
A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.

Severity
Medium
Published: Mon Feb 09 2026 (02/09/2026, 10:18:26 UTC)
Source: AlienVault OTX General

Description

A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.

AI-Powered Analysis

Last updated: 02/09/2026, 11:00:50 UTC

Technical Analysis

The APT-C-28 group, also known as ScarCruft, has expanded its cyberattack operations to include the cryptocurrency industry, leveraging advanced phishing tactics to compromise victims. The attack vector involves sending LNK shortcut files masquerading as PDF documents, enticing victims with investment proposals ranging from $1 million to $3 million. When executed, these LNK files initiate a multi-stage payload deployment process that downloads and decrypts additional components, culminating in the installation of MiradorShell version 2.0. MiradorShell is an AutoIt-based backdoor that establishes a connection to a command and control (C2) server, enabling attackers to execute reverse shell commands, manage files, run remote programs, and perform victim fingerprinting to gather system information. Persistence is achieved through the creation of scheduled tasks, ensuring the malware remains active across reboots. The malware incorporates evasion techniques such as embedding inline library files and making direct API calls to avoid detection by traditional security tools. Indicators of compromise include specific file hashes, IP addresses, and URLs linked to the C2 infrastructure. Although no CVSS score is assigned, the threat is rated medium severity due to its potential impact and attack complexity. The campaign targets organizations involved in cryptocurrency, a sector of strategic interest to APT-C-28, indicating a focused and financially motivated espionage and intrusion effort.

Potential Impact

For European organizations, particularly those in the cryptocurrency and financial sectors, this threat can lead to significant confidentiality breaches, including theft of sensitive financial data and credentials. The integrity of systems may be compromised through unauthorized remote code execution and file manipulation, potentially resulting in fraudulent transactions or data tampering. Availability could also be affected if attackers disrupt operations or deploy ransomware as a secondary payload. The use of sophisticated phishing and evasion techniques increases the likelihood of successful compromise, especially in organizations with less mature security awareness or endpoint defenses. The financial losses and reputational damage could be substantial, given the high-value nature of targeted investment proposals and cryptocurrency assets. Additionally, the persistence mechanisms and stealthy communication with C2 servers complicate detection and remediation efforts, increasing dwell time and potential damage. European regulatory frameworks such as GDPR and NIS Directive impose strict requirements on incident response and data protection, raising the stakes for affected entities.

Mitigation Recommendations

1. Implement advanced phishing detection and user awareness training focused on identifying LNK files disguised as PDFs and suspicious investment proposals.
2. Enforce application whitelisting and restrict execution of LNK files from email attachments or untrusted sources.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting AutoIt-based malware behaviors, including unusual API calls and inline library usage.
4. Monitor network traffic for connections to known C2 IP addresses and URLs associated with MiradorShell, using threat intelligence feeds to update detection rules.
5. Regularly audit and restrict scheduled task creation permissions to prevent unauthorized persistence mechanisms.
6. Employ multi-factor authentication and credential hygiene to limit attacker lateral movement and privilege escalation.
7. Conduct regular threat hunting exercises focusing on indicators of compromise such as the provided hashes and IP addresses.
8. Maintain up-to-date backups and incident response plans tailored to ransomware and backdoor infections.
9. Collaborate with industry information sharing groups to stay informed about evolving tactics of APT-C-28 and similar threat actors.


Technical Details

Author
AlienVault
Tlp
white
References
https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507801&idx=1&sn=e169339f921fd11a2fef8dfe068e616c&chksm=f9c1ec50ceb66546d829de5d705bad2606ff83a30f6ced192c904506ceec666b8cef37822fab
Adversary
APT-C-28 (ScarCruft)
Pulse Id
6989b4731b7121e79a9ff3ef
Threat Score
null

Indicators of Compromise

Hash

Value (no description given)
4692034cd157c417c3868b5033d0e0d7
ca1237bd33f61f77990d76a3df130ef5
e4e7351cf3fc80e6f65c2226d1cafdb2
f9945ddbfcb05ee49ba21d49e8087a18
037b234a805df96a7e0e60f110f55f715a3f5da1
47cc83176cd36abf0b5624f33bcf044b8f880cf521689981f891e52fbb3dbfa3

Ip

Value (no description given)
65.21.182.178

Url

Value (no description given)
http://techcross-wne.com/include/plugin/snoopy/board/libs/mrd.dat
http://techcross-wne.com/include/plugin/snoopy/board/register.php
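Mitigation points 4 and 7 above amount to matching the listed indicators against proxy and EDR telemetry. The following Python is an added example (not part of the alert, and not code from AlienVault or OffSeq) that does exactly that over a few constructed log lines: it lifts the hashes, IP and URLs from the tables above into sets, and additionally flags any request to the C2 host on a path other than the two listed, since a single listed path is a weak signal on its own. The log field layout (`src=`, `dst=`, `url=`, `sha256=`) is an assumed format chosen for the sample; adapt the regexes to the telemetry you actually have.

```python
import re
from dataclasses import dataclass

# Indicators copied from the alert's IoC tables above.
IOC_HASHES = {
    "4692034cd157c417c3868b5033d0e0d7",
    "ca1237bd33f61f77990d76a3df130ef5",
    "e4e7351cf3fc80e6f65c2226d1cafdb2",
    "f9945ddbfcb05ee49ba21d49e8087a18",
    "037b234a805df96a7e0e60f110f55f715a3f5da1",
    "47cc83176cd36abf0b5624f33bcf044b8f880cf521689981f891e52fbb3dbfa3",
}
IOC_IPS = {"65.21.182.178"}
IOC_URLS = {
    "http://techcross-wne.com/include/plugin/snoopy/board/libs/mrd.dat",
    "http://techcross-wne.com/include/plugin/snoopy/board/register.php",
}
# Host names derived from the listed URLs: any other path on the same host is
# reported as a weaker "host" match rather than ignored.
IOC_HOSTS = {re.match(r"https?://([^/]+)", u).group(1).lower() for u in IOC_URLS}

# 32/40/64 hex characters cover the MD5-, SHA-1- and SHA-256-length values listed.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str   # "hash", "ip", "url" (exact listed URL) or "host" (same host, other path)
    value: str


def scan_line(line_no: int, line: str) -> list[Match]:
    """Return every indicator hit in one log line; hashes are compared case-insensitively."""
    found: list[Match] = []
    for h in HEX_RE.findall(line):
        if h.lower() in IOC_HASHES:
            found.append(Match(line_no, "hash", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            found.append(Match(line_no, "ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # strip trailing punctuation from free-text logs
        if url in IOC_URLS:
            found.append(Match(line_no, "url", url))
        else:
            m = re.match(r"https?://([^/:]+)", url)
            host = m.group(1).lower() if m else ""
            if host in IOC_HOSTS:
                found.append(Match(line_no, "host", host))
    return found


def scan_log(text: str) -> list[Match]:
    """Scan a multi-line log blob and return all matches in line order."""
    matches: list[Match] = []
    for n, line in enumerate(text.splitlines(), start=1):
        matches.extend(scan_line(n, line))
    return matches


def summarize(matches: list[Match]) -> dict[str, int]:
    """Count matches per indicator kind, e.g. {'hash': 1, 'ip': 2, ...}."""
    counts: dict[str, int] = {}
    for m in matches:
        counts[m.kind] = counts.get(m.kind, 0) + 1
    return counts


# Constructed sample telemetry (assumed field layout). Internal addresses and the
# benign destination use documentation ranges / example.com so nothing real is implied.
SAMPLE_LOG = """\
2026-02-09T10:20:01Z proxy allow src=10.0.5.23 dst=65.21.182.178 url=http://techcross-wne.com/include/plugin/snoopy/board/register.php
2026-02-09T10:20:02Z proxy allow src=10.0.5.23 dst=65.21.182.178 url=http://techcross-wne.com/favicon.ico
2026-02-09T10:20:05Z edr file_create path=C:\\Users\\user\\AppData\\Local\\Temp\\mrd.dat sha256=47CC83176CD36ABF0B5624F33BCF044B8F880CF521689981F891E52FBB3DBFA3
2026-02-09T10:21:00Z proxy allow src=10.0.5.40 dst=203.0.113.10 url=https://example.com/
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind} match on {hit.value}")
    print("summary:", summarize(hits))
```

Run stand-alone, the script reports the exact C2 URL and IP on line 1, the IP plus a host-only match on line 2 (favicon request to the C2 host), the SHA-256 hit on line 3 despite its upper-case spelling, and nothing for the benign line 4. The host-level match is deliberately kept separate from the exact-URL match so an analyst can tune its severity independently.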

Threat ID: 6989baf74b57a58fa144434a

Added to database: 2/9/2026, 10:46:15 AM

Last enriched: 2/9/2026, 11:00:50 AM

Last updated: 2/12/2026, 1:18:27 AM

Views: 181

