Tag: cyber espionage

20 Attack Reports | 0 Vulnerabilities

Attack reports

Hundreds of thousands of rubles for your secrets: cyber spies disguise themselves as recruiters

Cybercriminals impersonating a real company are sending fake job descriptions to employees of targeted organizations. The attackers, known as Squid Werewolf, are offering substantial sums of money, potentially hundreds of thousands of rubles, in exchange for sensitive information. This sophisticate…
phishing
social engineering
impersonation
cyber espionage
2025-03-12
fake job offers
recruitment scam
Published: March 12, 2025
Downloadable IOCs: 6

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys…
ukraine
cyber espionage
dcrat
apt44
2025-02-12
backorder
kalambur
gru
dark crystal rat
kms activators
backorder loader
software piracy
Published: February 12, 2025
Downloadable IOCs: 35

Cyber Espionage Operation Expanding from Central Asia

An active cyber-espionage campaign by UAC-0063 is targeting organizations in Central Asia and Europe, including government entities and diplomatic missions. The group exploits previously compromised victims by weaponizing exfiltrated documents to deliver HATVIBE malware. They use sophisticated tool…
government targets
cyber-espionage
central asia
hatvibe
2025-01-29
downexpyer
weaponized documents
pyplunderplug
logpie
Published: January 29, 2025
Downloadable IOCs: 0

Unmasking the Shadow of PoisonPlug's Obfuscator

Since 2022, cyber espionage operations utilizing POISONPLUG.SHADOW have been tracked, employing a custom obfuscating compiler called ScatterBrain. This evolved version of ScatterBee targets entities in Europe and Asia Pacific. POISONPLUG.SHADOW, a variant of the POISONPLUG modular backdoor, uses ad…
cyber espionage
poisonplug.shadow
2025-01-29
poisonplug
poisonplug.deed
scatterbee
scatterbrain
Published: January 29, 2025
Downloadable IOCs: 2

Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

A cyber espionage campaign targeting Central Asian countries, particularly Kazakhstan's external relations, has been uncovered. The campaign, attributed to the Russia-aligned intrusion set UAC-0063, uses a sophisticated infection chain called Double-Tap to deliver the HATVIBE and CHERRYSPY malware.…
apt28
cyber espionage
2025-01-13
kazakhstan
cherryspy
diplomatic
central asia
double-tap
hatvibe
Published: January 13, 2025
Downloadable IOCs: 12

Forges Recruitment Sites, Launches Attacks on Aerospace and Semiconductor Industries in Multiple Countries

In this analysis, researchers have uncovered a malicious campaign orchestrated by APT35, a threat group believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC) of Iran. The group has been observed using forged recruitment sites and corporate sites to target the aerospace and sem…
cyber espionage
targeted attacks
middle east
2024-12-04
signedconnection.exe
semiconductor industry
secur32.dll
aerospace industry
qt5core.dll
msvcp.dll
Published: December 4, 2024
Downloadable IOCs: 12

China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

A Chinese state-sponsored threat group, TAG-112, has compromised two Tibetan websites to deliver Cobalt Strike malware. The attackers embedded malicious JavaScript in the sites, spoofing a TLS certificate error to trick visitors into downloading a disguised security certificate. This campaign highl…
state-sponsored
cobalt strike
cyber-espionage
2024-11-13
china-nexus
tibetan websites
joomla vulnerabilities
tls certificate spoofing
evasive panda
tag-102
Published: November 13, 2024
Downloadable IOCs: 19

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its oper…
apt
espionage
phishing
wiper
cyber-espionage
2024-11-12
middle east
ironwind
hamas
havoc demon
samecoin
Published: November 12, 2024
Downloadable IOCs: 90

Analysis of Cyber Reconnaissance Activities Behind APT37 Threats

The report analyzes the covert cyber reconnaissance activities of the state-sponsored APT37 group targeting South Korea. The group uses spear-phishing emails with malicious LNK files to deploy the RoKRAT malware, collecting sensitive information from victims' devices. The attackers employ various t…
north korea
rokrat
cyber espionage
reconnaissance
spear-phishing
lnk files
2024-11-06
web beacons
Published: November 6, 2024
Linked vulnerabilities : CVE-2022-41128
Downloadable IOCs: 20

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan

A sophisticated cyber espionage campaign dubbed Operation Cobalt Whisper has been uncovered, targeting various industries in Hong Kong and Pakistan. The threat actor focuses on the defense sector, engineering researchers, and key entities in these regions, using tailored lures related to electrotec…
cobalt strike
pakistan
cyber espionage
vbscript
lnk files
2024-10-24
engineering
hong kong
defense sector
Published: October 24, 2024
Downloadable IOCs: 0

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)

A new threat cluster, UNC5820, has been observed exploiting a zero-day vulnerability in FortiManager appliances across multiple industries. The vulnerability allows unauthorized execution of arbitrary code or commands on vulnerable devices. The attackers staged and exfiltrated configuration data fr…
vulnerability
zero-day
exploitation
fortigate
CVE-2024-47575
2024-10-24
fortimanager
cyber-espionage
configuration-exfiltration
network-security
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 4

Advanced Cyberattacks Against UAE and Gulf Regions

Earth Simnavaz, also known as APT34 and OilRig, has been actively targeting governmental entities in the UAE and Gulf region. The group employs sophisticated tactics, including a backdoor that exploits Microsoft Exchange servers for credential theft and the use of CVE-2024-30088 for privilege escal…
cyber espionage
credential theft
oilrig
CVE-2024-30088
privilege escalation
microsoft exchange
2024-10-14
apt34
stealhook
iis malware
gulf region
uae
Published: October 14, 2024
Linked vulnerabilities : CVE-2024-30088 (CVSS 7.0)
Downloadable IOCs: 17

People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations

PRC-linked cyber actors have compromised thousands of Internet-connected devices to create a botnet for malicious activities. Integrity Technology Group, a PRC-based company with government links, has controlled a botnet of over 260,000 devices since mid-2021. The botnet uses Mirai-based malware to…
china
ddos
iot
botnet
cyber espionage
mirai
CVE-2024-29973
CVE-2024-4577
CVE-2024-5217
routers
CVE-2023-3519
CVE-2023-46604
CVE-2023-46747
2024-10-02
CVE-2023-43478
CVE-2023-3852
CVE-2023-36844
network compromise
CVE-2024-29269
CVE-2023-36542
CVE-2023-35885
CVE-2024-21762
CVE-2023-38035
CVE-2023-35843
CVE-2023-37582
CVE-2023-38646
CVE-2023-50386
CVE-2023-47218
Published: October 2, 2024
Linked vulnerabilities : CVE-2024-29973 (CVSS 9.8), CVE-2024-4577 (CVSS 9.8), CVE-2024-5217, CVE-2021-44228, CVE-2023-46604, CVE-2023-22515, CVE-2022-26134, CVE-2022-42475, CVE-2022-1388, CVE-2023-22527, CVE-2023-3519, CVE-2023-27997, CVE-2023-46747, CVE-2023-43478, CVE-2023-37582, CVE-2023-36542, CVE-2023-35885, CVE-2023-35843, CVE-2023-35081, CVE-2023-34960, CVE-2023-34598, CVE-2023-3368, CVE-2023-33510, CVE-2023-30799, CVE-2023-28365, CVE-2023-26469, CVE-2023-23333, CVE-2022-3590, CVE-2022-40881, CVE-2022-20707, CVE-2021-46422, CVE-2021-45511, CVE-2021-36260, CVE-2021-28799, CVE-2021-1473, CVE-2021-1472, CVE-2020-4450, CVE-2020-35391, CVE-2020-3451, CVE-2019-12168, CVE-2019-11829, CVE-2018-18852, CVE-2017-7876, CVE-2019-19824, CVE-2024-29269, CVE-2021-20090, CVE-2015-7450, CVE-2022-31814, CVE-2023-38035, CVE-2019-17621, CVE-2023-36844, CVE-2022-30525, CVE-2023-28771, CVE-2023-47218, CVE-2023-50386, CVE-2024-21762, CVE-2023-4166, CVE-2023-3852, CVE-2023-38646, CVE-2023-27524, CVE-2023-24229, CVE-2023-25690, CVE-2020-3452, CVE-2019-7256, CVE-2020-8515, CVE-2020-15415
Downloadable IOCs: 169

Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access

A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
apt
python
cyber espionage
lnk file
github
2024-10-01
remote tunnel
unauthorized access
vs code
scheduled task
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

SilentSelfie: Revealing a major campaign against Kurdish websites

A large-scale cyber espionage campaign targeting Kurdish websites was uncovered, involving 25 compromised sites using four variants of malicious scripts. The attacks ranged from simple location tracking to prompting users to install malicious Android apps. Despite lacking sophisticated techniques, …
cyber espionage
2024-09-25
watering hole
android malware
kurdish
silentselfie
location tracking
rojava
Published: September 25, 2024
Downloadable IOCs: 0

People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

This advisory outlines the tactics, techniques, and procedures employed by the state-sponsored cyber group APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. The group, believed to be associated with the People's Republic of China's Ministry of State Security, has…
china
cyber espionage
2024-07-09
leviathan
apt40
kryptonite panda
gingham typhoon
bronze mohawk
Published: July 9, 2024
Linked vulnerabilities : CVE-2021-34473, CVE-2021-44228, CVE-2021-31207, CVE-2021-26084, CVE-2021-34523
Downloadable IOCs: 0

Appearance of Kimsuky group's new backdoor (HappyDoor)

Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
backdoor
north korea
kimsuky
cyber espionage
2024-07-01
appleseed
information stealing
happydoor
Published: July 1, 2024
Downloadable IOCs: 16

Kimsuky Deploys TRANSLATEXT Chrome Extension

In March 2024, the cybersecurity firm Zscaler observed a new activity from Kimsuky, a North Korean state-sponsored hacker group. They employed a malicious Google Chrome extension named 'TRANSLATEXT' specifically crafted to steal email addresses, usernames, passwords, cookies, and capture browser sc…
malware
north korea
cyber espionage
credential theft
2024-06-28
chrome extension
Published: June 28, 2024
Downloadable IOCs: 10

Untangling Iran's APT42 Operations

APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.
apt
2024-05-03
iran
cyber espionage
CVE-2021-44228
nicecurl
tamecat
Published: May 3, 2024
Downloadable IOCs: 160
Click here to see more Attack Reports