Threat Actors Database

Group-IB, one of the global cybersecurity leaders, has today published its findings into Dark Pink, an ongoing advanced persistent threat (APT) campaign launched against high-profile targets in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina that we believe, with moderate confidence, was launched by a new threat actor. To date, Group-IB’s Threat Intelligence has been able to attribute seven successful attacks to this particular group from June-December 2022, with targets including military bodies, government ministries and agencies, and religious and non-profit organizations, although the list of victims could be significantly longer. Group-IB also noted one unsuccessful attack on a European state development body based in Vietnam.

We believe that Earth Minotaur is an intrusion set which hasn’t been publicly reported. In the first report of MOONSHINE exploit kit in 2019, the threat actor using the toolkit was named Poison Carp, Evil Eye . While both used the MOONSHINE exploit kit and had similar targets, we did not find further connections between Earth Minotaur and POISON CARP. The backdoor DarkNimbus had been developed in 2018 but was not found in any of POISON CARP’s previous activity. Therefore, we categorized them as two different intrusion sets.

Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea. The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks. For example, the attackers could be stealing proprietary information about industrial equipment designs so they can sell it to competitors and nation-states seeking to advance their competitive posture. Also, credentials can provide attackers with remote RDP access to IoT/ICS networks, while plant schematics help adversaries understand plant layouts in order to facilitate attacks. Design information can also be used by cyberattackers to identify vulnerabilities in industrial control systems.

GCHQ gains its intelligence by monitoring a wide variety of communications and other electronic signals. For this, a number of stations have been established in the UK and overseas. The listening stations are at Cheltenham itself, Bude, Scarborough, Ascension Island, and with the United States at Menwith Hill. Ayios Nikolaos Station in Cyprus is run by the British Army for GCHQ. As revealed by Edward Snowden in The Guardian, GCHQ spied on foreign politicians visiting the 2009 G-20 London Summit by eavesdropping phonecalls and emails and monitoring their computers, and in some cases even ongoing after the summit via keyloggers that had been installed during the summit. Other publicly exposed major APT activities from GCHQ involve the wholesale worldwide spying from programs such as, together with Equation Group , INCENSER , where various international Internet trunks were tapped.

In August 2024, open sources revealed that US political campaign officials and affiliates were targeted as part of Mint Sandstorm and APT 42 operations. In this report, we discuss threat activity associated with the Iran-nexus group we track as GreenCharlie, which overlaps with Magic Hound, APT 35, Cobalt Illusion, Charming Kitten . Recorded Future has tracked Iran-linked GreenCharlie activity and malicious infrastructure since 2020. Our global Network Intelligence capability has allowed us to identify and track a large and rapidly evolving cluster of infrastructure used to support GreenCharlie cyber-espionage campaigns. Now, we have been able to link this network to the recent targeting of US political campaigns.

In March 2018 we published our research on Olympic Destroyer, an advanced attack that hit organizers, suppliers and partners of the Winter Olympic Games 2018 held in Pyeongchang, South Korea. Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware. We are calling the actor behind the Olympic Destroyer attack – “Hades”. We have previously emphasized that Hades is different from other threat actors because the whole attack was a masterful operation in deception. Despite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution artefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus Group, Hidden Cobra, Labyrinth Chollima APT, an actor widely believed to be associated with North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this forgery. Some of the TTPs and operational security used by Hades during the Olympic Destroyer attack bear a certain resemblance to Sofacy, APT 28, Fancy Bear, Sednit APT group activity. When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs. However, it is important to remember that Hades can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.

Shipping companies and medical laboratories in Asia are being targeted in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools. Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines. This activity has been ongoing since at least October 2022. While Symantec, by Broadcom Software, did not see any data being exfiltrated in this campaign, the targets, as well as some of the tools used, indicate that the most likely motivation in this campaign is intelligence gathering.

A previously unseen actor, likely nation-state-backed, is targeting organizations in South Asia, with a focus on Afghanistan, in what appears to be an information-stealing campaign using a new toolset. The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.

IBM X-Force Incident Response Intelligence Services (IRIS) has uncovered rare details on the operations of the suspected Iranian threat group ITG18, which overlaps with Magic Hound, APT 35, Cobalt Illusion, Charming Kitten , Rocket Kitten, Newscaster, NewsBeef and APT 42 . In the past few weeks, ITG18 has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns. Now, due to operational errors—a basic misconfiguration—by suspected ITG18 associates, a server with more than 40 gigabytes of data on their operations has been analyzed by X-Force IRIS analysts. Rarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations. But that is exactly what X-Force IRIS uncovered on an ITG18 operator whose OPSEC failures provide a unique behind-the-scenes look into their methods, and potentially, their legwork for a broader operation that is likely underway.

Malwarebytes’ Threat Intelligence analysts are continually researching and monitoring active malware campaigns and actor groups as the prevalence and sophistication of targeted attacks rapidly evolves. In this paper, we introduce a new APT group we have named LazyScripter, presenting in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor group.

leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica. It has been operating since November 2016 at least. We are uncertain of its objectives but estimate it is criminally motivated. leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used, most are Remote Access Trojans and keyloggers. Interestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a major Mexican newspaper.

When we first encountered Lurk, in 2011, it was a nameless Trojan. It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers. To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software; replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself. In 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011. In most cases, the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash. Russia’s banking system, like those of many other countries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap. So we decided to take a closer look at the malware. The first attempts to understand how the program worked gave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the same way: it didn’t do anything. This is how the program, and later the group behind it, got its name. To “lurk” means to hide, generally with the intention of ambush. We were soon able to help investigate another incident involving Lurk. This time we got a chance to explore the image of the attacked computer. There, in addition to the familiar malicious program, we found a .dll file with which the main executable file could interact. This was our first piece of evidence that Lurk had a modular structure. Later discoveries suggest that, in 2011, Lurk was still at an early stage of development. It was formed of just two components, a number that would grow considerably over the coming years.

Recently, in the course of daily APT tracking,the Knownsec 404 Advanced Threat Intelligence team discovered an attack campaign by the APT-K-47 organization using the topic of “Hajj”, and the attackers used a CHM file to execute a malicious payload in the same directory. The final payload is relatively simple, supporting only the cmd shell, and is implemented using asynchronous programming, which is very similar to the “Asynshell” that was used by the organization several times during Our team’s tracking cycle from 2023 to the first half of 2024. Based on our tracking observations, the previously captured Asynshell has been updated in several versions, and based on the logic and functionality of the code, we have reason to suspect that this sample is an upgraded version of Asynshell.

FireEye has been tracking ongoing activity associated with a unique and relatively stealthy group we first identified in 2013 using the name “APT.NineBlog.“ The name NINEBLOG refers to a specific backdoor used by the threat group; some versions of the backdoor use the string ‘nineblog’ in their command and control (CnC) URI path. We have observed this group targeting organizations primarily in South Asia and the Middle East. The threat group is notable because it employs Visual Basic Scripts (VBScripts) as a backdoor, a tactic we do not often observe. The group can maintain a low profile probably because the VBScripts are small and stealthy in their execution. The NINEBLOG malware is difficult to detect because the VBScripts are encoded and the actors employ SSL network communications. We have observed intermittent activity from this group since we first identified it in 2013, and we saw a spike in activity during mid-2015. We assess that one of the probable targets of the group’s 2015 campaign is a Southeast Asian government, based on the specificity of some of the decoy documents. In addition to the anti-analysis techniques, the group has used SSL communications since we first identified this activity in 2013. The use of encrypted SSL traffic makes it extremely difficult to develop network-based signatures to detect the malware’s communications.

Cisco Talos recently discovered a malicious campaign targeting government employees and military personnel in the Indian sub-continent with two commercial and commodity RAT families known as NetwireRAT (aka NetwireRC) and WarzoneRAT (aka Ave Maria). The attackers delivered a variety of lures to their targets, predominantly posing as guides related to Indian governmental infrastructure and operations such as Kavach and I.T.-related guides in the form of malicious Microsoft Office documents (maldocs) and archives (RARs, ZIPs) containing loaders for the RATs. Some of these lures and tactics utilized by the attackers bear a strong resemblance to the Transparent Tribe, APT 36 and SideCopy APT groups, including the use of compromised websites and fake domains.

With the coming holidays also come news of various credit card breaches that endanger the data of many industries and their customers. High-profile breaches, such as that of the Hilton Hotel and other similar establishments, were accomplished using point-of-sale (PoS) malware, leading many to fear digital threats on brick-and-mortar retailers this Thanksgiving, Black Friday, Cyber Monday, and the rest of the holiday season. Researchers also found a broad campaign that uses the modular ModPOS malware to steal payment card data from retailers in the US. However, from what we have seen, it is not only retailers in the US that are at risk of breaches. Our researchers recently found an early version of a potentially powerful, adaptable, and invisible botnet that seeks out PoS systems within networks. It has already extended its reach to small and medium sized business networks all over the world, including a healthcare organization in the US. We are calling this operation Black Atlas, in reference to BlackPOS, the malware primarily used in this operation. Operation Black Atlas has been around since September 2015, just in time to plant its seeds before the holiday season. Its targets include businesses in the healthcare, retail, and more industries which rely on card payment systems.

In 2021 we detected an ongoing campaign targeting corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela. When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook. We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented. Given the malware used and the targeted locale, we chose to name this campaign Bandidos.

From late June to mid-July 2024, a suspected China-nexus threat actor targeted large business-to-business IT service providers in Southern Europe, an activity cluster that we dubbed ‘Operation Digital Eye’. The intrusions could have enabled the adversaries to establish strategic footholds and compromise downstream entities. SentinelLabs and Tinexta Cyber detected and interrupted the activities in their initial phases. The threat actors used a lateral movement capability indicative of the presence of a shared vendor or digital quartermaster maintaining and provisioning tooling within the Chinese APT ecosystem. The threat actors abused Visual Studio Code and Microsoft Azure infrastructure for C2 purposes, attempting to evade detection by making malicious activities appear legitimate. Our visibility suggests that the abuse of Visual Studio Code for C2 purposes had been relatively rare in the wild prior to this campaign. Operation Digital Eye marks the first instance of a suspected Chinese APT group using this technique that we have directly observed.

In May 2023, in a threat hunt across Sophos Managed Detection and Response telemetry, Sophos MDR’s Mark Parsons uncovered a complex, long-running Chinese state-sponsored cyberespionage operation we have dubbed “Crimson Palace” targeting a high-profile government organization in Southeast Asia. MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component. In the investigation that followed, we tracked at least three clusters of intrusion activity from March 2023 to December 2023. The hunt also uncovered previously unreported malware associated with the threat clusters, as well as a new, improved variant of the previously-reported EAGERBEE malware. In line with our standard internal nomenclature, Sophos tracks these clusters as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305).

We recently discovered an APT campaign we are calling Operation Dragon Castling. The campaign is targeting what appears to be betting companies in South East Asia, more specifically companies located in Taiwan, the Philippines, and Hong Kong. With moderate confidence, we can attribute the campaign to a Chinese speaking APT group, but unfortunately cannot attribute the attack to a specific group and are not sure what the attackers are after.