The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Asylum Ambuscade

Jun 20, 2023 1:49:52 PM / by The Hivemind

ASYLUMRelated Families: SunSeed, AHKBOT, NODEBOT
Verticals Targeted: Government, Cryptocurrency, Financial

Executive Summary

Asylum Ambuscade is a threat actor group known to engage in both cybercrime and espionage activity. Their targets include government, financial, and SMB entities, primarily in Europe and North America. 

Key Takeaways

  • Asylum Ambuscade is a threat actor group known to engage in both cybercrime and espionage activity. 
  • The group is known to target government, financial, and SMB entities, primarily in Europe and North America. 
  • Asylum Ambuscade is known to use script-based implants.

Who is Asylum Ambuscade?

Asylum Ambuscade is a criminal threat actor group observed conducting espionage operations on the side. They have been operational since at least 2020. ESET recently reported on the group’s activities.


ESET noted Proofpoint originally exposed Asylum Ambuscade back in early 2022. At the time, the group was conducting a phishing campaign to target European government officials. Regarding their cybercrime activity, Asylum Ambuscade has a reputation for targeting bank customers and cryptocurrency traders, as well as small and medium businesses (SMB). Targets have included entities in North America and Europe. As for their cyber espionage activity, the group seems to primarily target government entities in Europe and Central Asia, with a few targets in other regions such as Africa and South America. The group has attacked over 4500 victims worldwide to date.


Asylum Ambuscade uses a variety of tools, including implants written in AutoHotkey, JavaScript, Lua, Python, and VBS. In the past, the group leveraged the Follina vulnerability (CVE-2022-30190).

Asylum Ambuscade’s attack chain used for espionage activity typically begins with a spearphishing email containing a malicious Excel file. The Excel spreadsheet contains malicious VBA code that, in turn, downloads an MSI package from a remote server. It then installs SunSeed, which is a Lua-based downloader. If the victim machine meets the group’s criteria for interest, they next deploy AHKBOT, which is written in AutoHotkey and is extensible with plugins. AHKBOT is used to spy on the victim's machine.

The group’s attack chain used for cybercrime activity differs slightly from the one used for espionage. The main difference is the threat actors use one of two different initial infection vectors. One is a malicious Google Ad that redirects to a website that delivers a malicious JavaScript file, and the other is a redirection chain that involves multiple HTTP redirections in a Traffic Direction System (TDS). When cybercrime is the goal, the group typically uses a different variant of SunSeed written in Tcl or VBS. In place of AHKBOT, the group uses a Node.js equivalent dubbed NODEBOT.


PolySwarm has multiple samples associated with this activity.






You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f AsylumAmbuscade


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports


Topics: Financial, Government, Cryptocurrency, Asylum Ambuscade, SMB, SunSeed, AHKBOT, NODEBOT

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts