| DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
|---|---|---|---|---|
| 19.4.24 | FIN7 | Group | APT | Threat Group FIN7 Targets the U.S. Automotive Industry |
| 16.4.24 | Muddled Libra | Group | Group | Muddled Libra also uses the legitimate scalability and native functionality of CSP services to create new resources to assist with data exfiltration. All CSPs have terms of service (TOS) policies that explicitly prohibit activities like those performed by Muddled Libra. |
| 12.4.24 | TA547 | Group | Group | Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer |
| 11.4.24 | Virtual Invaders | Group | Group | There is no indication that this campaign is linked to any known group; however, we are tracking the threat actors behind it under the moniker Virtual Invaders. |
| 9.4.24 | Starry Addax | Group | Group | Starry Addax targets human rights defenders in North Africa with new malware |
| 5.4.24 | UTA0178 | Group | Group | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident, which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. |
| 5.4.24 | CoralRaider | Group | Group | CoralRaider targets victims' data and social media accounts |
| 2.4.24 | Earth Freybug | Group | Group | This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored, via a new malware we've discovered and dubbed UNAPIMON. |
| 28.3.24 | NARWHAL SPIDER | Group | APT | NARWHAL SPIDER's operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer. |
| 27.3.24 | Earth Krahang | Group | APT | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks |
| 27.3.24 | Earth Lusca | Group | APT | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections |
| 27.3.24 | BRONZE VINEWOOD | Group | APT | Details on BRONZE VINEWOOD, Implicated in Targeting of the U.S. Election Campaign |
| 26.3.24 | Lord Nemesis Strikes | Group | Hacktivism | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector |
| 26.3.24 | TA450 | Group | APT | Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign |
| 24.3.24 | Springtail | Group | APT | Springtail APT group abuses valid certificate of known Korean public entity |
| 24.3.24 | Kimsuky | Group | APT | The Updated APT Playbook: Tales from the Kimsuky threat actor group |
| 22.3.24 | UNC302 | Group | Group | BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. |
| 22.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. |
| 22.3.24 | UNC5221 | Group | Group | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident, which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. |
| 20.3.24 | Andariel | Group | Group | Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions |
| 18.3.24 | ITG05 | Group | Group | Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns |
| 14.3.24 | APT-C-36 | Group | APT | Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected of originating from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc. |
| 14.3.24 | DarkCasino | Group | APT | DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property. |
| 11.3.24 | BianLian | Group | Ransomware | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. |
| 7.3.24 | Evasive Panda | Group | APT | Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations. |
| 7.3.24 | TA4903 | Group | Phishing | TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids |
| 7.3.24 | 8220 Mining Group | Group | Cryptocurrency | Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software. |
| 6.3.24 | GhostSec | Group | Ransomware | GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS. |
| 6.3.24 | UNC1945 | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. |
| 6.3.24 | APT32 | Group | APT | Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. |
| 6.3.24 | Kimsuky | Group | APT | Joint Cybersecurity Advisory: North Korean Advanced Persistent Threat Focus: Kimsuky |
| 5.3.24 | TA577 | Group | Group | TA577's Unusual Attack Chain Leads to NTLM Data Theft |
| 2.3.24 | Scattered Spider | Group | Hacking | Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing. |
| 2.3.24 | BlackTech | Group | CyberSpy | BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech's campaigns are likely designed to steal their targets' technology. |
| 2.3.24 | Peach Sandstorm | Group | APT | Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. |
| 2.3.24 | LightBasin | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. |
| 1.3.24 | UNC1549 | BigBrother | CyberSpy | When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors |
| 1.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. |
| 1.3.24 | Tortoiseshell | Group | Group | A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers' customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. |
| 1.3.24 | Bohrium | Group | Group | Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. |
| 19.2.24 | TAG-70 | Group | Group | Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign |
| 6.2.24 | GambleForce | Group | Group | Analysis of TTPs tied to GambleForce, which carried out SQL injection attacks against companies in the APAC region |
| 3.2.24 | COLDRIVER | Group | Group | The Coldriver Group, also known as Callisto and SEABORGIUM, is a threat actor known to attack government organizations, think tanks, and journalists in Europe and the Caucasus regions through spearphishing campaigns. |
| 3.2.24 | Shuckworm | Group | Group | Shuckworm: Inside Russia's Relentless Cyber Campaign Against Ukraine |
| 3.2.24 | LitterDrifter | Group | Group | Malware Spotlight – Into the Trash: Analyzing LitterDrifter |
| 3.2.24 | UAC-0027 | Group | Group | UAC-0027 Attack Detection: Hackers Target Ukrainian Organizations Using DIRTYMOE (PURPLEFOX) Malware |
| 2.2.24 | UNC5221 | Group | CyberSpy | UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant |
| 2.2.24 | Volt Typhoon | Group | Group | [Microsoft] Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises. |
| 1.2.24 | UNC4990 | Group | Group | Evolution of UNC4990: Uncovering USB Malware's Hidden Depths |
| 19.1.24 | COLDRIVER | Group | Group | Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware |