Tag: espionage

86 Attack Reports | 0 Vulnerabilities

Attack reports

Network devices compromised for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper …
apt
espionage
china
adversary-in-the-middle
dns hijacking
slowstepper
software update hijacking
2025-11-19
littledaemon
edgestepper
network implant
daemoniclogistics
Published: November 19, 2025
Downloadable IOCs: 4

PlushDaemon compromises network devices for adversary-in-the-middle attacks

China-aligned threat actor PlushDaemon has been conducting espionage operations since 2018, targeting entities in China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. The group employs a custom backdoor called SlowStepper and uses a network implant named EdgeStepper …
apt
espionage
china
adversary-in-the-middle
dns hijacking
slowstepper
software update hijacking
2025-11-19
littledaemon
edgestepper
network implant
daemoniclogistics
Published: November 19, 2025
Downloadable IOCs: 7

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL,…
espionage
phishing
defense
lateral movement
privilege escalation
aerospace
custom malware
minibike
2025-11-18
dcsyncer.slick
third-party compromise
sightgrab
trusttrap
lightrail
deeproot
crashpad
twostroke
pollblend
ghostline
Published: November 18, 2025
Downloadable IOCs: 16

China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy

Chinese threat actors continue to target U.S. organizations involved in policy issues. A recent intrusion into a non-profit organization active in influencing U.S. government policy on international matters occurred in April 2025. The attackers, likely Chinese-based, used various techniques to esta…
espionage
china
persistence
CVE-2021-44228
dll sideloading
apt41
CVE-2017-9805
2025-11-07
dcsync
CVE-2022-26134
CVE-2017-17562
deed rat
policy influence
domain controllers
space pirates
kelp
Published: November 7, 2025
Linked vulnerabilities : CVE-2021-44228, CVE-2022-26134, CVE-2017-9805, CVE-2017-17562
Downloadable IOCs: 7

Crossed wires: a case study of Iranian espionage and attribution

This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Managemen…
espionage
phishing
credential harvesting
iranian threat actor
2025-11-05
rmm tools
attribution challenges
isl online
minibike
overlapping ttps
policy experts targeting
minijunk
pdqconnect
Published: November 5, 2025
Downloadable IOCs: 55

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting Central Asian nations, Russia, China, and Azerbaijan. Two main campaigns were identified: one focusing on Russia-Azerbaijan relations and another on China-Central Asia relations. The group uses various malware including Pow…
apt
espionage
powershell
russia
china
.net
reverse shell
central asia
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng
2025-11-05
Published: November 5, 2025
Downloadable IOCs: 0

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used…
apt
espionage
powershell
russia
china
github
reverse shell
central asia
tajikistan
2025-11-03
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng
Published: November 3, 2025
Downloadable IOCs: 33

DPRK's Playbook: HttpTroy and New BLINDINGCAN Variant

Recent investigations have uncovered two new toolsets from North Korean threat actors. Kimsuky deployed a new backdoor called HttpTroy, targeting a victim in South Korea through a VPN invoice-themed attack. The attack chain involves a dropper, a loader called MemLoad, and the HttpTroy backdoor, whi…
backdoor
obfuscation
espionage
comebacker
dprk
stealth
remote access tool
2025-11-03
blindingcan
httptroy
Published: November 3, 2025
Downloadable IOCs: 15

Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus

A sophisticated campaign targeting Russian and Belarusian military personnel has been identified, using multi-stage infection chains and decoy documents. The attackers deploy OpenSSH and Tor bridges to establish covert remote access and lateral movement capabilities. The infection process involves …
obfuscation
espionage
powershell
russia
belarus
ssh
tor
military
2025-10-31
Published: October 31, 2025
Downloadable IOCs: 12

Warlock Ransomware: Old Actor, New Tricks?

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C frame…
espionage
ransomware
lockbit
warlock
2025-10-23
anylock
Published: October 23, 2025
Downloadable IOCs: 0

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Phantom Taurus, a newly identified Chinese state-sponsored threat actor, has been conducting espionage operations targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's primary focus includes ministries of foreign affairs, embassies, and mili…
espionage
plugx
government
africa
gh0st rat
telecommunications
china chopper
middle east
chinese apt
asia
iis backdoor
2025-09-30
ntospy
specter
iiservercore
assemblyexecuter
net-star
database targeting
Published: September 30, 2025
Downloadable IOCs: 4

Updated Toneshell backdoor and novel SnakeDisk USB worm dropped

In mid-2025, China-aligned threat actor Hive0154 deployed new malware variants, including an updated Toneshell backdoor and a novel USB worm called SnakeDisk. Toneshell9 evades detection and supports C2 communication through local proxies. SnakeDisk only executes on devices in Thailand, propagating…
backdoor
espionage
china
toneshell
pubload
thailand
yokai
2025-09-11
usb worm
snakedisk
Published: September 11, 2025
Downloadable IOCs: 7

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This sophisticated multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading. The core compone…
backdoor
apt
espionage
dll sideloading
keylogger
military
stowaway
fileless malware
2025-09-10
philippines
eggstremefuel
eggstremereflectiveloader
eggstreme
eggstremewizard
eggstremeloader
eggstremekeylogger
eggstremeagent
Published: September 10, 2025
Downloadable IOCs: 12

Malicious Campaign Targeting Diplomatic Assets

An Iranian-aligned spear-phishing campaign masquerading as Omani Ministry of Foreign Affairs communications targeted global government entities. The operation used compromised mailboxes to distribute malicious Word documents containing VBA macros. When executed, these macros decoded and deployed a …
espionage
iran
diplomacy
vba macros
spear-phishing
oman mfa
2025-09-03
sysprocupdate
Published: September 3, 2025
Downloadable IOCs: 1

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …
espionage
north korea
powershell
rokrat
south korea
data exfiltration
fileless
spear-phishing
cloud services
lnk files
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 0

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-sta…
espionage
social engineering
in-memory execution
2025-08-26
prc-nexus
canonstager
sogu.sec
digital signatures
staticplugin
captive portal
Published: August 26, 2025
Downloadable IOCs: 9

Pressure on Ukraine and Poland Continues

Recent analysis reveals two clusters of malicious archives targeting Ukraine and Poland since April 2025, linked to UAC-0057 (also known as UNC1151, FrostyNeighbor or Ghostwriter). The infection chains aim to collect system information and deploy implants for further exploitation, using readily ava…
espionage
cobalt strike
ukraine
poland
infrastructure
c++
vba macros
downloaders
c#
2025-08-20
slack
xls
Published: August 20, 2025
Downloadable IOCs: 0

Operation Cargotalon: Targeting Russian Aerospace Defense Using Eaglet Implant

UNG0901, a threat group targeting Russian aerospace and defense sectors, has been discovered conducting a spear-phishing campaign against the Voronezh Aircraft Production Association. The operation, dubbed 'CargoTalon', utilizes a custom DLL implant called EAGLET, which is disguised as a ZIP file c…
espionage
russia
defense
aerospace
spear-phishing
2025-07-24
dll implant
logistics
eaglet
head mare
Published: July 24, 2025
Downloadable IOCs: 16

Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting

Between March and June 2025, three Chinese state-sponsored threat actors conducted targeted phishing campaigns against the Taiwanese semiconductor industry. The campaigns targeted organizations involved in semiconductor manufacturing, design, testing, supply chain, and financial analysis. This acti…
espionage
phishing
cobalt strike
sparkrat
voldemort
2025-07-17
semiconductor
unk_droppitch
unk_sparkycarp
unk_fistbump
healthkick
Published: July 17, 2025
Downloadable IOCs: 54

Fog Ransomware: Unusual Toolset Used in Recent Attack

A financial institution in Asia was targeted by Fog ransomware in May 2025, using an atypical toolset including legitimate employee monitoring software and open-source pentesting tools. The attackers deployed Syteca, GC2, Adaptix, and Stowaway, which are uncommon in ransomware attacks. They remaine…
espionage
data theft
persistence
lateral movement
CVE-2024-40711
fog ransomware
fog
asia
2025-06-12
unusual toolset
employee monitoring software
financial institution
pentesting tools
2025-06-17
Published: June 17, 2025
Linked vulnerabilities : CVE-2024-40711 (CVSS 9.8)
Downloadable IOCs: 0

Operation Endgame 2.0

International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos…
espionage
darkgate
ddos
danabot
malware-as-a-service
smokeloader
hijackloader
operation endgame
keylogger
targeted attacks
lumma
globeimposter
cactus
2025-05-23
Published: May 23, 2025
Downloadable IOCs: 9

Targets Tajikistan: New Macro Word Documents Phishing Tactics

From January to February 2025, a phishing campaign targeting Tajikistan was detected and attributed to TAG-110, a Russia-aligned threat actor. The campaign used Tajikistan government-themed documents as lures, shifting from previous tactics to macro-enabled Word template files for initial payload d…
espionage
phishing
government
cherryspy
hatvibe
pyplunderplug
logpie
2025-05-22
russia-aligned
tajikistan
Published: May 22, 2025
Downloadable IOCs: 6

Operation RoundPress targeting high-value webmail servers

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023…
espionage
spearphishing
russia
zero-day
credential theft
xss
data exfiltration
CVE-2024-27443
CVE-2024-11182
2025-05-15
2025-05-18
webmail
eastern europe
spypress.roundcube
spypress.mdaemon
CVE-2023-43770
spypress.zimbra
spypress.horde
Published: May 18, 2025
Linked vulnerabilities : CVE-2024-27443, CVE-2024-11182 (CVSS 6.1), CVE-2020-35730, CVE-2023-23397, CVE-2023-43770
Downloadable IOCs: 16

Marbled Dust leverages zero-day in Output Messenger for regional espionage

A Türkiye-affiliated espionage threat actor, Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The attacks target Kurdish military entities in Iraq, allowing the actor to deliver malicious files and exfiltrate data. The exploit involves a directory tra…
backdoor
espionage
zero-day
golang
data exfiltration
iraq
dns hijacking
CVE-2025-27920
CVE-2025-27921
2025-05-12
omserverservice.exe
omserverservice.vbs
omclientservice.exe
kurdistan
output messenger
2025-05-13
directory traversal
om.vbs
Published: May 13, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8), CVE-2025-27921 (CVSS 6.1)
Downloadable IOCs: 3

Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

Iranian cyber actors have been identified impersonating a German model agency in a suspected espionage operation. The attackers created a fraudulent website mimicking the authentic agency's branding and content, which triggers obfuscated JavaScript to capture detailed visitor information. This data…
espionage
phishing
social engineering
javascript
2025-05-07
data collection
Published: May 7, 2025
Downloadable IOCs: 3

Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key u…
espionage
spear-phishing
apt10
2025-05-01
sharphide
anel backdoor
Published: May 1, 2025
Downloadable IOCs: 36

BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat to European Industries

This analysis examines BRICKSTORM, an espionage backdoor linked to China-nexus cluster UNC5221. It details newly identified Windows variants, expanding on previous Linux presence. The backdoor, used in long-term espionage campaigns, targets European industries of strategic interest to China. BRICKS…
backdoor
espionage
brickstorm
evasion techniques
china-nexus
file management
2025-04-16
network tunneling
european industries
Published: April 16, 2025
Downloadable IOCs: 4

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system kn…
espionage
china
persistence
medusa
backdoors
routers
process injection
gobrat
china-nexus
2025-03-12
CVE-2025-21590
reptile
tinyshell
pithook
network infrastructure
juniper
seaelf
busybox
ghosttown
2025-04-11
Published: April 11, 2025
Linked vulnerabilities : CVE-2025-21590 (CVSS 4.4), CVE-2022-41328, CVE-2025-22457 (CVSS 9.0)
Downloadable IOCs: 14

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that us…
backdoor
apt
espionage
persistence
multi-stage attack
cloud services
vmprotect
2025-02-27
sagerunex
evora
2025-04-04
lotus blossom
Published: April 4, 2025
Downloadable IOCs: 0

Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability allows remote code execution through a buffer overflow. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed along …
espionage
zero-day
vpn
remote code execution
edge devices
buffer overflow
china-nexus
spawnsloth
CVE-2025-22457
2025-04-04
brushfire
spawnsnare
trailblaze
ivanti connect secure
spawnwave
Published: April 4, 2025
Downloadable IOCs: 0

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMe…
espionage
evasion
persistence
lateral movement
china chopper
china-nexus
telecom
2025-03-25
web shells
tunneling
inmemory web shell
Published: March 25, 2025
Downloadable IOCs: 1

Operation FishMedley targeting governments, NGOs, and think tanks

ESET researchers have uncovered a global espionage operation called Operation FishMedley, conducted by the FishMonger APT group, which is operated by the Chinese contractor I-SOON. The campaign targeted governments, NGOs, and think tanks across Asia, Europe, and the United States during 2022. The a…
apt
espionage
china
government
shadowpad
ngo
2025-03-21
spyder
sodamaster
think tank
i-soon
rpipecommander
Published: March 21, 2025
Downloadable IOCs: 12

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…
apt
espionage
windows
vulnerability
data theft
zero-day
lnk
raspberry robin
command execution
2025-03-18
shortcut
Published: March 18, 2025
Downloadable IOCs: 851

Russian State Actors: Development in Group Attributions

This analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in…
espionage
apt28
CVE-2023-0669
CVE-2023-38831
whispergate
unc2589
apt29
CVE-2023-34362
fsb
apt44
gru
2025-03-08
turla
sabotage
svr
Published: March 8, 2025
Downloadable IOCs: 0

Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems.…
backdoor
apt
espionage
2025-02-27
squidoor
Published: February 27, 2025
Downloadable IOCs: 30

Chinese APT Target Royal Thai Police in Malware Campaign

A malware campaign targeting the Royal Thai Police has been identified, using seemingly legitimate FBI-related documents to deliver the Yokai backdoor. The attack, consistent with the Chinese APT group Mustang Panda, involves a RAR archive containing a shortcut file that executes ftp.exe to process…
apt
espionage
phishing
china
yokai
2025-02-26
Published: February 26, 2025
Downloadable IOCs: 0

Inside the Scam: North Korea's IT Worker Threat

North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected Nor…
malware
espionage
north korea
cryptocurrency
beavertail
invisibleferret
remote work
2025-02-13
ottercookie
front companies
it workers
Published: February 13, 2025
Downloadable IOCs: 43

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …
backdoor
supply-chain
apt
espionage
china
south korea
vpn
2025-01-22
slowstepper
Published: January 22, 2025
Downloadable IOCs: 0

The ticket that doesn't exist: a new threat discovered - FakeTicketer

A new threat actor named FakeTicketer has been identified by F.A.C.C.T. Threat Intelligence, operating since June 2024 with a focus on espionage. The actor targets government officials and sports functionaries using malicious software disguised as tickets for Russian Premier League football matches…
espionage
rat
phishing
stealer
dropper
government
2025-01-22
sports
zagrebator
zagrebator.stealer
zagrebator.dropper
zagrebator.rat
Published: January 22, 2025
Downloadable IOCs: 0

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…
apt
espionage
powershell
government
golang
telegram
central asia
2025-01-21
yorotrooper
gservice.exe
xerox_scan17510875802718752175.exe
kyrgyzstan
resocks
Published: January 21, 2025
Downloadable IOCs: 12

Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named PNGPlug to deliver ValleyRAT payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer de…
espionage
gh0st rat
valleyrat
2025-01-20
pngplug
Published: January 20, 2025
Downloadable IOCs: 52

Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task…
apt
espionage
rat
south asia
defense sector
scheduled tasks
2024-12-17
turkey
miyarat
wmrat
alternate data streams
Published: December 17, 2024
Downloadable IOCs: 0

U.S. Organization in China Targeted by Attackers

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, laterally moved across systems, compromised Exchange servers to harvest emails, and deployed exfiltrati…
apt
espionage
exfiltration
lateral movement
credential access
2024-12-06
textinputhost.dat
Published: December 6, 2024
Downloadable IOCs: 13

Snowblind: The Invisible Hand of Secret Blizzard

A Russian-based threat actor, Secret Blizzard, has infiltrated 33 command-and-control nodes of a Pakistani-based actor, Storm-0156. Over two years, Secret Blizzard leveraged this access to deploy malware into Afghan government networks and potentially acquired data from Pakistani operators' worksta…
espionage
2024-12-05
secret blizzard
crimsonrat
snowblind
Published: December 5, 2024
Downloadable IOCs: 0

Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage

The Russian state-sponsored threat actor Secret Blizzard has been observed compromising the infrastructure of Storm-0156, a Pakistan-based espionage group, to conduct their own espionage operations. Since November 2022, Secret Blizzard has used Storm-0156's backdoors to deploy their own malware on …
espionage
russia
2024-12-05
tinyturla
storm-0156
secret blizzard
Published: December 5, 2024
Downloadable IOCs: 0

TaxOff: You've Got a Backdoor...

A sophisticated threat group named TaxOff has been discovered targeting Russian government agencies. The group uses phishing emails with legal and financial themes to deliver the Trinper backdoor, a multithreaded C++ malware with advanced features. Trinper employs STL containers, custom serializati…
espionage
phishing
keylogging
2024-12-03
code injection
russian government
trinper backdoor
Published: December 3, 2024
Downloadable IOCs: 11

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Malware Spotlight: A Deep-Dive Analysis of WezRat

Check Point Research provides a comprehensive analysis of WezRat, a custom modular infostealer attributed to the Iranian cyber group Emennet Pasargad. The malware has been active for over a year, targeting organizations in multiple countries. WezRat's capabilities include executing commands, taking…
backdoor
espionage
phishing
infostealer
iran
modular
2024-11-14
wezrat
c&c
Published: November 14, 2024
Downloadable IOCs: 0

Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity

Check Point Research has been tracking ongoing activity of the WIRTE threat actor, associated with Hamas, despite the ongoing conflict in the region. The group continues to target entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia for espionage. WIRTE has expanded its oper…
apt
espionage
phishing
wiper
cyber-espionage
2024-11-12
middle east
ironwind
hamas
havoc demon
samecoin
Published: November 12, 2024
Downloadable IOCs: 90

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT

APT36, also known as Transparent Tribe, is a Pakistan-based threat actor targeting Indian government and military entities. Their campaigns utilize ElizaRAT, a Windows Remote Access Tool that has evolved to enhance evasion techniques and C2 communication. Recent campaigns employ cloud services like…
espionage
rat
stealer
transparent tribe
apt36
cloud services
2024-11-04
apolostealer
Published: November 4, 2024
Downloadable IOCs: 23

Rat King: How the Android Trojan CraxsRAT Steals User Data

CraxsRAT, an Android trojan, has been targeting Russian and Belarusian users since summer 2024. It masquerades as legitimate apps like government services, antivirus software, and telecom operators. The malware spreads through social engineering tactics, prompting users to download malicious APK fi…
espionage
social engineering
android
data theft
trojan
financial fraud
remote access
craxsrat
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 0

Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives

A Russian hybrid espionage and influence operation, dubbed UNC5812, targets potential Ukrainian military recruits through a Telegram persona called 'Civil Defense'. The campaign delivers Windows and Android malware, including SUNSPINNER, PURESTEALER, and CRAXSRAT, while simultaneously spreading ant…
espionage
ukraine
influence
telegram
russian
recruitment
2024-10-28
military
pronsis loader
sunspinner
craxsrat
purestealer
Published: October 28, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 3

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

The United States has experienced a significant increase in cyber attacks from June to October 2024, with over 800 organizations affected by ransomware across various sectors. Play, RansomHub, Lockbit, Qilin, and Meow have emerged as the most active ransomware groups. Notable incidents include the …
espionage
ransomware
lockbit
hacktivism
ransomhub
qilin
data breach
2024-10-10
rhysida
critical infrastructure
united states
Published: October 10, 2024
Downloadable IOCs: 0

Kimsuky: A Gift That Keeps on Giving

This analysis details a sophisticated cyber attack attributed to the North Korean-linked Kimsuky APT group. The attack begins with an LNK file, leading to the execution of obfuscated VBS scripts. These scripts create scheduled tasks, modify registry keys for persistence, and establish communication…
espionage
north korea
kimsuky
2024-09-20
Published: September 20, 2024
Downloadable IOCs: 2

Threat Assessment: North Korean Threat Groups

This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
malware
espionage
cybercrime
northkorea
rats
comebacker
rustbucket
kandykorn
2024-09-10
collectionrat
fullhouse
poolrat
odicloader
objcshellz
pondrat
smoothoperator
Published: September 10, 2024
Downloadable IOCs: 58

The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'

Proofpoint researchers uncovered an unusual campaign delivering custom malware named "Voldemort". The activity impersonated tax authorities from various countries and targeted dozens of organizations worldwide. The attack chain combines popular and uncommon techniques, including using Google Sheets…
apt
espionage
cobalt strike
2024-09-02
tax authorities
voldemort
Published: September 2, 2024
Downloadable IOCs: 27

GreenCharlie Infrastructure Linked to US Political Campaign Targeting

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…
malware
apt
espionage
phishing
iran
2024-08-21
powerstar
gorble
Published: August 21, 2024
Downloadable IOCs: 111

Strike Ready: Introducing the Bitter APT Group

The report provides an in-depth analysis of the Bitter APT Group, a threat actor primarily focusing on cyber espionage activities in South Asia. It details the group's tactics, techniques, and procedures, including their ability to bypass security technologies by leveraging obscure file formats and…
espionage
persistence
infostealers
backdoors
2024-08-19
olmapi32.dll
scm.exe
stom.jpg
sparrow.jpg
schs.exe
orpcbackdoor
figlio.exe
sstn.exe
payloads
searchapp.jpg
Published: August 19, 2024
Downloadable IOCs: 82

A Dive into Latest Campaign

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
backdoor
loader
apt
espionage
cobalt strike
cybercrime
godzilla
stealthvector
2024-08-09
stealthreacher
megacmd
sneakcross
tailscale
rakshasa
Published: August 9, 2024
Downloadable IOCs: 30

APT Group Kimsuky Targets University Researchers

A report detailing an ongoing cyberattack campaign by the North Korean APT group Kimsuky, which is targeting university staff, researchers, and professors to conduct espionage and gather intelligence for the North Korean government. The group employs phishing tactics, compromised infrastructure, an…
apt
espionage
phishing
north korea
2024-08-09
universities
Published: August 9, 2024
Downloadable IOCs: 24

Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
espionage
botnet
cybercrime
proxy
2024-08-07
routers
ngioweb
sshdoor
Published: August 7, 2024
Downloadable IOCs: 64

Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic

Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
backdoor
espionage
exfiltration
cloud
2024-08-07
gogra
moontag
api
trojan.grager
onedrivetools
whipweave
Published: August 7, 2024
Downloadable IOCs: 20

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

In recent times, there has been a notable rise in the exploitation of legitimate cloud services by threat actors, including nation-state groups. Attackers have realized the potential of these services to provide low-cost infrastructure, evading detection as communication to trusted platforms may no…
espionage
cloud
graphite
graphon
birdyclient
2024-08-07
gogra
grager
moontag
Published: August 7, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2024-21893
Downloadable IOCs: 20

North Korean Hacking Groups Stealing Construction and Machinery Sector Technologies: A Warning

South Korea's cybersecurity community, consisting of the National Intelligence Service, Prosecution Service, Police Agency, Defense Security Command, and Cyber Command, among others, warns of the risks posed by North Korean hacking groups' cyber attacks targeting the domestic construction and machi…
espionage
north korea
2024-08-06
trollagent
construction
cyber attack
machinery
dorarat
Published: August 6, 2024
Downloadable IOCs: 16

Fighting Ursa Luring Targets With Car for Sale

This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
malware
backdoor
espionage
phishing
russia
headlace
2024-08-05
diplomats
Published: August 5, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 6

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
backdoor
espionage
exfiltration
persistence
lateral movement
2024-08-02
bitsloth
Published: August 2, 2024
Downloadable IOCs: 8

Analysis of Golang Payload and Information Theft Campaign

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…
malware
apt
espionage
pakistan
exfiltration
golang
2024-07-30
quasar
client.exe
winver.exe
Published: July 30, 2024
Downloadable IOCs: 8

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47

Umbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India

This report examines the convergence of tactics employed by Pakistani cyber threat groups, including Transparent Tribe, SideCopy, and RusticWeb, targeting Indian government entities and critical infrastructure. It uncovers overlaps in their infrastructure, tactics, and payloads, suggesting coordina…
apt
espionage
crimson rat
pakistan
action rat
reverse rat
india
disgomoji
2024-07-29
poseidon
geta rat
Published: July 29, 2024
Downloadable IOCs: 89

Array of malware used to gather intelligence for North Korea

Microsoft Threat Intelligence analyzes the activities of the North Korean threat actor Onyx Sleet, which conducts cyber espionage operations primarily targeting military, defense, and technology industries. The report covers Onyx Sleet's affiliations with other North Korean threat groups, its targe…
espionage
north korea
CVE-2021-44228
sliver
smalltiger
2024-07-29
dtrack
CVE-2023-27350
tigerrat
CVE-2023-42793
lighthand
validalpha
Published: July 29, 2024
Linked vulnerabilities : CVE-2023-42793, CVE-2021-44228, CVE-2023-46604, CVE-2023-22515, CVE-2023-27350
Downloadable IOCs: 24

New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns

An Iranian threat group known as MuddyWater, affiliated with the Ministry of Intelligence and Security, has significantly intensified its operations targeting Israel, Saudi Arabia, Turkey, Azerbaijan, India, and Portugal in recent months. The group consistently utilizes phishing campaigns originati…
espionage
muddywater
2024-07-15
bugsleep
Published: July 15, 2024
Downloadable IOCs: 50

We're not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

While cryptocurrency and blockchain have lost mainstream attention, cybercriminals continue to exploit these technologies through various scams like memecoins, rug pulls, and unregulated social media platforms. This report also highlights the SneakyChef threat actor's ongoing campaign targeting gov…
espionage
cryptocurrency
sugargh0st
spicerat
2024-06-28
Published: June 28, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 4

espionage group targets government agencies with and more infection techniques

A recently discovered threat actor, dubbed 'SneakyChef,' has been conducting an ongoing espionage campaign targeting government agencies across different regions, primarily utilizing the SugarGh0st malware. The group employs decoy documents impersonating government entities and infects victims thro…
apt
espionage
rat
phishing
government
sugargh0st
2024-06-24
spicerat
Published: June 24, 2024
Downloadable IOCs: 148

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Linked vulnerabilities : CVE-2023-20867, CVE-2022-41328, CVE-2022-22948, CVE-2023-34048, CVE-2022-42475
Downloadable IOCs: 39

North Korean based backdoor packs a punch

This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
backdoor
espionage
defense
northkorea
2024-06-21
nikigo
aerospace
nikihttp
Published: June 21, 2024
Downloadable IOCs: 20

Sustained Campaign Using Chinese Espionage Tools Targets Telcos

Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
backdoor
espionage
credential theft
keylogger
2024-06-20
coolclient
quickheal
rainyday
telecommunications
responder
Published: June 20, 2024
Downloadable IOCs: 47

DISGOMOJI Malware Used to Target Indian Government

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847
Published: June 18, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2022-0847
Downloadable IOCs: 149

Operation Celestial Force employs mobile and desktop malware to target Indian entities

Cisco Talos is disclosing a new malware campaign called 'Operation Celestial Force' conducted by a Pakistani nexus of threat actors called 'Cosmic Leopard'. This multi-year operation has been targeting Indian entities and individuals since at least 2018, employing the use of GravityRAT (an Android …
espionage
surveillance
2024-06-14
targeted attacks
gravityrat
heavylift
Published: June 14, 2024
Downloadable IOCs: 142

Arid Viper poisons Android apps with AridSpy

ESET researchers identified five campaigns targeting Android users with trojanized apps that deploy multistage Android spyware called AridSpy. This malware, attributed with medium confidence to the Arid Viper APT group, focuses on user data espionage. AridSpy downloads additional payloads from its …
espionage
android
exfiltration
spyware
2024-06-14
aridspy
Published: June 14, 2024
Downloadable IOCs: 37

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolvin…
malware
apt
espionage
2024-05-23
.net
dustyexfiltool
2024-05-24
unfading sea haze
silentgh0st
translucentgh0st
sharpjshandler
Published: May 24, 2024
Downloadable IOCs: 47

Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages

BlackBerry discovered the Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeting the Indian government, defense, and aerospace sectors. The group employed cross-platform programming languages, open-source tools, and abused web services for command-and-control and exfil…
apt
espionage
2024-05-24
transparent tribe
Published: May 24, 2024
Downloadable IOCs: 97

Sharp Dragon Expands Towards Africa and The Caribbean

Check Point Research has observed a significant shift in the activities and lures of Sharp Dragon, a Chinese threat actor, now targeting governmental organizations in Africa and the Caribbean. This expansion aligns with Sharp Dragon's known tactics of compromising email accounts to spread weaponize…
espionage
cobalt strike beacon
government
cyber
2024-05-23
CVE-2023-0669
expansion
caribbean
targeting
africa
Published: May 23, 2024
Linked vulnerabilities : CVE-2023-0669
Downloadable IOCs: 38

To the Moon and back(doors): Lunar landing in diplomatic missions

ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
backdoor
apt
espionage
steganography
2024-05-16
2024-05-11
diplomacy
lunarweb
lunarmail
Published: May 16, 2024
Downloadable IOCs: 12

New Pakistan-based Cyber Espionage Group’s Year-Long Campaign Targeting Indian Defense Forces with Android Malware

CYFIRMA researchers identified an Android malware campaign, active for over a year, targeting Indian defense personnel by an unidentified Pakistan-based cyber espionage group. The threat actor utilized Spynote or a modified version called Craxs Rat, obfuscating the app with high complexity. Through…
malware
espionage
android
pakistan
2024-05-03
2024-05-04
2024-05-05
2024-05-06
india
spynote
defense
craxs rat
Published: May 6, 2024
Downloadable IOCs: 3

Graph: Growing number of threats leveraging Microsoft API

An increasing number of cyber threats have adopted the use of the Microsoft Graph API to facilitate covert communications with command-and-control infrastructure hosted on Microsoft cloud services. This technique helps attackers blend in with legitimate traffic to cloud platforms and obtain infrast…
espionage
2024-05-03
graphican
ketrican
bs2005
graphite
bluelight
siestagraph
onedrivebirdyclient
graphon
birdyclient
Published: May 3, 2024
Downloadable IOCs: 10
Click here to see more Attack Reports