Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Operation Goblin Panda Recent Infrastructure
Description: The Hellsing threat group, also known as Goblin Panda, targeted individuals in Vietnam with malicious Microsoft Office documents. Once opened by the victim, the decoy files exploited a remote code execution vulnerability classified under CVE-2017-11882. Multiple files are dropped in the user's local temp directory after exploitation, including QcConsole.exe, QcLite.dll, and stdole.tlb. Persistence is achieved by setting a run key in the registry. The legitimate Windows...

Campaign: Operation Transparent Tribe Attacks The Indian Air Force
Description: A cyber espionage campaign attributed to the Transparent Tribe threat group, also known as ProjectM and C-Major, was discovered targeting the government and military sectors in India with spear-phishing emails containing a Microsoft Office document attachment. The decoy file contained a malicious macro which dropped various remote access trojans, including PeppyRat and CrimsonRAT, to steal sensitive information from the victims. The operation used various techniques including hidden windows, encry...

Campaign: Operation Fox Kitten
Description: The Fox Kitten campaign targeted multiple sectors around the world, including information technology, oil, gas, telecommunications, defense, government, and aviation. The operation targeted organizations to maintain access routes, steal sensitive information, and use supply-chain attacks to target additional companies. A range of open source and custom tools were used during the campaign, including Mimikatz, Procdump, JuicyPotato, STSRCheck, and POWSSHNET. The attackers exploited multiple vulnerab...

Campaign: Operation Turkish Rat Phishing Campaign
Description: More than 80 companies in Turkey were targeted with spear-phishing emails to drop the Adwind remote access trojan, which is capable of stealing screen captures, keystrokes, videos, sound recordings, and various files from the infected system. The threat actor used GitHub to host the malicious RAT, which established a connection with a command and control server over a non-standard port. The campaign used unique evasion techniques, including Externsheet Injection, to stay under the radar of security soft...

Campaign: Operation Deep Dive Gamaredon Espionage Campaign
Description: The Gamaredon Group targeted the Ukrainian military with spear-phishing emails containing a malicious Microsoft Office attachment. Once opened by the victim, the weaponized document started a series of steps, including downloading two SFX archives containing multiple files, one of which was written in Microsoft Visual Studio .NET. The campaign used various techniques for persistence and defense evasion, including scripting, scheduled tasks, data encoding, and obfuscation.

Campaign: Operation North Korean Malware Lazarus
Description: The United States Government released an updated report attributed to the HIDDEN COBRA threat actor, also known as Lazarus and APT38. The report contains information about twenty malicious executables, some of which are proxy applications used to encode and obfuscate the traffic between the malware and the actor's command and control servers. The operation used multiple tactics, including valid public SSL certificates, to exfiltrate a range of sensitive data including syste...

Campaign: Operation PowerBand
Description: The APT33 threat group, also known as Elfin, Refined Kitten, Magnallium, and Holmium, is suspected to be behind a new remote administration tool known as POWERBAND. The malware is written in .NET, is highly obfuscated, and is similar to the POWERTON backdoor also associated with APT33. A unique identifier composed of the MachineName, UserDomainName, and UserName is created for each victim and used to encrypt and decrypt all data exchanged with the actor's command and control server. The bac...

Campaign: Operation DRBControl
Description: A cyberespionage campaign targeting the gambling sector in Asia was discovered using a range of tools to exfiltrate sensitive information, including source code and databases, from its victims. The threat actor behind the operation used various keyloggers, backdoors, and post-exploitation tools to carry out the attacks. The initial infection vector consisted of spear-phishing emails with malicious documents and focused on the support teams of the targeted companies. The APT group used multiple tech...

Campaign: Operation PlugX Targets Hong Kong
Description: The Mustang Panda threat group targeted a range of sectors located in multiple countries, with a focus on Hong Kong. The group dropped the PlugX remote access trojan to exfiltrate a range of information, including system data and local and network information. The group used various techniques for defense evasion and persistence, including scripting, hidden files and directories, obfuscation, and DLL hijacking.

Campaign: Operation MoleRATs
Description: A Palestinian Territories-driven campaign targeted victims with spear-phishing emails containing either a malicious link or attachment. The documents contained either a macro or an AutoIt script that downloads and installs the backdoors, which were used to perform a range of tasks including stealing sensitive information, downloading additional payloads, taking screenshots, logging keystrokes, recording audio, and using CMD to execute arbitrary commands.