Threats Tagged 'quasarrat'

View all threats tagged with 'quasarrat'.

Mercenary Akula Hits Ukraine-Supporting Financial...
A European financial institution involved in regional development and reconstruction initiatives was targeted by a social engineering attack attributed to the Russia-aligned Mercenary Akula. The attack used a spoofed Ukrainian judicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy advisor involved in procurement. The attack employed a multi-stage extraction process and deployed the Remote Manipulator System, a legitimate remote administration tool. This incident suggests the adversary may be expanding beyond primarily Ukraine-based targeting, potentially probing Ukraine-supporting institutions in Western Europe. The attack aligns with Mercenary Akula's established tactics, including localized social engineering, multi-stage payload delivery, and the use of signed remote administration tools.

State-Sponsored Remote Wipe Tactics Targeting Android Devices
A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They compromised Google accounts to track victims' locations and remotely wipe Android devices. The attack involved spear-phishing, prolonged reconnaissance, and abuse of legitimate management functions. Multiple RAT variants were deployed, including RemcosRAT, QuasarRAT, and RftRAT. The campaign utilized WordPress-based hosting and geographically distributed C2 servers to evade detection. This sophisticated attack demonstrates the evolving tactics of state-sponsored threat actors.

Malicious Infrastructure Finds Stability with aurologic GmbH
The German hosting provider aurologic GmbH has become a critical infrastructure hub for multiple high-risk and sanctioned cybercrime networks, including entities involved in disinformation and malware campaigns. Despite public scrutiny and sanctions, aurologic continues to provide upstream transit services, enabling threat actors to maintain operational stability. The provider's approach to abuse handling is reactive and legally compliant rather than proactive, allowing malicious infrastructure to persist. This situation highlights challenges in accountability within the hosting ecosystem and the risks posed by infrastructure neutrality when it enables cybercrime. Numerous suspicious domains linked to aurologic-hosted networks have been identified, associated with malware families and threat actor tools. European organizations, especially in Germany, face increased risks due to this infrastructure's stability and continued operation. Mitigation requires enhanced monitoring of traffic from these domains, collaboration with upstream providers, and pressure on hosting providers to adopt proactive abuse prevention. Countries with significant internet infrastructure and cybercrime targets in Europe are most likely to be affected.

TAG-144's Persistent Grip on South American Organizations
Insikt Group has identified five distinct activity clusters linked to TAG-144 (Blind Eagle), targeting primarily Colombian government entities across local, municipal, and federal levels throughout 2024 and 2025. The clusters share similar tactics, techniques, and procedures (TTPs) such as using open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging. However, they differ in infrastructure, malware deployment, and operational methods. The group maintains an extensive operational infrastructure, employs various RATs, and uses multi-stage infection chains. TAG-144's primary focus appears to be credential theft and espionage, with evidence linking it to Red Akodon and compromised Colombian government email accounts used in spearphishing campaigns.

Analysis of a threat case in which the Kimsuky group used the 'ClickFix' tactic
The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extension of Kimsuky's ongoing 'BabyShark' threat activity. The tactic has evolved from VBS-based attacks to more sophisticated email-based and website-delivered methods. Attackers impersonate legitimate entities and use multilingual manuals to guide victims through seemingly harmless steps that actually execute malicious code. The group's infrastructure and linguistic patterns point to North Korean origin. To counter such threats, EDR-based defense strategies are crucial for detecting obfuscated malware and identifying abnormal behaviors.
