
Cyber Attacks on Government Agencies: Detect and Investigate

Medium
Published: Wed Jun 04 2025 (06/04/2025, 19:24:18 UTC)
Source: AlienVault OTX General

Description

This analysis examines cyber threats targeting government institutions worldwide, focusing on three case studies: a phishing email targeting the South Carolina Department of Employment and Workforce, a fraudulent domain mimicking the U.S. Social Security Administration, and a malicious PDF posing as a South African Judiciary notice. The study demonstrates how ANY.RUN's solutions, including Threat Intelligence Lookup, Interactive Sandbox, and YARA Search, can be utilized to detect, analyze, and mitigate these threats. Key findings include the use of FormBook stealer, remote access tools, and credential harvesting techniques. The analysis provides actionable insights for government cybersecurity teams to enhance their defensive strategies and response capabilities.

AI-Powered Analysis

Last updated: 07/07/2025, 03:42:37 UTC

Technical Analysis

This campaign analysis details a series of cyber attacks targeting government agencies globally, with a focus on three case studies: a phishing email aimed at the South Carolina Department of Employment and Workforce, a fraudulent domain impersonating the U.S. Social Security Administration, and a malicious PDF masquerading as a notice from the South African Judiciary. The attackers employ a multi-vector approach combining social engineering and malware delivery to compromise government institutions. Key tactics include domain spoofing, phishing, and malicious document distribution to harvest credentials and deploy malware. The primary malware identified is FormBook, an information-stealing trojan capable of keylogging, credential theft, and data exfiltration. Additionally, remote access tools such as ScreenConnect are used to maintain persistence and enable further exploitation. The campaign leverages several MITRE ATT&CK techniques including credential harvesting (T1078), phishing (T1566), malicious file execution (T1204.002), and others. Indicators of compromise include a malicious domain (documentssagov.com) designed to mimic legitimate government websites and a specific malware hash. Although no known exploits in the wild have been reported, the campaign’s combination of social engineering and technical exploits poses a significant risk to the confidentiality and integrity of government data, potentially disrupting operations and eroding public trust. The analysis also highlights the utility of ANY.RUN’s Threat Intelligence Lookup, Interactive Sandbox, and YARA Search tools for detection and investigation of such threats.

Potential Impact

For European organizations, particularly government agencies and public sector entities, this campaign represents a substantial threat. The use of phishing and domain spoofing can lead to credential compromise, granting attackers unauthorized access to sensitive government systems and data. Deployment of FormBook stealer and remote access tools can facilitate extensive data exfiltration, espionage, and disruption of government services. Breaches involving sensitive government data can undermine national security, disrupt critical public services, and erode citizen trust. Furthermore, compromised credentials may enable lateral movement within networks, escalating the scope and impact of the attack. Given the increasing targeting of European governments by sophisticated threat actors, such campaigns may serve as precursors to more destructive attacks or influence operations. The campaign underscores the persistent risk posed by social engineering combined with malware delivery, a common vector for initial compromise in government environments.

Mitigation Recommendations

European government organizations should adopt targeted and advanced mitigation strategies beyond generic controls:

1) Enforce strict email authentication protocols including DMARC, DKIM, and SPF to reduce the delivery of spoofed and phishing emails.
2) Implement advanced email filtering solutions capable of detecting domain spoofing and malicious attachments, particularly PDFs.
3) Conduct regular, scenario-based phishing awareness training tailored to government employees, emphasizing recognition of domain spoofing and malicious document indicators.
4) Deploy sandboxing technologies similar to ANY.RUN to safely analyze suspicious files and URLs before user interaction.
5) Enforce multi-factor authentication (MFA) across all government systems, especially for remote access tools like ScreenConnect, to mitigate credential theft risks.
6) Continuously monitor network traffic and endpoints for behaviors indicative of FormBook and other malware, such as unusual outbound connections and credential harvesting activities.
7) Maintain an updated inventory of authorized domains and actively monitor for lookalike or fraudulent domains to enable rapid blocking or takedown.
8) Implement strict application whitelisting and Endpoint Detection and Response (EDR) solutions to detect and prevent unauthorized code execution.
9) Develop and regularly update incident response playbooks specifically addressing phishing and credential theft scenarios to enable rapid containment and remediation.
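Recommendation 7 (an inventory of authorized domains plus lookalike monitoring) can be turned into a simple log check. The script below is an added example, not code from this pulse or from ANY.RUN: the authorized-domain inventory and the DNS query log lines are constructed for illustration, and the only real indicator in it is the documentssagov.com domain listed on this page.

```python
"""Flag lookalike and known-bad government domains in DNS query logs.
Added example for recommendation 7; not code from the pulse or ANY.RUN.
Inventory and log lines are constructed; the IoC domain is from this page."""
import re

# Constructed inventory of domains the organization treats as authorized.
AUTHORIZED = ["ssa.gov", "dew.sc.gov", "judiciary.org.za"]
# IoC domain listed in this pulse.
KNOWN_BAD = {"documentssagov.com"}

# Constructed DNS query log: "<timestamp> <client ip> <queried name>".
SAMPLE_LOG = """\
2025-06-04T19:20:01Z 10.0.0.12 www.ssa.gov
2025-06-04T19:20:05Z 10.0.0.12 documentssagov.com
2025-06-04T19:21:13Z 10.0.0.31 dew-sc-gov-login.net
2025-06-04T19:22:40Z 10.0.0.31 secure.dew.sc.gov
2025-06-04T19:23:02Z 10.0.0.45 mail.example.com
"""


def classify(qname):
    """Return None for an authorized host, otherwise a reason string."""
    host = qname.lower().rstrip(".")
    if host in KNOWN_BAD:
        return "known IoC domain"
    for auth in AUTHORIZED:
        if host == auth or host.endswith("." + auth):
            return None  # genuine host under an authorized domain
    # Drop the last label (a stand-in for the public suffix; use the Public
    # Suffix List in production) and squash separators: "documentssagov.com"
    # -> "documentssagov", "dew-sc-gov-login.net" -> "dewscgovlogin".
    squashed = re.sub(r"[.-]", "", host.rsplit(".", 1)[0])
    for auth in AUTHORIZED:
        if auth.replace(".", "") in squashed:  # authorized name, dots removed
            return f"lookalike of {auth}"
    return None


def scan_log(text):
    """Return (timestamp, client, qname, reason) for every flagged query."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        reason = classify(qname)
        if reason:
            hits.append((ts, client, qname.lower(), reason))
    return hits
```

Hits for the sample log are the IoC domain and the hyphenated dew.sc.gov lookalike; genuine subdomains of inventory entries are never flagged.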


Technical Details

Author: AlienVault
TLP: white
References: https://any.run/cybersecurity-blog/how-to-investigate-government-cyber-attacks
Adversary: none listed
Pulse Id: 68409d6271a2178e01aa5e79
Threat Score: none listed

Indicators of Compromise

Hash: dfbbc198e7cb36ca31a5cb9dfd859955c4366b94f4a87c2a03102d60168eb74d

Domain: documentssagov.com

Threat ID: 68417b9b182aa0cae2db06eb

Added to database: 6/5/2025, 11:12:27 AM

Last enriched: 7/7/2025, 3:42:37 AM

Last updated: 7/7/2025, 3:42:37 AM
