Advanced Persistent Threat


NEWS 
  • North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media

    June 1, 2023

    The Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA), are jointly issuing this advisory to highlight the use of social engineering by Democratic People’s Republic of Korea ...

  • Operation Triangulation: iOS devices targeted with previously unknown malware

    June 1, 2023

    While monitoring its own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), Kaspersky researchers noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS devices from the inside, researchers created offline backups of the devices in question, inspected them using the ...

  • Lazarus hackers target Windows IIS web servers for initial access

    May 29, 2023

    The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks. Lazarus is primarily financially motivated, with many analysts believing that the hackers’ malicious activities help fund North Korea’s weapons development programs. However, the group has also been ...

  • Volt Typhoon targets US critical infrastructure with living-off-the-land techniques

    May 24, 2023

    Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt ...

  • New PowerExchange malware backdoors Microsoft Exchange servers

    May 24, 2023

    A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers. After infiltrating the mail server via a phishing email containing an archived malicious executable, the threat actors deployed a web shell named ExchangeLeech (first observed by the Digital14 Incident Response team in 2020) that ...

  • Meet the GoldenJackal APT group. Don’t expect any howls

    May 23, 2023

    GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as Kaspersky understands, has not been publicly described. Their researchers started monitoring the group in mid-2020 ...

  • CloudWizard APT: the bad magic story goes on

    May 19, 2023

    In March 2023, Kaspersky researchers uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. Since the release of Kaspersky report about CommonMagic, Kaspersky researchers have been looking for ...

  • The distinctive rattle of APT SideWinder

    May 17, 2023

    In February 2023, Group-IB’s Threat Intelligence team released a technical report about previously unknown phishing attacks conducted by the APT group SideWinder: Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021. As always, Group-IB customers and partners were the first to get access to the report through the interface of ...

  • Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors

    May 15, 2023

    The Lancefly advanced persistent threat (APT) group is using a custom-written backdoor in attacks targeting organizations in South and Southeast Asia, in activity that has been ongoing for several years. Lancefly may have some links to previously known groups, but these are low confidence, which led researchers at Symantec, by Broadcom Software, to classify this activity ...

  • CISA and Partners Disclose Snake Malware Threat From Russian Cyber Actors

    May 9, 2023

    Today, CISA and partners released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat. CISA urges organizations to review the advisory for more information and ...