MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has been active since at least 2017.
During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods remain consistent: phishing campaigns sent from compromised email accounts, targeting a wide array of organizations in countries of interest. These campaigns typically lead to the deployment of legitimate Remote Management Tools (RMM) such as Atera Agent or Screen Connect. Recently, however, they have deployed a custom backdoor that Check Point researchers track as BugSleep.
Source: Check Point
Related:
- ToddyCat is making holes in your infrastructure
April 22, 2024
Kaspersky researchers continue covering the activities of the APT group ToddyCat. In their previous article, they described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, the researchers have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract ...
- From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
April 16, 2024
Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People’s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of ...
- Why the threat of a ‘nightmare’ Chinese supercomputer just got a step closer
April 4, 2024
A cyber security official at the US State Department had noticed something unusual. An internal IT security system, nicknamed “Big Yellow Taxi”, had flagged unusual activity on its corporate Microsoft account. The tech team quickly raised its concerns to Microsoft, hopeful that the alert was just a false positive. What rapidly emerged, however, was that a ...
- Cloud Werewolf spearphishes Russian and Belarus government employees with fake spa vouchers and federal decrees
March 29, 2024
The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the ...
- Chinese hackers targeted UK’s Electoral Commission and politicians, say security services
March 25, 2024
Chinese state-backed hackers were responsible for two “malicious” digital campaigns targeting the UK’s democratic institutions and politicians, the security services have found. The UK holds China responsible for a prolonged cyber-attack on the Electoral Commission during which Beijing allegedly accessed the personal details of about 40 million voters. Two individuals and a front company linked to ...
- APT29 Uses WINELOADER to Target German Political Parties
March 22, 2024
In late February 2024, Mandiant identified APT29 — a Russian Federation backed threat group linked by multiple governments to Russia’s Foreign Intelligence Service (SVR) — conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29’s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor ...