Advanced Persistent Threat | Breaking Cybersecurity News | The Hacker News

The advanced persistent threat (APT) actor known as  ToddyCat  has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew's tactics and capabilities. The  findings  come from Kaspersky, which  first shed light  on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years. While the group's arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime. This comprises a collection of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDr

Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed  Deadglyph  employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET  said  in a  new report  shared with The Hacker News. "This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize." It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug. Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of additi

Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) Tuesday. The exact identity or origin of the threat actor remains unclear. "The APT actors have exploited CVE-2023-35078 since at least April 2023," the authorities  said . "The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure.' CVE-2023-35078 refers to a  severe flaw  that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulne

A previously unknown advanced persistent threat (APT) is targeting iOS devices as part of a sophisticated and long-running mobile campaign dubbed  Operation Triangulation  that began in 2019. "The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data," Kaspersky  said . The Russian cybersecurity company said it discovered traces of compromise after creating offline backups of the targeted devices. The attack chain begins with the iOS device receiving a message via iMessage that contains an attachment bearing the exploit. The exploit is said to be  zero-click , meaning the receipt of the message triggers the vulnerability without requiring any user interaction in order to achieve code execution. It's also configured to retrieve additional payloads for privilege escalation and drop a final stage malware from a remote server that Kaspersky described as

The threat actor known as  Dark Pink  has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. This includes educational institutions, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew's continued focus on high-value targets. Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with  attacks   targeting  entities primarily located in East Asia and, to a lesser extent, in Europe. The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts. "The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails," Group-IB security researcher Andrey Polovinkin  said  in a technical report shared with The Hacker News. "Onc

A previously undetected advanced persistent threat (APT) actor dubbed  Red Stinger  has been linked to attacks targeting Eastern Europe since 2020. "Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the  September East Ukraine referendums ," Malwarebytes disclosed in a  report  published today. "Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings." Red Stinger overlaps with a threat cluster Kaspersky revealed under the name  Bad Magic  last month as having targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year. While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020.

The advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022. "In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload," the BlackBerry Research and Intelligence Team  said  in a technical report published Monday. Another campaign discovered by the Canadian cybersecurity company in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor's collection priorities. SideWinder  has been on the radar since at least 2012 and it's primarily known to target various Southeast Asian entities located across Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka. Suspected to be an Indian state-sponsored group, SideWinder is also tracked under the monikers APT-C-17, APT-Q-39, Ha

An advanced persistent threat (APT) actor known as  Dragon Breath  has been observed adding new layers of complexity to its attacks by adopting a novel  DLL side-loading  mechanism. "The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos  said . "The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload." Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was  first   documented  by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram. A  subsequent   campaign  un

Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks. "Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta,  said . "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side." The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel. At least two of the  cyber espionage efforts  entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past  app verification checks  established by Apple and Google.  One of the groups that came under Meta's r

The advanced persistent threat (APT) group referred to as  Evasive Panda  has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021. Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of  cyber espionage attacks  targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012. The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities. Some of th

The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign. "TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint  said  in a new report. The enterprise security firm is tracking the activity under its own moniker  TA473  (aka UAC-0114), describing it as an adversarial crew whose operations align with that of Russian and Belarussian geopolitical objectives. What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting  state authorities of Ukraine and Poland  as well as  government officials in India, Lithuania, Slovakia, and the Vatican . The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score:

An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT. According to Cyble, which  attributed  the operation to  SideCopy , the activity cluster is designed to target the Defence Research and Development Organization ( DRDO ), the research and development wing of India's Ministry of Defence. Known for emulating the infection chains associated with  SideWinder  to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with  Transparent Tribe . It has been active since at least 2019. Attack sequences mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the  K-4 ballistic missile  developed by DRDO. Executing the .LNK file leads to the retrieval of an HTML application from a rem

The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware onto targeted machines. According to multiple reports from  AhnLab Security Emergency response Center  ( ASEC ),  SEKOIA.IO , and  Zscaler , the development is illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. "The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.  ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012. Last month, ASEC  disclosed  a

The advanced persistent threat known as  Winter Vivern  has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021. The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News. "Of particular interest is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war," senior threat researcher Tom Hegel  said . Winter Vivern, also tracked as UAC-0114,  drew attention  last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif. Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents con

High-profile government entities in Southeast Asia are the target of a cyber espionage campaign undertaken by a Chinese threat actor known as Sharp Panda since late last year. The intrusions are characterized by the use of a new version of the Soul modular framework, marking a departure from the group's attack chains observed in 2021. Israeli cybersecurity company Check Point  said  the "long-running" activities have historically singled out countries such as Vietnam, Thailand, and Indonesia. Sharp Panda was  first documented  by the firm in June 2021, describing it as a "highly-organized operation that placed significant effort into remaining under the radar." The use of the Soul backdoor in real-world attacks was first  detailed  by Broadcom's Symantec in October 2021 in connection to an unattributed espionage operation targeting defense, healthcare, and ICT sectors in Southeast Asia. The implant's origins, according to  research  published by Fo

Government and military organizations in the Asia-Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor, per latest research conducted by Albert Priego of Group-IB The Singapore-headquartered company, in a  report  shared with The Hacker News, said it's tracking the ongoing campaign under the name  Dark Pink  and attributed seven successful attacks to the adversarial collective between June and December 2022. The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam. The threat actor is estimated to have commenced its operations way back in mid-2021, although the attacks ramped up only a year later using a never-before-seen custom toolkit designed to plunder valuable

The advanced persistent threat (APT) group known as  StrongPity  has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle . "A copycat website, mimicking the Shagle service, is used to distribute StrongPity's mobile backdoor app," ESET malware researcher Lukáš Štefanko  said  in a technical report. "The app is a modified version of the open source Telegram app, repackaged with StrongPity backdoor code." StrongPity , also known by the names APT-C-41 and Promethium, is a cyberespionage group active since at least 2012, with a majority of its operations focused on Syria and Turkey. The existence of the group was first publicly reported by Kaspersky in October 2016. The threat actor's  campaigns  have since expanded to encompass more targets across Africa, Asia, Europe, and North America, with the intrusions leveraging watering hole attacks and phishing messages to ac