The PolySwarm Blog

Verticals Targeted: Defense
Regions Targeted: Southeast Asia
Related Families: AppleChris, MemFun, Getpass

Executive Summary

A long-running espionage campaign, tracked as CL-STA-1087, is targeting Southeast Asian military organizations using custom backdoors and credential harvesting tools. The activity demonstrates sustained persistence, operational discipline, and a focus on high-value intelligence collection.

Verticals Targeted: Diplomatic, Maritime, Financial, Telecom
Regions Targeted: Middle East
Related Families: Archer RAT / RUSTRIC

Executive Summary

A spear-phishing campaign linked to the Muddy Water APT group was observed deploying a new Rust-based implant called RustyWater against organizations in the Middle East. This evolution from legacy PowerShell and VBS tooling introduces enhanced modularity, anti-analysis features, and asynchronous command-and-control capabilities.

Related Families: Demodex
Verticals Targeted: Telecommunications 

Executive Summary

Salt Typhoon, a China nexus APT group, was recently observed using GhostSpider backdoor to target telecommunications companies.

Executive Summary

Verticals Targeted: Government

Executive Summary

Volt Typhoon was observed compromising Cisco RV325 devices with KV-Botnet.

Verticals Targeted: Government, Defense, Telecommunications, Finance, NGO, IT services  

Executive Summary

Scarred Manticore, a threat actor group associated with Iran’s MOIS, was observed using Liontail framework in an espionage campaign. 

Executive Summary

This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report provides highlights of activity perpetrated by Russia-based threat actors in 2022. Russian APT activity in 2022 was heavily focused on targeting Ukraine for espionage and sabotage due to the ongoing Russia-Ukraine conflict. While the Russian cyber threat landscape includes a wide variety of ransomware and cybercrime threat actors, we have limited the scope of this report to state-sponsored threat actor activity.

Key Takeaways

• This report highlights activity perpetrated by Russia-based APT threat actors in 2022.
• Threat actors featured in this report include Cozy Bear, Fancy Bear, Energetic Bear, Venomous Bear, Primitive Bear, VooDoo Bear, Ember Bear, Saint Bear, UAC-0041, UAC-0088, and UAC-0098.
• PolySwarm tracked malware associated with multiple Russia nexus threat actors in 2022. 

Background

Qualys Threat Research recently reported on a new Lazarus espionage campaign leveraging employment phishing emails to target the defense sector, primarily targeting those applying for a job at Lockheed Martin. The targeting is similar to previous Lazarus campaigns which targeted Northrop Grumman and BAE Systems. Qualys refers to the current campaign as LolZarus due to the threat actor group’s use of LoLbins in some of the samples, which according to Qualys is the first known use of LoLbins by a well-known threat actor group.