EastWind campaign: new CloudSorcerer attacks on government organizations in Russia


In late July 2024, we detected a series of ongoing targeted cyberattacks on dozens of computers at Russian government organizations and IT companies.

The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts were used to deliver malware that received commands via the Dropbox cloud service. Attackers used this malware to download additional payloads onto infected computers, in particular tools used by the APT31 group and an updated CloudSorcerer backdoor. Kaspersky dubbed this campaign EastWind.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst

    February 4, 2025

    ELF/Sshdinjector.A!tr is a collection of malware that can be injected into the SSH daemon. Samples of this malware collection surfaced around mid-November 2024. While Fortinet researchers have a good amount of threat intelligence on them (e.g., they are attributed to the DaggerFly espionage group and were used during the Lunar Peek campaign against network appliances), nobody ...

  • New Star Blizzard spear-phishing campaign targets WhatsApp accounts

    January 16, 2025

    Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link. The sender address used by the threat actor ...

  • Cloud Atlas seen using a new tool in its attacks

    December 23, 2024

    Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code. When opened, the document downloads a ...

  • BellaCPP: Discovering a new BellaCiao variant written in C++

    December 20, 2024

    BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor Charming Kitten. One important aspect of the BellaCiao samples ...

  • Lazarus group evolves its infection chain with old and new malware

    December 19, 2024

    Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and is also referred to as “Operation DreamJob”. Kaspersky researchers have previously published the history of ...

  • New Gmail Security Warning For 2.5 Billion – Second Attack Wave Incoming

    December 18, 2024

    As it issues a warning that a second wave of cyber threats against Gmail users is incoming from very persistent attackers, Google has detailed the specific attack methodologies involved and recommended actions that all 2.5 billion Gmail users employ to stay safe and secure. Here’s what you need to know. Although when compared to last year, ...