Tag: spear-phishing

67 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

The 'Artemis' campaign, conducted by APT37, utilizes malicious HWP documents with embedded OLE objects to initiate attacks. The threat actor impersonates legitimate entities to gain trust before delivering the payload. The attack chain combines HWP execution with DLL side-loading techniques to evad…
rokrat
south korea
steganography
dll side-loading
spear-phishing
ole
hwp
cloud infrastructure
2025-12-22
Published: December 22, 2025
Downloadable IOCs: 0

BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

A spear phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism was discovered in September 2025. The attack, attributed to BlindEagle, utilized a compromised email account within the organization to bypass security controls. The campaign emplo…
powershell
dcrat
discord
spear phishing
2025-12-17
Published: December 17, 2025
Downloadable IOCs: 24

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant d…
process injection
c2 communication
spear-phishing
adaptixc2
2025-12-03
employee bonus lure
duperunner
russian corporate
Published: December 3, 2025
Downloadable IOCs: 12

Operation Hanoi Thief: Vietnam APT

A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVES…
vietnam
spear-phishing
information-stealer
dll-sideloading
2025-11-28
it-professionals
lotusharvest
browser-credentials
recruiters
Published: November 28, 2025
Downloadable IOCs: 4

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…
phishing
north korea
babyshark
powershell
credential theft
keylogging
data exfiltration
spear-phishing
browser credentials
kimjongrat
2025-11-24
pe executable
Published: November 24, 2025
Downloadable IOCs: 9

State-Sponsored Remote Wipe Tactics Targeting Android Devices

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They co…
apt
rat
social engineering
android
remcosrat
quasarrat
spear-phishing
2025-11-10
rftrat
find hub
remote wipe
lilithrat
kakaotalk
endrat
google account
Published: November 10, 2025
Downloadable IOCs: 10

Lazarus Group targets Aerospace and Defense with new Comebacker variant

This analysis details a recent espionage campaign by the DPRK-nexus threat actor Lazarus Group targeting the aerospace and defense sectors. The campaign employs a new variant of the Comebacker backdoor, showcasing the actor's ongoing refinement of their malware arsenal. The attackers use highly spe…
backdoor
north korea
defense
aerospace
comebacker
dprk
c2 communication
spear phishing
decryption
2025-11-10
Published: November 10, 2025
Downloadable IOCs: 15

Update on Attacks by Threat Group APT-C-60

APT-C-60 continues to target Japan and East Asia with spear-phishing attacks impersonating job seekers. The attack flow has evolved, now directly attaching malicious VHDX files to emails. The malware, including Downloader1, Downloader2, and SpyGlace, has been updated with new features and communica…
rc4
github
spyglace
com hijacking
spear-phishing
recruitment
east asia
vhdx
2025-11-05
downloader1
downloader2
Published: November 5, 2025
Downloadable IOCs: 31

Eye of the Storm: Analyzing DarkCloud's Latest Capabilities

eSentire's Threat Response Unit detected a spear-phishing campaign targeting a manufacturing customer, attempting to deliver the DarkCloud information-stealing malware. The malware, distributed through a malicious zip archive, has undergone significant updates including a VB6 rewrite and enhanced e…
exfiltration
information stealer
evasion techniques
spear-phishing
darkcloud
2025-09-29
crypto-wallet targeting
vb6
Published: September 29, 2025
Downloadable IOCs: 0

Kimsuky Attack Disguised as Sex Offender Notification Information

In late July 2025, an organized APT attack using shortcut files was discovered, attributed to the North Korean Kimsuky group. The attackers distribute decoy zip files containing password-protected documents and a disguised shortcut file. When executed, it connects to a C2 server, downloads encrypte…
apt
north korea
data exfiltration
cryptocurrency theft
spear-phishing
anti-vm
2025-09-24
browser hijacking
Published: September 24, 2025
Downloadable IOCs: 7

Nimbus Manticore Deploys New Malware Targeting Europe

The Iranian threat actor Nimbus Manticore has expanded its operations, targeting defense, telecommunications, and aviation sectors in Western Europe. The group uses sophisticated spear-phishing techniques, impersonating HR recruiters to lure victims to fake career portals. Their toolset includes th…
obfuscation
apt
dll sideloading
telecommunications
spear-phishing
2025-09-22
Published: September 22, 2025
Downloadable IOCs: 81

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …
apt
rat
powershell
rokrat
south korea
xenorat
lnk files
spear phishing
cab files
2025-09-16
Published: September 16, 2025
Downloadable IOCs: 5

AI-Driven Deepfake Military ID Fraud Campaign

The Kimsuky APT group has launched a sophisticated spear-phishing campaign using AI-generated deepfake military ID cards to target South Korean defense institutions. The attack impersonates military employee ID issuance processes and exploits ChatGPT to create convincing fake ID images. The malware…
obfuscation
apt
south korea
ai
autoit
chatgpt
spear-phishing
military
deepfake
2025-09-15
Published: September 15, 2025
Downloadable IOCs: 21

Windows Targeted with Rust Backdoor and Python Loader

APT37, a North Korean threat actor, has been observed using new tactics and tools in recent campaigns. They have deployed a Rust-based backdoor named Rustonotto, alongside the existing PowerShell-based Chinotto malware and FadeStealer. The group utilizes Windows shortcut files and help files as ini…
surveillance
data exfiltration
spear phishing
code injection
2025-09-08
chinotto
fadestealer
rust backdoor
rustonotto
Published: September 8, 2025
Downloadable IOCs: 1

Operation BarrelFire: Targeting Kazakhstan Oil & Gas

A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025. The campaign focuses on KazMunaiGas employees, using spear-phishing emails with malicious attachments. The infection chain involves a ZIP file containing a malicious LNK file and decoy document, whi…
powershell
infrastructure
spear-phishing
kazakhstan
central asia
russian threat actor
dll injection
amsi bypass
oil and gas
2025-09-04
2025-09-05
downshell
Published: September 5, 2025
Downloadable IOCs: 14

Malicious Campaign Targeting Diplomatic Assets

An Iranian-aligned spear-phishing campaign masquerading as Omani Ministry of Foreign Affairs communications targeted global government entities. The operation used compromised mailboxes to distribute malicious Word documents containing VBA macros. When executed, these macros decoded and deployed a …
espionage
iran
diplomacy
vba macros
spear-phishing
oman mfa
2025-09-03
sysprocupdate
Published: September 3, 2025
Downloadable IOCs: 1

CTI Analysis: Malicious Email Campaign

An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Micros…
anti-analysis
reconnaissance
spear-phishing
2025-09-02
vba macro
diplomatic targets
iran-nexus
oman mfa
Published: September 2, 2025
Downloadable IOCs: 15

Sindoor Dropper: New Phishing Campaign

A sophisticated phishing campaign targeting Indian organizations has been uncovered, utilizing spear-phishing techniques reminiscent of Operation Sindoor. The campaign employs a Linux-focused infection method using weaponized .desktop files, a tactic previously associated with APT36. When executed,…
linux
obfuscation
phishing
meshagent
apt36
spear-phishing
2025-09-02
sindoor
Published: September 2, 2025
Downloadable IOCs: 14

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …
espionage
north korea
powershell
rokrat
south korea
data exfiltration
fileless
spear-phishing
cloud services
lnk files
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 0

Hunting Laundry Bear: Infrastructure Analysis Guide and Findings

This analysis explores the infrastructure of Laundry Bear, a Russian state-sponsored APT group active since April 2024, targeting NATO countries and Ukraine. The investigation expands on initial indicators, using advanced pivoting techniques to uncover additional domains and infrastructure. Key fin…
apt
infrastructure analysis
spear-phishing
russian threat actor
2025-08-29
domain typosquatting
ukraine targets
nato targets
Published: August 29, 2025
Downloadable IOCs: 0

TOATH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents

The TAOTH campaign leveraged an abandoned Sogou Zhuyin IME update server and spear-phishing operations to deliver multiple malware families, primarily targeting users across Eastern Asia. Attackers employed sophisticated infection chains, such as hijacked software updates and fake cloud storage or …
apt
reconnaissance
targeted attacks
information theft
spear-phishing
cobeacon
2025-08-28
merlin
sogou zhuyin
gtelam
desfy
c6door
eastern asia
toshis
taoth
Published: August 28, 2025
Downloadable IOCs: 23

APT36: Targets Indian BOSS Linux Systems with Weaponized AutoStart Files

APT36, a Pakistan-based threat actor, is conducting a cyber-espionage campaign against Indian Government entities, targeting BOSS Linux systems with weaponized .desktop files. The group uses spear-phishing emails to deliver malicious payloads, exploiting the Linux environment to maintain persistent…
pakistan
persistence
india
government
spear-phishing
cyber-espionage
elf
boss linux
2025-08-23
.desktop files
Published: August 23, 2025
Downloadable IOCs: 0

Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates i…
allakore rat
financial fraud
credential theft
drive-by download
systembc
spear-phishing
geofencing
2025-08-21
mexico
Published: August 21, 2025
Downloadable IOCs: 0

APT MuddyWater Targets CFOs with Multi-Stage Phishing & NetBird Abuse

A sophisticated spear-phishing campaign, likely linked to APT MuddyWater, is targeting CFOs and finance executives across multiple continents. The attackers use Firebase-hosted phishing pages with custom CAPTCHA challenges, malicious VBS scripts, and multi-stage payload delivery to deploy NetBird, …
apt
remote-access
finance
spear-phishing
multi-stage
vbs
firebase
2025-08-21
ateraagent
cfo
netbird
Published: August 21, 2025
Downloadable IOCs: 0

July 2025 APT Attack Trends Report (South Korea)

The report analyzes Advanced Persistent Threat (APT) attacks in South Korea during July 2025. Spear phishing was the primary attack method, with LNK files being the most common vector. Two types of LNK-based attacks were identified: Type A, which uses compressed CAB files containing malicious scrip…
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
google drive
dropbox api
2025-08-19
Published: August 19, 2025
Downloadable IOCs: 0

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted an…
obfuscation
data theft
exfiltration
persistence
autoit
process hollowing
spear phishing
2025-07-30
vip keylogger
Published: July 30, 2025
Downloadable IOCs: 1

Targeted attacks leverage accounts on popular online platforms as C2 servers

A sophisticated cyberattack campaign targeted the Russian IT industry and other entities globally in late 2024. The attackers used social media profiles and popular websites to deliver payload information, bypassing detection methods. They employed spear phishing emails with malicious RAR archives,…
cobalt strike
cobalt strike beacon
shellcode
targeted attacks
social media
c2 communication
spear phishing
dll hijacking
2025-07-30
api obfuscation
Published: July 30, 2025
Downloadable IOCs: 2

Operation Cargotalon: Targeting Russian Aerospace Defense Using Eaglet Implant

UNG0901, a threat group targeting Russian aerospace and defense sectors, has been discovered conducting a spear-phishing campaign against the Voronezh Aircraft Production Association. The operation, dubbed 'CargoTalon', utilizes a custom DLL implant called EAGLET, which is disguised as a ZIP file c…
espionage
russia
defense
aerospace
spear-phishing
2025-07-24
dll implant
logistics
eaglet
head mare
Published: July 24, 2025
Downloadable IOCs: 16

June 2025 APT Attack Trends Report (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks targeting South Korea in June 2025. Spear phishing emerged as the primary attack vector, with LNK files being the most prevalent method, followed by an increase in HWP file-based attacks. The report details two types of spear phishing …
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
2025-07-16
hwp files
Published: July 16, 2025
Downloadable IOCs: 0

Applications of Snake Keylogger in Geopolitics: Abuse of Trusted Java Utilities in Cybercriminal Activities

A new phishing campaign using Snake Keylogger, a Russian-origin stealer, has been discovered targeting various victims including corporations, governments, and individuals. The campaign uses spear-phishing emails offering petroleum products, with malicious attachments exploiting the legitimate jsad…
credential theft
dll sideloading
java
keylogger
geopolitical
maas
snake keylogger
spear-phishing
2025-07-06
petroleum
Published: July 6, 2025
Downloadable IOCs: 0

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extensi…
social engineering
powershell
clickfix
quasarrat
spear-phishing
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 40

Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations

The cyber-espionage group UAC-0226 has significantly evolved its GIFTEDCROOK malware from a basic browser data stealer to a robust intelligence-gathering tool. Three versions were identified between April-June 2025, with the latest iterations capable of exfiltrating a wide range of sensitive docume…
ukraine
data exfiltration
telegram
geopolitical
spear-phishing
cyber-espionage
2025-06-27
giftedcrook
Published: June 27, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3)
Downloadable IOCs: 11

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and downl…
obfuscation
apt
south korea
lnk files
spear phishing
decoy documents
task scheduler
2025-06-18
python scripts
Published: June 18, 2025
Downloadable IOCs: 7

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate prog…
privilege-escalation
ransomware-as-a-service
spear-phishing
2025-06-13
file-wiping
anubis
ecies-encryption
sphinx
Published: June 13, 2025
Downloadable IOCs: 0

APT 41: Threat Intelligence Report and Malware Analysis

APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. They target various sectors globally, including healthcare, telecom, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control on a Taiwanes…
state-sponsored
china
cyberespionage
spear-phishing
google calendar
plusdrop
2025-06-10
plusinject
Published: June 10, 2025
Downloadable IOCs: 10

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services a…
north korea
rokrat
south korea
lnk files
spear phishing
CVE-2022-41128
national security
2025-06-06
fileless attacks
cloud c2
Published: June 6, 2025
Downloadable IOCs: 1

Operation Sindoor – Anatomy of a Digital Siege

Operation Sindoor, a coordinated cyber campaign targeting critical Indian sectors, involved state-sponsored APT activity and hacktivist operations. The campaign utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, deployed advanced…
apt
crimson rat
ares rat
ddos
cyber espionage
hacktivism
data exfiltration
spear phishing
operation sindoor
2025-06-04
hybrid warfare
website defacement
Published: June 4, 2025
Downloadable IOCs: 0

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard, a newly identified Russia-affiliated threat actor, has been conducting global cyberespionage operations since April 2024. Their primary targets are organizations in critical sectors, particularly in NATO member states and Ukraine, including government, defense, transportation, media,…
ukraine
cyberespionage
nato
spear phishing
evilginx
critical sectors
CVE-2025-27920
2025-05-27
azurehound
stolen credentials
russia-affiliated
cloud abuse
Published: May 27, 2025
Downloadable IOCs: 3

Operation Sindoor: Anatomy of a High-Stakes Cyber Siege

Operation Sindoor, a coordinated cyber campaign targeting India's critical sectors, involved state-sponsored APT activity and hacktivist operations. The attack utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, employed advanced …
crimson rat
pakistan
ares rat
ddos
cyber espionage
india
hacktivism
apt36
spear phishing
2025-05-23
operation sindoor
Published: May 23, 2025
Downloadable IOCs: 8

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal cre…
backdoor
evasion
javascript
spear-phishing
more_eggs
lnk files
2025-05-03
polymorphism
Published: May 3, 2025
Downloadable IOCs: 3

Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key u…
espionage
spear-phishing
apt10
2025-05-01
sharphide
anel backdoor
Published: May 1, 2025
Downloadable IOCs: 36

Uyghur Diaspora Group Targeted with Remote Surveillance Malware

Senior members of the World Uyghur Congress (WUC) were targeted by a sophisticated spear phishing campaign aimed at deploying surveillance malware. The attack, discovered in March 2025, involved a trojanized version of a legitimate Uyghur language text editor. The malware enabled remote surveillanc…
surveillance
remote access
spear phishing
2025-04-28
uyghur
trojanized application
uyghureditpp backdoor
Published: April 28, 2025
Downloadable IOCs: 0

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files
Published: April 10, 2025
Downloadable IOCs: 0

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 38

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…
phishing
social engineering
russia
microsoft 365
spear-phishing
oauth
2025-02-14
device code authentication
Published: February 14, 2025
Downloadable IOCs: 0

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chai…
ransomware
india
spear-phishing
pyinstaller
2025-02-12
job offer
tech sector
discord bot
xelera
memz
Published: February 12, 2025
Downloadable IOCs: 4

Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. T…
powershell
rokrat
spear-phishing
2025-02-05
pcloud
ole
file-less
hwp
k messenger
Published: February 5, 2025
Downloadable IOCs: 0

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rog…
data exfiltration
spear-phishing
apt29
midnight blizzard
2024-12-17
python remote desktop protocol mitm tool (pyrdp)
roguerdp
tor exit nodes
Published: December 17, 2024
Downloadable IOCs: 421

Analysis report on recent phishing attacks by APT-C-48 (CNC)

APT-C-48 (CNC), a South Asian government-backed APT group, has been targeting government, military, education, research, healthcare, and media sectors. They use spear-phishing emails with resume-related topics to deliver malicious payloads. The group modifies executable file icons to resemble PDF f…
spear-phishing
anti-vm
2024-12-03
anti-debugging
apt-c-48
Published: December 3, 2024
Downloadable IOCs: 5

Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024

A spear-phishing campaign targeting Japan since June 2024 has been identified, featuring the reemergence of the ANEL backdoor, previously used by APT10 until 2018. The campaign, attributed to Earth Kasha, targets individuals in political organizations, research institutions, and international relat…
backdoor
noopdoor
spear-phishing
apt10
uac bypass
2024-11-27
japan
roamingmouse
anelldr
uppercut
anel
Published: November 27, 2024
Downloadable IOCs: 6

New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

The New OceanLotus group has reactivated after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack utilizes a legitimate Microsoft installation …
shellcode
dll side-loading
spear-phishing
2024-11-06
rust trojan
governmental targets
tromas
mst files
apt-q-31
msi abuse
Published: November 6, 2024
Downloadable IOCs: 0

Analysis of Cyber Reconnaissance Activities Behind APT37 Threats

The report analyzes the covert cyber reconnaissance activities of the state-sponsored APT37 group targeting South Korea. The group uses spear-phishing emails with malicious LNK files to deploy the RoKRAT malware, collecting sensitive information from victims' devices. The attackers employ various t…
north korea
rokrat
cyber espionage
reconnaissance
spear-phishing
lnk files
2024-11-06
web beacons
Published: November 6, 2024
Linked vulnerabilities : CVE-2022-41128
Downloadable IOCs: 20

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targeting Brazil With Astaroth Malware

Water Makara, a threat actor group, is targeting enterprises in Brazil with a spear phishing campaign using the Astaroth banking malware. The attackers employ obfuscated JavaScript to bypass security defenses, often impersonating official tax documents to trick users. The campaign primarily affects…
brazil
lnk files
2024-10-15
astaroth
spear phishing
domain generation algorithm
tax documents
obfuscated javascript
banking malware
Published: October 15, 2024
Downloadable IOCs: 0

Threat actors use ChatGPT to write malware

OpenAI has disrupted over 20 malicious cyber operations abusing ChatGPT for various purposes, including malware development and spear-phishing attacks. The company confirmed cases involving Chinese and Iranian threat actors. SweetSpecter, a Chinese group, targeted OpenAI employees with phishing ema…
social engineering
sugargh0st rat
reconnaissance
chatgpt
spear-phishing
2024-10-14
threat actors
cyber operations
openai
Published: October 14, 2024
Downloadable IOCs: 1

CHARMING KITTEN

Since June 2024, the Iran-nexus actor CHARMING KITTEN has been creating new network infrastructure for credential phishing, targeting individuals perceived as threats to the Iranian regime. The actor's infrastructure, known as Cluster B, uses domains with specific characteristics like similar TLDs,…
iran
infrastructure
domain registration
2024-10-04
spear-phishing
credential phishing
mint sandstorm
ta453
apt42
Published: October 4, 2024
Downloadable IOCs: 11

MDR in Action: Preventing The More_eggs Backdoor From Hatching

A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
backdoor
malware-as-a-service
2024-10-01
spear-phishing
skid
more_eggs
vision one
spicyomelette
terra loader
recruitment
golden chickens
mdr
Published: October 1, 2024
Downloadable IOCs: 10

Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a suspected China-based threat actor, targeted government organizations, telecommunication businesses, and the energy industry in multiple Asia-Pacific countries. The group employed sophisticated techniques, including spear-phishing emails and exploitation of a GeoServer vulnerability …
cobalt strike
geoserver
2024-09-20
spear-phishing
ripcoy
eagledoor
Published: September 20, 2024
Downloadable IOCs: 29
Click here to see more Attack Reports