Latest Update20/12/2024

Threats Feed

  1. Public

    MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe

    Operation GhostShell is a cyber espionage campaign targeting aerospace and telecommunications companies, primarily in the Middle East, with victims in the U.S., Russia and Europe. The operation, carried out by the Iranian group MalKamak, uses a stealthy, evolving remote access trojan (RAT) called ShellClient, which has been in development since 2018. ShellClient evades detection through masquerading, AES encryption and WMI-based reconnaissance. The attackers used tools such as PAExec for lateral movement and lsa.exe for credential dumping. Data exfiltration was facilitated by using WinRar to compress stolen information before sending it via Dropbox.

    read more about MalKamak's GhostShell Campaign Hits Middle East, U.S., and Europe
  2. Public

    TA456's Advanced Espionage Tactics Against Defense Contractors Using LEMPO Malware

    The report from Proofpoint outlines a complex social engineering and malware campaign that appears to have been conducted by an actor aligned with the Iranian state, believed to be TA456. Over several years, TA456 used a fake social media persona, "Marcella Flores," to build a relationship with an employee of an aerospace defense contractor. The aim was to infect the target's computer with the LEMPO malware, designed for reconnaissance and data exfiltration. This campaign serves to illustrate TA456's persistence and advanced social engineering tactics, targeting smaller contractors with the ultimate goal of eventually compromising larger defense firms.

    read more about TA456's Advanced Espionage Tactics Against Defense Contractors Using LEMPO Malware
  3. Public

    Tortoiseshell's Cross-Platform Espionage Targets Military and Defense Industries in US, UK, and Europe

    Tortoiseshell targeted military personnel and companies in the defense and aerospace industries, primarily in the United States and, to a lesser extent, the UK and Europe. The group used social engineering, phishing, and custom malware tools, including Syskit and a Liderc-like reconnaissance tool, to compromise and profile victims' systems. The campaign involved fake online personas, spoofed domains, and outsourced malware development to Tehran-based IT company Mahak Rayan Afraz (MRA), which has ties to the Islamic Revolutionary Guard Corps (IRGC).

    read more about Tortoiseshell's Cross-Platform Espionage Targets Military and Defense Industries in US, UK, and Europe
  4. Public

    SpoofedScholars: TA453 Targets Intelligence Interests Posing as British Scholars

    Iranian-state aligned actor TA453 has been covertly targeting individuals of intelligence interest to the Iranian government by masquerading as British scholars from the University of London's School of Oriental and African Studies (SOAS). The threat actor, targeted Middle Eastern experts, senior professors, and journalists. TA453 compromised a legitimate academic website to deliver personalized credential harvesting pages.

    read more about SpoofedScholars: TA453 Targets Intelligence Interests Posing as British Scholars
  5. Public

    Iranian APT34's Evolving Arsenal: A Deep Dive into the SideTwist Campaign

    The article from Check Point Research focuses on the resurgence of Iran's APT34 cyber espionage group, which has updated its tactics and tools. This group, also known as OilRig, has targeted a Lebanese entity using a new backdoor variant named "SideTwist". They have refined their strategies to evade detection, continuing their pattern of using job opportunity documents to deliver malware through LinkedIn. The article provides an in-depth analysis of the infection chain, the malware's capabilities, and its persistence techniques. It aligns with APT34's history of targeting Middle Eastern entities, underscoring the ongoing cyber threats in the region.

    read more about Iranian APT34's Evolving Arsenal: A Deep Dive into the SideTwist Campaign
  6. Public

    BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals

    In late 2020, the Iranian-nexus threat actor TA453 launched a credential phishing campaign called BadBlood, targeting senior medical professionals in genetic, neurology, and oncology research in the United States and Israel. The campaign deviates from the group's usual activity and may indicate a shift in TA453's targeting priorities. The attackers used spearphishing emails with links to a fake OneDrive site to harvest user credentials, potentially to exfiltrate email contents or use compromised accounts for further phishing campaigns.

    read more about BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals
  7. Public

    Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

    In December 2021, PHOSPHORUS exploited the Microsoft Exchange ProxyShell vulnerabilities, using web shells to gain initial access and execute code. The attack closely resembled their previous attacks and due to previous reports and OSINT research, DFIR believes with medium to high confidence that this intrusion would have ended in ransomware. The attackers established persistence through scheduled tasks and a newly created account, and after enumerating the environment, disabled LSA protection and dumped LSASS process memory. The entire attack was likely scripted out, as evidenced by the user agent strings and the similarity between commands.

    read more about Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS
  8. Public

    MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion

    The MuddyWater threat group, through an intrusion set named Earth Vetala, targeted various organizations in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the United Arab Emirates. The group used spear-phishing emails to distribute malicious packages, predominantly aiming at Government Agencies, Academia, and the Tourism sector. MuddyWater deployed post-exploitation tools to dump passwords and establish a persistent presence within targeted systems. They used multiple C&C servers to execute obfuscated PowerShell scripts and were persistent in attempting multiple techniques to establish connectivity despite repeated failures.

    read more about MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion
  9. Public

    Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors

    The cyberespionage group, Static Kitten, launched a cyber attack primarily targeting the government sectors of the United Arab Emirates (UAE) and Kuwait. Using geopolitical lures and masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait, the attackers aimed to install a remote management tool called ScreenConnect on victims' devices. The campaign involved phishing emails, URL masquerading, and delivering ZIP files that purport to contain relevant documents but instead initiate the ScreenConnect installation process.

    read more about Static Kitten Launches Cyberespionage Attack on UAE and Kuwait Government Sectors
  10. Public

    Unwrapping Charming Kitten's Holiday Phishing Campaign

    During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.

    read more about Unwrapping Charming Kitten's Holiday Phishing Campaign
  11. Public

    Iranian APT39 Uses Android Malware for Domestic Surveillance

    The ReversingLabs analysis, based on an FBI report, reveals that the Iranian-backed APT39 (Rana Corp) is using Android malware for state-sponsored surveillance, primarily targeting individuals deemed a threat by the Iranian government. The malware exploits smartphone features such as the camera and microphone to spy on users. It can intercept SMS, record audio, take photos and manipulate network connections. Obfuscation techniques were used, but analysis of an older sample revealed key capabilities for remote monitoring and control. The malware specifically monitors Iranian messaging apps, suggesting domestic surveillance. Targeted sectors include political dissidents and individuals of interest within Iran.

    read more about Iranian APT39 Uses Android Malware for Domestic Surveillance
  12. Public

    Phosphorus Targets Munich Security Conference and T20 Summit Attendees

    The Iranian threat actor Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia through a series of cyberattacks. The attackers sent spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Their goal was intelligence collection, and they successfully compromised several high-profile individuals' accounts.

    read more about Phosphorus Targets Munich Security Conference and T20 Summit Attendees
  13. Public

    Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections

    The espionage group Seedworm (aka MuddyWater) has been actively targeting government organizations, telecoms, and computer services sectors across the Middle East, including Iraq, Turkey, Kuwait, the United Arab Emirates, Georgia, Afghanistan, Israel, Azerbaijan, Cambodia, and Vietnam. Seedworm's recent activities, linked to the PowGoop tool, involve PowerShell usage, credential dumping, and DLL side-loading. The group establishes connections to its infrastructure using Secure Sockets Funneling and Chisel while deploying PowGoop through remote execution tools. The connection between PowGoop and Seedworm remains tentative, suggesting potential retooling.

    read more about Seedworm's Rising Activity: Middle East Targets and PowGoop Tool Connections
  14. Public

    Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics

    In September 2020, the Iranian threat actor MuddyWater launched "Operation Quicksand," as reported by the ClearSky cybersecurity company. This operation targeted Israeli organizations and others across the Middle East and North Africa, aiming to deploy a destructive variant of Thanos ransomware through "PowGoop," a malicious loader disguised as a Google update DLL. By employing spear-phishing, exploiting vulnerabilities, and using sophisticated malware delivery mechanisms, the campaign focused on destructive attacks rather than financial gain, marking a significant shift in MuddyWater's operational intent from espionage to more aggressive tactics.

    read more about Operation Quicksand: MuddyWater's Escalation to Destructive Malware Tactics
  15. Public

    Iranian APT39 Targets Global Sectors with Sophisticated Malware Campaign

    Rana Intelligence Computing Company (APT39) is an Iranian front group for the Ministry of Intelligence and Security (MOIS) that conducts cyber operations in Asia, Africa, Europe and North America. Its primary targets include the travel, telecommunications, hospitality, academic, and government sectors. Rana used malware delivered via spearphishing, using Visual Basic, PowerShell, AutoIt scripts and BITS malware to steal data, track individuals and maintain persistence. Their campaign targeted over 15 US companies, using scheduled tasks, encryption and obfuscation techniques to evade detection. Rana also deployed Android malware with root access capabilities for C2 communications, audio recording, and photo capture.

    read more about Iranian APT39 Targets Global Sectors with Sophisticated Malware Campaign
  16. Public

    Persistent Exploits in Microsoft Outlook: Iranian Hackers Bypass Security Patches

    Iranian APT groups, notably APT34 and APT33, have exploited the CVE-2017-11774 vulnerability in Microsoft Outlook, using it for espionage and destructive attacks. This exploit involves modifying Outlook's homepage settings via the registry to achieve persistence and remote code execution, bypassing Microsoft's patch. The attacks have targeted sectors globally, leveraging custom phishing documents and Azure-hosted payloads to bypass security measures and maintain control over compromised systems.

    read more about Persistent Exploits in Microsoft Outlook: Iranian Hackers Bypass Security Patches
  17. Public

    Credential and Information Theft: APT33's Job Scam Campaign

    Iranian APT33 has been detected running a phishing campaign that employs fake job scams to lure victims. The campaign aims for credential theft, information theft, and unauthorized remote access. While the targeted sectors and countries are not specified, the indicators of compromise involve domain names like "www[.]global-careers[.]org" and filenames such as "JobDescription.zip" and "JobDescription.vbe".

    read more about Credential and Information Theft: APT33's Job Scam Campaign
  18. Public

    Tortoiseshell Targets U.S. Military Veterans with Malicious Job Seeking Website

    Tortoiseshell deployed a fake website targeting U.S. military veterans seeking jobs. The site tricked users into downloading a malicious app that served as a malware downloader, deploying spying tools and other malware. The fake website had users download a fake installer, which downloaded two binaries: a reconnaissance tool and a Remote Administrative Tool (RAT). The reconnaissance tool collected extensive information about the victim's machine, while the RAT allowed further remote control.

    read more about Tortoiseshell Targets U.S. Military Veterans with Malicious Job Seeking Website
  19. Public

    Tortoiseshell Group Targets IT Providers in Saudi Arabia: Supply Chain Attacks Uncovered

    The Tortoiseshell group has targeted IT providers in Saudi Arabia since at least July 2018, focusing on supply chain attacks to compromise the IT providers' customers. The group deployed both custom and off-the-shelf malware, infecting an unusually large number of computers in targeted attacks. The custom malware, Backdoor.Syskit allowed for downloading and executing additional tools and commands. The attackers used various information-gathering tools, achieving domain admin-level access on at least two organizations, and it is suspected they compromised a web server to deploy malware onto the network.

    read more about Tortoiseshell Group Targets IT Providers in Saudi Arabia: Supply Chain Attacks Uncovered
  20. Public

    APT33 Elevates C2 Capabilities with New PowerShell Malware

    The article provides a detailed analysis of a sophisticated PowerShell malware linked to APT33, a notable cyber threat group. It examines a specific file associated with this malware, highlighting its capabilities and behaviors. The malware includes a variety of functions such as privilege escalation, data encryption and decryption, file uploading and downloading, and a mechanism for capturing screenshots. It also features a complex command structure for interacting with a control server, and implements persistence methods through WMI event filters and registry modifications. The analysis contributes to the broader understanding of APT33's tactics and tools.

    read more about APT33 Elevates C2 Capabilities with New PowerShell Malware
  21. Public

    MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector

    The Iranian APT group, MuddyWater, targeted Kurdish political groups and Turkish defense sector organizations using emails with malicious Word documents. The documents contained embedded Macros that used PowerShell to execute various commands and modify registry values for persistence. The Macro also used obfuscation techniques, encoding data within image files and a document. The attackers tested their malicious documents against various anti-virus engines, uploading files from Germany and Iraq. This campaign signifies an evolution in MuddyWater's attack methods, with malware extraction now performed locally rather than via a C2 server.

    read more about MuddyWater APT Targets Kurdish Political Groups and Turkish Defense Sector
  22. Public

    Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors

    Seedworm has compromised more than 130 victims across 30 organizations since September 2018. The group targets primarily the Middle East, Europe, and North America, focusing on government agencies, oil and gas companies, NGOs, telecoms, and IT firms. Seedworm uses tools such as Powermud, Powemuddy, and PowerShell scripts and has updated its tactics to avoid detection. The main targeted sectors include telecommunications, IT services, oil and gas, universities, and embassies. The group is known for its speed and agility in obtaining actionable intelligence from targeted organizations.

    read more about Seedworm's Persistent Cyber Campaigns: Intelligence Gathering across Multiple Sectors
  23. Public

    MuddyWater Expands Cyberattacks with Two-Stage Spear-phishing Campaign Targeting Lebanon and Oman

    The MuddyWater threat group has been launching two-stage spear-phishing attacks on targets in Lebanon and Oman. The first stage involves sending macro-embedded documents posing as resumes or official letters. These documents contain obfuscated code hosted on compromised domains. In the second stage, obfuscated source code from these domains is executed to propagate MuddyWater's main PowerShell backdoor, POWERSTATS. This campaign marks a shift from single-stage to two-stage attacks, allowing for stealthier delivery of the payload.

    read more about MuddyWater Expands Cyberattacks with Two-Stage Spear-phishing Campaign Targeting Lebanon and Oman
  24. Public

    MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors

    The MuddyWater group has expanded its cyber operations, focusing mainly on government bodies, military entities, telecommunication companies, and educational institutions. The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros, thereby initiating malware extraction and execution. The malware is designed for extensive system reconnaissance, and the command-and-control communication structure allows the threat actors to accept or reject victims based on various criteria.

    read more about MuddyWater Expands Spear-Phishing Operations across Multiple Countries and Sectors