DeftTorero: tactics, techniques and procedures of intrusions revealed

In this report we focus on tactics, techniques, and procedures (TTPs) of the DeftTorero (aka Lebanese Cedar or Volatile Cedar) threat actor, which targets Middle East countries.

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

IT threat evolution Q2 2022

ToddyCat APT and WinDealer man-on-the-side attack, Spring4Shell and other vulnerabilities, ransomware trends and our in-depth analysis of the TTPs of the eight most widespread ransomware families.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Targeted attack on industrial enterprises and public institutions

Kaspersky ICS CERT experts detected a wave of targeted attacks in several East European countries, as well as Afghanistan. Of the six backdoors identified on infected systems, five have been used earlier in attacks attributed to APT TA428.

The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.