ALERTS APT



DATE | NAME | CATEGORY / SUBCATEGORY
INFO

4.1.26 | Datebug APT campaign targeting governmental organizations in India | ALERTS / APT
Researchers from Cyfirma have identified a targeted cyber espionage campaign attributed to the Datebug APT group (aka APT36, Transparent Tribe). The campaign uses a deceptive delivery mechanism: weaponized Windows shortcut (LNK) files concealed within a ZIP archive and masquerading as a legitimate PDF to trick victims. The infection chain is notable for its stealthy, fileless execution.

25.12.25 | AshTag malware distributed by the Ashen Lepus APT | ALERTS / APT
Researchers from Palo Alto have detailed an evolving espionage campaign attributed to the Ashen Lepus APT group. This campaign has introduced a fully featured, modular .NET malware dubbed AshTag. The infection chain relies on social engineering and DLL side-loading performed by the AshenLoader malware.

13.12.25 | AdaptixC2 and Havoc tools among the updated arsenal of the Tomiris APT group | ALERTS / APT
Researchers from Securelist reported on updated activities of the Advanced Persistent Threat (APT) group known as Tomiris. The threat actors have been increasingly relying on known public services like Telegram and Discord for command-and-control (C2) communications.

13.12.25 | Monarch APT delivers ValleyRAT malware via Microsoft Teams impersonation | ALERTS / APT
ReliaQuest researchers have identified a campaign conducted by the Advanced Persistent Threat (APT) group known as Monarch (aka Silver Fox, Void Arachne).

5.12.25 | Datebug APT deploys malware targeting BOSS Linux systems | ALERTS / APT
The Pakistan-based advanced persistent threat (APT) group known as Datebug (aka APT36, Transparent Tribe, Storm-0156) is reported to be behind recent attacks targeting Indian government entities running Bharat Operating System Solutions (BOSS) Linux.

29.11.25 | Autumn Dragon APT activity | ALERTS / APT
Autumn Dragon is a sophisticated cyber espionage campaign targeting government and media organizations across Southeast Asia. As reported by the researchers from CyberArmor, the campaign has been active since early 2025. It begins with spearphishing emails containing a malicious RAR archive that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR.

9.11.25 | Recent activity focusing on organizations influencing U.S. policy | ALERTS / APT
China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues.

9.11.25 | Attackers linked to Russia continue activity against Ukraine | ALERTS / APT
Attacks against a large business services organization and a local government organization were recently observed by our Threat Hunter team. Fueled by a heavy reliance on Living-off-the-Land tactics and dual-use tools, the attacker's goal appears to be establishing persistence and theft of sensitive information.

28.10.25 | Brimstone APT distributes NoRobot & MaybeRobot malware | ALERTS / APT
The state-sponsored threat group Brimstone (also known as ColdRiver, UNC4057, Star Blizzard, and Callisto) rapidly overhauled its operations following the May 2025 public disclosure of its LostKeys malware, as reported by the researchers from Google.

19.10.25 | Purseweb APT delivers updated BeaverTail and OtterCookie variants in the latest campaign | ALERTS / APT
Cisco Talos researchers have identified a new campaign attributed to the Purseweb (aka Famous Chollima) threat group that targets job seekers using fake employment offers. The attackers deploy custom infostealing malware strains including BeaverTail and OtterCookie.

19.10.25 | Recent Jewelbug APT activity | ALERTS / APT
Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the network of a Russian IT service provider and lasted for the first five months of 2025.

27.9.25 | RedNovember threat group targets global entities for espionage | ALERTS / APT
A report by Insikt Group at Recorded Future details recent activity of a China-backed threat actor named RedNovember (previously known as TAG-100).

27.9.25 | New malware distribution campaign attributed to the Rustfly APT group | ALERTS / APT
The Rustfly APT group (also known as UNC1549 or Nimbus Manticore) is engaged in a sustained cyberespionage operation targeting the defense manufacturing, telecommunications, and aviation sectors. A recently published report from Checkpoint reveals a heightened focus from this APT group on Western Europe, particularly Denmark, Sweden, and Portugal. The attackers employ sophisticated spear-phishing campaigns, posing as HR recruiters to lure victims to fake career portals.

27.9.25 | Leafperforator APT leverages Nepalese protest movement for mobile malware distribution | ALERTS / APT
Recent activity reported by the researchers from StrikeReady demonstrates a popular trend where geopolitical events serve as bait for targeted cyber threats.

6.9.25 | APT28 introduces NotDoor Backdoor | ALERTS / APT
A new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group, has been identified by LAB52. Delivered via Microsoft OneDrive with DLL side-loading, NotDoor uses an Outlook VBA macro to monitor emails for trigger words, enabling command execution, data exfiltration and file uploads.

6.9.25 | North Korean Vedalia expands espionage via Operation HanKook Phantom | ALERTS / APT
An espionage campaign dubbed Operation HanKook Phantom, attributed to North Korean threat actor Vedalia (also known as APT37, ScarCruft), has been reported by Seqrite targeting South Korean academic and research organizations.

31.8.25 | ShadowSilk: A Mixed-Language APT Targeting Government in Asia | ALERTS / APT
A recently published report details the ShadowSilk threat actor group, a mixed-language (Chinese and Russian) actor primarily focused on data exfiltration from government targets.

26.8.25 | APT36 is evolving with new delivery techniques | ALERTS / APT
A new campaign by APT36 (aka Transparent Tribe) has been reported, leveraging phishing emails containing ZIP archives with malicious .desktop files disguised as PDFs to target users.

26.8.25 | UNC1151 leverages macro-enabled Spreadsheets and Cloud C2 in latest campaign | ALERTS / APT
The UNC1151 APT group has been observed conducting a malware campaign targeting Ukraine and Poland through malicious archive files containing decoy spreadsheets with embedded obfuscated macros.

25.7.25 | Chinese APT Clusters Escalate Attacks on Taiwan's Semiconductor Sector | ALERTS / APT
The Taiwanese semiconductor industry has become the primary target of a series of sophisticated spear-phishing campaigns orchestrated by three distinct Chinese state-sponsored threat actor groups: UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp.

9.7.25 | Datebug APT attacks against BOSS Linux systems | ALERTS / APT
Datebug threat group (also known as APT36 or Transparent Tribe) has been reported to conduct a new campaign targeting the BOSS Linux systems.

6.7.25 | Malicious Abuse of ConnectWise (ScreenConnect) | ALERTS / APT
Over the past several months, we have observed a sharp increase in the malicious use of the popular Remote Monitoring and Management (RMM) tool ConnectWise by ransomware operators, Initial Access Brokers, APTs, and other eCrime actors.

21.6.25 | FIN7-linked GrayAlpha uses PowerShell loaders and TDS to spread NetSupport RAT | ALERTS / APT
GrayAlpha, a cybercriminal group associated with FIN7, has been reported conducting a sophisticated malware campaign using multiple infection vectors to distribute NetSupport RAT via custom PowerShell loaders, PowerNet and MaskBat.

7.6.25 | APT41 using custom malware "TOUGHPROGRESS" to exploit Google Calendar | ALERTS / APT
Threat Actor group APT41 has been observed using custom malware named TOUGHPROGRESS, which leverages Google Calendar events as its C2 channel, allowing it to hide malicious commands in seemingly benign public calendar entries.

4.6.25 | Earth Lamia exploits various SQL injection vulnerabilities | ALERTS / APT
APT threat actor Earth Lamia exploits vulnerabilities in web applications to gain access to organizations, using various SQL injection vulnerabilities discovered in those applications to reach the SQL servers of targeted organizations for data exfiltration.

28.5.24 | Swan Vector APT campaign | ALERTS / APT
A new APT campaign, dubbed "Swan Vector", has been targeting East Asian nations, particularly Japan and Taiwan.

22.5.24 | SideWinder APT using old Office Vulnerabilities | ALERTS / APT
A new cyber-espionage campaign by APT group SideWinder has been targeting high-profile government institutions in Bangladesh, Pakistan, and Sri Lanka. The attackers leverage spear-phishing lures paired with geofenced payloads to ensure that only victims in specific countries receive the malicious content. To activate the infection process and deploy the StealerBot malware, a combined exploitation of old vulnerabilities (CVE-2017-0199 and CVE-2017-11882) takes place.

9.5.24 | Earth Kasha threat actor targets Taiwan and Japan in a recent campaign | ALERTS / APT
As recently reported by the researchers from Trend Micro, Earth Kasha threat group continues to target users in Taiwan and Japan. The attackers leverage a dropper malware dubbed RoamingMouse that comes in the form of a macro-enabled MS Excel file.

2.5.24 | ClickFix social engineering tactic being used by various APT groups | ALERTS / APT
ClickFix has gained traction in targeted espionage operations across multiple APT groups from North Korea, Iran, and Russia. This is a social engineering tactic where malicious websites impersonate legitimate software or document sharing platforms.

2.5.24 | Iranian threat actor targeted critical Middle Eastern infrastructure | ALERTS / APT
Researchers at Fortinet have recently published their investigation into an Iranian threat actor's attack against critical infrastructure in the Middle East.

29.4.25 | Multi-Stage malware campaign targeting South Korean entities linked to Konni APT | ALERTS / APT
A sophisticated multi-stage malware campaign potentially linked to the North Korean Konni APT group has been observed targeting entities primarily in South Korea. The attack begins with a ZIP file containing a disguised .lnk shortcut which executes an obfuscated PowerShell script designed to download and run additional malicious payloads.

24.4.25 | Billbug APT continues campaigns in Southeast Asia | ALERTS / APT
The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025.

18.4.25 | A recent campaign attributed to the Fritillary APT group | ALERTS / APT
A new malicious campaign targeting diplomatic entities in Europe has been attributed to the cyberespionage group called Fritillary (aka Midnight Blizzard, APT29). According to recent research by Checkpoint, the attackers have been leveraging a new custom malware loader dubbed GrapeLoader as well as an updated variant of the WineLoader backdoor.

9.4.25 | Springtail APT group targets South Korean government entities | ALERTS / APT
The Springtail (aka Kimsuky) APT group recently engaged in campaigns targeting South Korean government entities. The campaigns leveraged government-themed messaging (one being tax related and another regarding a policy on the topic of sex offenders) to distribute malicious LNK files as malspam attachments.

22.3.25 | Recent UAT-5918 APT malicious activities targeting entities in Taiwan | ALERTS / APT
Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation.

13.3.25 | Blind Eagle malicious .url files variant | ALERTS / APT
Blind Eagle (aka APT-C-36) is a threat actor group that engages in both espionage and cyber-crime. It primarily targets organizations in Colombia and other Latin American countries, focusing on government institutions, financial organizations, and critical infrastructure.

13.3.25 | Leafperforator APT conducts attacks on maritime sector | ALERTS / APT
A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group.

1.3.25 | Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims | ALERTS / APT
The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. In a recent report by researchers at Cisco Talos, activity from this group was seen in attacks affecting organizations such as governments, manufacturing, and telecommunications and media in Asia.

27.2.25 | Vedalia APT group phishing campaign delivers RokRat malware across Asia | ALERTS / APT
A phishing campaign by the North Korean-linked threat actor Vedalia (also known as APT37, RedEyes and ScarCruft) has been reported delivering fileless RokRat malware. The campaign targets government and corporate entities across South Korea and Asia.

18.02.25 | Recent RedCurl (aka EarthKapre) APT activity | ALERTS / APT
RedCurl (also known as EarthKapre) is a threat group known for conducting espionage and data exfiltration activities. The recently observed campaign attributed to this threat actor has been leveraging a legitimate Adobe executable (ADNotificationManager.exe) to sideload malicious binaries. The infection chain has been initiated via crafted PDF malspam leading to ZIP-compressed .img binaries.

11.02.25 | Trojanized KMS activation tools leveraged in latest Sandworm APT campaigns | ALERTS / APT
According to the latest report published by EclecticIQ researchers, Sandworm APT (aka APT44, UAC-0145) has been recently engaged in espionage activities against users in Ukraine. The attackers have been leveraging trojanized Microsoft Key Management Service (KMS) activator tools and fake update installers in efforts aimed at distribution of a new BackOrder loader variant. This new variant utilizes various LOLbin binaries as one of the defence evasion measures. The final payload spread in this campaign belongs to the Dark Crystal RAT (DcRAT) malware family and can be used by the threat actors for cyber espionage and sensitive data exfiltration.

18.1.25 | Recent malicious activities of the Fireant APT group | ALERTS / APT
The Fireant (aka RedDelta, Mustang Panda) advanced persistent threat (APT) group has been targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia in a recent campaign spreading an updated variant of the PlugX backdoor.

1.11.24 | Daggerfly targets Taiwanese entities with new CloudScout Toolset | ALERTS / APT
China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. This toolset can retrieve data from various cloud services by leveraging stolen web session cookies. Additionally, CloudScout integrates seamlessly with MgBot, Evasive Panda's signature malware framework.

27.10.24 | IcePeony: China-linked APT group targeting Southeast Asian governments | ALERTS / APT
A recently identified APT group linked to China dubbed IcePeony has been detected conducting malware campaigns targeting government agencies and institutions in countries such as India, Mauritius, and Vietnam. The group's attack vector often involves SQL injection, leading to compromises via web shells and backdoors that utilize custom malware like "IceCache" to infiltrate networks.

27.10.24 | Leafperforator APT group expands operations into the Middle East and Africa | ALERTS / APT
Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings.

27.10.24 | Threat actors associated with North Korea target tech job seekers with malware | ALERTS / APT
The Contagious Interview campaign started in 2023 and is perpetuated by threat actors associated with North Korea. Recent activity has been observed that can be tied to this campaign with threat actors posing as job recruiters and luring victims into supposed interviews. Newer variants of previously used malware targeted individuals seeking jobs in the tech industry. The BeaverTail downloader and stealer is responsible for downloading the final InvisibleFerret backdoor payload. Researchers in Palo Alto Networks Unit 42 published a report with technical details of this activity.

27.10.24 | VeilShell: A new threat from North Korea's Vedalia APT group | ALERTS / APT
According to reports, threat actors linked to North Korea have been deploying a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a campaign targeting Southeast Asian countries. This activity is attributed to the Vedalia APT group (aka APT37, ScarCruft, Reaper).

27.10.24 | CeranaKeeper APT Campaign | ALERTS / APT
A recent CeranaKeeper APT campaign was observed by researchers. This China-linked threat actor targets government entities in Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group continuously updates its tools, such as backdoors, to evade detection and exploits cloud services like Dropbox and OneDrive for custom solutions. They also leverage GitHub's features to create a covert reverse shell, using the platform as their dedicated C2 server.

28.9.24 | Louse APT Group launches malware campaign targeting Chinese entities | ALERTS / APT
The Louse APT group (also known as Patchwork and Dropping Elephant) has reportedly launched a malware campaign targeting Chinese entities. The attack vector involves a malicious LNK file, likely originating from a phishing email. This file executes a PowerShell script that downloads a decoy PDF and a malicious DLL, which is loaded using DLL sideloading techniques.

20.9.24 | North Korean APT group Appleworm delivers PondRAT via poisoned Python packages | ALERTS / APT
An ongoing campaign involving poisoned Python packages delivering backdoors for Linux and macOS, dubbed PondRAT, has been reported. This campaign is believed to be driven by the North Korean APT group Appleworm (also known as AppleJeus, Citrine Sleet, Gleaming Pisces).

17.9.24 | Fireant (APT31) unveils new tools in recent campaign against Asia-Pacific government entities | ALERTS / APT
The China-linked threat actor known as Fireant (also referred to as Mustang Panda or APT31) has recently been observed using new tools, including PUBLOAD, FDMTP, and PTSOCKET, in espionage attacks targeting government entities in the Asia-Pacific region.

13.9.24 | VSCode abused by Chinese APT group | ALERTS / APT
Stately Taurus, a Chinese APT group that carries out cyber-espionage attacks, has abused Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. This threat actor used VSCode's embedded reverse shell feature to gain a foothold in target networks to execute arbitrary code and deliver additional payloads. They leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data.

6.9.24 | Tropic Trooper unleashes new China Chopper variant and Crowdoor loader | ALERTS / APT
Tropic Trooper, a Chinese-speaking APT group, has been reported targeting Middle Eastern government entities in a cyber espionage campaign. The attackers focused on systems related to human rights studies, using a new China Chopper variant deployed on a compromised Umbraco CMS server. The group employed DLL hijacking to load malicious payloads, including Crowdoor, a loader linked to the SparrowDoor backdoor.

20.8.24 | Threat actor Damselfly conducts campaigns against the U.S. and Israel | ALERTS / APT
Damselfly (aka APT42, Charming Kitten) is a well-established Iranian-based threat actor. The group has routinely attacked high value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's own military and political ideals. Observed credential phishing campaigns use socially engineered lures and leverage links, fake sites and publicly available services like Dropbox, OneDrive, and those offered by Google.

3.8.24 | Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in recent attacks | ALERTS / APT
As reported by researchers from Cisco Talos, the Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers have been reported to exploit an old and vulnerable version of a Microsoft Office IME file (imecmnt.exe) for the purpose of second-stage loader and payload execution.

2.8.24 | DoNot APT Targeting Pakistani Android Mobile Users | ALERTS / APT
APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. The primary objective of these threat actors is to access confidential information and intellectual property. Their techniques include encryption and fileless malware to evade detection.

27.7.24 | Continuous espionage activities attributed to the Stonefly APT | ALERTS / APT
Symantec Security Response is aware of the recent joint alert from CISA, FBI and several other partners concerning a number of recent targeted activities attributed to the Stonefly APT group (also known as Andariel or DarkSeoul).

24.7.24 | Grayfly is targeting and compromising multiple sectors | ALERTS / APT
Over the past few weeks, multiple campaigns have been reported, carried out by the China-linked APT group Grayfly, also known as APT41.

19.7.24 | APT17 Campaign: New variants of 9002 RAT targeting Italian government entities | ALERTS / APT
A malware campaign by the APT17 group has been reported, distributing newer variants of 9002 RAT. The campaign specifically targets government entities and Italian companies. Users are lured with a link to a masqueraded Italian government domain, purportedly to download a Skype installer.

12.7.24 | OilAlpha targets Arabic-speaking humanitarian NGOs in Yemen | ALERTS / APT
OilAlpha continues to target Arabic-speaking entities, as well as those interested in humanitarian organizations and NGOs operating in Yemen. According to reports, users are lured to a deceptive web portal that mimics the generic login interfaces of humanitarian organizations such as CARE International and the Norwegian Refugee Council, with the aim of stealing credentials.

9.7.24 | Popular sticky-note installers trojanized to push malware | ALERTS
A recent report by CTA member Rapid7 disclosed that installers for the popular sticky-note app 'Notezilla' have been trojanized in order to deliver malware.

2.7.24 | Datebug APT continues to spread CapraRAT Android malware | ALERTS / APT
Renewed malicious activity associated with the Datebug APT (aka Transparent Tribe or APT36) has been reported by researchers from SentinelOne. The threat actors continue to distribute Android malware known as CapraRAT via malicious Android .apk packages that mimic the appearance of legitimate apps. While the Datebug group has been known to target individuals within military and government sectors in India, this updated campaign leverages some new lures and attempts to expand its reach to users interested in mobile gaming or TikTok videos, and to weapon enthusiasts.

12.6.24 | Fireant APT targets Vietnamese entities with LNK file malware campaign | ALERTS / APT
A malware campaign conducted by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported. The threat actor targets Vietnamese entities with lures related to the education sector and tax compliance. The attack vector involves phishing emails with archive (zip, rar) attachments containing malicious LNK files. The final payload is believed to be the PlugX RAT, which helps the attackers to remotely execute various commands on the compromised system.

8.6.24 | Sticky Werewolf APT | ALERTS / APT
Sticky Werewolf is a threat group initially discovered over a year ago. The attackers have been known to target various organizations, most recently the pharmaceutical and aviation sectors. In their attacks the threat actors leverage malicious .lnk files disguised as .docx documents, decoy .pdf files, malicious Batch and AutoIT scripts, among others. The final payloads distributed in campaigns by Sticky Werewolf include various RAT variants and infostealers. Some examples of malware families spread in previous attacks are Rhadamanthys Stealer, Ozone RAT, MetaStealer, DarkTrack and NetWire.

8.6.24 | UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaign | ALERTS / APT
The UNC1151 APT group has been observed conducting a malware campaign utilizing a malicious Excel document. This group is known for targeting Eastern European countries. In the recent campaign, UNC1151 has been observed targeting the Ukrainian Ministry of Defence, utilizing a malicious Excel document as a lure. Upon execution of the Excel document, which contains an embedded VBA macro, it drops an LNK file and a DLL loader. Subsequently, running the LNK file initiates the DLL loader, potentially leading to suspected final payloads including AgentTesla, Cobalt Strike beacons, and njRAT.

30.5.24 | Datebug updating toolkits with Golang to be cross-platform | ALERTS / APT
APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang created with the goal of targeting APAC governments and defense sectors. The group utilizes phishing emails to lure recipients into opening an attached or linked malicious ZIP or ISO file which leads to the data exfiltration tool being installed.

30.5.24 | Emergence of a new North Korean threat actor dubbed Moonstone Sleet | ALERTS / APT
A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet. This actor has been detected engaging in various deceptive tactics, including the establishment of fake companies and job listings to lure potential targets. Additionally, they have been distributing trojanized versions of legitimate software tools, developing malicious games, and introducing a novel custom ransomware named FakePenny, comprising a loader and an encrypter. Their targets span individuals and organizations across sectors such as software and information technology, education, and defense industrial base.

25.5.24 | Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regions | ALERTS / APT
An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers.

23.5.24 | Expanded operations of the Sharp Dragon APT | ALERTS / APT
As reported by Checkpoint, the Sharp Dragon APT group (formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and in the Caribbean. Sharp Dragon is known to use large-scale phishing attacks, malicious RTF files and DLL loaders, but most recently also executable loaders disguised as documents. The threat group has also been reported to leverage the CVE-2023-0669 RCE vulnerability affecting Fortra GoAnywhere in their attacks.

21.5.24 | Springtail threat group uses new Linux backdoor in attacks | ALERTS / APT
In a newly released report, Symantec's Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North-Korean Springtail espionage group (aka Kimsuky). This group is linked to malware used in a recent campaign against organizations in South Korea. The campaign leveraged Trojanized software installation packages to deliver the backdoor.

3.5.24 | NiceCurl and TameCat custom backdoors leveraged by Damselfly APT | ALERTS / APT
NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). These backdoors are reported to be delivered mostly by spear-phishing campaigns and used by the threat actors for the purpose of initial access to the targeted environments. While NiceCurl is a VBScript-based malware with capabilities to download and execute additional modules, the TameCat backdoor is used to execute PowerShell and C# scripts as well as download additional arbitrary content.

25.4.24 | SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaign | ALERTS / APT
A new loader has emerged called SSLoad, distinct from SLoad. Reports reveal a campaign where attackers were observed abusing and sending malicious links via contact forms. Clicking these links will download and install the SSLoad malware, then this DLL-based loader will deploy further backdoors and payloads, including a Cobalt Strike beacon to establish connection to the attacker's C2 servers to exfiltrate system and user information.

25.4.24 | SpyNote campaign using Vietnam's National Public Service as bait | ALERTS / APT
SpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. In a recent campaign, Symantec observed the threat (DỊCH VỤ CÔNG.apk) masquerading as an official app from Vietnam's National Public Service web platform, which offers extensive online public services for both citizens and businesses.

25.4.24 | APT43 exploits Dropbox in TutorialRAT distribution campaign | ALERTS / APT
The APT43 group has been observed distributing TutorialRAT by actively exploiting Dropbox cloud storage as a base for their attacks to evade threat monitoring. This campaign appears to be an extension of APT43's BabyShark threat campaign and employs typical spear-phishing techniques, including the use of shortcut (LNK) files. TutorialRAT is a C#-based remote control program that functions as an infostealer, collecting and exfiltrating device and users' personal information.

22.4.24 | Core Werewolf APT group targets Russian defense organizations in espionage campaign | ALERTS / APT
Espionage activity of the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. The attack utilized a malicious document as bait, purportedly meant for the presentation of state awards to special forces soldiers. However, the document is actually a 7zSFX archive containing a legitimate remote access tool, UltraVNC. Upon extraction, the malware creates copies of a decoy document and the UltraVNC executable, schedules tasks to run the executable, and establishes a connection to a designated server.

20.4.24 | Coreid (aka Fin7) uses backdoor against US Automaker victims | ALERTS / APT
A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. According to the report, the campaign leveraged spearphishing emails against selected targets by socially engineering content related to free online scanning tools. The victim would be coerced into following a link to a typosquatted domain related to a legitimate online scanner.

20.4.24 | APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings | ALERTS / APT
A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for potential cryptocurrency earnings by leveraging the allure of blockchain-based gaming. Users are enticed to visit the main webpages of these projects to download the software. Once installed, the software further infects devices with infostealer malware. Depending on the operating system, the malware variants include Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro.

8.4.24 | African-based telecommunications organizations targeted by Iranian Seedworm group | ALERTS / APT
The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, which occurred in November 2023, leveraged some new and some existing features previously attributed to Seedworm.

27.3.24 | Stately Taurus APT Campaign Targeting Asian Countries | ALERTS / APT
Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign during an ASEAN-Australia Special Summit held just this month, targeting Asian countries. Two malware packages were created and deployed for this recent attack: one is in ZIP format and the other is a SCR file. The main goal of both packages is to deploy malware with the use of abused copies of applications from known software developers like QFX Software Corporation and Electronic Arts, Inc.