research has uncovered collaboration between notorious APT groups Gamaredon and Turla, both associated with Russia's FSB, targeting high-profile victims in Ukraine. The research reveals Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on compromised machines. This marks…
backdoor
apt
russia
ukraine
cyberespionage
fsb
2025-09-19
kazuar
pterographin
pterolnk
pteroeffigy
collaboration
pteroodd
pteropaste
pterostew
2025-09-27
Published: September 27, 2025
Downloadable IOCs: 0

How a new PlugX variant abuses DLL search order hijacking

A new campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new variant of PlugX. The campaign, active since 2022, shows overlaps between RainyDay and Turian backdoors, including the abuse of legitimate applications fo…
apt
plugx
rainyday
telecommunications
dll hijacking
manufacturing
chinese apt
2025-09-23
backdoordiplomacy
naikon
turian
2025-09-25
Published: September 25, 2025
Downloadable IOCs: 53

Bookworm to Stately Taurus Using the Attribution Framework

This analysis examines the Bookworm malware family and its connection to the Chinese APT group Stately Taurus. Using a structured attribution framework, the study evaluates tactics, tooling, operational security, infrastructure, victimology and timelines to establish a high-confidence link between …
malware
apt
china
infrastructure
toneshell
pubload
southeast asia
bookworm
2025-09-25
victimology
attribution
Published: September 25, 2025
Downloadable IOCs: 0

Updates Arsenal with BAITSWITCH and SIMPLEFIX

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware fa…
backdoor
apt
social engineering
powershell
russia
clickfix
2025-09-24
baitswitch
simplefix
Published: September 24, 2025
Downloadable IOCs: 0

Kimsuky Attack Disguised as Sex Offender Notification Information

In late July 2025, an organized APT attack using shortcut files was discovered, attributed to the North Korean Kimsuky group. The attackers distribute decoy zip files containing password-protected documents and a disguised shortcut file. When executed, it connects to a C2 server, downloads encrypte…
apt
north korea
data exfiltration
cryptocurrency theft
spear-phishing
anti-vm
2025-09-24
browser hijacking
Published: September 24, 2025
Downloadable IOCs: 7

Nimbus Manticore Deploys New Malware Targeting Europe

The Iranian threat actor Nimbus Manticore has expanded its operations, targeting defense, telecommunications, and aviation sectors in Western Europe. The group uses sophisticated spear-phishing techniques, impersonating HR recruiters to lure victims to fake career portals. Their toolset includes th…
obfuscation
apt
dll sideloading
telecommunications
spear-phishing
2025-09-22
Published: September 22, 2025
Downloadable IOCs: 81

Suspected APT-C-00 Delivers Havoc Trojan

A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, uses hash algorithms to dynamically o…
apt
persistence
trojan
dll sideloading
process hollowing
east asia
2025-09-22
havoc rat
Published: September 22, 2025
Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …
apt
rat
powershell
rokrat
south korea
xenorat
lnk files
spear phishing
cab files
2025-09-16
Published: September 16, 2025
Downloadable IOCs: 5

AI-Driven Deepfake Military ID Fraud Campaign

The Kimsuky APT group has launched a sophisticated spear-phishing campaign using AI-generated deepfake military ID cards to target South Korean defense institutions. The attack impersonates military employee ID issuance processes and exploits ChatGPT to create convincing fake ID images. The malware…
obfuscation
apt
south korea
ai
autoit
chatgpt
spear-phishing
military
deepfake
2025-09-15
Published: September 15, 2025
Downloadable IOCs: 21

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This sophisticated multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading. The core compone…
backdoor
apt
espionage
dll sideloading
keylogger
military
stowaway
fileless malware
2025-09-10
philippines
eggstremefuel
eggstremereflectiveloader
eggstreme
eggstremewizard
eggstremeloader
eggstremekeylogger
eggstremeagent
Published: September 10, 2025
Downloadable IOCs: 12

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013, targeting Ukrainian government and military entities. The group has upgraded its attack techniques, focusing on dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools. In 2025…
apt
dropbox
powershell
russia
ukraine
cyberespionage
vbscript
2025-09-01
cloudflareworkers
devtunnels
Published: September 1, 2025
Downloadable IOCs: 11

Hunting Laundry Bear: Infrastructure Analysis Guide and Findings

This analysis explores the infrastructure of Laundry Bear, a Russian state-sponsored APT group active since April 2024, targeting NATO countries and Ukraine. The investigation expands on initial indicators, using advanced pivoting techniques to uncover additional domains and infrastructure. Key fin…
apt
infrastructure analysis
spear-phishing
russian threat actor
2025-08-29
domain typosquatting
ukraine targets
nato targets
Published: August 29, 2025
Downloadable IOCs: 0

Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

The CISA Cybersecurity Advisory AA25-239A, issued jointly by U.S. and international cybersecurity and intelligence agencies, highlights a global cyber espionage campaign conducted by Chinese state-sponsored threat actors. These Advanced Persistent Threat (APT) groups have been targeting network inf…
apt
edge devices
2025-08-28
salt typhoon
Published: August 28, 2025
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2024-3400, CVE-2018-0171, CVE-2023-20273, CVE-2023-20198
Downloadable IOCs: 92

TOATH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

The TAOTH campaign leveraged an abandoned Sogou Zhuyin IME update server and spear-phishing operations to deliver multiple malware families, primarily targeting users across Eastern Asia. Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or …
apt
reconnaissance
targeted attacks
information theft
spear-phishing
cobeacon
2025-08-28
merlin
sogou zhuyin
gtelam
desfy
c6door
eastern asia
toshis
taoth
Published: August 28, 2025
Downloadable IOCs: 23

APT MuddyWater Targets CFOs with Multi-Stage Phishing & NetBird Abuse

A sophisticated spear-phishing campaign, likely linked to APT MuddyWater, is targeting CFOs and finance executives across multiple continents. The attackers use Firebase-hosted phishing pages with custom CAPTCHA challenges, malicious VBS scripts, and multi-stage payload delivery to deploy NetBird, …
apt
remote-access
finance
spear-phishing
multi-stage
vbs
firebase
2025-08-21
ateraagent
cfo
netbird
Published: August 21, 2025
Downloadable IOCs: 0

July 2025 APT Attack Trends Report (South Korea)

The report analyzes Advanced Persistent Threat (APT) attacks in South Korea during July 2025. Spear phishing was the primary attack method, with LNK files being the most common vector. Two types of LNK-based attacks were identified: Type A, which uses compressed CAB files containing malicious scrip…
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
google drive
dropbox api
2025-08-19
Published: August 19, 2025
Downloadable IOCs: 0

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…
apt
ransomware
evasion
encryption
dll sideloading
aviation
middle east
network propagation
2025-08-12
charon
Published: August 12, 2025
Downloadable IOCs: 0

ToolShell: An all-you-can-eat buffet for threat actors

A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaini…
backdoor
apt
vulnerability
zero-day
exploitation
webshell
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-08-12
msil/webshell.js
china-aligned
Published: August 12, 2025
Linked vulnerabilities : CVE-2025-49704
Downloadable IOCs: 20

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

A new variant of RoKRAT malware used by APT37 has been identified, employing a two-stage encrypted shellcode injection method and steganography to conceal malicious code in image files. The malware uses shortcut files with embedded commands to execute its attack, distributed via compressed archives…
apt
dropbox
rokrat
cloud
injection
steganography
shellcode
edr
fileless
xor
2025-08-07
Published: August 7, 2025
Downloadable IOCs: 0

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like …
apt
powershell
shellcode
dll side-loading
cyber-espionage
turkey
defense industry
2025-07-23
vlc player
dropping elephant rat
Published: July 23, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3), CVE-2025-20337 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 10

GhostContainer backdoor for Exchange servers

A sophisticated backdoor targeting Exchange servers of high-value organizations in Asia has been discovered. The malware, named GhostContainer, is a multi-functional backdoor that can be dynamically extended with additional modules. It leverages several open-source projects and employs various evas…
backdoor
apt
evasion
proxy
open-source
asia
2025-07-17
exchange
ghostcontainer
Published: July 17, 2025
Downloadable IOCs: 1

June 2025 APT Attack Trends Report (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks targeting South Korea in June 2025. Spear phishing emerged as the primary attack vector, with LNK files being the most prevalent method, followed by an increase in HWP file-based attacks. The report details two types of spear phishing …
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
2025-07-16
hwp files
Published: July 16, 2025
Downloadable IOCs: 0

Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell

The APT-C-55 (Kimsuky) group, a North Korean threat actor, has launched a new attack campaign targeting South Korea. They used a disguised Bandizip installation package to deliver malicious code and a VMP-protected HappyDoor trojan for espionage activities. The attack involves remote script loading…
backdoor
apt
happydoor
information theft
multi-stage attack
2025-07-10
vmp
Published: July 10, 2025
Downloadable IOCs: 6

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scal…
apt
spearphishing
powershell
cloudflare tunnels
2025-07-04
Published: July 4, 2025
Downloadable IOCs: 53

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and downl…
obfuscation
apt
south korea
lnk files
spear phishing
decoy documents
task scheduler
2025-06-18
python scripts
Published: June 18, 2025
Downloadable IOCs: 7

Warning Against Distribution of Malware Disguised as Research Papers

The Kimsuky group has launched a sophisticated phishing attack disguised as a request for paper review from a professor. The attack involves a password-protected HWP document with a malicious OLE object, which creates six files upon opening. When executed, these files perform various malicious acti…
apt
phishing
dropbox
anydesk
remote-access
social-engineering
ole
hwp
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 3

Analysis of the Triple Combo Threat of the Kimsuky Group

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.
apt
kimsuky
babyshark
powershell
shell
dll file
execution
appleseed
telegram
facebook
linkedin
vmprotect
2025-06-11
username
kimsuky group
flowerpower
golddragon
Published: June 11, 2025
Downloadable IOCs: 14

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file …
apt
cyberespionage
webdav
keylogger
mythic
CVE-2025-33053
2025-06-11
zeroday
Published: June 11, 2025
Downloadable IOCs: 40

Whispering in the dark

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse …
backdoor
apt
iran
cyberespionage
iis module
iraq
kurdistan
whisper
shahmaran
slippery snakelet
2025-06-10
reverse tunnel
rdat
primecache
laret
pinar
flog
Published: June 10, 2025
Downloadable IOCs: 12

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto…
apt
phishing
xmrig
russia
data theft
crypto mining
2025-06-09
legitimate tools
cis
industrial targets
Published: June 9, 2025
Downloadable IOCs: 55

BladedFeline: Whispering in the dark

ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a ma…
backdoor
apt
oilrig
iis malware
2025-06-06
whisper
shahmaran
slippery snakelet
Published: June 6, 2025
Downloadable IOCs: 3

Newly identified wiper malware 'PathWiper' targets critical infrastructure in Ukraine

A destructive attack on Ukrainian critical infrastructure using a new wiper malware called 'PathWiper' has been observed. The attack, attributed to a Russia-nexus APT group, utilized a legitimate endpoint administration framework to deploy the wiper across connected endpoints. PathWiper overwrites …
apt
sandworm
wiper
2025-06-05
pathwiper
Published: June 5, 2025
Downloadable IOCs: 1

Operation Sindoor – Anatomy of a Digital Siege

Operation Sindoor, a coordinated cyber campaign targeting critical Indian sectors, involved state-sponsored APT activity and hacktivist operations. The campaign utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, deployed advanced…
apt
crimson rat
ares rat
ddos
cyber espionage
hacktivism
data exfiltration
spear phishing
operation sindoor
2025-06-04
hybrid warfare
website defacement
Published: June 4, 2025
Downloadable IOCs: 0

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and insert…
backdoor
apt
persistence
botnet
ssh
stealth
authentication bypass
asus routers
CVE-2023-39780
2025-06-04
nvram
Published: June 4, 2025
Downloadable IOCs: 3

TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking

The TA-ShadowCricket group, formerly known as Shadow Force, has been active in the Asia-Pacific region since 2012, targeting Windows servers and MS-SQL servers. They operate an IRC server with over 2,000 affected IPs in 72 countries. The group uses various malware and tools, including Upm, SqlShell…
malware
apt
china
botnet
sqlshell
irc
windows servers
miner
ms-sql
2025-05-27
credentialstealer
maggiescan
detofin
upm
pemodifier
sqldoor
maggie
wgdrop
shaduser
asia-pacific
Published: May 27, 2025
Downloadable IOCs: 13

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and Bypass…
backdoor
apt
sql injection
cobalt strike
dll sideloading
vulnerability exploitation
brute ratel
multi-industry targeting
CVE-2024-9047
CVE-2024-51378
CVE-2024-51567
china-nexus
CVE-2024-56145
vshell
CVE-2025-31324
2025-05-27
CVE-2021-22205
CVE-2024-27199
CVE-2024-27198
CVE-2017-9805
pulsepack
bypassboss
custom tools
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-9047 (CVSS 9.8), CVE-2024-51378 (CVSS 10.0), CVE-2024-51567 (CVSS 10.0), CVE-2024-56145, CVE-2025-31324 (CVSS 10.0), CVE-2017-9805, CVE-2024-27199, CVE-2024-27198, CVE-2021-22205
Downloadable IOCs: 185

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.
apt
sliver
webshell
china-nexus
vshell
snowlight
sap netweaver
azure ad
cve202531324
2025-05-14
unc5174
clsta0048
sta-0048
krustyloader
Published: May 14, 2025
Linked vulnerabilities : CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9380 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2024-21887, CVE-2023-46805, CVE-2024-1709, CVE-2023-46747, CVE-2024-36401, CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 61

Targeting Taiwan & Japan with DLL Implants

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads.…
apt
cobalt strike
dll sideloading
taiwan
multi-stage attack
japan
2025-05-12
google drive
isurus
pterois
dll implants
Published: May 12, 2025
Downloadable IOCs: 16

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage ser…
apt
rootkit
data exfiltration
2025-05-01
tesdat
simpoboxspy
moriya
krnrat
Published: May 1, 2025
Downloadable IOCs: 58

Lazarus APT updates its toolset in watering hole attacks

The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, sem…
apt
supply chain
south korea
vulnerability exploitation
watering hole
2025-04-24
copperhedge
signbt
threatneedle
agamemnon downloader
wagent
Published: April 24, 2025
Downloadable IOCs: 0

Sophisticated backdoor mimicking secure networking software updates

A sophisticated backdoor targeting Russian organizations in government, finance, and industry sectors was discovered masquerading as updates for ViPNet secure networking software. The malware, distributed in LZH archives, exploits a path substitution technique to execute a malicious loader that dep…
backdoor
apt
russia
payload
c2 server
software updates
2025-04-22
targeted attack
secure networking
heur:trojan.win32.loader.gen
path substitution
vipnet
Published: April 22, 2025
Downloadable IOCs: 0

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…
apt
phishing
kimsuky
south korea
CVE-2017-11882
keylogger
CVE-2019-0708
japan
2025-04-22
randomquery
rdp exploitation
bluekeep
myspy
kimalogger
Published: April 22, 2025
Downloadable IOCs: 0

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…
backdoor
loader
obfuscation
apt
powershell
cobalt strike
zero-day
encryption
CVE-2024-6473
CVE-2025-2783
2025-04-18
dante
trinper
Published: April 18, 2025
Downloadable IOCs: 0

New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modul…
apt
2025-04-17
ironhusky
mysterymonosnail
mysterysnail
Published: April 17, 2025
Linked vulnerabilities : CVE-2021-40449
Downloadable IOCs: 2

North Korean APT37 Mobile Spyware Discovered

A new Android spyware called KoSpy has been attributed to the North Korean group APT37 (ScarCruft). The malware, active since March 2022, targets Korean and English-speaking users by masquerading as utility apps. KoSpy uses a two-stage C2 infrastructure, retrieving initial configurations from Fireb…
apt
surveillance
north korea
android
spyware
konni
apt37
2025-04-12
scarcruft
kospy
Published: April 12, 2025
Downloadable IOCs: 0

Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer

A new malware called DocSwap, disguised as a document viewing authentication app, was discovered targeting South Korean mobile users. The malware, linked to a North Korean APT group, performs keylogging and information theft through accessibility services. It decrypts an obfuscated APK file, execut…
apt
north korea
south korea
2025-04-12
dpkr
docswap
accessibility services
Published: April 12, 2025
Downloadable IOCs: 0

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files
Published: April 10, 2025
Downloadable IOCs: 0

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customize…
apt
rat
phishing
dll side-loading
multi-platform
msi
spark rat
2025-04-08
xeno rat
curlback rat
Published: April 8, 2025
Downloadable IOCs: 28

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that us…
backdoor
apt
espionage
persistence
multi-stage attack
cloud services
vmprotect
2025-02-27
sagerunex
evora
2025-04-04
lotus blossom
Published: April 4, 2025
Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…
obfuscation
apt
phishing
south korea
keylogging
lnk file
data exfiltration
cryptocurrency theft
snakekeylogger
2025-04-04
vba script
Published: April 4, 2025
Downloadable IOCs: 0

The Espionage Toolkit: A Closer Look at its Advanced Techniques

Earth Alux, a China-linked APT group, is actively conducting cyberespionage attacks against key sectors in the APAC and Latin American regions. The group exploits vulnerable services in exposed servers to gain initial access and deploys web shells like GODZILLA. Their primary backdoor, VARGEIT, is …
apt
cyberespionage
godzilla
dll side-loading
latin america
2025-03-31
apac
vargeit
railsetter
masqloader
rsbinject
railload
cobeacon
Published: March 31, 2025
Downloadable IOCs: 0

Operation ForumTroll exploits zero-days in Google Chrome

In March 2025, a sophisticated malware campaign exploited a zero-day vulnerability in Google Chrome to infect targets. The attack, dubbed Operation ForumTroll, used personalized phishing emails with short-lived links to deliver malware. Kaspersky detected the exploit, reported it to Google, and an …
apt
phishing
zero-day
google chrome
2025-03-25
trojan.win64.convagent.gen
sandbox escape
trojan.win64.agent
CVE-2025-2783
Published: March 25, 2025
Downloadable IOCs: 0

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The a…
apt
espionage
china
government
shadowpad
ngo
2025-03-21
spyder
sodamaster
think tank
i-soon
rpipecommander
Published: March 21, 2025
Downloadable IOCs: 12

Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's Latest Backdoor

FIN7, a notorious cybercrime group, has developed a new Python-based backdoor called AnubisBackdoor. This sophisticated tool employs multi-stage attacks, encryption, and obfuscation techniques to evade detection. The malware is distributed through phishing campaigns and uses AES encryption with mul…
obfuscation
apt
phishing
python
encryption
2025-03-20
financial-crime
anubisbackdoor
hospitality-sector
Published: March 20, 2025
Downloadable IOCs: 0

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…
apt
espionage
windows
vulnerability
data theft
zero-day
lnk
raspberry robin
command execution
2025-03-18
shortcut
Published: March 18, 2025
Downloadable IOCs: 851

Off the Beaten Path: Recent Unusual Malware

The article examines three unusual malware samples: a C++/CLI IIS backdoor enabling stealthy remote command execution, a bootkit leveraging the GRUB 2 bootloader to gain early system control and persistence, and a cross-platform post-exploitation framework developed in C++. These cases highlight ev…
backdoor
apt
post-exploitation
bootkit
2025-03-14
iis backdoor
c++/cli
projectgeass
dixie-playing bootkit
grub
2025-03-17
Published: March 17, 2025
Downloadable IOCs: 7

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 38

Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware…
backdoor
supply-chain
apt
targeted
2025-03-04
satellite
sosano
Published: March 4, 2025
Downloadable IOCs: 0

Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors

North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Reco…
apt
north korea
contagious interview
2025-03-01
astrill vpn
famous chollima
Published: March 1, 2025
Downloadable IOCs: 9

Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems.…
backdoor
apt
espionage
2025-02-27
squidoor
Published: February 27, 2025
Downloadable IOCs: 30

North Korean-Linked macOS Malware Targets Cryptocurrency Sector with RustDoor and Koi Stealer

A recent campaign attributed to North Korean threat actors has been identified, targeting macOS users in the cryptocurrency industry. The attackers employ sophisticated social engineering techniques, posing as recruiters to lure job-seeking software developers into downloading malicious software. T…
apt
macos
rust
2025-02-26
cryptocurrencies
koi stealer
studio helper
rustdoor c2
Published: February 26, 2025
Downloadable IOCs: 21

Erudite Mogwai Uses Custom Stowaway to Stealthily Advance Online

The Solar 4RAYS team discovered a malicious campaign targeting Russian IT organizations providing services to the government sector. They found a customized version of the open-source Stowaway proxy tool being used by the threat actor Erudite Mogwai (also known as Space Pirates). The attackers modi…
apt
2025-02-26
proxy tool
shadowpad light
luckystrike agent
stowaway
Published: February 26, 2025
Downloadable IOCs: 12

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…
apt
phishing
social engineering
north korea
cryptocurrency
2025-02-26
bybit
Published: February 26, 2025
Downloadable IOCs: 0

Chinese APT Target Royal Thai Police in Malware Campaign

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process…
apt
espionage
phishing
china
yokai
2025-02-26
Published: February 26, 2025
Downloadable IOCs: 0

Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers

Forescout reportead a cyber attack by the Silver Fox APT group on Philips DICOM medical imaging software. The attackers exploited vulnerabilities in the software to gain unauthorized access to sensitive patient data and hospital networks.
apt
healthcare
valleyrat
ics
ot
2025-02-25
silverfox
Published: February 25, 2025
Downloadable IOCs: 53

New wave of targeted attacks of the Angry Likho APT on Russian organizations

The Angry Likho APT group has launched a new wave of targeted attacks primarily against Russian organizations. The group employs spear-phishing emails with malicious attachments as the initial attack vector. A previously unknown implant was discovered, utilizing a self-extracting archive and AutoIt…
apt
russia
stealer
autoit
targeted attacks
2025-02-24
lumma trojan
Published: February 24, 2025
Downloadable IOCs: 30

Finance Report: Who Targets Financial Institutions?

This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophis…
apt
phishing
ransomware
cybercrime
ransomhub
edrkillshifter
rustbucket
goldpickaxe
financial sector
2025-02-20
catb
initial access brokers
jsoutprox
tradertraitor
golddigger
state-sponsored threats
goldkefu
tycoon 2fa
banking trojans
sneaky 2fa
golddiggerplus
Published: February 20, 2025
Downloadable IOCs: 0

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains…
apt
phishing
credential theft
taiwan
spoofed domains
2025-02-05
fake download pages
163.com
netease
Published: February 5, 2025
Downloadable IOCs: 9

CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia

A sophisticated cyberespionage campaign targeting high-value entities in South Asia, particularly a telecommunications organization, has been identified. The threat actor, tracked as CL-STA-0048, employed rare techniques like 'Hex Staging' for payload delivery and DNS-based data exfiltration. The o…
apt
plugx
cobalt strike
south asia
2025-01-30
Published: January 30, 2025
Linked vulnerabilities : CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0)
Downloadable IOCs: 21

Tracking Adversaries: Ghostwriter APT Infrastructure

This analysis examines the infrastructure used by the Ghostwriter APT group, focusing on their phishing campaign targeting Ukrainian military. By pivoting on overlapping indicators of compromise (IOCs) from multiple threat reports, a cluster of malicious domains was identified. These domains share …
apt
belarus
cobalt strike
ukraine
2025-01-24
Published: January 24, 2025
Linked vulnerabilities : CVE-2022-30190
Downloadable IOCs: 25

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …
backdoor
supply-chain
apt
espionage
china
south korea
vpn
2025-01-22
slowstepper
Published: January 22, 2025
Downloadable IOCs: 0

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…
apt
espionage
powershell
government
golang
telegram
central asia
2025-01-21
yorotrooper
gservice.exe
xerox_scan17510875802718752175.exe
kyrgyzstan
resocks
Published: January 21, 2025
Downloadable IOCs: 12

ANDROID MALWARE IN DONOT APT OPERATIONS

The DONOT APT group, serving Indian national interests, has deployed Android malware named 'Tanzeem' for intelligence gathering against internal threats. The malware, disguised as a chat application, exploits OneSignal, a customer engagement platform, for malicious purposes. It requests dangerous p…
apt
android
spyware
2025-01-21
Published: January 21, 2025
Downloadable IOCs: 6

Chinese Malware Delivery Websites

A cluster of over 400 domains have been registered since June 2024 to host spoofed websites delivering malware to Chinese-speaking users. The sites imitate popular applications like web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, RemKos RAT, …
apt
credential theft
redline
gh0strat
valleyrat
lummastealer
malware delivery
2025-01-16
farfli
remote access trojans
chinese-speaking users
remkos rat
spoofed websites
hack-for-hire
Published: January 16, 2025
Downloadable IOCs: 526

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control …
backdoor
apt
social engineering
data theft
c2 communication
2025-01-02
ipmsg
dll64.dll
loader1.dll
att_loader_dll.dll
weaponized installer
Published: January 2, 2025
Downloadable IOCs: 3

Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task…
apt
espionage
rat
south asia
defense sector
scheduled tasks
2024-12-17
turkey
miyarat
wmrat
alternate data streams
Published: December 17, 2024
Downloadable IOCs: 0

Intensifies Attacks On Russia With PhantomCore

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earl…
backdoor
apt
ransomware
russia
lockbit
CVE-2023-38831
babuk
phantomcore
2024-12-11
hacktivist
boost.beast
Published: December 11, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 31

U.S. Organization in China Targeted by Attackers

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, laterally moved across systems, compromised Exchange servers to harvest emails, and deployed exfiltrati…
apt
espionage
exfiltration
lateral movement
credential access
2024-12-06
textinputhost.dat
Published: December 6, 2024
Downloadable IOCs: 13

Leveraging Cloudflare Tunnels for GammaDrop Infrastructure

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…
apt
spearphishing
html smuggling
2024-12-05
gammadrop
obfuscation techniques
gammaload
cloudflare tunnels
russian state-sponsored
dns fast-fluxing
Published: December 5, 2024
Downloadable IOCs: 1

BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…
apt
spearphishing
html smuggling
2024-12-05
gammadrop
obfuscation techniques
gammaload
cloudflare tunnels
russian state-sponsored
dns fast-fluxing
Published: December 5, 2024
Downloadable IOCs: 0

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Beware of phishing attacks by APT-C-01 (Poison Ivy)

APT-C-01, known as Poison Ivy, is a persistent threat group targeting defense, government, technology, and education sectors since 2007. They specialize in phishing attacks, including watering hole and spear-phishing, using personalized bait content. Recent observations show the group creating fake…
apt
phishing
poison ivy
2024-12-03
sliver rat
Published: December 3, 2024
Downloadable IOCs: 7

Unveiling WolfsBane: Linux counterpart to Gelsevirine

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood …
linux
backdoor
apt
rootkit
persistence
cyberespionage
2024-11-22
wolfsbane
gelsevirine
project wood
firewood
Published: November 22, 2024
Downloadable IOCs: 41

Spot the Difference: New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella

Earth Kasha, a threat group targeting Japan since 2019, has launched a new campaign with significant updates to their tactics and arsenals. The group has expanded its targets to include Taiwan and India, focusing on advanced technology organizations and government agencies. They now exploit public-…
backdoor
apt
cobalt strike
credential theft
lodeinfo
noopdoor
CVE-2023-27997
china-nexus
2024-11-19
mirrorstealer
CVE-2023-45727
CVE-2023-28461
Published: November 19, 2024
Linked vulnerabilities : CVE-2023-3519, CVE-2023-27997, CVE-2023-45727, CVE-2023-28461, CVE-2013-3900, CVE-2023-3467, CVE-2023-3466
Downloadable IOCs: 7

Mind the (air) gap: GoldenJackal gooses government guardrails

ESET researchers uncovered two distinct toolsets used by the GoldenJackal APT group to breach air-gapped systems in government organizations. The first toolset, observed in 2019, included GoldenDealer for delivering executables via USB drives, GoldenHowl as a modular backdoor, and GoldenRobo for fi…
apt
cyberespionage
2024-11-17
jackalworm
goldenusbgo
goldenblacklist
goldenrobo
modular malware
goldendealer
goldendrive
goldenmailer
goldenace
goldenhowl
usb propagation
goldenpyblacklist
goldenusbcopy
air-gapped systems
Published: November 17, 2024
Downloadable IOCs: 0

Attack On Maritime & Defense Manufacturing

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…
apt
powershell
pakistan
persistence
encryption
defense
lnk file
maritime
2024-11-15
stager
manufacturing
Published: November 15, 2024
Downloadable IOCs: 0

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its oper…
apt
espionage
phishing
wiper
cyber-espionage
2024-11-12
middle east
ironwind
hamas
havoc demon
samecoin
Published: November 12, 2024
Downloadable IOCs: 90

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…
apt
phishing
north korea
cryptocurrency
persistence
macos
2024-11-08
lessonone
growth
Published: November 8, 2024
Downloadable IOCs: 0

Evasive Panda scouting cloud services

CloudScout is a post-compromise toolset used by Evasive Panda to target a Taiwanese government entity and religious organization between 2022 and 2023. The toolset can retrieve data from various cloud services using stolen web session cookies. It works with MgBot, Evasive Panda's malware framework,…
apt
china
cyberespionage
taiwan
mgbot
cloud services
2024-10-28
nightdoor
cookie theft
cloudscout
Published: October 28, 2024
Downloadable IOCs: 17

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Analyzing the Awaken Likho APT group implant: new tools and techniques

A new campaign by the Awaken Likho APT group targeting Russian government agencies and industrial enterprises was discovered in June 2024. The group has significantly changed its attack methods, now preferring the MeshCentral platform agent instead of UltraVNC for remote access. The implant is deli…
apt
phishing
meshagent
meshcentral
2024-10-07
Published: October 7, 2024
Downloadable IOCs: 0

Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
apt
python
cyber espionage
lnk file
github
2024-10-01
remote tunnel
unauthorized access
vs code
scheduled task
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

Analyzing the Newest Turla Backdoor

The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
backdoor
apt
2024-09-27
Published: September 27, 2024
Downloadable IOCs: 5

Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental in…
apt
backdoors
stealers
2024-09-27
Published: September 27, 2024
Downloadable IOCs: 50

Attempted cyberattacks on military systems using mobile malware

The report details attempts by threat actors to compromise smartphones and tablets belonging to military personnel by distributing malicious APK files disguised as legitimate software for military systems like GRISELDA and "Eyes". The malware, named HYDRA and a modified version of "Eyes", was desig…
apt
2024-09-10
aurora
fakeapps
militarytargeting
datatheft
mdmbot
mcrat
hydraq
roarur
homeunix
hidraq
mobileattacks
9002 rat
homux
Published: September 10, 2024
Downloadable IOCs: 15

Chinese APT Abuses VSCode to Target Government in Asia

The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain …
apt
exfiltration
cyberespionage
shadowpad
poisonplug.shadow
toneshell
2024-09-09
credentialtheft
reverseshell
visualstudiocode
Published: September 9, 2024
Downloadable IOCs: 17

APT Lazarus: Eager Crypto Beavers, Video calls and Games

Group-ib explored the growing threats posed by the Lazarus Group's financially-driven campaign against developers. Group-ib examined their recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases. Additionally, the…
apt
lazarus
2024-09-09
beavertail
civetq
Published: September 9, 2024
Downloadable IOCs: 85

Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders

A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
backdoor
apt
cobalt strike
persistence
steganography
vietnam
2024-09-03
dll side-loading
com hijacking
human rights
Published: September 3, 2024
Downloadable IOCs: 46

The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'

Proofpoint researchers uncovered an unusual campaign delivering custom malware named "Voldemort". The activity impersonated tax authorities from various countries and targeted dozens of organizations worldwide. The attack chain combines popular and uncommon techniques, including using Google Sheets…
apt
espionage
cobalt strike
2024-09-02
tax authorities
voldemort
Published: September 2, 2024
Downloadable IOCs: 27

GreenCharlie Infrastructure Linked to US Political Campaign Targeting

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…
malware
apt
espionage
phishing
iran
2024-08-21
powerstar
gorble
Published: August 21, 2024
Downloadable IOCs: 111

CERT-UA Report: UAC-0198: Mass distribution of ANONVNC (MESHAGENT) among government organizations of Ukraine

According to the report, cyber operations related to the ongoing military conflict between Russia and Ukraine are ongoing. The report highlights the potential risks and threats posed by Russian state-sponsored actors, including the deployment of wiper malware, distributed denial-of-service (DDoS) a…
apt
data leaks
ddos
2024-08-13
wiper malware
Published: August 13, 2024
Downloadable IOCs: 26

A Dive into Latest Campaign

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
backdoor
loader
apt
espionage
cobalt strike
cybercrime
godzilla
stealthvector
2024-08-09
stealthreacher
megacmd
sneakcross
tailscale
rakshasa
Published: August 9, 2024
Downloadable IOCs: 30

APT Group Kimsuky Targets University Researchers

A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, an…
apt
espionage
phishing
north korea
2024-08-09
universities
Published: August 9, 2024
Downloadable IOCs: 24

MirrorFace Attack against Japanese Organisations

The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, functionality, and the tactics, techniques, and procedures employed by the attac…
malware
apt
2024-08-02
lodeinfo
noopdoor
ttp
Published: August 2, 2024
Linked vulnerabilities : CVE-2022-1388
Downloadable IOCs: 27

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…
apt
cobalt strike
credential theft
cobaltstrike
shadowpad
data exfiltration
2024-08-02
poisonplug.shadow
CVE-2018-0824
unmarshalpwn
Published: August 2, 2024
Linked vulnerabilities : CVE-2018-0824
Downloadable IOCs: 13

Analysis of Golang Payload and Information Theft Campaign

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…
malware
apt
espionage
pakistan
exfiltration
golang
2024-07-30
quasar
client.exe
winver.exe
Published: July 30, 2024
Downloadable IOCs: 8

Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India

This report examines the convergence of tactics employed by Pakistani cyber threat groups, including Transparent Tribe, SideCopy, and RusticWeb, targeting Indian government entities and critical infrastructure. It uncovers overlaps in their infrastructure, tactics, and payloads, suggesting coordina…
apt
espionage
crimson rat
pakistan
action rat
reverse rat
india
disgomoji
2024-07-29
poseidon
geta rat
Published: July 29, 2024
Downloadable IOCs: 89

Analysis of Suspected APT Attack Activities by “Silver Fox”

This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
malware
obfuscation
apt
phishing
cybercrime
winos
2024-07-10
updatedll
Published: July 10, 2024
Downloadable IOCs: 7

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…
malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform
Published: July 8, 2024
Downloadable IOCs: 28

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
apt
espionage
rat
phishing
government
sugargh0st
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 148

FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
malware
apt
powershell
2024-06-19
poison ivy
poisonivy
geocities
encodedpayload
breut
darkmoon
Published: June 19, 2024
Downloadable IOCs: 5

Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

This technical analysis examines a campaign by the Kimsuky threat group that exploited a vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. …
apt
CVE-2017-11882
2024-06-13
keylogger
Published: June 13, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 0

APT Attacks Using Cloud Storage

The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
apt
dropbox
powershell
cloud
2024-06-11
xenorat
Published: June 11, 2024
Downloadable IOCs: 1

SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)

This report details a series of attacks targeting South Korean companies, particularly defense contractors, automobile part manufacturers, and semiconductor manufacturers. The threat actor initially deployed malware strains associated with the Kimsuky group, such as MultiRDP and Meterpreter, but la…
apt
meterpreter
2024-06-11
mimikatz
durianbeacon
multirdp
webbrowserpassview
smalltiger
Published: June 11, 2024
Downloadable IOCs: 19

Operation ControlPlug: Targeted attack campaign using MSC files

An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
malware
stealthy
apt
plugx
campaign
2024-06-06
korplug
kaba
tvt
destroyrat
thoper
sogu
Published: June 6, 2024
Downloadable IOCs: 14

Hellhounds: Operation Lahat

A group called Hellhounds has continued attacking Russian organizations into 2024 using various techniques to compromise infrastructure. Research shows malware toolkit development began in 2019. The group maintains presence inside critical organizations for years. Although based on open-source proj…
apt
russia
2024-05-28
operation lahat
Published: May 28, 2024
Downloadable IOCs: 73

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolvin…
malware
apt
espionage
2024-05-23
.net
dustyexfiltool
2024-05-24
unfading sea haze
silentgh0st
translucentgh0st
sharpjshandler
Published: May 24, 2024
Downloadable IOCs: 47

Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

BlackBerry discovered the Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeting the Indian government, defense, and aerospace sectors. The group employed cross-platform programming languages, open-source tools, and abused web services for command-and-control and exfil…
apt
espionage
2024-05-24
transparent tribe
Published: May 24, 2024
Downloadable IOCs: 97

APT attack discovered using Facebook and MS management console (Attack signs detected targeting Korea and Japan)

A threat actor impersonated a North Korean human rights official on Facebook and approached targets. They shared malicious URLs disguised as documents. Microsoft OneDrive cloud service was used to host the malicious MSC file, which communicated with C2 servers and deployed Reconshark malware associ…
apt
kimsuky
northkorea
2024-05-21
Published: May 21, 2024
Downloadable IOCs: 46

Master of Puppets: Uncovering the pro-Russian influence campaign

The DoppelGänger campaign is an ongoing influence operation attributed to Russian entities Structura and the Social Design Agency. Its primary goal is to diminish support for Ukraine and foster divisions within supporting nations. It targets audiences in several Western countries through a network …
apt
2024-05-21
disinformation
influence
Published: May 21, 2024
Downloadable IOCs: 588

Analysis of APT attack cases targeting domestic companies using Dora RAT (Andariel Group)

AhnLab Security Intelligence Center (ASEC) recently confirmed that the Andariel group carried out APT attacks on domestic companies and institutions. The targeted organizations included manufacturing companies, construction firms, and educational institutions. The attackers employed backdoors, keyl…
apt
infostealer
2024-05-20
dora rat
nestdoor
openvpn attack
Published: May 20, 2024
Downloadable IOCs: 10

Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups

At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
apt
cybercrime
2024-05-20
asp
viewstate
telco
Published: May 20, 2024
Downloadable IOCs: 9

To the Moon and back(doors): Lunar landing in diplomatic missions

ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
backdoor
apt
espionage
steganography
2024-05-16
2024-05-11
diplomacy
lunarweb
lunarmail
Published: May 16, 2024
Downloadable IOCs: 12

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
malware
apt
rat
action rat
india
infection chain
2024-05-15
2024-05-10
reverserat
Published: May 15, 2024
Downloadable IOCs: 21

Untangling Iran's APT42 Operations

APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.
apt
2024-05-03
iran
cyber espionage
CVE-2021-44228
nicecurl
tamecat
Published: May 3, 2024
Downloadable IOCs: 160

Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access tro…
apt
lnk
rokrat
cloud
korea
Published: April 29, 2024
Downloadable IOCs: 3

Uncorking Old Wine: Zero-Day from 2017 + Loader in Unholy Alliance

An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017, CVE-2017-8570, as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor…
apt
cobalt strike
ukraine
malicious document
cobalt strike beacon
zero-day
CVE-2017-8570
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports