Campaigns

Come, study threat actor campaigns through our eyes!

Campaigns is a unified digest of information on threat actor campaigns that you can use to improve your security. Each campaign includes IOCs, domains, reports, tweets and news about the threat actor's operation. Having that much information in one place not only improves security but also makes you aware of your own threat landscape. To reach the most recent campaigns, we suggest you sign up for free access!

Chameleon Unleashed: The Silent Predator of Mobile Banking

ChameleonTrojan
AndroidMalware
BankingTrojan

The Chameleon banking trojan, which initially targeted general Android users, has evolved to impersonate CRM applications in order to reach employees. It uses advanced tactics to infiltrate corporate environments and exploit them, posing significant risks to financial and personal data.

17 September 2024

PWA Phishing Attacks Targeting Mobile Banking: The Next Generation Cyber Threat

BankingFraud
PhishingAttacks
PWA

This campaign is a new kind of phishing attack built on Progressive Web Apps (PWAs): attackers deliver fake banking applications that harvest users' identity and login data. Because a PWA installs straight from the browser without going through an app store, the technique sidesteps store vetting, which makes these attacks more dangerous.

17 September 2024

SideWinder's Stealthy Strikes: Unveiling the New Threat to Mediterranean Maritime Security

SideWinderMaritimeCampaign
SideWinderCyberAttack
MediterraneanPortsSecurity

SideWinder, a cyber espionage group, is conducting a campaign targeting Mediterranean ports and maritime facilities with advanced techniques and new infrastructure, highlighting the growing threat to critical maritime infrastructure from state-sponsored cyber actors.

17 September 2024

Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign

Earth Baku
Public-Facing Applications
StealthVector

Earth Baku, an APT group linked to APT41, has expanded its operations beyond the Indo-Pacific to Europe, the Middle East, and Africa, including Italy, Germany, the UAE, and Qatar. The group's recent tactics involve exploiting public-facing applications, particularly IIS servers, for initial access, after which it deploys tools such as Cobalt Strike, Crosswalk, and Metasploit alongside its StealthVector loader. Its sophisticated and persistent methods pose a significant challenge to defenders, highlighting the need for robust defensive measures.

17 September 2024

SMS Stealer Unmasked: A Global Cyber Threat Infecting 113 Countries

SMS Stealer
Android Malware
Mobile Security

One-time passwords (OTPs) are a key defense for online accounts, and many enterprises depend on them to protect sensitive applications and data. Precisely because of that role, OTPs are highly sought after by cybercriminals. A global SMS Stealer campaign has emerged that uses mobile malware to intercept SMS-delivered OTPs on infected Android devices and exfiltrate them, with thousands of Telegram bots used to distribute the malware and relay the stolen codes, giving attackers a way into corporate accounts and networks.

17 September 2024

DNS Under Siege: The Covert Campaign Hijacking Thousands of Domains

SittingDucks
DomainHijacking
Phishing

The "Sitting Ducks" campaign exploits DNS misconfigurations, not bugs in DNS software, to hijack over 35,000 domains without ever touching the owner's registrar account. A domain is at risk when its name servers are delegated to a DNS provider that no longer hosts the zone (a lame delegation) and that provider lets anyone claim the zone without proving ownership: the attacker simply opens an account there, creates the zone and starts answering for the domain. Russian-linked cybercriminals have primarily used the hijacked domains for phishing, malware distribution, and data theft.

17 September 2024
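The two preconditions described in the Sitting Ducks entry above (a lame delegation plus a provider that hands out zones without verification) can be checked for your own domains. The following is an added example, not code from the page or from the researchers who reported the campaign. It replaces live DNS lookups with a constructed table so it runs offline; the domain names, name servers and the provider policy table are all assumptions, and the rule that a name server's provider is its parent domain is a simplification for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaReply:
    """What a name server said when asked directly for the zone's SOA record."""
    rcode: str            # NOERROR, REFUSED, SERVFAIL, NXDOMAIN
    authoritative: bool   # the AA flag in the response
    has_soa: bool         # an SOA record for the zone was in the answer


# Constructed data standing in for live DNS. A real check would fetch the NS
# set from the parent (TLD) zone and send a non-recursive SOA query to each.
PARENT_DELEGATION = {
    "example.com": ["ns1.hosting-a.example", "ns2.hosting-a.example"],
    "victim.org":  ["ns1.hosting-b.example", "ns2.hosting-b.example"],
    "healthy.net": ["ns1.hosting-a.example", "ns2.hosting-a.example"],
}

NAMESERVER_REPLIES = {
    ("ns1.hosting-a.example", "example.com"): SoaReply("NOERROR", True, True),
    ("ns2.hosting-a.example", "example.com"): SoaReply("NOERROR", True, True),
    # victim.org's hosting account lapsed: the servers still exist but no longer
    # carry the zone, so the delegation in the parent points at nothing (lame).
    ("ns1.hosting-b.example", "victim.org"): SoaReply("REFUSED", False, False),
    ("ns2.hosting-b.example", "victim.org"): SoaReply("REFUSED", False, False),
    ("ns1.hosting-a.example", "healthy.net"): SoaReply("NOERROR", True, True),
    ("ns2.hosting-a.example", "healthy.net"): SoaReply("SERVFAIL", False, False),
}

# Second precondition: does the provider let a new customer add a zone without
# proving control of the domain? Assumed policy table; unknown providers are
# treated as claimable so the check errs on the side of flagging.
CLAIMABLE_WITHOUT_VERIFICATION = {
    "hosting-a.example": False,
    "hosting-b.example": True,
}


def query_soa(nameserver: str, zone: str) -> SoaReply:
    """Offline stand-in for a direct (non-recursive) SOA query to one server."""
    return NAMESERVER_REPLIES.get((nameserver, zone), SoaReply("SERVFAIL", False, False))


def is_lame(reply: SoaReply) -> bool:
    # A healthy delegation target answers NOERROR, sets AA, and returns the SOA.
    return not (reply.rcode == "NOERROR" and reply.authoritative and reply.has_soa)


def provider_of(nameserver: str) -> str:
    # Assumption for the demo: the provider is the name server's parent domain.
    return nameserver.split(".", 1)[1]


def assess(domain: str, delegation=PARENT_DELEGATION, query=query_soa) -> str:
    """OK, LAME (broken but not claimable) or HIJACKABLE (lame at a claimable provider)."""
    lame_servers = [ns for ns in delegation[domain] if is_lame(query(ns, domain))]
    if not lame_servers:
        return "OK"
    if any(CLAIMABLE_WITHOUT_VERIFICATION.get(provider_of(ns), True) for ns in lame_servers):
        return "HIJACKABLE"
    return "LAME"


if __name__ == "__main__":
    for d in PARENT_DELEGATION:
        print(f"{d:12} {assess(d)}")
```

To run this against real domains, replace query_soa with a function that asks each delegated name server directly (no recursion) and keeps the rcode, AA flag and SOA presence; a REFUSED or SERVFAIL answer from a server the parent zone still lists is exactly the condition the campaign looks for.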

OneDrive Pastejacking: The Sneaky Phishing and Downloader Campaign

OneDrivePastejacking
PhishingAttack
DownloaderCampaign

OneDrive Pastejacking is a phishing and downloader campaign in which a fake OneDrive error page instructs the user to copy an attacker-supplied command and paste it into a Windows PowerShell or Run prompt "to fix" the problem. No software vulnerability is exploited: the victim runs the downloader themselves, and it then fetches further payloads. This puts sensitive data at risk because the resulting code runs with the user's own privileges.

17 September 2024

ShadowRoot Campaign: The Dark Wave of Cyber Attacks on Turkey's Business Sector

ShadowRoot
TurkishBusinesses
Phishing

The ShadowRoot ransomware campaign targets Turkish entities with phishing emails carrying malicious PDF attachments disguised as invoices and sent from a Russian email domain. The chain begins by downloading an executable from a compromised GitHub repository: a Delphi binary that conceals the ransomware payload, RootDesign.exe. The payload encrypts files, appending the ".shadowroot" extension, sends information about the victim to a Russian SMTP server, and tells victims to contact the attackers by email to negotiate the ransom.

25 July 2024

Espionage Extension: Kimsuky's TRANSLATEXT Infiltrates South Korean Academia

APT43
Kimsuky
TRANSLATEXT

Kimsuky, a North Korean cyber-espionage group, has deployed a malicious Chrome extension called TRANSLATEXT targeting South Korean academia. The extension is designed to steal sensitive information such as email addresses, passwords, and browser data. This campaign highlights Kimsuky's ongoing efforts to gather intelligence on political affairs related to North Korea.

25 July 2024

Cyberstorm Unleashed: The Exploitation of PHP Vulnerability to Deploy ShellBot

PHP Vulnerability
Shell Bot Malware
DDOS Botnet

CVE-2024-4577 (CVSS score: 9.8) is a critical argument-injection vulnerability in PHP on Windows that affects installations running PHP in CGI mode (php-cgi), particularly on systems using Chinese and Japanese language locales. Publicly disclosed in early June 2024, the flaw lets an attacker smuggle extra command-line arguments to php-cgi through the query string and so achieve remote code execution. As Akamai researchers explained, the root cause is Windows' "Best-Fit" conversion of Unicode characters to ASCII: a soft hyphen (U+00AD, sent as %AD) is mapped to an ordinary hyphen after PHP's escaping has already run, which bypasses the protection added for the older php-cgi argument-injection bug. The flaw has been exploited to deploy ShellBot and other DDoS botnet malware.

25 July 2024
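The soft-hyphen trick described in the CVE-2024-4577 entry above leaves a clear fingerprint in web server logs. The following detection logic is an added example, not code from the page or from Akamai; the Apache combined log lines are constructed, and the php-cgi paths in them are assumptions about the target's layout. It percent-decodes each request's query string to raw bytes (0xAD on its own is not valid UTF-8, so string decoding would hide it) and flags a raw soft hyphen immediately followed by a php-cgi option letter.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache "combined" log format. The lines below are constructed for this
# example; the php-cgi path is an assumption about the target's layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

SAMPLE_LOGS = [
    # exploitation attempt: %ADd becomes "-d" after Best-Fit mapping, twice
    '203.0.113.10 - - [10/Jun/2024:10:01:02 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.0"',
    # benign request
    '203.0.113.11 - - [10/Jun/2024:10:02:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # probe for the same bug: %ADs becomes "-s", which dumps the script source
    '203.0.113.12 - - [10/Jun/2024:10:03:02 +0000] "GET /cgi-bin/php-cgi.exe?%ADs HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    # benign: a UTF-8 encoded soft hyphen (%C2%AD) inside ordinary search text
    '203.0.113.13 - - [10/Jun/2024:10:04:02 +0000] "GET /search.php?q=%C2%ADdata HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# A raw 0xAD byte (the soft hyphen) directly followed by a php-cgi option
# letter is the fingerprint: Best-Fit turns it into -d, -s, -n, -h, -i, -v.
# The lookbehind is a heuristic that skips the UTF-8 encoding of U+00AD
# (C2 AD), which legitimate text may contain.
INJECTED_OPTION = re.compile(rb"(?<!\xc2)\xad[dsnhiv]")


def decoded_query(target: str) -> bytes:
    """Return the percent-decoded query string as raw bytes."""
    _path, sep, query = target.partition("?")
    return unquote_to_bytes(query) if sep else b""


def is_cve_2024_4577_attempt(target: str) -> bool:
    return INJECTED_OPTION.search(decoded_query(target)) is not None


def scan_logs(lines):
    """Return (client_ip, request_target) for every line matching the fingerprint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2024_4577_attempt(m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in scan_logs(SAMPLE_LOGS):
        print(f"CVE-2024-4577 attempt from {ip}: {target}")
```

The fix is to upgrade PHP; as an interim measure the PHP advisory for this CVE published an Apache rewrite rule that rejects any query string beginning with %ad (RewriteCond %{QUERY_STRING} ^%ad [NC] followed by RewriteRule .? - [F,L]), which blocks the pattern the detector above looks for.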

Critical Alert: POCO RAT Infiltrates Spanish-Speaking Networks via Phishing Campaigns

POCO RAT
Phishing Campaign
Spanish-speaking Targets

Since February 2024, Spanish-speaking individuals have been targeted by a sophisticated email phishing campaign delivering a new Remote Access Trojan (RAT) known as Poco RAT. The attacks primarily focus on sectors such as mining, manufacturing, hospitality, and utilities, as identified by cybersecurity company Cofense.

25 July 2024

Hemlock Havoc: The Devastating Cluster Bomb Campaign

HemlockClusterBomb
MalwareCampaign
Unfurling Hemlock

The Unfurling Hemlock "cluster bomb" campaign spreads a single dropper that unpacks nested compressed archives and deploys several malware families at once on the same host, which is where the name comes from. By hitting victims across multiple sectors with many payloads in one infection, it maximizes the damage and disruption from each compromise.

25 July 2024

Operation Niki: North Korea's Espionage Offensive Targeting Aerospace and Defense Sectors

North Korean Cyber Espionage Campaign
Niki Malware Infiltration
Cybersecurity Breaches in Aerospace Industry

In a significant escalation of cyber threats, North Korean hackers have launched a sophisticated espionage campaign known as Operation Niki, targeting the aerospace and defense sectors. This operation employs a newly identified backdoor malware called 'Niki,' designed to infiltrate and exfiltrate sensitive information from high-value targets.

12 July 2024

Latest Agent Tesla Offensive Targets Spanish-Speaking Population

CVE-2017-0199
CVE-2017-11882
Agent Tesla

A new Agent Tesla variant is targeting Spanish-speaking users via phishing emails. The attack involves fake SWIFT transfer emails with malicious Excel files. This malware hijacks devices and steals data from over 80 applications.

12 July 2024

Crimson Palace Campaign: Spotlight on Chinese Cyber Covert Actions

CrimsonPalace
StateSponsored
DLLSideloading

A Chinese state-sponsored cyberespionage campaign, Crimson Palace, targeted a Southeast Asian government. The investigation revealed clusters of intrusion activity dating back to early 2022, with the threat actors using new malware variants and DLL side-loading for espionage.

12 July 2024

Grandoreiro Malware Campaign: A Global Threat to Banking Security

Grandoreiro
Banking Trojan
Global Campaign

The cybercriminals behind the Windows-based Grandoreiro banking trojan have resurfaced in a global campaign beginning in March 2024, following a major law enforcement operation in January. These extensive phishing attacks, likely enabled by other threat actors through a malware-as-a-service (MaaS) model, are targeting over 1,500 banks worldwide. The attacks are affecting more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region, as reported by researchers.

07 June 2024

Malvertising Attacks: A New Threat for Windows Administrators - PuTTy and WinSCP

PuTTy
WinSCP
ReflectiveDLLInjection

In March 2024, attackers launched a sophisticated campaign distributing trojanized installers for WinSCP and PuTTY through malicious search ads. The installers contained a renamed pythonw.exe that side-loaded a malicious python311.dll in place of the legitimate one; the malicious DLL loaded the real DLL so the program kept working and reflectively injected a Sliver beacon. From there the attackers established persistence, downloaded additional payloads, stole data, and deployed ransomware with tactics resembling those of the BlackCat/ALPHV group.

13 June 2024

Black Basta is Bombarding Organisations with Fake Emails and Phone Calls

SpamEmails
PhishingScam
HackAlert

Recently, a campaign attributed to Black Basta affiliates, described in the report "Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls", has been targeting organizations. Victims' inboxes are first flooded with spam, mostly newsletter sign-up confirmations; the attackers then phone the employee posing as the IT help desk and talk them into installing legitimate remote-management software, which gives the attackers access to the host and from there to credentials and sensitive data. The campaign is aggressive and ongoing.

17 May 2024

Scattered Spider Strikes Again: The Group Behind the MGM Attack Launches a New Campaign Targeting the Financial Sector

ScatteredSpider
Black Cat/ALPHV
MGM Resorts

Scattered Spider, a hacking group previously linked to cyberattacks on MGM Resorts and Clorox, has recently shifted its focus to the financial sector. This cybercriminal group employs sophisticated techniques including social engineering, data theft, and ransomware to target banks and insurance companies. The FBI and CISA have issued advisories warning about the group's methods, which include the deployment of ransomware such as BlackCat/ALPHV to encrypt and extort their targets.

03 June 2024

GuptiMiner's Campaign: The Trojan Tango of Infiltrating Antivirus Updates for Digital Deception

Guptiminer
dns text
dns server

Researchers have detected a malware campaign in which hackers hijacked the update mechanism of the eScan antivirus, which fetched updates over plain HTTP, from an adversary-in-the-middle position to install backdoors and the GuptiMiner crypto miner on large corporate networks. The campaign, which has possible links to the North Korean group Kimsuky, involved multiple types of backdoors and was neutralized on July 31, 2023, after eScan and India's CERT were alerted.

03 June 2024

Latin America Under Threat: The Venom RAT Campaign's Cyber Invasion Initiative

win.venom
VenomRAT
TA558

TA558, a notorious threat actor, has reemerged with a formidable phishing campaign targeting diverse sectors across Latin America. Employing sophisticated tactics, the group aims to deploy Venom RAT to infiltrate systems and carry out financial crimes.

18 April 2024

New Threat Wave from Earth Freybug: Unapimon Malware Campaign

UnapimonMalware
EarthFreybugCampaign
DLLHijackingTactics

Researchers have reported new technical details of an "Unapimon" malware campaign attributed to Earth Freybug that uses dynamic link library (DLL) hijacking and API hooking to strip security products' API hooks from child processes, so that the processes it spawns are not monitored.

18 April 2024

Unveiling the ShadowRay Campaign: Exploiting Critical Ray Framework Vulnerabilities to Target and Compromise AI Workloads Globally

ShadowRayExposed
RayUnderSiege
PatchCVE202348022

Since September 5, 2023, the "ShadowRay" campaign, run by as yet unidentified attackers, has been exploiting an unpatched vulnerability in the Ray framework to take over computing resources in the Education, Cryptocurrency and Biopharma sectors. Developed by Anyscale, Ray is crucial for scaling AI and Python applications and is used by large companies such as Amazon and OpenAI; the project has more than 30,500 stars on GitHub, which underlines how much AI infrastructure is exposed. Researchers found that hundreds of Internet-exposed Ray servers were compromised via CVE-2023-48022, a missing-authentication issue in Ray's Jobs API that Anyscale disputes as intended behaviour because Ray is meant to run only on trusted networks. The intrusions gave attackers access to sensitive information such as AI models, environment variables and production database credentials, as well as compute for cryptomining.

04 April 2024

Digital Deception: The LESLIELOADER Campaign's Mastery of Malware Misdirection

SPARKRAT Loader Update
Cyber Campaign SPARKRAT
Ongoing Cyber Threats

Cybersecurity researchers found that SPARKRAT was being deployed through a previously undocumented Golang loader, tracked as LESLIELOADER, which lets it execute undetected on target systems. Although the SPARKRAT project has been discontinued, the tool is still being modified for use in targeted attacks, most notably in the DRAGONSPARK campaign against East Asian organizations.

27 March 2024

VCURMS Malware Campaign: Hackers Use AWS and GitHub to Attack Browsers

VCURMS RAT
STRRAT
AWS

Cybersecurity researchers have uncovered a major threat: the "VCURMS" malware. It uses email for command and control, AWS and GitHub for payload storage, and a commercial protector to evade detection. Targeting systems with Java installed, it poses a serious risk, granting attackers full control once it gains a foothold.

25 March 2024

Cyber Pandemonium Unleashed: Tracing the Trail of Sophisticated Linux Malware Campaign

LinuxLockdown2024
LinuxLurkers
Spinning Yarn

Researchers uncovered the Spinning YARN cryptojacking campaign, which targets misconfigured Linux servers running popular cloud-native services. It attacks misconfigured Apache Hadoop YARN, Confluence, Docker and Redis instances with new and unique malicious payloads.

25 March 2024

Unseen Threat Infiltrating Redis Servers: The Migo Malware Campaign and Emerging Dangers

Migo Threat
Redis Servers
Linux Malware

In February, security researchers encountered a new malware campaign that targets Redis for initial access. The malware, dubbed Migo by its developers, compromises Redis servers in order to mine cryptocurrency on the underlying Linux host.

03 March 2024

Unleash AndroxGh0st: Master the Art of Python Malware for Dominance Over AWS and Microsoft 365 Accounts

AndroxGh0st
AWSsecurity
PythonMalware

The AndroxGh0st malware is written in Python and usually targets Simple Mail Transfer Protocol (SMTP) to enable spamming. AndroxGh0st specifically targets cloud environments — in particular, AWS secrets — and exploits vulnerabilities in web applications running in the cloud to maintain a foothold.

31 January 2024

Campaign Alert: The Year-Long Shadow of AsyncRAT in U.S. Infrastructure

AsyncRAT
win.asyncrat
credential stealer

Researchers have identified a campaign distributing AsyncRAT to victim systems. For at least 11 months, the threat actor has delivered the RAT through an initial JavaScript file hosted on a phishing page. Even after 300+ samples and 100+ domains, the actor remains persistent in its intent.

25 January 2024

RE#TURGENCE: Turkish Hackers' New Target - MSSQL Servers

https://platform.socradar.com/app/threat/malware/win.mimic

RE#TURGENCE is a campaign by Turkish-speaking hackers using Mimic ransomware against poorly secured Microsoft SQL servers in the US, EU and Latin America. Uncovered by Securonix, the campaign brute-forces MSSQL logins and then either sells access to the compromised hosts or deploys ransomware on them for financial gain.

25 January 2024

WordPress Under Siege: The Expansive Reach of Balada Injector Malware

BaladaInjector
WordPressSecurity
MalwareCampaign

Balada Injector is a significant and persistent malware campaign that primarily targets WordPress websites. Active since 2017, this campaign has infected over a million WordPress sites. Its main strategy involves exploiting vulnerabilities in WordPress themes and plugins, employing various techniques for this purpose.

17 January 2024

Operation Triangulation Most Sophisticated Attack Chain Ever Seen

OperationTriangulation
ZeroDayVulnerability
iPhoneSecurity

Operation Triangulation is a sophisticated cyber attack campaign against iPhones, discovered by Kaspersky after it found the implant on its own employees' devices. It used a zero-click exploit chain delivered through iMessage, chaining several zero-day vulnerabilities to install spyware and steal sensitive information without any user interaction. Security researchers analysed its targets and impact in detail and called it one of the most sophisticated attack chains ever seen.

29 December 2023

From Data Insights to Cyber Threats: The Tale of Qlik Sense and Cactus Ransomware

Cactus
Qlik Sense
Manage Engine

Cactus ransomware has been active since March 2023, targeting large commercial organizations. Once inside, Cactus enumerates local and network user accounts and reachable endpoints. It uses a new encryption approach and double extortion to pressure victims into paying. Cactus gains initial access by exploiting known vulnerabilities in VPN appliances and, as the Qlik Sense cases show, in exposed business applications. It hinders detection by shipping its own binary in encrypted form and decrypting it at run time with a key passed on the command line, which lets it slip past antivirus and network monitoring tools.

27 December 2023

In the Shadow of Digital Threats: The Rise of Cyber Av3ngers

Cyber Av3ngers
Critical Infrastructure
Programmable Logic Controllers

Cyber Av3ngers is a threat actor group associated with Iran's Islamic Revolutionary Guard Corps (IRGC). This group aims to create confusion and a perception of high risk through technically simple hacks.

27 December 2023

Excel's Blind Spot: Hackers' Strategy to Spread Agent Tesla Malware

Agent Tesla
win.agent_tesla
CVE-2017-11882

Cyber attackers are exploiting an old Microsoft Office vulnerability to distribute the Agent Tesla malware. These campaigns use decoy Excel documents in invoice-themed messages to get users to open the file, which triggers CVE-2017-11882. The vulnerability, a memory corruption bug in the legacy Equation Editor component (EQNEDT32.EXE), lets an attacker run arbitrary code in the context of the current user because the component fails to properly handle objects in memory; Microsoft calls it the "Microsoft Office Memory Corruption Vulnerability". Agent Tesla functions as a Remote Access Trojan (RAT) and information stealer, built on the .NET framework.

26 December 2023
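Both Agent Tesla entries on this page (the SWIFT-themed Excel lures above and this invoice-themed one) hinge on documents that embed the Equation Editor object. A quick triage check for that object is shown below as an added example; it is not code from the page or from any vendor, and the three sample "documents" are constructed byte strings carrying the same markers a scanner would see, not real malware. It looks for the Equation Editor CLSID in the byte order used inside OLE directory entries, the "Equation.3" ProgID in ANSI and UTF-16 form, and the hex-encoded forms that appear inside RTF \objdata blobs; RTF obfuscation can defeat the string matches, so treat a miss as "not seen", not "clean".

```python
import uuid

# CLSID of the Equation Editor (EQNEDT32.EXE) COM server targeted by CVE-2017-11882.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
CLSID_LE = EQNEDT_CLSID.bytes_le          # byte order used inside OLE directory entries
PROGID = b"Equation.3"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def indicators(blob: bytes) -> list:
    """Return the Equation Editor indicators found in a raw document blob."""
    found = []
    if CLSID_LE in blob:
        found.append("clsid:eqnedt32")
    if PROGID in blob or PROGID.decode().encode("utf-16-le") in blob:
        found.append("progid:Equation.3")
    if blob.startswith(b"{\\rtf"):
        # RTF embeds the OLE object as hex text in \objdata, often line-wrapped,
        # so collapse whitespace before searching for the hex forms.
        hexpart = b"".join(blob.lower().split())
        if CLSID_LE.hex().encode() in hexpart:
            found.append("clsid:eqnedt32(rtf-hex)")
        if PROGID.hex().encode() in hexpart:
            found.append("progid:Equation.3(rtf-hex)")
        if b"\\objupdate" in blob:
            # forces the object to load when the file opens, the usual trigger
            found.append("rtf:objupdate")
    return found


def is_suspicious(blob: bytes) -> bool:
    return any(i.startswith(("clsid:", "progid:")) for i in indicators(blob))


# Constructed samples (not real malware): minimal byte strings that carry the
# same markers a triage scanner would see in real files.
BENIGN_OLE = OLE_MAGIC + b"\x00" * 64 + "Word.Document.8".encode("utf-16-le")
OLE_SAMPLE = OLE_MAGIC + b"\x00" * 64 + "Equation.3".encode("utf-16-le") + b"\x00" * 16 + CLSID_LE
_OLE1_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00" + PROGID + b"\x00"
_OBJDATA = (_OLE1_HEADER + OLE_MAGIC + CLSID_LE).hex().encode()
RTF_SAMPLE = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + _OBJDATA[:40] + b"\n" + _OBJDATA[40:] + b"}}}")

if __name__ == "__main__":
    for name, blob in [("benign.doc", BENIGN_OLE), ("invoice.doc", OLE_SAMPLE), ("invoice.rtf", RTF_SAMPLE)]:
        print(name, indicators(blob) or "clean")
```

Where the patch cannot be applied, Microsoft's published workaround for CVE-2017-11882 disables the same COM object by setting the "Compatibility Flags" DWORD to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}, so a hit from this check on a host without that setting deserves priority.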

Global Chain of Deception: Unraveling the Konni Campaign's Cyber Intrigue

Konni
KONNI
win.konni

This campaign extracts information from devices and executes commands using a Remote Access Trojan (RAT). Running for years, it has used a variety of methods for initial access and payload delivery. Most recently, FortiGuard Labs detected a Russian-language Word document containing a malicious macro. Although the document was created in September, activity on the campaign's control server continues.

01 December 2023

Cybercriminals Are Misusing Google Ads to Trick Users into Installing Trojanized WinSCP Software

WinSCP
SEO#LURKER
Malicious

A new, ongoing campaign lures users with fake download pages for WinSCP, a popular SSH/SCP client. The threat actors abuse Google's Dynamic Search Ads (DSA) mechanism, which automatically generates ads from a website's content; here, attacker-controlled pages cause Google to serve ads that lead to the trojanized download. The approach is particularly insidious because it exploits users' trust in legitimate advertising services such as Google and the expectation that search results are trustworthy; its effectiveness lies in its subtlety.

24 November 2023

Pay Attention to Magecart While Shopping

Magecart
ja.magecart
Magento

Magecart, named after the e-commerce platform Magento, is a type of cyberattack that targets online businesses with the goal of stealing sensitive information, including payment card data. These attacks are a form of web skimming and take their name from the Magecart hacker groups that began targeting several well-known global brands in 2015.

26 October 2023

Threat Actors Deploy FreeWorld Ransomware by Hijacking MSSQL Servers on DB Jammer

MSSQL
Cobalt Strike
DB#JAMMER

Threat actors working as part of DB JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.

13 September 2023

Unknown Threat Actor Uses Chaos Ransomware Variant Yashma To Target English Speaking Countries In Addition To Bulgaria, China and Vietnam

Yashma
Chaos
win.chaos

Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild.

25 August 2023

Mallox Ransomware Group Becomes A Very Active Threat

Mallox
TargetCompany
Fargo

The group tracked as Mallox, aka TargetCompany, Fargo and Tohnichi, has lately tended to break into target networks through vulnerable SQL servers. Mallox attacks in 2023 are known to have increased by 174% compared to 2022.

14 August 2023

An Ongoing DDoS Campaign Targeting Sweden

DDoS
Islamophobic
Sweden

NoName057(16) was among the first to respond, announcing a cyberattack on Sweden; on 28 June it took down the websites of the Swedish Ministry of Finance and the rail carrier SJ AB. In the following days, known and lesser-known groups such as Anonymous Sudan, Team 1919, Islamic Hacker Army, Host Kill Crew, USA NEXUS HACKER, Mysterious Team Bangladesh, KEP TEAM, UserSec Collective, Team Heroxr, Electronic Tigers Unit, Team R70, GANOSEC TEAM and Turkish Hack Team carried out DDoS attacks on many Swedish websites.

20 July 2023

Gamaredon Steals Data Too Quickly

Gamaredon
UAC-0010
Shuckworm

The Ukraine Computer Emergency Response Team (CERT-UA) warns that the Russia-linked APT group Gamaredon (aka UAC-0010) begins stealing data as little as 30 minutes after the initial compromise, leaving defenders very little time to respond.

19 July 2023

Chinese Threat Actors Target European Ministries And Embassies With HTML Smuggling In Smugx Campaign

SmugX
PlugX
Mustang Panda

SmugX-related attacks have been observed since December 2022. The threat actors behind the campaign are using innovative distribution methods to distribute a variant of PlugX, a widely used malware associated with various Chinese threat actors. Researchers are monitoring the campaign and have identified links to a previously reported campaign attributed to RedDelta and Mustang Panda.

11 July 2023

Darknet Parliament (KillNet, Anonymous Sudan, REvil) Tries to Paralyze the West's Financial System

Darknet
Parliament
Killnet

Darknet Parliament, a term introduced by the notorious hacktivist group KillNet, has quickly gained traction and become the latest buzzword in the cyber media. KillNet introduced the phrase in a Telegram post on June 16, in which it outlined a plan to attack Europe's banking system.

27 July 2023

Volt Typhoon (aka Bronze Silhouette) Targets Critical US Infrastructure with Living Off The Land Techniques

Bronze Silhouette
Living Off The Land
LOL Bins

BRONZE SILHOUETTE has been active since at least 2021 and primarily targets the US government and defense organizations for intelligence gathering purposes. The group leverages vulnerable internet-facing servers to gain initial access and often uses a web shell for persistence.

14 June 2023

Medusa Ransomware Won't Stop

Medusa
Ransomware
win.medusa

Ransomware operation Medusa became operational in June 2021, according to Bleeping Computer. However, it gained significant momentum in 2023, targeting corporate victims worldwide with multimillion-dollar ransom demands. The ransomware gang has stepped up its effectiveness by launching a "Medusa Blog" in its recent rise. The platform serves to attract media attention by leaking data from victims who refuse to pay the ransom.

13 June 2023

Pipedream Malware Continues to Shred Industrial Systems

Pipedream
Dragos
Industrial Control System

In 2022, the Chernovite threat group created Pipedream, a new modular malware designed to attack Industrial Control Systems (ICS). This powerful toolset has the potential to launch devastating attacks on tens of thousands of critical industrial devices.

09 June 2023

MOVEit Strikes With All Its Power

win.clop
TA505
Clop

A new wave of mass attacks targeting the popular file transfer tool MOVEit Transfer has been linked by security researchers to the Clop ransomware gang. The vulnerability exploited by the hackers, a SQL injection flaw in the product's web front end, allows them to gain unauthorized access to the database of the affected MOVEit server and exfiltrate the files stored there.

08 June 2023

Xworm Enters Through the Door Follina Left Open

Xworm
Follina
RAT

Security researchers have identified a new wave of attacks using XWorm malware that exploits the Follina vulnerability. XWorm is a commodity remote access trojan (RAT) sold on underground forums; Follina (CVE-2022-30190) is a critical remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), reachable from Office documents, that was first disclosed in 2022.

21 June 2023

Smoke Loader Bill Trap

Smoke Loader
win.smokeloader
UAC-0006

According to the Ukraine Computer Emergency Response Team (CERT-UA), the SmokeLoader malware is now spreading through a phishing campaign that uses invoice-themed lures. A ZIP archive containing a decoy document and a JavaScript file is attached to emails which, the agency says, were sent from hacked accounts.

21 June 2023

Archipelago Hides Behind Office Documents and Covers Up a Sneaky Campaign With ReconShark

APT43
Kimsuky
Recon Shark

The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign.

01 June 2023

Iranian Hackers Participate in Papercut Attacks

Papercut
Mango
Sandstorm

State-sponsored threat actors named Mint Sandstorm and Mango Sandstorm, both based in Iran, are taking advantage of unpatched PaperCut instances. Microsoft reports that Mango Sandstorm exploitation activity is still minimal, with operators connecting to organizations’ C2 infrastructure using tools from prior intrusions; in contrast, Mint Sandstorm exploitation activity appears opportunistic, affecting businesses across industries and regions.

01 June 2023

Decoding the Spear-Phishing Tactics of SEABORGIUM and TA453 in the UK

SEABORGIUM
TA453
Russia

SEABORGIUM and TA453 are Russia-based and Iran-based threat actors conducting spear-phishing campaigns targeting organizations and individuals in the U.K. and other areas of interest. They target various sectors, including academia, defense, governmental organizations, and NGOs, using personalized phishing emails to compromise the victims' credentials and gain access to sensitive information.

14 July 2023

Raspberry Robin Global USB Malware Campaign

USB Malware
Raspberry
Qnap Worm

The Raspberry Robin malware campaign has been spreading around the world since it first surfaced in late 2021. "Raspberry Robin" is Red Canary's name for a cluster of activity it first observed in September 2021, which typically involves a worm installed via an infected USB drive.

01 June 2023

Graphiron Threat From Nodaria(UAC-0056) To Ukraine

Graphiron
Nodaria
UAC-0056

The Russia-linked Nodaria espionage group (aka UAC-0056) is using a new information-stealing malware, Infostealer.Graphiron, against targets in Ukraine. Written in Go, Graphiron is designed to gather a wide variety of information from the infected computer, including system information, credentials, screen captures, and files.

01 June 2023

Domino Effect

FIN7
Conti
Trickbot

Former members of the Conti ransomware group are using malware developed by the FIN7 group for financial gain, compromising systems for follow-on exploitation; FIN7 has used the "Domino" tool in its attacks since at least October 2022.

01 June 2023

Hoodoo Uses Google C2 Red Team Tool as Payload

Hoodoo
APT41
Barium

In a strategy change, China-linked APT41 targeted a Taiwanese media outlet and an Italian employment agency with standard, open-source penetration testing tools. The Chinese state-sponsored hacking organization APT 41, also known as HOODOO, targets various industries in the US, Asia, and Europe.

01 June 2023

Anonymous Sudan Continues to Attack

Killnet
Anonymous
Sudan

The world of cyberattacks continues to evolve with the emergence of new hacktivist groups that target different countries for various political reasons. One such group that has been making headlines is KillNet Anonymous Sudan, which is affiliated with the pro-Russian hacktivist group KillNet.

02 June 2023

Operations From APT36 To Government Agencies

APT36
SideCopy
Transparent Tribe

APT36 is an advanced persistent threat group attributed to Pakistan that primarily targets users working at Indian government organizations. SideCopy is a Pakistani threat actor operating since at least 2019, targeting mainly South Asian countries, and more specifically India and Afghanistan.

01 June 2023

Hack For Hire Group Targets Legal, Finance and Travel Institutions

Janicab
Deathstalker
HackforHire

Unlike malware-as-a-service (MaaS) offerings, hack-for-hire companies carry out sophisticated, hands-on attacks and exploit vulnerabilities to execute their campaigns, according to a report by researchers. Their interest in gathering sensitive business information leads researchers to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.

02 June 2023

Unleashing the Threat: Inside the SmoothOperator Supply Chain Attack on 3CX VOIP Desktop Client

SmoothOperator
3CX
Supply Chain Attack

A new supply chain attack called SmoothOperator is currently targeting 3CX's VoIP desktop client, which could cause significant impact due to the company's diverse and valued customer profile. The attackers use a trojanized version of the software to steal information from Windows and macOS users.

12 July 2023

Adversary-in-the-Middle: The Rise of AiTM Phishing Kits and the Threat Posed by DEV-1101

DEV-1101
Phishing
AiTM

AiTM phishing kits, such as those developed by DEV-1101, are increasingly replacing less advanced forms of phishing. These kits can bypass MFA using reverse-proxy functionality and are available for purchase by cybercriminals, lowering the barrier of entry for cybercrime. DEV-1101 offers an open-source kit that automates phishing activity and provides support services to attackers. Since its release in May 2022, the kit has been continually enhanced with features such as managing campaigns from mobile devices and CAPTCHA evasion, making it attractive to actors with varying motivations and targets in any industry or sector.

19 June 2023
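The reverse-proxy MFA bypass described in the AiTM entry above works because a one-time code carries no information about where the user typed it, whereas an origin-bound authenticator does. The following is an added example that models both flows, not code from the page, from the DEV-1101 kit or from Microsoft. The hostnames are hypothetical, the TOTP seed is the RFC 6238 test-vector secret used only for the demo, and the WebAuthn side is a model of the browser's rpId check and the relying party's clientDataJSON checks; the authenticator signature over authData and the hash of clientDataJSON is noted but not computed.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example.com"           # the genuine site (hypothetical)
RP_ID = "login.example.com"
PHISH_ORIGIN = "https://login.example-com.test"   # hypothetical AiTM proxy host
TOTP_SECRET = b"12345678901234567890"             # RFC 6238 test seed, constructed for the demo


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing in the code depends on where it is typed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_verify_totp(code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, unix_time))


def totp_through_aitm(unix_time: int) -> bool:
    # The victim reads the code off their phone and types it into the phishing
    # page; the proxy forwards it to the real site unchanged. The RP accepts it,
    # and the proxy now holds the authenticated session cookie.
    code_typed_by_victim = totp(TOTP_SECRET, unix_time)
    return rp_verify_totp(code_typed_by_victim, unix_time)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> bytes:
    """Model of navigator.credentials.get(): the browser refuses unless rp_id is
    the page's host or a registrable suffix of it, then binds the page origin
    into clientDataJSON, which the authenticator signs (signature omitted here)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId does not match the page origin")
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return json.dumps(client_data, separators=(",", ":")).encode()


def rp_verify_assertion(client_data_json: bytes, expected_challenge: bytes) -> bool:
    """Relying-party side: type, challenge and origin must all match. A real RP
    also verifies the authenticator signature over authData || SHA256(clientDataJSON)."""
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge))
            and cd.get("origin") == RP_ORIGIN)


def webauthn_legit(challenge: bytes) -> bool:
    return rp_verify_assertion(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def webauthn_through_aitm(challenge: bytes) -> bool:
    # The proxy relays the RP's challenge and rpId to the victim's browser, but
    # the browser is on PHISH_ORIGIN: it refuses to use a credential scoped to
    # login.example.com, so no assertion is ever produced.
    try:
        client_data = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except ValueError:
        return False
    return rp_verify_assertion(client_data, challenge)


def forged_client_data(challenge: bytes) -> bytes:
    # Even if an attacker fabricated clientDataJSON to get past the browser,
    # the origin field would not match, and the RP rejects it.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": PHISH_ORIGIN}).encode()


if __name__ == "__main__":
    print("TOTP via AiTM accepted:", totp_through_aitm(1_700_000_000))
    print("WebAuthn direct accepted:", webauthn_legit(b"\x01" * 32))
    print("WebAuthn via AiTM accepted:", webauthn_through_aitm(b"\x01" * 32))
```

The practical takeaway for the campaign above is that moving high-value accounts from OTP-based MFA to phishing-resistant, origin-bound authenticators (FIDO2/WebAuthn) removes the reverse-proxy bypass entirely, while conditional-access checks on session token reuse from unexpected networks catch the cookie-theft stage when OTPs must remain.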

Earth Lusca

China
Espionage
ShadowPad

Earth Lusca is a sophisticated China-linked threat group that, according to reports from cybersecurity firms, conducts espionage and at times financially motivated attacks. It uses a variety of tactics and tools, including spear-phishing emails, social engineering, and malware such as remote access trojans (RATs), the ShadowPad backdoor and credential stealers.

04 April 2023

APT5 Smashes Citrix's Networks

Citrix
Manganese
APT5

APT5 is a sophisticated cyber espionage group that is believed to be based in China and has been active since at least 2007. The group primarily targets high-tech and telecommunications firms across the US, Europe, and Asia, using advanced malware and zero-day exploits to gain unauthorized access to networks and steal sensitive information.

29 March 2023

Dalbit's Ingenuity

FRP
Fast Reverse Proxy
Dalbit

Dalbit is a threat actor group recently discovered to have targeted Korean organisations. Their usual tactic is to target SQL and Web Servers with exploits to upload web shells. Through these web shells, additional tools such as binaries for privilege escalation, proxy tools, and scanning tools are downloaded. Upon initial foothold, FRP (Fast Reverse Proxy) is deployed to connect back to their Command-and-Control server or another victim's server via RDP. It appears that the end goal is to eventually deploy ransomware on their victims.

19 June 2023

Hiatus.RAT Data Thieves

Hiatus
Rat
trojan

A new malware campaign, Hiatus, targets business-grade routers to spy on victims in Latin America, Europe, and North America. The campaign deploys two malicious binaries: a remote access trojan called HiatusRAT, and a variant of tcpdump that captures packets on the compromised device.

12 July 2023

Communication Barrier from KillNet

DDoS
Killnet
pro-Russian

Active since at least January 2022, KillNet has evolved from a leased DDoS service into a full-fledged threat group. Its distributed denial of service (DDoS) attacks overwhelm target web servers with traffic. While KillNet's ties to official Russian government agencies, such as the Federal Security Service (FSB) or the Foreign Intelligence Service (SVR), have not been confirmed, the group has attacked critical sectors including health services and should be viewed as a threat to government and critical infrastructure organizations.

28 February 2023

ESXiArgs: The Consequences of Infection

VMware
ESXi
Ransomware

ESXiArgs is a ransomware strain reported to have infected over 3,000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to target end-of-life ESXi servers or ESXi servers that have not had the available software patches applied.

12 July 2023

From Lazarus: 'No Pineapple'

Zinc
Hidden Cobra
Lazarus

The North Korean hacker group Lazarus (overlapping with the cluster tracked as APT38) has been active since 2009. Its size and membership are unknown, but because of the nature, methods and persistence of its operations it is classified as an Advanced Persistent Threat. The cybersecurity community also tracks it under names such as Zinc and Hidden Cobra.

14 July 2023

The Face of Disaster: Turkey and Syria Earthquake

Earthquake
Turkey
Syria

On February 6, 2023, Turkey and Syria woke to a major natural disaster. Two devastating earthquakes, of magnitudes 7.7 and 7.6, struck southeastern Turkey and Syria, affecting millions of people in dozens of cities, and the death toll ran into the tens of thousands. The Turkish government declared a Level 4 alert, the highest level, and requested international assistance for the disaster area.

13 February 2023

Messy Adventures of Cozy Bear

APT29
The Dukes
Cozy Bear

Cozy Bear, also known as APT29, is a sophisticated advanced persistent threat (APT) group believed to be associated with the Russian government. The group has been active since at least 2008. It has been linked to several high-profile cyber espionage operations, including the 2016 hack of the Democratic National Committee (DNC) in the United States. Cozy Bear is known for its sophisticated techniques and ability to remain undetected for long periods of time within compromised networks.

14 July 2023

Aoqin Dragon

UNC94
Mongall

Aoqin Dragon is a known threat actor that has been active since 2013 and primarily targets government, education, and telecommunication organizations in Southeast Asia and Australia.

10 February 2023

Glupteba: The Blockchain-Enabled Modular Malware

Glupteba
Blockchain

Glupteba is a complex and advanced form of malware that has been affecting Windows devices globally since 2019. It uses blockchain technology for resilient command-and-control and has multiple modules that can be used for various malicious activities.

14 July 2023

Red Menshen: A Look into the Chinese Cyber Espionage Threat

BPFDoor
Red Dev 18

Red Menshen is a China-based threat actor that has been observed targeting telecommunications providers across the U.S., Turkey, the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor.

09 February 2023

Exploits of the RomCom RAT

RAT
Romcom

The RomCom RAT is a malicious software program used by a threat actor to remotely control compromised systems, often by impersonating well-known brands and deploying fake versions of legitimate software through phishing campaigns.

14 July 2023

Bronze President

PlugX
TA428
ORat

Bronze President is a likely Chinese government-sponsored threat group that has been active since at least 2012. It is known for conducting cyber-espionage campaigns targeting organizations and individuals in the Asia-Pacific region and beyond.

09 February 2023

Who will be Earth Bogle's Victims in North Africa and the Middle East?

NjRAT
Bladabindi

The campaign is active, and currently, threat actors are targeting victims with NjRAT (also known as Bladabindi) in the Middle East and North Africa.

14 July 2023

StrongPity Expands Its Targets

Promethium
APT-C-41

StrongPity, also known as APT-C-41 and Promethium, is a cyber espionage group that has been active since at least 2012. The group's initial focus was on individuals and organizations in Syria and Turkey, but its campaigns have since expanded to a wider range of targets across Africa, Asia, Europe, and North America. The group uses methods such as watering hole attacks and phishing messages to infiltrate targeted systems and steal sensitive information. These attacks follow the kill chain, the sequence of actions the attackers take to gain access, establish control, and exfiltrate data from the targeted systems.

14 July 2023

World Cup Qatar

worldcup
fifa
qatar

The 2022 FIFA World Cup was the 22nd edition of the FIFA World Cup, the quadrennial international men's football championship contested by the senior national teams of the member associations of FIFA. It took place in Qatar from 20 November to 18 December 2022. It was the first World Cup held in the Arab world, and the second held entirely in Asia after the 2002 tournament in South Korea and Japan. It was also the last tournament to involve 32 teams, with an increase to 48 teams scheduled for the 2026 tournament in the United States, Mexico, and Canada.

28 January 2023

Cyber Risk to the Oil and Gas Industry

gas
oil
pipeline

There has been significant interest within the offshore oil and gas industry to utilise Industrial Internet of Things (IIoT) and Industrial Cyber-Physical Systems (ICPS). There has also been a corresponding increase in cyberattacks targeted at oil and gas companies.

14 November 2022

Cyber Security in Elections

election
election security

In recent years, the effect of cyber operations on national elections has grown rapidly, and interstate operations against elections have been observed to be carried out alongside cyber espionage campaigns.

14 November 2022

The New Target: Immigrations

TA4563
Evilnum
immigrant

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.

14 November 2022

The Return of Emotet

emotet

The notorious Emotet malware is staging a comeback of sorts, months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. While the malware maintainers remain unknown, this campaign suspiciously coincides with the Russian invasion of Ukraine.

14 November 2022

Prestige Ransomware: Targeting Ukraine & Poland

Prestige Ransomware
Ransomware

A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed Prestige. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC) said.

28 January 2023

Russia - Ukraine Cyberwar

Russia
Ukraine
Cyberwar

The day before the invasion of Ukraine by Russian forces, a new wiper malware sample was observed spreading across Ukrainian companies. An hour before the invasion, an IsaacWiper attack against government websites was recorded. Cyber attacks continued in March as well, with the CaddyWiper malware infiltrating the systems of several Ukrainian organizations in both the government and the financial sectors.

28 January 2023

Hafnium

Hafnium
Microsoft Exchange Server Zerodays

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

28 September 2022

Attacks on industrial control systems using ShadowPad

shadowpad

Researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. The infected machines include engineering computers used in building automation systems.

28 January 2023

Operation AppleJeus: North Korea’s Cryptocurrency Malware

cryptocurrency
Lazarus
North Korea

After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses.

14 November 2022

SolarWinds

SolarWinds
Government
Microsoft

Austin, Texas-based SolarWinds sells software that lets an organization see what is happening on its computer networks. Hackers inserted malicious code into an update of that software, which is called Orion. Around 18,000 SolarWinds customers installed the tainted update onto their systems.

28 September 2022

Operation Quicksand: MuddyWater's Attacks to Israeli Organizations

MuddyWater
Quicksand

In September 2020, a new campaign targeting many prominent Israeli organizations was identified. The campaign was attributed to the Iranian threat actor 'MuddyWater' (also known as TEMP.Zagros, Static Kitten and Seedworm).

28 January 2023

Magniber Ransomware Used a Variant of Microsoft SmartScreen Bypass with Malformed Signature

Magniber
SmartScreen
Ransomware

Magniber ransomware, which targeted Asian countries in 2017, has continued to attack an expanded set of targets worldwide since 2021.

01 June 2023

Covid-19

Covid-19

Many threat actors are leveraging the high level of global anxiety around the spread of the Coronavirus to gain initial access to their victims' networks and launch their campaigns. The common factor among these campaigns is the use of social engineering techniques to manipulate victims into trusting the malicious lures.

28 January 2023

Energy War

BlackEnergy
ELECTRUM

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins.

28 January 2023

US Federal Agencies Targeted by Kittens

Nemesis Kitten
Charming Kitten
Iran

An APT group called Nemesis Kitten, which has ties to Iran, reportedly directed an attack at an unidentified U.S. federal agency, with some reporting suggesting the targeted entity was the U.S. Merit Systems Protection Board. The group infiltrated the agency's network and loaded cryptocurrency-mining software onto it.

28 March 2023

The Hackers Behind Iran

Iran
MuddyWater
OilRig

The asymmetric nature of the cyberwarfare domain has enabled Iran to carry out some of the most sophisticated and costly cyber attacks of the internet age.

14 November 2022

The Pegasus Project

Pegasus
NSO

The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.

06 November 2022

The Cyber Face of Economic Development

GEARSHIFT
apt41
Winnti

Like other Chinese espionage operators, APT41's espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. Its activity traces back to 2012, when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely state-sponsored activity.

14 November 2022

Red Children of Censorship

apt37
kimsuky

APT37 is a North Korean state-sponsored cyber espionage group that focuses on the public and private sectors, primarily in South Korea. In 2017, the group expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.

14 November 2022

From Altai To The Red Square

apt28
Fancy Bear
TG-4127

The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.

14 November 2022