Top 10 Campaigns

Campaign: Operation WebStorage
Description: The campaign uses compromised routers and man-in-the-middle attacks against the legitimate ASUS WebStorage software to distribute the Plead malware. The backdoor is created and executed by a legitimate process that is digitally signed by ASUS Cloud Corporation. The operation targets government agencies and private organizations in Asia.

Campaign: Operation SharePoint Middle East
Description: The campaign targeted Microsoft SharePoint servers at Middle Eastern government organizations to steal sensitive information. The threat actors installed web shells on the compromised servers by exploiting flaws that the vendor has since patched. Various tools were used in the operation, including custom backdoors and Mimikatz, to move through the network.

Campaign: Operation BlackWater
Description: The campaign used trojanized documents attached to phishing emails to steal sensitive information from victims in the Middle East. The malicious document triggered a PowerShell script once the victim enabled macros. A range of data is collected from the infected host, including detailed system information, IP addresses, and usernames.

Campaign: Operation MuddyWater POWERSTATS V3
Description: The campaign targets a range of sectors with spear-phishing emails sent from legitimate compromised accounts to drop a PowerShell-based backdoor labeled POWERSTATS v3. After gaining access to the network, the attackers can upload various data from the infected host, including system information, screenshots, and the output of commands executed via cmd.exe. The group behind the attacks has been in operation since at least 2018 and continues to expand and update its tools and attack vectors.

Campaign: Operation ShellTea
Description: The campaign targets the hotel and entertainment sectors with spear-phishing emails to infiltrate systems with the ShellTea backdoor. The malware contains anti-debugging and anti-monitoring techniques to stay under the radar when analyzed. It also installs itself in the registry for persistence and uses PowerShell throughout the infection process. The malware is capable of exfiltrating a range of data from infected hosts, including system information, anti-virus details, and…

Campaign: Operation HAWKBALL
Description: The campaign targets the government sector in Central Asia with malicious documents that exploit vulnerabilities in Microsoft Office to drop the HAWKBALL backdoor. The malware has many capabilities, including collecting system information, creating reverse shells, uploading, downloading, and deleting files, and terminating processes. It also has anti-debugging detection to stay under the radar of security researchers.

Campaign: Operation Frankenstein
Description: The campaign used a range of open-source tools to carry out its attacks, including Microsoft's MSBuild, the post-exploitation framework FruityC2, and PowerShell Empire. The malicious software used in the operation also contained an anti-analysis module that loaded a Visual Basic for Applications (VBA) script to check for a range of applications, including VMware, Process Explorer, ProcMon, TCPView, AutoIt, Wireshark, and many more. The infection vectors consisted of a trojanized Microsoft Word do…

Campaign: Operation TA505 Shifting Tactics
Description: The group behind the operation targets users in South Korea, China, and Taiwan with new tactics, techniques, and procedures, including using Amadey to distribute EmailStealer, using VBA macros and Excel 4.0 macros, and delivering spear-phishing emails containing HTML links to infect victims with the FlawedAmmyy backdoor.

Campaign: Operation Waterbug New Toolset
Description: The threat actor behind the operation launched a series of attacks over the last 18 months against multiple sectors, including government, IT, communications, and education. The operation uses a range of tools, including a new backdoor labeled Neptun that targets Microsoft Exchange servers, a modified version of Meterpreter, custom loaders, and custom RPC backdoors. The targets are in multiple locations, including South America, Europe, Asia, and the Middle East.

Campaign: Operation Soft Cell
Description: The campaign has been active since at least 2012 and targets telecommunications providers in multiple countries. The attackers behind the operation use a range of tools, including modified versions of China Chopper, Nbtscan, Mimikatz, and hTran. Also used in the attacks are the PoisonIvy RAT, WMI, PsExec, and WinRAR. The goal of the operation is to steal sensitive information, including credentials, PII, billing data, and call records, as well as other information.
