Info
Subscribe
Campaigns

Come, study threat actor campaigns from our eyes!

Campaigns is a unified digest of information regarding threat actor campaigns for you to use for improving your security. Each campaign includes IOCs, Domains, Reports ,Tweets and News regarding the threat actor operation. Being able to reach that many information conveniently is not only improves the security but also make one to be aware of their threat landscape. For reaching the recent campaigns we suggest you to initiate a free access!

Unknown Threat Actor Uses Chaos Ransomware Variant Yashma To Target English Speaking Countries In Addition To Bulgaria, China and Vietnam

Yashma
Chaos
win.chaos

Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild.

25 August 2023

Mallox Ransomware Group Becomes A Very Active Threat

Mallox
TargetCompany
Fargo

The group tracked as Mallox aka TargetCompany, Fargo and Tohnichi - tends to break into target networks through vulnerable SQL servers lately. Mallox attacks in 2023 are known to have increased by %174, compared to 2022.

14 August 2023

An Ongoing DDoS Campaign Targeting Sweden

DDoS
Islamophobic
Sweden

NoName057 was among the first to respond, warning of a cyberattack on Sweden. NoName removed the websites of the Swedish Ministry of Finance and rail carrier SJ AB on 28 June. In the following days, known and unknown such as AnonymousSudan, Team 1919, Islamic Hacker Army, Host Kill Crew, USA NEXUS HACKER, Mysterious Team Bangladesh, KEP TEAM, UserSec Collective, Team Heroxr, Electronic Tigers Unit, Team R70, GANOSEC TEAM and Turkish Hack Team The hacker group carried out DDoS attacks on many websites of Sweden.

20 July 2023

Gamaredon Steals Data Too Quickly

Gamaredon
UAC-0010
Shuckworm

The Ukraine Computer Emergency Response Team (CERT-UA) begins to warn entities about stealing data 30 minutes after the first security breach by the Russian-linked APT group Gamaredon (aka UAC-0010).

19 July 2023

Chinese Threat Actors Target European Ministries And Embassies With HTML Smuggling In Smugx Campaign

SmugX
PlugX
Mustang Panda

SmugX-related attacks have been observed since December 2022. The threat actors behind the campaign are using innovative distribution methods to distribute a variant of PlugX, a widely used malware associated with various Chinese threat actors. Researchers are monitoring the campaign and have identified links to a previously reported campaign attributed to RedDelta and Mustang Panda.

11 July 2023

Darknet Parliament(KILLNET,ANONYMOUS SUDAN,REVil) Tries to Paralyze the West's Financial System

Darknet
Parliament
Killnet

Darknet Parliament, the term introduced by the notorious hacktivist group KillNet, has quickly gained traction, becoming the latest buzzword in the cyber media. KillNet introduced the phrase in a Telegram post on June 16.In the post, they outlined a plan to attack Europe’s banking system.

27 July 2023

Volt Typhoon (aka, The Bronze Silhouette) Targets Critical US Infrastructure with Living Of The Land Techniques

Bronze Silhouette
Living Of The Land
LOL Bins

BRONZE SILHOUETTE has been active since at least 2021 and primarily targets the US government and defense organizations for intelligence gathering purposes. The group leverages vulnerable internet-facing servers to gain initial access and often uses a web shell for persistence.

14 June 2023

Medusa Ransomware Won't Stop

Medusa
Ransomware
win.medusa

Ransomware operation Medusa became operational in June 2021, according to Bleeping Computer. However, it gained significant momentum in 2023, targeting corporate victims worldwide with multimillion-dollar ransom demands. The ransomware gang has stepped up its effectiveness by launching a "Medusa Blog" in its recent rise. The platform serves to attract media attention by leaking data from victims who refuse to pay the ransom.

13 June 2023

Pipedream Malware Continues to Shred Industrial Systems

Pipedream
Dragos
Industrial Control System

In 2022, the Chernovite threat group created Pipedream, a new modular malware designed to attack Industrial Control Systems (ICS). This powerful toolset has the potential to launch devastating and devastating attacks on tens of thousands of critical industrial devices.

09 June 2023

MOVEit Strikes With All Its Power

win.clop
TA505
Clop

A new wave of mass attacks targeting popular file transfer tool MOVEit Transfer has been linked by security researchers to the Clop ransomware gang. The vulnerability exploited by hackers allows them to gain unauthorized access to the database of the affected MOVEit server.

08 June 2023

Xworm Enters Through the Door Follina Left Open

Xworm
Follina
RAT

Security researchers have identified a new wave of attacks using XWorm malware that exploits the Follina vulnerability. XWorm is a government-sponsored remote access trojan (RAT), the Follina vulnerability is a critical vulnerability in Microsoft Windows systems that was first disclosed in 2022.

21 June 2023

Smoke Loader Bill Trap

Smoke Loader
win.smokeloader
UAC-0006

Based on the Ukraine Computer Emergency Response Team (CERT-UA), the SmokeLoader malware is now spreading through a phishing campaign using traps focused on bills. A ZIP folder containing a fake document and a JavaScript file is attached to emails that the agency says were sent from hacked accounts.

21 June 2023

Archipelago Hide Office Documents and Cover Up Sneak Campaign With Recon Shark

APT43
Kimsuky
Recon Shark

The North Korean state sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign

01 June 2023

Iranian Hackers Participate in Papercut Attacks

Papercut
Mango
Sandstorm

State-sponsored threat actors named Mint Sandstorm and Mango Sandstorm, both based in Iran, are taking advantage of unpatched PaperCut instances. Microsoft reports that Mango Sandstorm exploitation activity is still minimal, with operators connecting to organizations’ C2 infrastructure using tools from prior intrusions; in contrast, Mint Sandstorm exploitation activity appears opportunistic, affecting businesses across industries and regions.

01 June 2023

Decoding the Spear-Phishing Tactics of SEABORGIUM and TA453 in the UK

SEABORGIUM
TA453
Russia

SEABORGIUM and TA453 are Russia-based and Iran-based threat actors conducting spear-phishing campaigns targeting organizations and individuals in the U.K. and other areas of interest. They target various sectors, including academia, defense, governmental organizations, and NGOs, using personalized phishing emails to compromise the victims' credentials and gain access to sensitive information.

14 July 2023

Raspberry Robin Global USB Malware Campaign

USB Malware
Raspberry
Qnap Worm

The Raspberry Robin malware campaign has been spreading around the world since it first surfaced in late 2021. "Raspberry Robin" is the name of a set of events from Red Canary that we first observed in September 2021, which often includes a worm installed via a USB drive.

01 June 2023

Graphiron Threat From Nodaria(UAC-0056) To Ukraine

Graphiron
Nodaria
UAC-0056

The Russia-linked Nodaria group has installed a new threat, using a wide variety of information from infected computers to play.The Nodaria espionage group (aka UAC-0056) is using a new combination of information stealing malware against browsing in Ukraine. The malware (Infostealer.Graphiron) was designed to gather a wide variety of information written in Go from the infected computer, including system information, credentials, screen content, and files.

01 June 2023

Domino Effect

FIN7
Conti
Trickbot

Former members of the Conti ransomware group use malware developed by the FIN7 group for financial purposes, compromising systems for follow-on exploits; FIN7 has used the "Domino" tool in its attacks since at least last October.

01 June 2023

Hoodoo Uses Google C2 Red Team Tool as Payload

Hoodoo
APT41
Barium

In a strategy change, China-linked APT41 targeted a Taiwanese media outlet and an Italian employment agency with standard, open-source penetration testing tools. The Chinese state-sponsored hacking organization APT 41, also known as HOODOO, targets various industries in the US, Asia, and Europe.

01 June 2023

Anonymous Sudan Continues to Attack

Killnet
Anonymous
Sudan

The world of cyberattacks continues to evolve with the emergence of new hacktivist groups that target different countries for various political reasons. One such group that has been making headlines is KillNet Anonymous Sudan, which is affiliated with the pro-Russian hacktivist group KillNet.

02 June 2023

Operations From APT36 To Government Agencies

APT36
SideCopy
Transparent Tribe

APT36 is an advanced persistent threat group attiributed to Pakistan taht primarilly targets users working at Indian government organizations.SideCopy APT is a Pakistani threat actor operating since at least 2019,targeting mainly South Asian countries and more specifally India and Afghanistan.

01 June 2023

Hack For Hire Group Targets Legal, Finance and Travel Institutions

Jannicab
Deathstalker
HackforHire

Unlike malware-as-a-service (MAAS), hacking-for-hire companies carry out sophisticated, hands-on attacks and exploit vulnerabilities in executing their campaigns, according to a report by researchers Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.

02 June 2023

Unleashing the Threat: Inside the SmoothOperator Supply Chain Attack on 3CX VOIP Desktop Client

SmoothOperator
3CX
Supply Chain Attack

A new supply chain attack called SmoothOperator is currently targeting 3CX's VoIP desktop client, which could cause significant impact due to the company's diverse and valued customer profile. The attackers use a trojanized version of the software to steal information from Windows and macOS users.

12 July 2023

Earth Lusca

China
Espionage
ShadowPad

Earth Lusca is a sophisticated cybercrime group. According to reports from cybersecurity firms. They use a variety of tactics and tools to carry out their attacks, including spear-phishing emails, social engineering, and malware such as remote access trojans (RATs) and credential stealers.

04 April 2023

Adversary-in-the-Middle: The Rise of AiTM Phishing Kits and the Threat Posed by DEV-1101

DEV-1101
Phishing
AİTM

AiTM phishing kits, such as those developed by DEV-1101, are increasingly replacing less advanced forms of phishing. These kits can bypass MFA using reverse-proxy functionality and are available for purchase by cybercriminals, lowering the barrier of entry for cybercrime. DEV-1101 offers an open-source kit that automates phishing activity and provides support services to attackers. Since its release in May 2022, the kit has been continually enhanced with features such as managing campaigns from mobile devices and CAPTCHA evasion, making it attractive to actors with varying motivations and targets in any industry or sector.

19 June 2023

APT5 Smashes Citrix's Networks

Citrix
Manganese
APT5

APT5 is a sophisticated cyber espionage group that is believed to be based in China and has been active since at least 2007. The group primarily targets high-tech and telecommunications firms across the US, Europe, and Asia, using advanced malware and zero-day exploits to gain unauthorized access to networks and steal sensitive information.

29 March 2023

Dalbit's Ingenuity

FRP
Fast Reverse Proxy
Dalbit

Dalbit is a threat actor group recently discovered to have targeted Korean organisations. Their usual tactic is to target SQL and Web Servers with exploits to upload web shells. Through these web shells, additional tools such as binaries for privilege escalation, proxy tools, and scanning tools are downloaded. Upon initial foothold, FRP (Fast Reverse Proxy) is deployed to connect back to their Command-and-Control server or another victim's server via RDP. It appears that the end goal is to eventually deploy ransomware on their victims.

19 June 2023

Hiatus.RAT Data Thieves

Hiatus
Rat
trojan

A new malware campaign, Hiatus, targets business-grade routers to spy on Latin America, Europe, and North America victims. The campaign deploys two malicious binaries, a remote access trojan called HiatusRAT, and a variant of tcpdump that can capture packet capture on the target device.

12 July 2023

Communication Barrier from KillNet

DDoS
Killnet
pro-Russian

Active since at least January 2022, KillNet has evolved from initially a leased DDoS service to a full-fledged threat group. Group distributed denial of service (DDoS) attacks birth website servers to get hit. While KillNet's ties to official Russian government agencies, such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service, have not been confirmed, the group is involved in the group, including the health services. should be viewed as a threat to government and critical infrastructure organizations.

28 February 2023

ESXiArgs: The Consequences of Infection

VMware
ESXi
Ransomware

ESXiArgs is a ransomware strain that has been reported to have infected over 3000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to be targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.

12 July 2023

From Lazarus''No Pineapple''

Zinc
Hidden Cobra
Lazarus

The North Korean hacker group Lazarus APT 38 ,has been active since 2009. They were a group of criminals with an indeterminate number of criminals. However, due to their intended nature, methods, and threats on the web, they were classified as an Advanced Persistent Threat. The cybersecurity community gathers these under other names such as Zinc and Hidden Cobra.

14 July 2023

The Face of Disaster: Turkey and Syria Earthquake

Earthquake
Turkey
Syria

February 6, 2023, Turkey and Syria woke up to the morning of a major natural disaster. Two devastating earthquakes, 7.7 and 7.6 magnitudes, struck southeastern Turkey and Syria, with millions of people in dozens of different cities affected, and the death toll exceeded thousands. The Turkish government declared a Level 4 alert, the highest level, and requested international assistance for the disaster area.

13 February 2023

Messy Adventures of Cozy Bear

APT29
The Dukes
Cozy Bear

Cozy Bear, also known as APT29, is a sophisticated advanced persistent threat (APT) group believed to be associated with the Russian government. The group has been active since at least 2008. It has been linked to several high-profile cyber espionage operations, including the 2016 hack of the Democratic National Committee (DNC) in the United States. Cozy Bear is known for its sophisticated techniques and ability to remain undetected for long periods of time within compromised networks.

14 July 2023

Aoqin Dragon

UNC94
Mongall

Aoqin Dragon is a known threat actor that has been active since 2013 and primarily targets government, education, and telecommunication organizations in Southeast Asia and Australia.

10 February 2023

Red Menshen: A Look into the Chinese Cyber Espionage Threat

BPFDoor
Red Dev 18

Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the U.S, Turkey, Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor.

09 February 2023

Glupteba: The Blockchain-Enabled Modular Malware

Glupteba
Blockchain

Glupteba is a complex and advanced form of malware that has been affecting Windows devices globally since 2019. It utilizes blockchain technology and has multiple modules that can be used for various malicious activities,

14 July 2023

Exploit of Romcom RAT's

RAT
Romcom

The RomCom RAT is a malicious software program used by a threat actor to remotely control compromised systems, often by impersonating well-known brands and deploying fake versions of legitimate software through phishing campaigns.

14 July 2023

Bronze President

PlugX
TA428
ORat

Bronze President is a likely Chinese government-sponsored threat group that has been active since at least 2012. It is known for conducting cyber-espionage campaigns targeting organizations and individuals in the Asia-Pacific region and beyond.

09 February 2023

Who will be Earth Bogle's Victims in North Africa and the Middle East?

NjRAT
Bladabindi

The campaign is active, and currently, threat actors are targeting victims with NjRAT (also known as Bladabindi) in the Middle East and North Africa.

14 July 2023

StrongPity Expand It's Target

Promethium
APT-C-41

StrongPity, also known as APT-C-41 and Promethium, is a cyber espionage group that has been active since at least 2012. The group's initial focus was on targeting individuals and organizations in Syria and Turkey, but their campaigns have since expanded to encompass a wider range of targets across Africa, Asia, Europe, and North America. The group uses various methods such as watering hole attacks and phishing messages to infiltrate targeted systems and steal sensitive information. These attacks are designed to activate the killchain, which is the sequence of actions taken by the attackers to gain access, establish control, and exfiltrate data from the targeted systems.

14 July 2023

World Cup Qatar

worldcup
fifa
qatar

The 2022 FIFA World Cup is scheduled to be the 22nd running of the FIFA World Cup competition, the quadrennial international men's football championship contested by the senior national teams of the member associations of FIFA. It is scheduled to take place in Qatar from 20 November to 18 December 2022. This will be the first World Cup ever to be held in the Arab world, and the second World Cup held entirely in Asia after the 2002 tournament in South Korea and Japan.[a] In addition, the tournament will be the last to involve 32 teams, with an increase to 48 teams scheduled for the 2026 tournament in the United States, Mexico, and Canada.

28 January 2023

Cyber Risk to the Oil and Gas Industry

gas
oil
pipeline

There has been significant interest within the offshore oil and gas industry to utilise Industrial Internet of Things (IIoT) and Industrial Cyber-Physical Systems (ICPS). There has also been a corresponding increase in cyberattacks targeted at oil and gas companies.

14 November 2022

The New Target: Immigrations

TA4563
Evilnum
immigrant

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.

14 November 2022

Cyber Security in Elections

election
election security

In recent years, the effect of cyber operations on the elections of countries has been increasing rapidly and it has been observed that interstate operations are carried out with cyber espionage campaigns.

14 November 2022

The Return of Emotet

emotet

The notorious Emotet malware is staging a comeback of sorts, months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. While the malware maintainers remain unknown, this campaign suspiciously coincides with the Russian invasion of Ukraine.

14 November 2022

Prestige Ransomware: Targeting Ukraine & Poland

Prestige Ransomware
Ransomware

A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed Prestige. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC) said.

28 January 2023

Russia - Ukraine Cyberwar

Russia
Ukraine
Cyberwar

The day before the invasion of Ukraine by Russian forces, a new wiper malware sample spreading across Ukrainian companies is observed. An hour before the invasion, an IssacWiper attack against government websites was recorded. Moreover, cyber-attacks continued in March, as well, with the CaddyWiper malware which infiltrated the systems of several Ukrainian organizations, from both the government and the financial sectors.

28 January 2023

Hafnium

Hafnium
Microsoft Exchange Server Zerodays

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

28 September 2022

Attacks on industrial control systems using ShadowPad

shadowpad

Researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. These infected machines includes engineering hardware systems related to automation systems Infected machines includes engineering computers used in building automation systems.

28 January 2023

Operation AppleJeus: North Korea’s Cryptocurrency Malware

cryptocurrency
Lazarus
North Korea

After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses.

14 November 2022

SolarWinds

SolarWinds
Government
Microsoft

Austin, Texas-based SolarWinds sells software that lets an organization see what's happening on its computer networks. Hackers inserted malicious code into an update of that software, which is called Orion. Around 18,000 SolarWinds customers installed the tainted update onto their systems

28 September 2022

Operation Quicksand: MuddyWater's Attacks to Israeli Organizations

MuddyWater
Quicksand

During September 2020, identified a new campaign targeting many prominent Israeli organizations was identified. The campaign was attributed to the Iranian threat actor ‘MuddyWater’ (also known as TEMP.Zagros, Static Kitten and Seedworm).

28 January 2023

Covid-19

Covid-19

Many threat actors are leveraging the high level of global anxiety around the spread of the Coronavirus and are using it to gain initial access to their victim ictim’s network and launch their campaigns. The common factor among these campaigns is the use of social engineering techniques to manipulate their victims into trusting their malicious scams.

28 January 2023

Hackers Behind the Iran

Iran
MuddyWater
OilRig

The asymmetric nature of the cyberwarfare domain has enabled Iran to carry out the most sophisticated and costly cyber attacks in the history of the internet age

14 November 2022

Energy War

BlackEnergy
ELECTRUM

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins

28 January 2023

Magniber Ransomware Used a Variant of Microsoft SmartScreen Bypass with Malformed Signature

Magniber
SmartScreen
Ransomware

Magniber ransomware, which targeted Asian countries in 2017, continues to attack with expanded targets worldwide since 2021

01 June 2023

US Federal Agencies Targeted by Kitten's

Nemesis Kitten
Charming Kitten
Iran

An APT group called Nemesis Kitten, which has ties to Iran, reportedly directed its attack towards an unidentified U.S. federal agency, with some suspicions suggesting the targeted entity was the U.S. Merit Systems Protections Board. The group infiltrated the agency's network and loaded cryptocurrency-mining software onto it.

28 March 2023

The Pegasus Project

Pegasus
NSO

The Pegasus Project is a collaborative investigation into NSO Group, an Israeli “cyber intelligence” company that sells sophisticated spyware to governments around the world.

06 November 2022

The Cyber Face of Economic Development

GEARSHIFT
apt41
Winnti

Like other Chinese espionage operators, hacker groups, espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity.

14 November 2022

Red Children of Censorship

apt37
kimsuky

North Korean state-sponsored cyber espionage groups. Focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 group expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.

14 November 2022

From Altai To The Red Square

apt28
Fancy Bear
TG-4127

The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.

14 November 2022