Tag: spear-phishing

35 Attack Reports | 0 Vulnerabilities

Attack reports

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extensi…
social engineering
powershell
clickfix
quasarrat
spear-phishing
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 40

Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations

The cyber-espionage group UAC-0226 has significantly evolved its GIFTEDCROOK malware from a basic browser data stealer to a robust intelligence-gathering tool. Three versions were identified between April-June 2025, with the latest iterations capable of exfiltrating a wide range of sensitive docume…
ukraine
data exfiltration
telegram
geopolitical
spear-phishing
cyber-espionage
2025-06-27
giftedcrook
Published: June 27, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3)
Downloadable IOCs: 11

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and downl…
obfuscation
apt
south korea
lnk files
spear phishing
decoy documents
task scheduler
2025-06-18
python scripts
Published: June 18, 2025
Downloadable IOCs: 7

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate prog…
privilege-escalation
ransomware-as-a-service
spear-phishing
2025-06-13
file-wiping
anubis
ecies-encryption
sphinx
Published: June 13, 2025
Downloadable IOCs: 0

APT 41: Threat Intelligence Report and Malware Analysis

APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. They target various sectors globally, including healthcare, telecom, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control on a Taiwanes…
state-sponsored
china
cyberespionage
spear-phishing
google calendar
plusdrop
2025-06-10
plusinject
Published: June 10, 2025
Downloadable IOCs: 10

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services a…
north korea
rokrat
south korea
lnk files
spear phishing
CVE-2022-41128
national security
2025-06-06
fileless attacks
cloud c2
Published: June 6, 2025
Downloadable IOCs: 1

Operation Sindoor – Anatomy of a Digital Siege

Operation Sindoor, a coordinated cyber campaign targeting critical Indian sectors, involved state-sponsored APT activity and hacktivist operations. The campaign utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, deployed advanced…
apt
crimson rat
ares rat
ddos
cyber espionage
hacktivism
data exfiltration
spear phishing
operation sindoor
2025-06-04
hybrid warfare
website defacement
Published: June 4, 2025
Downloadable IOCs: 0

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard, a newly identified Russia-affiliated threat actor, has been conducting global cyberespionage operations since April 2024. Their primary targets are organizations in critical sectors, particularly in NATO member states and Ukraine, including government, defense, transportation, media,…
ukraine
cyberespionage
nato
spear phishing
evilginx
critical sectors
CVE-2025-27920
2025-05-27
azurehound
stolen credentials
russia-affiliated
cloud abuse
Published: May 27, 2025
Downloadable IOCs: 3

Operation Sindoor: Anatomy of a High-Stakes Cyber Siege

Operation Sindoor, a coordinated cyber campaign targeting India's critical sectors, involved state-sponsored APT activity and hacktivist operations. The attack utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, employed advanced …
crimson rat
pakistan
ares rat
ddos
cyber espionage
india
hacktivism
apt36
spear phishing
2025-05-23
operation sindoor
Published: May 23, 2025
Downloadable IOCs: 8

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal cre…
backdoor
evasion
javascript
spear-phishing
more_eggs
lnk files
2025-05-03
polymorphism
Published: May 3, 2025
Downloadable IOCs: 3

Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key u…
espionage
spear-phishing
apt10
2025-05-01
sharphide
anel backdoor
Published: May 1, 2025
Downloadable IOCs: 36

Uyghur Diaspora Group Targeted with Remote Surveillance Malware

Senior members of the World Uyghur Congress (WUC) were targeted by a sophisticated spear phishing campaign aimed at deploying surveillance malware. The attack, discovered in March 2025, involved a trojanized version of a legitimate Uyghur language text editor. The malware enabled remote surveillanc…
surveillance
remote access
spear phishing
2025-04-28
uyghur
trojanized application
uyghureditpp backdoor
Published: April 28, 2025
Downloadable IOCs: 0

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files
Published: April 10, 2025
Downloadable IOCs: 0

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 38

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…
phishing
social engineering
russia
microsoft 365
spear-phishing
oauth
2025-02-14
device code authentication
Published: February 14, 2025
Downloadable IOCs: 0

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chai…
ransomware
india
spear-phishing
pyinstaller
2025-02-12
job offer
tech sector
discord bot
xelera
memz
Published: February 12, 2025
Downloadable IOCs: 4

Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. T…
powershell
rokrat
spear-phishing
2025-02-05
pcloud
ole
file-less
hwp
k messenger
Published: February 5, 2025
Downloadable IOCs: 0

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rog…
data exfiltration
spear-phishing
apt29
midnight blizzard
2024-12-17
python remote desktop protocol mitm tool (pyrdp)
roguerdp
tor exit nodes
Published: December 17, 2024
Downloadable IOCs: 421

Analysis report on recent phishing attacks by APT-C-48 (CNC)

APT-C-48 (CNC), a South Asian government-backed APT group, has been targeting government, military, education, research, healthcare, and media sectors. They use spear-phishing emails with resume-related topics to deliver malicious payloads. The group modifies executable file icons to resemble PDF f…
spear-phishing
anti-vm
2024-12-03
anti-debugging
apt-c-48
Published: December 3, 2024
Downloadable IOCs: 5

Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024

A spear-phishing campaign targeting Japan since June 2024 has been identified, featuring the reemergence of the ANEL backdoor, previously used by APT10 until 2018. The campaign, attributed to Earth Kasha, targets individuals in political organizations, research institutions, and international relat…
backdoor
noopdoor
spear-phishing
apt10
uac bypass
2024-11-27
japan
roamingmouse
anelldr
uppercut
anel
Published: November 27, 2024
Downloadable IOCs: 6

New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

The New OceanLotus group has reactivated after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack utilizes a legitimate Microsoft installation …
shellcode
dll side-loading
spear-phishing
2024-11-06
rust trojan
governmental targets
tromas
mst files
apt-q-31
msi abuse
Published: November 6, 2024
Downloadable IOCs: 0

Analysis of Cyber Reconnaissance Activities Behind APT37 Threats

The report analyzes the covert cyber reconnaissance activities of the state-sponsored APT37 group targeting South Korea. The group uses spear-phishing emails with malicious LNK files to deploy the RoKRAT malware, collecting sensitive information from victims' devices. The attackers employ various t…
north korea
rokrat
cyber espionage
reconnaissance
spear-phishing
lnk files
2024-11-06
web beacons
Published: November 6, 2024
Linked vulnerabilities : CVE-2022-41128
Downloadable IOCs: 20

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targeting Brazil With Astaroth Malware

Water Makara, a threat actor group, is targeting enterprises in Brazil with a spear phishing campaign using the Astaroth banking malware. The attackers employ obfuscated JavaScript to bypass security defenses, often impersonating official tax documents to trick users. The campaign primarily affects…
brazil
lnk files
2024-10-15
astaroth
spear phishing
domain generation algorithm
tax documents
obfuscated javascript
banking malware
Published: October 15, 2024
Downloadable IOCs: 0

Threat actors use ChatGPT to write malware

OpenAI has disrupted over 20 malicious cyber operations abusing ChatGPT for various purposes, including malware development and spear-phishing attacks. The company confirmed cases involving Chinese and Iranian threat actors. SweetSpecter, a Chinese group, targeted OpenAI employees with phishing ema…
social engineering
sugargh0st rat
reconnaissance
chatgpt
spear-phishing
2024-10-14
threat actors
cyber operations
openai
Published: October 14, 2024
Downloadable IOCs: 1

CHARMING KITTEN

Since June 2024, the Iran-nexus actor CHARMING KITTEN has been creating new network infrastructure for credential phishing, targeting individuals perceived as threats to the Iranian regime. The actor's infrastructure, known as Cluster B, uses domains with specific characteristics like similar TLDs,…
iran
infrastructure
domain registration
2024-10-04
spear-phishing
credential phishing
mint sandstorm
ta453
apt42
Published: October 4, 2024
Downloadable IOCs: 11

MDR in Action: Preventing The More_eggs Backdoor From Hatching

A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
backdoor
malware-as-a-service
2024-10-01
spear-phishing
skid
more_eggs
vision one
spicyomelette
terra loader
recruitment
golden chickens
mdr
Published: October 1, 2024
Downloadable IOCs: 10

Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a suspected China-based threat actor, targeted government organizations, telecommunication businesses, and the energy industry in multiple Asia-Pacific countries. The group employed sophisticated techniques, including spear-phishing emails and exploitation of a GeoServer vulnerability …
cobalt strike
geoserver
2024-09-20
spear-phishing
ripcoy
eagledoor
Published: September 20, 2024
Downloadable IOCs: 29
Click here to see more Attack Reports