For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
Triangulation: validators, post-compromise activity and modules | Securelist
In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.
Dissecting TriangleDB, a Triangulation spyware implant
In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. As of now, we have finished analyzing the spyware implant and are ready to share the details.
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack | Securelist
A DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process, was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020.
DNS changer in malicious mobile app used by Roaming Mantis
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o.
Kimsuky’s GoldDragon cluster and its C2 operations | Securelist
Kimsuky is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.
Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack | Securelist
A DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process, was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020.
DNS changer in malicious mobile app used by Roaming Mantis
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o.
Kimsuky’s GoldDragon cluster and its C2 operations | Securelist
Kimsuky is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.
Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.
Kimsuky’s GoldDragon cluster and its C2 operations | Securelist
Kimsuky is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.
Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.