NewsBeef APT Revives BeEF for Global Watering Hole Campaigns
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Security Misconfiguration, Vulnerability Exploitation, Backdoor, Downloader, Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
In early 2016, the NewsBeef APT (aka Charming Kitten/Newscaster) repurposed the open-source BeEF and Metasploit frameworks in widespread watering hole attacks. These operations targeted visitors to strategically compromised websites, including institutions in Iran, Russia, India, Ukraine, the EU, Turkey, Germany, Japan, China, Brazil, and more. Sectors impacted included education, military, diplomacy, manufacturing, and media. The attackers injected malicious JavaScript to hook browsers, track visitor behavior, and fingerprint systems using evercookies and browser enumeration. While full exploitation wasn’t always observed, selective delivery of backdoors or spoofed login prompts was reported. The group’s campaign reflects an evolution from low-tech social engineering to more technically advanced infrastructure attacks using open-source tools.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Information Technology | Verified |
Sector | Manufacturing | Verified |
Sector | Military | Verified |
Sector | Media | Verified |
Sector | University | Verified |
Region | Algeria | Verified |
Region | Brazil | Verified |
Region | China | Verified |
Region | Germany | Verified |
Region | India | Verified |
Region | Iran | Verified |
Region | Japan | Verified |
Region | Kazakhstan | Verified |
Region | Romania | Verified |
Region | Russia | Verified |
Region | Turkey | Verified |
Region | United Kingdom | Verified |
Region | European Countries | Verified |
FAQs
Understanding the NewsBeef Campaign
A known hacking group compromised a university website in Iran and many others globally to inject malicious code that can secretly monitor and track people’s web activity using their browsers.
The group responsible is called NewsBeef, also known as Charming Kitten or Newscaster. They are an advanced persistent threat (APT) group known for social engineering and using repurposed hacking tools.
Their main goal was to identify, track, and profile visitors to compromised websites, with occasional delivery of malware or phishing pages to selected high-value targets.
The attackers hacked websites using old vulnerabilities, then added hidden scripts that connected visitors’ browsers to a command server. These scripts could then track online behavior, gather data, or attempt further exploitation.
Targets included universities, embassies, government sites, military schools, and media organizations across multiple regions—particularly in the Middle East, Russia, Europe, and Asia.
The attackers were likely seeking sensitive information, credentials, or ways to infiltrate organizations by first learning who was visiting these websites and from where.
Yes, although many of the compromised sites have been cleaned, similar attacks continue to emerge, suggesting the group is actively updating its methods.
Keep websites and plugins up to date, monitor your domain for unusual traffic or scripts, and educate users about the dangers of suspicious sites or pop-ups asking for login details.
While the most damaging parts are highly targeted, the initial tracking tactics affect anyone visiting the compromised websites, making it a mix of broad and focused attacks.
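One way a site owner can act on the advice above to monitor scripts on their own domain, shown as an added example that is not part of the original report: parse each published page, resolve every `<script src>` to an absolute URL, and flag any that load from a host outside an approved list or from a non-standard port. The host names, allow-list, and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts this site is expected to load scripts from (constructed values).
ALLOWED_SCRIPT_HOSTS = {"www.example.edu", "cdn.example.edu"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def audit_page(page_url, html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (url, reason) findings for scripts outside the allow-list."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        parsed = urlparse(absolute)
        host = (parsed.hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((absolute, "script host not on allow-list"))
        elif parsed.port not in (None, 80, 443):
            findings.append((absolute, "script served from non-standard port"))
    return findings


# Constructed sample page: one expected script, one injected external script.
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="//stats.injected.example:3000/hook.js"></script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for url, reason in audit_page("https://www.example.edu/news/", SAMPLE_HTML):
        print(f"{reason}: {url}")
```

Run on a schedule against the pages as served, not the files in source control, so that scripts added by a compromise of the web server or CMS show up in the comparison.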