Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign | Description
Operation Mikroceen | Mikroceen is a remote access trojan that has been targeting both public and private sector organizations since late 2017, with activity continuing into 2020. The attacks are believed to have originated from a state-sponsored APT group, with victims belonging to the telecom and gas industries as well as governmental entities in the Central Asian region.
Operation Himera and AbSent-Loader | An unknown threat actor leveraged the ongoing COVID-19 pandemic to lure unsuspecting users into opening spear-phishing emails that contained malicious Microsoft Word attachments. Once the attachment was opened by the victim, the multi-staged attack used a loader to install a second-stage dropper, which was used to confirm that the system passes all anti-analysis scans. After the scan is passed, another file is downloaded from a remote location and a scheduled task is created for persistence.
Operation Kazuar Trojan Masks As Sysinternals | The Turla group has changed its Kazuar backdoor and used a newer .NET obfuscator to make analysis more difficult. The actor is using the well-known Sysinternals brand to mask the files as Sysinternals tools; however, a quick analysis proves the contrary. McAfee's telemetry shows activity from July 2019 to mid-2020 for some of the samples, but the reporting rate is low, indicating a very specific and targeted use of the trojan.
Operation FlowCloud | The TA410 threat group targeted the United States utilities sector with the FlowCloud malicious software to exfiltrate sensitive information including keystrokes, screen captures, and files to custom command and control servers. The actor used various domains during the operation, including custom domains and web services such as Dropbox, to host the malicious software and upload the stolen data. The initial infection vector consisted of spear-phishing emails containing subject lines and either ....
Operation Australia | Australian governments and companies are being targeted by a sophisticated, possibly state-based, actor. The actor is making heavy use of proof-of-concept exploit code, web shells and other open source tools. The most prevalent method of initial access in these attacks has been identified as being the exploitation of public-facing infrastructure. The actors are actively exploiting known vulnerabilities in Telerik UI (CVE-2019-18935), Citrix (CVE-2019-19781) and SharePoint (CVE-2019-0604).
Operation Qbot Targets Financial Institutions | The Qbot banking trojan has been in operation for more than a decade and continues to target entities worldwide. The malware has been referenced by many names, including Akbot, Qakbot, and Pinkslipbot, but still focuses on exfiltrating sensitive information including browser information, financial data, and credentials. A new variant of the malicious software was discovered in 2020 performing new techniques including injecting the malware into explorer.exe and creating a registry run key to surviv...
Operation Netwire Targets Italy | Netwire is a RAT that focuses on password stealing and keylogging, but also includes remote control capabilities. On June 5, 2020, this malware was reported to target Italian-speaking victims. The variant used in this campaign is similar to other samples of the NetWire malware family but uses an evolved attack chain. The malware is delivered as a malicious email attachment with an XML macro embedded in it.
Operation Dark Basin | A hacker-for-hire operation known as Dark Basin was uncovered targeting multiple industries across many countries around the world. Targeted entities included advocacy groups, journalists, government officials, financial professionals, nonprofits, human rights defenders, and energy and pharmaceutical companies. The initial infection vector mostly consisted of phishing emails containing malicious URL shorteners to direct victims to fake sites which mimicked Google Mail, Yahoo Mail, Facebook, an...
Operation Vendetta RoboSki | A new threat group known as "Vendetta" was discovered in early 2020 targeting entities with spear-phishing emails to steal sensitive information. Fake letters from multiple organizations were used as lures to convince victims to open the malicious attachments. The malware was discovered in various regions including North America, Eastern Europe, Western Europe, South East Asia, and North Africa. After the attachment is opened the malicious software runs in memory and can evade sandbox...
Operation Hidden Story | The InvisiMole threat group targeted the military, diplomacy, defense, and government sectors in Eastern Europe with an updated toolset. The malware used various techniques, including abusing legitimate applications, exploiting vulnerable executables, and using EternalBlue and BlueKeep exploits for lateral movement. The group also used the Data Protection API feature in Microsoft Windows for encryption and DNS tunneling to communicate with command and control servers.