Collaborate Disseminate
The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code. Continue reading A Zebrocy Go Downloader
For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users. We named the actor DustSquad and have provided reports on four of their campaigns. In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities. Continue reading Octopus-infested seas of Central Asia
For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years, which amounts to around 85,000 entries. The aim is to give an overview of which APT groups are active in the Netherlands and what they are interested in. Continue reading Threats in the Netherlands
MuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi Arabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. Continue reading MuddyWater expands operations
Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT. Continue reading Shedding Skin – Turla’s Fresh Faces
In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. During our research, it became clear that Roaming Mantis has been rather active and has evolved quickly. The group’s malware now supports 27 languages, including multiple countries from Asia and beyond, Europe and the Middle East. Continue reading Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system
Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. This campaign was active immediately prior to Central Asian high-level meeting and we suppose that actor behind still follows regional political agenda. Continue reading LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. Continue reading Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars. Continue reading Dark Tequila Añejo
These summaries are a representative snapshot of what has been discussed in greater detail in our private reports during Q2 2018. They aim to highlight the significant events and findings that we feel people should be aware of. Continue reading APT Trends Report Q2 2018