CyberSecurity news

FlagThis - #kaspersky

Sojun Ryu,@Securelist //

Lazarus Group Exploits South Korean Software Products - Lazarus APT group is exploiting vulnerabilities in South Korean software products through a watering hole attack campaign named ‘Operation SyncHole,’ targeting at least six major South Korean organizations to steal data and conduct malicious activities.
The Lazarus Group, a North Korea-linked advanced persistent threat (APT), is behind a new cyber espionage campaign named "Operation SyncHole." This operation has targeted at least six major South Korean organizations across software, IT, financial, semiconductor manufacturing, and telecommunications industries. The earliest signs of compromise were detected in November 2024. Kaspersky GReAT experts uncovered the campaign, revealing that Lazarus employed a sophisticated combination of watering hole attacks and exploitation of vulnerabilities in South Korean software products.

The attackers strategically leveraged vulnerabilities in widely used software such as Cross EX and Innorix Agent. Cross EX is a legitimate software prevalent in South Korea, enabling security software in online banking and government websites, while Innorix Agent is a file transfer solution. By compromising legitimate South Korean media websites, the attackers redirected specific visitors to attacker-controlled infrastructure where malicious scripts were executed, exploiting vulnerabilities in Cross EX. A vulnerability in Innorix Agent facilitated lateral movement, enabling further deployment of malware across internal networks.

The campaign involved the use of updated variants of Lazarus's malicious tools, including ThreatNeedle, Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE. The attackers exploited a "one-day" vulnerability in Innorix Agent for lateral movement. Researchers assess that the redirected site may have executed a malicious script, targeting a potential flaw in Cross EX installed on the target PC, and launching malware. The infection sequence has been observed adopting two phases, using ThreatNeedle and wAgent in the early stages and then SIGNBT and COPPERHEDGE for establishing persistence.

Recommended read:
References :
  • Securelist: Operation SyncHole: Lazarus APT goes back to the well
  • The Hacker News: Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Flaws and ThreatNeedle Malware
  • cyberpress.org: A newly uncovered cyber campaign, attributed to the infamous Lazarus advanced persistent threat (APT) group, has targeted at least six major South Korean organizations through an attack chain leveraging watering hole techniques and the exploitation of recently patched (“one-dayâ€) vulnerabilities in local security and file transfer software.
  • The DefendOps Diaries: Explore Lazarus Group's Operation SyncHole, targeting South Korea's industries with advanced cyber espionage tactics.
  • Cyber Security News: Cyberpress: Lazarus APT Exploits One-Day Vulnerabilities to Attack Organizations
  • BleepingComputer: Lazarus hackers breach six companies in watering hole attacks
  • CXO Insight Middle East: Kaspersky uncovers new Lazarus-led supply chain cyberattacks in South Korea
  • securityaffairs.com: SecurityAffairs article on Operation SyncHole campaign by Lazarus APT.
  • cyberinsider.com: Lazarus Group Breached Semiconductor and Software Firms in South Korea
@poliverso.org //

Chinese IronHusky APT Targets Russia With RAT - The IronHusky APT group, a Chinese-speaking threat actor, is targeting government organizations in Russia and Mongolia with an upgraded version of the MysterySnail RAT, abusing a legitimate piping server for command and control.
Chinese-speaking IronHusky hackers are actively targeting government organizations in Russia and Mongolia using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) recently discovered this updated implant during investigations into attacks utilizing a malicious MMC script disguised as a Word document. This script downloads second-stage payloads and establishes persistence on compromised systems, indicating a continued focus on espionage and data theft by the APT group.

This new version of MysterySnail RAT includes an intermediary backdoor that facilitates file transfers between command and control servers and infected devices, allowing attackers to execute commands. The IronHusky group is abusing the legitimate piping server (ppng[.]io) to request commands and send back their execution results. This technique helps the attackers to evade detection by blending malicious traffic with normal network activity, highlighting the sophisticated methods employed by the threat actor.

The MysterySnail RAT, initially discovered in 2021, has undergone significant evolution, demonstrating its adaptability and the persistent threat it poses. Despite a period of relative obscurity after initial reports, the RAT has re-emerged with updated capabilities targeting specific geopolitical interests. The continuous refinement and deployment of this malware underscores the ongoing cyber espionage activities carried out by the IronHusky APT group, with a particular focus on Russian and Mongolian government entities.

Recommended read:
References :
  • Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
  • The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
  • BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • Know Your Adversary: 108. Hunting for Node.js Abuse
  • bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
  • poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
  • threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
  • securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
  • www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
  • securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.
@The DefendOps Diaries //

Triada Trojan Preinstalled on Counterfeit Android Devices - A new version of the Triada trojan has been discovered preinstalled on thousands of counterfeit Android devices, allowing threat actors to steal data immediately after setup.
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.

Recommended read:
References :
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones
  • PCMag UK security: Counterfeit Android Phones Preloaded With a Special Surprise: Malware
  • Sam Bent: Triada Malware Preloaded on Counterfeit Androids Hijacks 2,600+ Devices for Crypto Theft and Espionage
  • www.scworld.com: Updated Triada trojan compromises thousands of Android devices
  • securityaffairs.com: New Triada Trojan comes preinstalled on Android devices
  • The Hacker News: Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices
  • Cyber Security News: Trinda Malware Infects Android Devices to Manipulate Phone Numbers During Calls
  • Cyber Security News: New Triada Malware Attacking Android Devices to Replaces Phone Numbers During Calls
  • www.techradar.com: Dodgy Android smartphones are being preloaded with Triada malware
info@thehackernews.com (The@The Hacker News //

SideWinder APT Targets Maritime, Nuclear Sectors - The SideWinder APT group is intensifying attacks on the maritime sector and nuclear power plants across Asia, the Middle East, and Africa, using phishing tactics and exploiting old vulnerabilities.
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.

Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.

Recommended read:
References :
  • The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
  • The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
  • www.it-daily.net: SideWinder now also attacks nuclear power plants
  • securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
  • Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary
Sunny Yadav@eSecurity Planet //

SilentCryptoMiner Targets Russian Users - A large-scale cryptocurrency miner campaign is targeting Russian users with SilentCryptoMiner, disguised as a tool to bypass internet restrictions, distributed through popular YouTube channels, affecting over 2,000 users.
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.

The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats.

Recommended read:
References :
  • securityaffairs.com: Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner
  • thehackernews.com: SilentCryptoMiner infects 2,000 Russian users via fake VPN and DPI Bypass Tools
  • eSecurity Planet: SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN Tools
Field Effect@Blog //

Australia Bans Kaspersky Software Over National Security Concerns - Australia banned Kaspersky software from government networks due to national security concerns, citing risks of foreign interference, espionage, and sabotage.
The Australian government has banned Kaspersky Lab products and web services from all government systems, citing an "unacceptable security risk" stemming from potential foreign interference, espionage, and sabotage. Effective April 1, 2025, government entities must remove the software, reflecting concerns about Kaspersky's data collection practices and possible exposure to foreign government influence. The ban follows a threat and risk analysis that concluded the software posed a significant threat to Australian Government networks and data.

The directive aims to also encourage critical infrastructure providers and personal users to reconsider their use of Kaspersky products due to the identified security risks. While the directive does not explicitly name the foreign government, Kaspersky Lab is a Russian cybersecurity company, raising concerns about ties to the Russian government. Similar bans have been implemented in other countries, including the United States, which banned Kaspersky products from federal systems back in 2017. Exemptions to the ban may be considered for legitimate business reasons related to national security, subject to appropriate mitigations.

Recommended read:
References :
  • BleepingComputer: The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country.
  • securityaffairs.com: Australia bans Kaspersky software over national security concerns, citing risks of foreign interference, espionage, and sabotage of government networks.
  • Talkback Resources: The Australian Government has banned Kaspersky Lab products and web services from all government systems and devices due to security concerns related to potential foreign interference and espionage, effective April 1, 2025.
  • Talkback Resources: Australia Bans Kaspersky Software Over National Security and Espionage Concerns [app]
  • Blog: FieldEffect reports on the Australian government banning Kaspersky software.
@securityonline.info //

Trojanized Game Installers Deploy Cryptocurrency Miner Globally - The StaryDobry campaign uses trojanized game installers to deploy XMRig cryptocurrency miner, targeting users in Russia, Brazil, Germany, Belarus, and Kazakhstan.
A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.

Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan.

Recommended read:
References :
  • securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
  • The Hacker News: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
  • www.scworld.com: Global XMRig attack campaign involves trojanized game installers
  • Talkback Resources: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack [net] [sys] [mal]
  • Talkback Resources: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign [net] [mal]
  • Talkback Resources: StaryDobry campaign targets gamers with XMRig miner [mal]
  • gbhackers.com: A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.
  • BleepingComputer: A large-scale malware campaign dubbed StaryDobry has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • securityonline.info: Cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic The
  • www.bleepingcomputer.com: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
  • Anonymous ???????? :af:: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.

Posts

Blogs

Research Tools