A different approach to analyzing and simplifying threat intelligence

Threats Feed

We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now publicly accessible. We are working to add further practical features and useful resources, with the aim of supporting an informed community. Stay connected for further updates.

  1. APT34 Targets Iraqi Government with Dual-Channel C2 and Obfuscated Backdoors

    APT34 (OilRig) has launched a targeted cyber espionage campaign against Iraqi government entities since 2024, using spearphishing emails with forged documents to deploy custom C# malware disguised as PDF files. The malware performs system reconnaissance, anti-VM checks, and sets up persistence via scheduled tasks. It communicates with command-and-control infrastructure through both HTTP and compromised Iraqi government email accounts (SMTP/IMAP). The group also utilizes European-hosted infrastructure with deceptive 404 pages and obfuscated communication protocols. Targeted sectors include government, energy, finance, defense, and telecommunications, indicating a continued focus on intelligence gathering in the Middle East.

  2. BellaCPP: Charming Kitten's Latest Malware Innovation in Asia

    Kaspersky has uncovered BellaCPP, a new C++ variant of the BellaCiao malware family linked to the Charming Kitten threat actor. Found on an infected machine in Asia, BellaCPP features domain generation, XOR-encrypted string decryption and SSH tunneling, with payloads stored in critical directories such as C:\Windows\System32. It lacks a webshell, which points to a refined design. Its PDB paths reveal targeting details and highlight the actor's evolving capabilities. These findings underscore the need for robust cybersecurity and thorough network scanning to counter such threats.

  3. OilRig's Cyber Tactics: Targeting Middle East Sectors with Stealthy Attacks

    OilRig (APT34) has targeted the government, technology and energy sectors across the Middle East. Its operations include spearphishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT), and exploitation of vulnerabilities such as CVE-2024-30088. The group relies on obfuscation techniques to evade detection and uses tools such as STEALHOOK for privilege escalation, lateral movement and data exfiltration. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, highlighting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate advanced persistence, stealth and adaptability in line with state-sponsored objectives.

  4. CyberAv3ngers’ Malware Hits IoT/OT Systems in Fuel and Energy Sectors

    Team82's research details the IOCONTROL malware, a custom-built cyberweapon used by Iran-linked attackers, specifically the CyberAv3ngers group. The malware targets a range of industrial control systems (ICS) and Internet of Things (IoT) devices, notably impacting fuel management systems in Israel and the US. IOCONTROL's functionality includes communication via the MQTT protocol and features such as arbitrary code execution and self-deletion. The analysis reveals the malware's infrastructure, including its command-and-control server and the methods used to evade detection. The report concludes that IOCONTROL represents a significant threat to critical infrastructure, highlighting the ongoing geopolitical conflict.
