#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Pakistani Hackers | Breaking Cybersecurity News | The Hacker News

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

Jul 18, 2023 Malware / Cyber Attack
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver  ShadowPad , a successor to the PlugX backdoor that's commonly associated with  Chinese hacking crews . Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022. The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems. The attack chain takes the form of a malicious installer for  E-Office , an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless. It's currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there&
Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies

Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies

Apr 19, 2023 Linux / Malware
The Pakistan-based advanced persistent threat (APT) actor known as  Transparent Tribe  used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. "It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways." Transparent Tribe  is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities. It has also repeatedly leveraged trojanized versions of Kavac
Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions

Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions

Apr 13, 2023 Malware / Cyber Attack
The  Transparent Tribe  threat actor has been linked to a set of weaponized Microsoft Office documents in intrusions directed against the Indian education sector to deploy a continuously maintained piece of malware called Crimson RAT. While the suspected Pakistan-based threat group is known to target  military and government entities  in the country, the activities have since expanded to include the  education vertical . The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active as far back as 2013. Educational institutions have been at the receiving end of the adversary's attacks since late 2021. "Crimson RAT is a  consistent   staple  in the group's  malware arsenal  the adversary uses in its campaigns," SentinelOne researcher Aleksandar Milenkoski  said  in a report shared with The Hacker News. The .NET malware has the functionality to exfiltrate files and system data to an actor-controlled server. It's also bui
cyber security

Protecting Your Organization From Insider Threats - All You Need to Know

websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.
What's the Right EDR for You?

What's the Right EDR for You?

May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of
Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence

Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence

Mar 28, 2023 Advanced Persistent Threat
An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT. According to Cyble, which  attributed  the operation to  SideCopy , the activity cluster is designed to target the Defence Research and Development Organization ( DRDO ), the research and development wing of India's Ministry of Defence. Known for emulating the infection chains associated with  SideWinder  to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with  Transparent Tribe . It has been active since at least 2019. Attack sequences mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the  K-4 ballistic missile  developed by DRDO. Executing the .LNK file leads to the retrieval of an HTML application from a rem
Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps

Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps

Mar 07, 2023 Spyware / Cyber Espionage
A suspected Pakistan-aligned advanced persistent threat (APT) group known as  Transparent Tribe  has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called  CapraRAT . "Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET  said  in a report shared with The Hacker News. As many as 150 victims, likely with military or political leanings, are estimated to have been targeted, with the malware (APK package name " com.meetup.chat ") available to download from fake websites that masquerade as the official distribution centers of these apps. It's being suspected that the targets are lured through a honeytrap romance scam wherein the threat actor approaches the victims via another platform and persuades them to install the malware-laced apps under the pretext of "secure" messaging and calling. Howeve
Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

Feb 21, 2023 Cyber Threat / Cyber Attack
A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT . Cybersecurity firm ThreatMon  attributed  the activity to a threat actor tracked as  SideCopy . SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called  Transparent Tribe . It is so named for mimicking the infection chains associated with  SideWinder  to deliver its own malware. The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs  detailed  a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan. Recent attack campaigns associated with SideCopy have primarily  set their sights  on a two-factor authentication solution known as Kavach (meaning "armor" in Hindi) that's used by Indian government officials. The infection journey documented by ThreatMon commences with a phishing email containi
NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities

NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities

Feb 09, 2023 Cyber Attack / Cyber Threat
A previously unknown threat actor dubbed  NewsPenguin  has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure. "The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," the BlackBerry Research and Intelligence Team said . PIMEC , short for Pakistan International Maritime Expo and Conference, is an  initiative  of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with an aim to "jump start development in the maritime sector." It's scheduled to be held from February 10-12, 2023. The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event's visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document. Once the document is launched and macros are enabled, a method called  remote templa
Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials

Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials

Dec 23, 2022 Cyber Espionage / Pakistani Hackers
A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials. Cybersecurity firm Securonix dubbed the activity  STEPPY#KAVACH , attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks. ".LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT)," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a new report. SideCopy, a  hacking crew  believed to be of Pakistani origin and active since at least 2019, is said to share ties with another actor called  Transparent Tribe  (aka APT36 or Mythic Leopard). It's also known to impersonate attack chains leveraged by  SideWinder , a prolific nation-state group that disproportionately singles out Pakistan-based military entities, to deploy its own toolset. That said, this is not the
Researchers Detail New Malware Campaign Targeting Indian Government Employees

Researchers Detail New Malware Campaign Targeting Indian Government Employees

Nov 04, 2022
The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach . "This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh  said  in a Thursday analysis. The cybersecurity company said the advanced persistent threat group has also conducted low-volume credential harvesting attacks in which rogue websites masquerading as official Indian government portals were set up to lure unwitting users into entering their passwords. Transparent Tribe, also known by the monikers APT36, Operation C-Major, and Mythic Leopard, is a suspected Pakistan  adversarial collective  that has a  history  of striking Indian and Afghanistan entities. The latest attack chain is not the first time the threat actor has set its sights o
SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan

SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan

Oct 24, 2022
SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called  WarHawk . "The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as  KernelCallBackTable injection  and Pakistan Standard Time zone check in order to ensure a victorious campaign," Zscaler ThreatLabz  said . The threat group, also called APT-C-17, Rattlesnake, and Razor Tiger, is  suspected  to be an Indian state-sponsored actor, although a report from Kaspersky earlier this May acknowledged previous indicators that led to the attribution have since disappeared, making it challenging it to link the threat cluster to a specific nation. More than 1,000 attacks are said to have been  launched by the group  since April 2020, an indication of SideWinder's newfound aggression
Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

Jul 14, 2022
The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021. "This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos  said  in a report shared with The Hacker News. Also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, the Transparent Tribe actor is  suspected  to be of Pakistani origin and is known to strike government entities and think tanks in India and Afghanistan with custom malware such as CrimsonRAT, ObliqueRAT, and CapraRAT. But the targeting of educational institutions and students, first  observed  by India-based K7 Labs in May 2022, indicates a deviation from the adversary's typical focus. "The latest targeting of the educational sector may align with the strategic goals of espionage of the
SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities

SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities

Jun 02, 2022
The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities. "Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity company Group-IB  said  in a Wednesday report. SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka. Last month, Kaspersky  attributed  to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques. The threat actor's modus operandi involves the use of spear-phishing
Facebook Bans Pakistani and Syrian Hacker Groups for Abusing its Platform

Facebook Bans Pakistani and Syrian Hacker Groups for Abusing its Platform

Nov 17, 2021
Meta, the company formerly known as Facebook, announced Tuesday that it took action against four separate malicious cyber groups from Pakistan and Syria who were found targeting people in Afghanistan, as well as journalists, humanitarian organizations, and anti-regime military forces in the West Asian country. The Pakistani threat actor, dubbed  SideCopy , is said to have used the platform to single out people with ties to the Afghan government, military and law enforcement in Kabul. The campaign, which Meta dubbed as a "well-resourced and persistent operation," involved sending malicious links, often shortened using URL shortener services, to websites hosting malware between April and August of 2021, what with the operators posing as young women and tricking the recipients with romantic lures in a bid to make them click on phishing links or download trojanized chat applications. Meta's threat intelligence analysts said these apps were a front for two distinct malwa
SideCopy Hackers Target Indian Government Officials With New Malware

SideCopy Hackers Target Indian Government Officials With New Malware

Jul 08, 2021
A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a "boost in their development operations." Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers (Xeytan and Lavao), Cisco Talos said in a report published Wednesday. "Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India," researchers Asheer Malhotra and Justin Thattil  said . "These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections." First documented in September 2020 by Indian cybersecurity firm Quick Heal,  SideCopy  has a 
Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

May 14, 2021
Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of its operations as part of an evolving espionage campaign against Indian targets, according to new research. The attacks have been linked to a group called  Transparent Tribe , also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other fake domains posing as file-sharing sites to host malicious artifacts. "While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting," researchers from Cisco Talos  said  on Thursday. These domains are used to deliver maldocs distributing  CrimsonRAT , and ObliqueRAT, with the group incorporating new phishing, lu
Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

Warning — 5 New Trojanized Android Apps Spying On Users In Pakistan

Jan 12, 2021
Cybersecurity researchers took the wraps off a new spyware operation targeting users in Pakistan that leverages trojanized versions of legitimate Android apps to carry out covert surveillance and espionage. Designed to masquerade apps such as the Pakistan Citizen Porta l, a Muslim prayer-clock app called Pakistan Salat Time , Mobile Packages Pakistan , Registered SIMs Checker , and TPL Insurance , the malicious variants have been found to obfuscate their operations to stealthily download a payload in the form of an Android Dalvik executable (DEX) file. "The DEX payload contains most of the malicious features, which include the ability to covertly exfiltrate sensitive data like the user's contact list and the full contents of SMS messages," Sophos threat researchers Pankaj Kohli and Andrew Brandt said. "The app then sends this information to one of a small number of command-and-control websites hosted on servers located in eastern Europe." Interestingly, t
Cybersecurity
Expert Insights
Cybersecurity Resources