HomeCII/OTMUT-1244 for Security Professionals and Adversarial Operators

MUT-1244 for Security Professionals and Adversarial Operators

Published on

spot_img

A threat actor known as MUT-1244 has been actively targeting academics, pentesters, red teamers, security researchers, and other threat actors with the intent of stealing sensitive data such as AWS access keys and WordPress account credentials. The tactics employed by MUT-1244 include phishing emails, the ClickFix tactic, and the use of GitHub repositories containing malicious exploits.

Despite their efforts to remain undetected, MUT-1244 has been somewhat reckless in their activities, allowing researchers from DataDog and Checkmarx to track and connect their operations. The ultimate goal of MUT-1244 is to deliver a payload known as xmrdropper, which not only updates a cryptocurrency miner but also backdoors systems and exfiltrates valuable information.

One of the methods used by MUT-1244 involved scraping email addresses from research papers published on the arXiv open-access archive and sending out phishing emails from October 5 to October 21, 2024. The emails encouraged recipients to install a CPU microcode update by executing a script that was provided.

In a notable development, a ClickFix-type attack was documented for the first time that targeted Linux systems. When victims executed the malicious command from the GitHub repository opencompiled-oss/kernel-patch, the xmrdropper payload was dropped onto their systems.

Additionally, MUT-1244 targeted security researchers and offensive actors by creating malicious GitHub repositories with fake or trojanized PoC exploit code. This led to the download and execution of xmrdropper on the compromised systems. Furthermore, a trojanized GitHub project offered a tool for validating WordPress credentials but also required the installation of a malicious npm package that facilitated the deployment of xmrdropper.

Checkmarx researchers highlighted that the malicious npm package has been hosted on the NPM registry since October 2023 without being flagged as malicious. The malware not only steals sensitive data but also mines cryptocurrency on infected systems, with up to 68 compromised systems actively mining cryptocurrency at the time of investigation.

DataDog researchers have warned that hundreds of victims have been compromised by MUT-1244, with indicators of compromise being shared by both companies to assist potential victims in assessing if they have been affected. This ongoing campaign represents a serious threat to the cybersecurity community, underscoring the importance of vigilance and proactive defense measures against evolving threats.

Source link

Latest articles

Two Young Hackers Sentenced for Disrupting London Underground

Police Declare Success After Arrests "Effectively Halted" Scattered Spider Cybercrime Collective In a significant development...

Inside Microsoft’s Record-Breaking Release of 622 Bugs

Microsoft's Record-Breaking Security Update Addresses Urgent Vulnerabilities On July 14, 2026, Microsoft announced an unprecedented...

Phishing Campaign Disguises Lua Loader as TrueType Font File

Disguised Threats: The Rise of a Large-Scale Phishing Operation In recent reports, a significant phishing...

Google Raises Security Concerns Over EU Order to Unleash Android

Artificial Intelligence & Machine Learning, Geo-Specific, ...

More like this

Two Young Hackers Sentenced for Disrupting London Underground

Police Declare Success After Arrests "Effectively Halted" Scattered Spider Cybercrime Collective In a significant development...

Inside Microsoft’s Record-Breaking Release of 622 Bugs

Microsoft's Record-Breaking Security Update Addresses Urgent Vulnerabilities On July 14, 2026, Microsoft announced an unprecedented...

Phishing Campaign Disguises Lua Loader as TrueType Font File

Disguised Threats: The Rise of a Large-Scale Phishing Operation In recent reports, a significant phishing...