Related Families: Sword2033
Executive Summary
China nexus threat actor group Gallium was recently observed using a new Linux variant of PingPull in an espionage campaign.
Related Families: Andromeda, Kopiluwak, QuietCanary
Executive Summary
Mandiant recently reported on a Turla campaign targeting Ukraine. The threat actors used multiple malware families in this campaign, including Kopiluwak, QuietCanary, and Andromeda.
Verticals Targeted: Government
Executive Summary
Symantec recently reported on Spyder Loader, a tool used by Chinese nexus state-sponsored threat actor group Winnti to target government entities in Hong Kong.
Verticals Targeted: Think Tanks, Media, Government
Executive Summary
In early 2022, the North Korean threat actor group Kimsuky targeted a South Korean think tank and media entities. In this campaign, they leveraged what is known as the GoldDragon backdoor and associated C2 cluster.
Key Takeaways
Background
Iranian threat actor group Muddy Water has been very active in the last few months. In February, CISA issued an alert warning that the group was conducting a campaign targeting global government and commercial networks. Earlier this month, Cisco’s Talos Intelligence published a blog post on Muddy Water activity targeting Turkey and other countries.
Background
Symantec recently published research on Daxin backdoor, which they called the “most advanced” malware they have seen from Chinese threat actors.
PolySwarm Threat Bulletin
Background
Cyble recently released a deep dive analysis of Mythic Leopard espionage activity leveraging CapraRAT Android spyware. This campaign targeted Indian government officials.
Background
Proofpoint recently posted their findings on a Molerats espionage campaign leveraging a new implant dubbed NimbleMamba. In this campaign, Molerats employed a complex attack chain that uses a combination of geofencing and URL redirects to legitimate sites to evade detection. Targets of this campaign included Middle Eastern governments, foreign policy think tanks, and an airline.