Tag: spear-phishing

19 Attack Reports | 0 Vulnerabilities

Attack reports

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Downloadable IOCs: 38

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Russian threat actors are conducting social-engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method has proven more effective than traditional techniques. Campaigns have targeted organizations with politically-themed lures…
phishing
social engineering
russia
microsoft 365
spear-phishing
oauth
2025-02-14
device code authentication
Published: February 14, 2025
Downloadable IOCs: 0

XELERA Ransomware Campaign: Fake Food Corporation of India Job Offers Targeting Tech Aspirants

A newly discovered ransomware campaign is targeting tech job aspirants in India using fake Food Corporation of India job offers. The XELERA ransomware, written in Python and packed with PyInstaller, is distributed through spear-phishing emails containing malicious Word documents. The infection chai…
ransomware
india
spear-phishing
pyinstaller
2025-02-12
job offer
tech sector
discord bot
xelera
memz
Published: February 12, 2025
Downloadable IOCs: 4

Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. T…
powershell
rokrat
spear-phishing
2025-02-05
pcloud
ole
file-less
hwp
k messenger
Published: February 5, 2025
Downloadable IOCs: 0

CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

A zero-day vulnerability in 7-Zip (CVE-2025-0411) was exploited by Russian cybercrime groups to target Ukrainian organizations. The vulnerability allows bypassing Windows Mark-of-the-Web protections through double archiving, enabling execution of malicious content. The campaign involved spear-phish…
zero-day
cyberespionage
smokeloader
spear-phishing
CVE-2025-0411
2025-02-04
7-zip
homoglyph attacks
mark-of-the-web bypass
Published: February 4, 2025
Downloadable IOCs: 0

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rog…
data exfiltration
spear-phishing
apt29
midnight blizzard
2024-12-17
python remote desktop protocol mitm tool (pyrdp)
roguerdp
tor exit nodes
Published: December 17, 2024
Downloadable IOCs: 421

Analysis report on recent phishing attacks by APT-C-48 (CNC)

APT-C-48 (CNC), a South Asian government-backed APT group, has been targeting government, military, education, research, healthcare, and media sectors. They use spear-phishing emails with resume-related topics to deliver malicious payloads. The group modifies executable file icons to resemble PDF f…
spear-phishing
anti-vm
2024-12-03
anti-debugging
apt-c-48
Published: December 3, 2024
Downloadable IOCs: 5

Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024

A spear-phishing campaign targeting Japan since June 2024 has been identified, featuring the reemergence of the ANEL backdoor, previously used by APT10 until 2018. The campaign, attributed to Earth Kasha, targets individuals in political organizations, research institutions, and international relat…
backdoor
noopdoor
spear-phishing
apt10
uac bypass
2024-11-27
japan
roamingmouse
anelldr
uppercut
anel
Published: November 27, 2024
Downloadable IOCs: 6

New Trend in MSI File Abuse: New Use of MST Files to Deliver Tromas

The New OceanLotus group has reactivated after a year, employing a novel tactic of MSI file misuse. This APT campaign, targeting a domestic governmental enterprise, marks the first observed use of the MSI TRANSFORMS technique by an APT group. The attack utilizes a legitimate Microsoft installation …
shellcode
dll side-loading
spear-phishing
2024-11-06
rust trojan
governmental targets
tromas
mst files
apt-q-31
msi abuse
Published: November 6, 2024
Downloadable IOCs: 0

Analysis of Cyber Reconnaissance Activities Behind APT37 Threats

The report analyzes the covert cyber reconnaissance activities of the state-sponsored APT37 group targeting South Korea. The group uses spear-phishing emails with malicious LNK files to deploy the RoKRAT malware, collecting sensitive information from victims' devices. The attackers employ various t…
north korea
rokrat
cyber espionage
reconnaissance
spear-phishing
lnk files
2024-11-06
web beacons
Published: November 6, 2024
Downloadable IOCs: 20

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Downloadable IOCs: 158

Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targeting Brazil With Astaroth Malware

Water Makara, a threat actor group, is targeting enterprises in Brazil with a spear phishing campaign using the Astaroth banking malware. The attackers employ obfuscated JavaScript to bypass security defenses, often impersonating official tax documents to trick users. The campaign primarily affects…
brazil
lnk files
2024-10-15
astaroth
spear phishing
domain generation algorithm
tax documents
obfuscated javascript
banking malware
Published: October 15, 2024
Downloadable IOCs: 0

Threat actors use ChatGPT to write malware

OpenAI has disrupted over 20 malicious cyber operations abusing ChatGPT for various purposes, including malware development and spear-phishing attacks. The company confirmed cases involving Chinese and Iranian threat actors. SweetSpecter, a Chinese group, targeted OpenAI employees with phishing ema…
social engineering
sugargh0st rat
reconnaissance
chatgpt
spear-phishing
2024-10-14
threat actors
cyber operations
openai
Published: October 14, 2024
Downloadable IOCs: 1

CHARMING KITTEN

Since June 2024, the Iran-nexus actor CHARMING KITTEN has been creating new network infrastructure for credential phishing, targeting individuals perceived as threats to the Iranian regime. The actor's infrastructure, known as Cluster B, uses domains with specific characteristics like similar TLDs,…
iran
infrastructure
domain registration
2024-10-04
spear-phishing
credential phishing
mint sandstorm
ta453
apt42
Published: October 4, 2024
Downloadable IOCs: 11

MDR in Action: Preventing The More_eggs Backdoor From Hatching

A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
backdoor
malware-as-a-service
2024-10-01
spear-phishing
skid
more_eggs
vision one
spicyomelette
terra loader
recruitment
golden chickens
mdr
Published: October 1, 2024
Downloadable IOCs: 10

Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a suspected China-based threat actor, targeted government organizations, telecommunication businesses, and the energy industry in multiple Asia-Pacific countries. The group employed sophisticated techniques, including spear-phishing emails and exploitation of a GeoServer vulnerability …
cobalt strike
geoserver
2024-09-20
spear-phishing
ripcoy
eagledoor
Published: September 20, 2024
Downloadable IOCs: 29
Click here to see more Attack Reports