#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Advanced Persistent Threat | Breaking Cybersecurity News | The Hacker News

Dark Pink APT Group Targets Governments and Military in APAC Region

Dark Pink APT Group Targets Governments and Military in APAC Region

Jan 11, 2023 Advanced Persistent Threat
Government and military organizations in the Asia-Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor, per the latest research conducted by Albert Priego of Group-IB Singapore-headquartered Group-IB, in a  report  shared with The Hacker News, said it's tracking the ongoing campaign under the name  Dark Pink  and attributed seven successful attacks to the adversarial collective between June and December 2022. The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam. The threat actor is estimated to have commenced its operations way back in mid-2021, although the attacks ramped up only a year later using a never-before-seen custom toolkit designed to plunder valuable
StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users

StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users

Jan 10, 2023 Advanced Persistent Threat
The advanced persistent threat (APT) group known as  StrongPity  has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle . "A copycat website, mimicking the Shagle service, is used to distribute StrongPity's mobile backdoor app," ESET malware researcher Lukáš Štefanko  said  in a technical report. "The app is a modified version of the open source Telegram app, repackaged with StrongPity backdoor code." StrongPity , also known by the names APT-C-41 and Promethium, is a cyberespionage group active since at least 2012, with a majority of its operations focused on Syria and Turkey. The existence of the group was first publicly reported by Kaspersky in October 2016. The threat actor's  campaigns  have since expanded to encompass more targets across Africa, Asia, Europe, and North America, with the intrusions leveraging watering hole attacks and phishing messages to ac
cyber insurance

external linkEliminating SaaS Shadow IT is Now Available via a Free Self-Service Product

websitewww.wing.securitySaaS Security / Shadow IT
This new product provides IT and Security visibility into the risky SaaS apps employees are using.
Researchers Uncover MirrorFace Cyber Attacks Targeting Japanese Political Entities

Researchers Uncover MirrorFace Cyber Attacks Targeting Japanese Political Entities

Dec 15, 2022 Advanced Persistent Threat
A Chinese-speaking advanced persistent threat (APT) actor codenamed  MirrorFace  has been attributed to a spear-phishing campaign targeting Japanese political establishments. The activity, dubbed  Operation LiberalFace  by ESET, specifically focused on members of an unnamed political party in the nation with the goal of delivering an implant called LODEINFO and a hitherto unseen credential stealer named MirrorStealer. The Slovak cybersecurity company said the campaign was launched a little over a week prior to the  Japanese House of Councillors election  that took place on July 10, 2022. "LODEINFO was used to deliver additional malware, exfiltrate the victim's credentials, and steal the victim's documents and emails," ESET researcher Dominik Breitenbacher  said  in a technical report published Wednesday. MirrorFace is said to share overlaps with another threat actor tracked as  APT10  (aka Bronze Riverside, Cicada, Earth Tengshe, Stone Panda, and Potassium) and
Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization

Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization

Oct 13, 2022
An advanced persistent threat (APT) actor known as  Budworm  targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software,  said  in a report shared with The Hacker News. Other "strategically significant" intrusions mounted over the past six months were directed against a government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in South East Asia. Budworm , also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that's believed to operate on behalf of China through attacks that leverage a mix of custom and openly available tools to exfiltrate information of interest. "Bronze Union maintains a high degree of operational flexibility in order to adapt to the environments it operates in," Secureworks  notes  in a profile of
Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

Sep 11, 2022
A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC), not to mention shares partial overlaps with another cluster called  APT35 , which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda. APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S. Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, i
State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

Jun 24, 2022
A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed  Bronze Starlight  by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers  said  in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently." Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant empha
New ToddyCat Hacker Group on Experts' Radar After Targeting MS Exchange Servers

New ToddyCat Hacker Group on Experts' Radar After Targeting MS Exchange Servers

Jun 21, 2022
An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at government and military entities in Europe and Asia since at least December 2020. The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain. Other prominent countries singled out include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan, the swift escalation in targeting marked by improvements to its toolset over the course of successive campaigns. "The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443," Russian cybersecurity company Kaspersky  said  in a report published toda
Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor

Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor

Jun 03, 2022
An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed  LuoYu  has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. "This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky  said  in a new report. "Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection." Known to be active since 2008, organizations targeted by LuoYu are predominantly foreign diplomatic organizations established in China and members of the academic community as well as financial, defense, logistics, and telecommunications companies. LuoYu's use of  WinDealer  was first documented by Taiwanese cybersecurity firm  TeamT5  at the Japan Security Analyst Conference (JSAC) in January 2021. S
Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems

Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems

Apr 07, 2022
Cybersecurity researchers have detailed a "simple but efficient" persistence mechanism adopted by a relatively nascent malware loader called Colibri , which has been observed deploying a Windows information stealer known as Vidar as part of a new campaign. "The attack starts with a malicious Word document deploying a Colibri bot that then delivers the Vidar Stealer," Malwarebytes Labs  said  in an analysis. "The document contacts a remote server at (securetunnel[.]co) to load a remote template named 'trkal0.dot' that contacts a malicious macro," the researchers added. First documented by  FR3D.HK  and Indian cybersecurity company CloudSEK earlier this year, Colibri is a malware-as-a-service (MaaS) platform that's engineered to drop additional payloads onto compromised systems. Early signs of the loader appeared on Russian underground forums in August 2021. "This loader has multiple techniques that help avoid detection," CloudSEK r
Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware

Mar 23, 2022
A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with a specific foc
Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack

Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack

Feb 22, 2022
An advanced persistent threat (APT) group operating with objectives aligned with the Chinese government has been linked to an organized supply chain attack on Taiwan's financial sector. The attacks are said to have first commenced at the end of November 2021, with the intrusions attributed to a threat actor tracked as  APT10 , also known as Stone Panda, the MenuPass group, and Bronze Riverside, and known to be active since at least 2009. The second wave of attacks hit a peak between February 10 and 13, 2022, according to a  new report  published by Taiwanese cybersecurity firm CyCraft, which said the wide-ranging supply chain compromise specifically targeted the software systems of financial institutions, resulting in "abnormal cases of placing orders." The infiltration activity, codenamed " Operation Cache Panda ," exploited a vulnerability in the web management interface of the unnamed securities software that has a market share of over 80% in Taiwan, usi
Palestine-Aligned Hackers Use New NimbleMamba Implant in Recent Attacks

Palestine-Aligned Hackers Use New NimbleMamba Implant in Recent Attacks

Feb 08, 2022
An advanced persistent threat (APT) hacking group operating with motives that likely align with Palestine has embarked on a new campaign that takes advantage of a previously undocumented implant called NimbleMamba . The intrusions leveraged a sophisticated attack chain targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline, enterprise security firm Proofpoint  said  in a report, attributing the covert operation to a threat actor tracked as Molerats (aka TA402). Notorious for continuously updating their malware implants and their delivery methods, the APT group was most recently linked to an  espionage offensive  aimed at human rights activists and journalists in Palestine and Turkey, while a previous attack exposed in June 2021 resulted in the deployment of a backdoor called  LastConn . But the lull in the activities has been offset by the operators actively working to retool their arsenal, resulting in the development of NimbleMamba, whic
Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor

Chinese Hackers Target Taiwanese Financial Institutions with a new Stealthy Backdoor

Feb 07, 2022
A Chinese advanced persistent threat (APT) group has been targeting Taiwanese financial institutions as part of a "persistent campaign" that lasted for at least 18 months. The intrusions, whose primary intent was espionage, resulted in the deployment of a backdoor called xPack , granting the adversary extensive control over compromised machines, Broadcom-owned Symantec said in a  report  published last week. What's notable about this campaign is the amount of time the threat actor lurked on victim networks, affording the operators ample opportunity for detailed reconnaissance and exfiltrate potentially sensitive information pertaining to business contacts and investments without raising any red flags. In one of the unnamed financial organizations, the attackers spent close to 250 days between December 2020 and August 2021, while a manufacturing entity had its network under their watch for roughly 175 days. Although the initial access vector used to the breach the ta
A New APT Hacker Group Spying On Hotels and Governments Worldwide

A New APT Hacker Group Spying On Hotels and Governments Worldwide

Sep 25, 2021
A new advanced persistent threat (APT) has been behind a string of attacks against hotels across the world, along with governments, international organizations, engineering companies, and law firms. Slovak cybersecurity firm ESET codenamed the cyber espionage group  FamousSparrow , which it said has been active since at least August 2019, with victims located across Africa, Asia, Europe, the Middle East, and the Americas, spanning several countries such as Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala. Attacks mounted by the group involve exploiting known vulnerabilities in server applications such as SharePoint and Oracle Opera, in addition to the  ProxyLogon  remote code execution vulnerability in Microsoft Exchange Server that came to light in March 2021, making it the  latest threat actor  to have had access to the exploit before details of the flaw became public. According to ESET, intrusions exploiting the flaws comme
WildPressure APT Emerges With New Malware Targeting Windows and macOS

WildPressure APT Emerges With New Malware Targeting Windows and macOS

Jul 07, 2021
A malicious campaign that has set its sights on industrial-related entities in the Middle East since 2019 has resurfaced with an upgraded malware toolset to strike both Windows and macOS operating systems, symbolizing an expansion in both its targets and its strategy around distributing threats. Russian cybersecurity firm attributed the attacks to an advanced persistent threat (APT) it tracks as " WildPressure ," with victims believed to be in the oil and gas industry.  WildPressure first came to light in March 2020 based off of a malware operation distributing a fully-featured C++ Trojan dubbed "Milum" that enabled the threat actor to gain remote control of the compromised device. The attacks were said to have begun as early as August 2019. "For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service," Kaspersky researcher Denis
U.S Defense Warns of 3 New Malware Used by North Korean Hackers

U.S Defense Warns of 3 New Malware Used by North Korean Hackers

May 13, 2020
Yesterday, on the 3rd anniversary of the infamous global WannaCry ransomware outbreak for which North Korea was blamed, the U.S. government released information about three new malware strains used by state-sponsored North Korean hackers. Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The three new malware strains are the latest addition to a long list of over 20 malware samples , including BISTROMATH, SLICKSHOES, HOPLIGHT, and ELECTRICFISH , among others, that have been identified by the security agencies as originating as part of a series of malicious cyber activity by the North Korean government it calls Hidden Cobra , or widely known by the moniker Lazarus Group. Full
Researchers Developed Artificial Intelligence-Powered Stealthy Malware

Researchers Developed Artificial Intelligence-Powered Stealthy Malware

Aug 09, 2018
Artificial Intelligence (AI) has been seen as a potential solution for automatically detecting and combating malware, and stop cyber attacks before they affect any organization. However, the same technology can also be weaponized by threat actors to power a new generation of malware that can evade even the best cyber-security defenses and infects a computer network or launch an attack only when the target's face is detected by the camera. To demonstrate this scenario, security researchers at IBM Research came up with DeepLocker —a new breed of "highly targeted and evasive" attack tool powered by AI," which conceals its malicious intent until it reached a specific victim. According to the IBM researcher, DeepLocker flies under the radar without being detected and "unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition." Describing it as the "sp
A New Paradigm For Cyber Threat Hunting

A New Paradigm For Cyber Threat Hunting

Jun 11, 2018
It's no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network. Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short. Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking. When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are. The simple fact is, infection vectors change rapidly and continuously. Attackers use new delivery methods – everything from social engineering to zero-day exploits – and they often are effective. In most cases, an infecti
More Resources