HomeCII/OTMUT-1244 for Security Professionals and Adversarial Operators

MUT-1244 for Security Professionals and Adversarial Operators

Published on

spot_img

A threat actor known as MUT-1244 has been actively targeting academics, pentesters, red teamers, security researchers, and other threat actors with the intent of stealing sensitive data such as AWS access keys and WordPress account credentials. The tactics employed by MUT-1244 include phishing emails, the ClickFix tactic, and the use of GitHub repositories containing malicious exploits.

Despite their efforts to remain undetected, MUT-1244 has been somewhat reckless in their activities, allowing researchers from DataDog and Checkmarx to track and connect their operations. The ultimate goal of MUT-1244 is to deliver a payload known as xmrdropper, which not only updates a cryptocurrency miner but also backdoors systems and exfiltrates valuable information.

One of the methods used by MUT-1244 involved scraping email addresses from research papers published on the arXiv open-access archive and sending out phishing emails from October 5 to October 21, 2024. The emails encouraged recipients to install a CPU microcode update by executing a script that was provided.

In a notable development, a ClickFix-type attack was documented for the first time that targeted Linux systems. When victims executed the malicious command from the GitHub repository opencompiled-oss/kernel-patch, the xmrdropper payload was dropped onto their systems.

Additionally, MUT-1244 targeted security researchers and offensive actors by creating malicious GitHub repositories with fake or trojanized PoC exploit code. This led to the download and execution of xmrdropper on the compromised systems. Furthermore, a trojanized GitHub project offered a tool for validating WordPress credentials but also required the installation of a malicious npm package that facilitated the deployment of xmrdropper.

Checkmarx researchers highlighted that the malicious npm package has been hosted on the NPM registry since October 2023 without being flagged as malicious. The malware not only steals sensitive data but also mines cryptocurrency on infected systems, with up to 68 compromised systems actively mining cryptocurrency at the time of investigation.

DataDog researchers have warned that hundreds of victims have been compromised by MUT-1244, with indicators of compromise being shared by both companies to assist potential victims in assessing if they have been affected. This ongoing campaign represents a serious threat to the cybersecurity community, underscoring the importance of vigilance and proactive defense measures against evolving threats.

Source link

Latest articles

FastNetMon Introduces Netomics, a Self-Hosted Routing Intelligence Platform

London, United Kingdom, July 10th, 2026, CyberNewswire In a significant development within the realm of...

Microsoft Alerts Users to Rising Volume of Security Updates

Microsoft has issued a cautionary statement to its customers concerning a significant increase in...

ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust and 17 Additional Stories

The Hidden Dangers of Neglected Security Practices: A Comprehensive Overview of Threats This Week The...

Microsoft Unveils GigaWiper: A Backdoor Engineered for On-Demand Destruction

Unveiling the Capabilities of GigaWiper: A New Threat in Cybersecurity Recent findings have shed light...

More like this

FastNetMon Introduces Netomics, a Self-Hosted Routing Intelligence Platform

London, United Kingdom, July 10th, 2026, CyberNewswire In a significant development within the realm of...

Microsoft Alerts Users to Rising Volume of Security Updates

Microsoft has issued a cautionary statement to its customers concerning a significant increase in...

ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust and 17 Additional Stories

The Hidden Dangers of Neglected Security Practices: A Comprehensive Overview of Threats This Week The...