
ESET APT Activity Report for Q4 2022 to Q1 2023


In the last six months, a number of advanced persistent threat (APT) groups have been investigated and analyzed by ESET Research. The findings have been summarized in the ESET APT Activity Report Q4 2022–Q1 2023, with several China-aligned threat actors focusing on European organizations during this timeframe.

The report shows that Ke3chang, a China-aligned group, deployed a new Ketrican variant, while Mustang Panda utilized two new backdoors. Meanwhile, MirrorFace targeted Japan and implemented new malware delivery approaches, and Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents.

In South Asia, the India-aligned groups SideWinder and Donot Team continued to target governmental institutions. SideWinder targeted the education sector in China, while Donot Team continued to develop its infamous yty framework and deployed the commercially available Remcos RAT. There was also a high number of Zimbra webmail phishing attempts.

In the Middle East, the Iran-aligned group MuddyWater stopped using SimpleHelp to deliver its tools to victims during this period and shifted to PowerShell scripts. In Israel, the OilRig group deployed a new custom backdoor, named Mango, as well as the SC5k downloader. POLONIUM, another group, used a modified CreepySnail.

North Korea-aligned groups, including ScarCruft, Andariel and Kimsuky, focused on South Korean and South Korea-related entities using their usual toolsets. Lazarus, a group known to focus on South Korea-related entities, shifted its focus from its usual target verticals to a data management company in India. The group also used an Accenture-themed lure, and targeted the employees of a defense contractor in Poland with a fake Boeing-themed job offer. Linux malware was also identified in one of its campaigns.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers, including a new tool named SwiftSlicer. Gamaredon, Sednit, and the Dukes used spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Winter Vivern, a group particularly active in Europe, exploited the previously mentioned Zimbra email platform, and SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, has been observed retooling.

The ESET APT Activity Report Q4 2022–Q1 2023 provides insights into the countries, regions, and verticals affected by the various APT groups. These include Australia, Bangladesh, Bulgaria, Central Asia, China, Egypt, Europe, Hong Kong, India, Israel, Japan, Namibia, Nepal, Pakistan, the Philippines, Poland, Saudi Arabia, South Korea, Southwest Asia, Sri Lanka, Sudan, Taiwan, Ukraine, the United Kingdom, and the United States. Targeted business verticals include data management companies, defense contractors, diplomats, educational institutions, the energy sector, financial services, gambling companies, governmental organizations, healthcare, hospitality, media, and research institutes.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, individuals can visit the ESET Threat Intelligence website.

ESET Research regularly updates its followers on Twitter regarding key trends and top threats in the cybersecurity industry.
