Threats Feed
OilRig Supply Chain Attack: Stolen Thai IT Vendor Certificates Hide Karkoff Backdoor
PolySwarm researchers have uncovered previously unreported cyberespionage activity by the Iranian state-sponsored threat actor OilRig (APT34). The campaign leverages a stolen Extended Validation (EV) code signing certificate from a legitimate Thai IT vendor, MOSCII Corporation, to sign malicious payloads, including the custom Karkoff backdoor. By masquerading as legitimate vendor tooling, OilRig targeted Thailand’s energy sector, specifically the Electricity Generating Authority of Thailand (EGAT). The attackers employed advanced defense evasion techniques, such as spoofing compile timestamps to 2014 and padding binaries to 10 MB to bypass automated sandbox environments. This supply chain intrusion highlights OilRig’s continued evolution in targeting critical infrastructure and government agencies through trusted vendor relationships across Southeast Asia and the Middle East.
TA452 Utilizes PowerShell and AutoHotkey in its Intrusion
TA452's August 2022 intrusion involved a malicious Word document with a VBA macro that established persistence and C2 communication. The threat actors used AutoHotkey for keylogging, PowerShell scripts for discovery, and exfiltrated data using makecab.exe. They employed techniques such as base64 encoding, obfuscation, and scheduled tasks to maintain access and evade detection. The campaign is linked to the OilRig group and targeted organizations with custom-tailored malware, hinting at state-sponsored activity. Data was exfiltrated over encrypted channels, with evidence pointing to an organized and targeted approach.
Mia Ash: Anatomy of a cyber espionage persona, COBALT GYPSY lures Middle Eastern targets
The article "The Curious Case of Mia Ash" by SecureWorks details a sophisticated cyber espionage campaign. This campaign involved a fake online persona named Mia Ash, created by the threat group COBALT GYPSY, which is associated with Iranian cyber operations. Mia Ash was used to establish relationships with employees in targeted organizations, primarily in the Middle East and North Africa. The persona, active across various social media platforms, was instrumental in delivering malware through seemingly innocent interactions. The case underlines the increasing complexity of cyber threats where social engineering and fake identities are employed to breach security systems.
COBALT GYPSY's Yet Another PupyRAT-driven Phishing Campaign
SecureWorks researchers identified a phishing campaign targeting a Middle Eastern organization in January 2017, linked to COBALT GYPSY (aka OilRig). The attackers employed spear-phishing emails containing shortened URLs that redirected to spoofed domains. Victims were presented with a malicious Microsoft Office document, which executed PowerShell commands when opened, installing PupyRAT, a multi-platform remote access trojan (RAT).