Tag: south asia

8 Attack Reports | 0 Vulnerabilities

Attack reports

Tracking FileFix, Shadow Vector, and SideWinder

This intelligence report details collaborative research between Acronis Threat Research Unit and VirusTotal on three emerging cyber threats. FileFix, a variant of ClickFix, uses malicious websites to trick victims into running commands copied to their clipboard. Shadow Vector targets Colombian user…
yara
CVE-2017-0199
CVE-2017-11882
virustotal
clickfix
south asia
svg
colombia
filefix
2025-11-10
clipboard manipulation
shadow vector
document-based attacks
Published: November 10, 2025
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 16

Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia

APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware…
apt
phishing
government
credential harvesting
south asia
military
2025-10-06
Published: October 6, 2025
Downloadable IOCs: 0

Confucius Espionage: From Stealer to Backdoor

The Confucius group, a long-running cyber-espionage actor operating in South Asia, has evolved its tactics from document stealers to Python-based backdoors. Recent campaigns showcase the group's adaptability and growing sophistication, targeting government agencies, military organizations, and crit…
obfuscation
pakistan
south asia
lnk files
python backdoor
cyber-espionage
2025-10-03
anondoor
wooperstealer
Published: October 3, 2025
Downloadable IOCs: 0

Operation Sea Elephant: The Dying Walrus Wandering the Indian Ocean

The CNC group, with South Asian origins, has been targeting domestic teachers, students, and research institutions. Their operation, named 'sea elephant', aims to spy on scientific research achievements in the ocean field. The group employs various tactics, including spear-phishing emails, IM softw…
steganography
keylogging
south asia
usb propagation
file stealing
2025-04-10
sogou_pinyinupdater.exe
scientific espionage
tericerit.exe
srclogsys.exe
cachestore.exe
github api
konlinesetupupdate_xa.exe
ocean research
windowassistance.exe
huaweihisuiteservice64.exe
filecoauthx86.exe
aliyun_updater64.exe
youdaogui.exe
mscleanup64.exe
windowsfilters.exe
qaxreporter.exe
Published: April 10, 2025
Downloadable IOCs: 0

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 38

CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia

A sophisticated cyberespionage campaign targeting high-value entities in South Asia, particularly a telecommunications organization, has been identified. The threat actor, tracked as CL-STA-0048, employed rare techniques like 'Hex Staging' for payload delivery and DNS-based data exfiltration. The o…
apt
plugx
cobalt strike
south asia
2025-01-30
Published: January 30, 2025
Linked vulnerabilities : CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0)
Downloadable IOCs: 21

Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an Alternate Data Stream with PowerShell code. The infection process involved creating a scheduled task…
apt
espionage
rat
south asia
defense sector
scheduled tasks
2024-12-17
turkey
miyarat
wmrat
alternate data streams
Published: December 17, 2024
Downloadable IOCs: 0

Credential Phishing Pages Mimicking Legitimate Webmail Login Portals

Since August 2024, an India-linked threat actor has been targeting entities in China and South Asia using credential phishing pages that mimic legitimate webmail login portals. The campaign primarily focuses on government and defense sectors. The phishing domains share common characteristics, inclu…
china
government
2024-09-18
south asia
domain spoofing
credential phishing
Published: September 18, 2024
Downloadable IOCs: 20
Click here to see more Attack Reports