The PolySwarm Blog

Related Families: AhMyth

Executive Summary

AhRAT, an Android RAT, was disguised as the iRecorder app. This malicious version of the iRecorder app is capable of recording audio and exfiltrating files from a victim’s device.

Related Families: Sword2033

Executive Summary

China nexus threat actor group Gallium was recently observed using a new Linux variant of PingPull in an espionage campaign.

Related Families: Andromeda, Kopiluwak, QuietCanary

Executive Summary

Mandiant recently reported on a Turla campaign targeting Ukraine. The threat actors used multiple malware families in this campaign, including Kopiluwak, QuietCanary, and Andromeda.

Verticals Targeted: Government

Executive Summary

Symantec recently reported on Spyder Loader, a tool used by Chinese nexus state-sponsored threat actor group Winnti to target government entities in Hong Kong.

Verticals Targeted: Think Tanks, Media, Government

Executive Summary

In early 2022, the North Korean threat actor group Kimsuky targeted a South Korean think tank and media entities. In this campaign, they leveraged what is known as the GoldDragon backdoor and associated C2 cluster.

Key Takeaways

Background

Iranian threat actor group Muddy Water has been very active in the last few months. In February, CISA issued an alert warning that the group was conducting a campaign targeting global government and commercial networks. Earlier this month, Cisco’s Talos Intelligence published a blog post on Muddy Water activity targeting Turkey and other countries.

Background

Symantec recently published research on Daxin backdoor, which they called the “most advanced” malware they have seen from Chinese threat actors.

PolySwarm Threat Bulletin

Background

Cyble recently released a deep dive analysis of Mythic Leopard espionage activity leveraging CapraRAT Android spyware. This campaign targeted Indian government officials.