Latest Update30/06/2025

Threats Feed

  1. Public

    Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors

    The Lyceum group (also known as Hexane) is a cyber threat actor focused on the telecommunications, energy and aviation sectors, particularly targeting high-profile organisations in Tunisia. Active since 2018, Lyceum has recently replaced its .NET-based malware with new C++ backdoors and PowerShell scripts to evade detection. The group continues to rely on DNS tunneling for command and control (C2) and uses tools for system reconnaissance, credential theft and keylogging. Lyceum also uses spoofed domains to disguise its activities, demonstrating an adaptive approach to persistent targeting of critical infrastructure.

    read more about Lyceum Intensifies Cyber Espionage on Tunisian Telecom and Aviation Sectors
  2. Public

    MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT

    The Iranian APT group MalKamak has been targeting aerospace and telecommunications companies in the Middle East since at least 2018, with additional victims in the US, Russia and Europe. The group uses ShellClient, a newly discovered remote access trojan (RAT), to conduct highly targeted cyberattacks. ShellClient uses Dropbox, a popular cloud-based service, for command and control (C2) operations, replacing the group's previous C2 infrastructure.

    read more about MalKamak Targets Middle Eastern Aerospace and Telecom Firms with ShellClient RAT
  3. Public

    MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe

    Operation GhostShell is a cyber espionage campaign targeting aerospace and telecommunications companies, primarily in the Middle East, with victims in the U.S., Russia and Europe. The operation, carried out by the Iranian group MalKamak, uses a stealthy, evolving remote access trojan (RAT) called ShellClient, which has been in development since 2018. ShellClient evades detection through masquerading, AES encryption and WMI-based reconnaissance. The attackers used tools such as PAExec for lateral movement and lsa.exe for credential dumping. Data exfiltration was facilitated by using WinRar to compress stolen information before sending it via Dropbox.

    read more about MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe
  4. Public

    Siamesekitten APT Targets Israeli IT Firms with Supply Chain Attacks

    The Iranian APT group Siamesekitten (Lyceum/Hexane) launched targeted cyberattacks on Israeli IT and technology firms in 2021 using advanced social engineering and supply chain tactics. The campaign impersonated HR personnel and organizations via phishing websites and LinkedIn profiles to distribute malware such as Milan and its successor Shark. Victims were infected with DanBot RAT through DNS tunneling and HTTPS C2 communication. The group also exploited legitimate tools like UltraVNC for remote access. Known for prior attacks on oil, gas, and telecom sectors in the Middle East and Africa, Siamesekitten’s recent focus highlights its shift to Israeli targets for espionage and data theft.

    read more about Siamesekitten APT Targets Israeli IT Firms with Supply Chain Attacks
  5. Public

    Domestic Kitten: Inside Iran's Surveillance Campaign Against Citizens

    APT-C-50's Domestic Kitten surveillance operation, linked to the Iranian government, targets over 1,200 Iranian citizens including dissidents, opposition forces, and minorities. Since 2017, ten campaigns delivered the FurBall malware via Iranian blogs, Telegram channels, and SMS links. FurBall collects device data, call logs, SMS messages, and media files, tracking victims' activities. It leverages commercially available parental control software, KidLogger, for its operations. This extensive surveillance continues with four active campaigns as of November 2020.

    read more about Domestic Kitten: Inside Iran's Surveillance Campaign Against Citizens
  6. Public

    Election Interference Exposed: Iranian APT Scans and Exploits U.S. Voter Data

    The joint advisory from CISA and the FBI reveals that an Iranian advanced persistent threat (APT) actor targeted U.S. state websites, specifically election websites, in an attempt to influence the 2020 presidential election. The actor employed methods like scanning with Acunetix, exploiting public-facing applications, and using VPN services to masquerade their operations. The APT also attempted to access and distribute U.S. voter registration data, which was subsequently used in disinformation campaigns misleadingly attributed to domestic sources. The operations spanned from September 20 to October 17, 2020, aiming to compromise election infrastructure and gather sensitive information.

    read more about Election Interference Exposed: Iranian APT Scans and Exploits U.S. Voter Data
  7. Public

    Cyber Threats from Iranian APT Actors to U.S. Electoral Integrity

    Iranian APTs are suspected of attempting to disrupt the U.S. electoral process to undermine public confidence and create discord among voters. These activities have included the creation of fictitious and spoofed media sites to distribute misinformation about voter issues, utilizing voter-registration data, and spreading anti-American sentiments. The APT groups have exploited critical vulnerabilities such as CVE-2020-5902 and CVE-2017-9248, impacting VPNs and content management systems, to conduct distributed denial-of-service (DDoS) attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.

    read more about Cyber Threats from Iranian APT Actors to U.S. Electoral Integrity
  8. Public

    Lyceum APT Targets Middle Eastern Oil, Gas, and Telecom Sectors

    The Lyceum APT targets the oil, gas and telecommunications sectors in the Middle East, focusing on credential theft and network infiltration through a multi-stage attack chain. The initial infection involves malicious Microsoft Office documents that deploy DanDrop, a VBA-based malware dropper that installs DanBot, a remote access Trojan used for ongoing control. The group also uses PowerShell scripts, including keyloggers and credential decryption tools, to gather sensitive data from Active Directory and RDCMan configurations. The sophisticated attack chain used by this cybercrime group highlights the ongoing threat to critical infrastructure in the Middle East.

    read more about Lyceum APT Targets Middle Eastern Oil, Gas, and Telecom Sectors
  9. Public

    Rampant Kitten: Iranian Cyber Espionage Campaign Exposed

    Check Point Research uncovered an ongoing Iranian espionage campaign, Rampant Kitten, targeting Iranian expats and dissidents. The attackers used Windows infostealers to steal personal documents and access Telegram and KeePass accounts. They employed Android backdoors to intercept SMS-based 2FA codes and record audio, and also created Telegram phishing pages. The campaign's initial infection vector involved a malicious document exploiting external template loading. Key targets included anti-regime organizations and minority resistance groups such as AFALR and Azerbaijan National Resistance Organization. The malware utilized SOAP for communication and featured sophisticated persistence and data exfiltration techniques.

    read more about Rampant Kitten: Iranian Cyber Espionage Campaign Exposed
  10. Public

    PIONEER KITTEN: Exploiting VPN Vulnerabilities to Target Sensitive Sectors

    Pioneer Kitten, an Iran-based adversary active since 2017, targets North American and Israeli entities of intelligence interest, including technology, government, defense, and healthcare sectors. The group relies on exploiting vulnerabilities in VPNs and network appliances (e.g., CVE-2019-11510, CVE-2019-19781, CVE-2020-5902) for initial access, and uses open-source tools like Ngrok and SSHMinion for SSH tunneling and RDP for hands-on activity. Recently, PIONEER KITTEN was seen selling access to compromised networks on underground forums, indicating an attempt to diversify revenue streams.

    read more about PIONEER KITTEN: Exploiting VPN Vulnerabilities to Target Sensitive Sectors
  11. Public

    Iranian Threat Group ITG18 Exposed: Targeting US Military and Political Campaigns

    IBM X-Force IRIS uncovered extensive details on ITG18 through operational errors. Over 40 GB of data and videos revealed ITG18’s targeting of U.S. Navy and Hellenic Navy personnel, U.S. presidential campaigns, pharmaceutical companies, and Iranian-American figures. The group employed credential harvesting, phishing, and email compromise, often using Zimbra to manage compromised accounts. ITG18's operations align with Iranian strategic interests, leveraging personal accounts to gather sensitive data on military operations and geopolitical targets. Multifactor authentication posed challenges, causing operators to pivot to new targets.

    read more about Iranian Threat Group ITG18 Exposed: Targeting US Military and Political Campaigns
  12. Public

    Credential and Information Theft: APT33's Job Scam Campaign

    Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

    read more about Credential and Information Theft: APT33's Job Scam Campaign
  13. Public

    Inside Hexane: Sophisticated Cyber Tools and Tactics Targeting Critical Industries

    Hexane (LYCEUM), a threat actor primarily targeting the Middle East’s oil, gas, and telecommunications sectors, has expanded its attack methods. Using spear-phishing emails with malicious Excel macros, the group delivers DanBot, a RAT capable of DNS and HTTP-based command and control, file transfer, and command execution. Additional tools include a PowerShell-based keylogger, credential decryption scripts, and LDAP data-extraction tools targeting Active Directory accounts. They employ social engineering, password spraying, and DNS tunneling to maintain access, frequently rotating C2 infrastructure. The group’s activity indicates continued cyber threats within these critical sectors.

    read more about Inside Hexane: Sophisticated Cyber Tools and Tactics Targeting Critical Industries
  14. Public

    APT33 Elevates C2 Capabilities with New PowerShell Malware

    The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

    read more about APT33 Elevates C2 Capabilities with New PowerShell Malware
  15. Public

    Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps

    The Domestic Kitten campaign, an Iranian surveillance operation active since 2016, targets Iranian citizens, including Kurdish and Turkish natives and ISIS supporters, using malicious mobile apps. These apps, disguised as legitimate, collect sensitive information such as contact lists, call records, SMS messages, browser history, geo-location, photos, and surrounding voice recordings. The stolen data is encrypted and exfiltrated to C&C servers, with IP addresses linked to Iranian origins. The operation's infrastructure suggests involvement by Iranian government entities like the IRGC and Ministry of Intelligence.

    read more about Domestic Kitten: Iranian Surveillance on Citizens Using Malicious Mobile Apps
  16. Public

    Unveiling APT33’s Dropshot: Decrypting the Sophisticated Wiper Malware

    APT33’s Dropshot, also known as StoneDrill, is a sophisticated wiper malware targeting organizations primarily in Saudi Arabia. Dropshot uses advanced anti-emulation techniques and obfuscation to evade detection. The malware decrypts its payload from an encrypted resource and employs anti-emulation strategies, including invalid Windows API calls. It also leverages zlib for decompression. This analysis focuses on decrypting Dropshot's encrypted resource to understand its functionality. The malware's association with APT33 and similarities to the Shamoon malware underscore its threat to targeted sectors.

    read more about Unveiling APT33’s Dropshot: Decrypting the Sophisticated Wiper Malware
  17. Public

    APT33's Dropshot Malware: Advanced Evasion Techniques Unveiled

    APT33's Dropshot malware, also known as StoneDrill, targeted organizations primarily in Saudi Arabia. Dropshot, a sophisticated wiper malware, employs advanced anti-emulation techniques and string encryption to evade detection and analysis. The malware's high entropy suggests packed or compressed data, particularly in the .rsrc section, indicating hidden malicious content. This analysis focuses on decrypting the strings within Dropshot.

    read more about APT33's Dropshot Malware: Advanced Evasion Techniques Unveiled
  18. Public

    Espionage Operations by Flying Kitten Impact US, Israel, and Academia

    The Flying Kitten group conducted extensive espionage and surveillance campaigns from 2013 to 2014. Utilizing spearphishing, social engineering, and the "Stealer" malware, they targeted high-profile individuals, security researchers, and various sectors. The campaigns involved compromised social media accounts and phishing domains to gather credentials and sensitive information. The malware recorded keystrokes, took screenshots, and collected system data, focusing on credential harvesting rather than file exfiltration. This activity impacted targets in the United States, Israel, and global academia and business sectors.

    read more about Espionage Operations by Flying Kitten Impact US, Israel, and Academia
  19. Public

    Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran

    The Iranian cyber groups Flying Kitten and Rocket Kitten exhibited overlapping tactics in credential theft and spearphishing, targeting entities in sectors like media, education, and technology across the UK, US, and Iran. Utilizing domains that mimicked legitimate services, such as Google and Microsoft, they orchestrated phishing campaigns to harvest user credentials. Their operations involved shared phishing toolkits and malware, including a keylogger, with connections back to Iranian infrastructure. Despite cessation of Flying Kitten activities post-2014, their tools and tactics were resurrected by Rocket Kitten, highlighting the persistent threat posed by these actors.

    read more about Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran
  20. Public

    Saudi Arabian Government Hit by Stealthy Macro Malware

    A Saudi Arabian Government entity has been targeted by an innovative attack that relies on macros within malicious Word documents and leverages various scripts rather than a binary payload. The attack uses a VBScript to lower security settings within Microsoft Word and Excel and fetches data from Pastebin. A PowerShell script then communicates with the C2 server and exfiltrates data, persistently remaining undetected and continuing to collect information from the targeted system. The primary targeted sector is the Government.

    read more about Saudi Arabian Government Hit by Stealthy Macro Malware
  21. Public

    CopyKittens Targets Israeli Media and Palestinian Healthcare in Watering Hole Attacks

    The Iranian threat agent CopyKittens compromised multiple Israeli websites, including the Jerusalem Post, and one Palestinian Authority website between October 2016 and January 2017. The attackers bought access to the server to gain the access, inserting a single line of Javascript into existing libraries. This enabled them to load further malicious Javascript from a domain they controlled, selectively targeting users based on their IP addresses. The malicious payload used was the BeEF Browser Exploitation Framework.

    read more about CopyKittens Targets Israeli Media and Palestinian Healthcare in Watering Hole Attacks
  22. Public

    CopyKitten’s Spearphishing Attack on Israeli Ministry of Communications

    CopyKitten, a known cyber-attack group, has launched a spearphishing campaign targeting the Israeli government’s Ministry of Communications. The investigation commenced with the identification of a suspicious domain that led to multiple related domains. One such domain closely mimicked the Israeli Prime Minister's SSL VPN login page and was used to drop a malicious Word document titled "Annual Survey.docx." This document had an embedded OLE object that communicated with a C2 server, signifying a well-planned attack. The campaign appears to be part of CopyKitten's ongoing activities against Israeli interests.

    read more about CopyKitten’s Spearphishing Attack on Israeli Ministry of Communications
  23. Public

    Disttrack Malware Decimates Saudi Critical Infrastructure

    The BlackBerry Cylance threat research team's report offers a comprehensive analysis of the Disttrack malware, also known as Shamoon, renowned for its devastating attacks on system master boot records. The report traces the malware's history, its resurgence, and explores its technical operations, including network management capabilities and modular architecture. It particularly highlights Disttrack's impact on Saudi Arabia's critical infrastructure, demonstrating its potential for significant damage. This abstract succinctly captures the essence of the malware's threat and operational dynamics for a general audience.

    read more about Disttrack Malware Decimates Saudi Critical Infrastructure
  24. Public

    Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics

    In mid-November 2016, Mandiant responded to the Shamoon 2.0 malware attack targeting organizations in the Gulf states, marking the return of the suspected Iranian hacker group "Cutting Sword of Justice." This updated version of the 2012 Shamoon malware features embedded credentials, suggesting previous targeted intrusions for credential harvesting. Shamoon 2.0 performs subnet scanning, uses domain-specific credentials for unauthorized access, modifies system registries, and schedules tasks for execution. Its payload involves overwriting system files and wiping boot records, notably shifting imagery from a burning U.S. flag to a photograph of Alan Kurdi, symbolizing a devastating critique through cyber vandalism.

    read more about Shamoon 2.0 Resurfaces in the Gulf States with Enhanced Cyberattack Tactics