Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaigns Description
Operation Sharpshooter The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor...
Operation WinRAR Goldmouse The attack campaign targets victims in the Middle East with malicious Microsoft Word documents located inside of an archive and takes advantage of a flaw in WinRAR. Once decompressed the malware creates an entry in the computers start up folder and is executed at next login or next reboot. The final payload is the njRAT backdoor which stops the local firewall and then starts a keylogger to steal sensitive information.
Operation Hidden Python The operation targets victims with a compressed file containing a malicious .hwp document and an executable that attempt to take advantage of a flaw in WinRAR. The archive file is labeled "North America Second Summit .rar" and is password protected to avoid detection. Once executed by the victim the malware creates a startup task and is active once the infected system is rebooted.
Operation Bad Tidings The phishing campaign has been ongoing since at least 2016 and continues to be in operation into 2019. The attack focuses on fake websites that mimic multiple branches of the Saudi Arabian government in an attempt to steal sensitive data from local citizens including personally identifiable information (PII).
Operation ShadowHammer The supply chain attack targeted users who own ASUS computers with malware injected in the ASUS Live Update Utility. The threat actors behind the operation used stolen digital certificates to sign the malicious software to appear legitimate to end users. The campaign targeted users across the globe with a majority of the infections appearing in Russia, Germany, and France.
Operation Masquerade Lucky Elephant The campaign targets governments in South Asia with spear-phishing emails to direct victims to malicious web pages in an attempt to steal credentials. The fake websites mimic Microsoft Outlook 365 login pages and well-known government sites including those controlled by authorities in Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, Nepal, and Shanghai.
Operation Pick-Six The campaign attempts to infect its victims with either Ryuk and LockerGoga ransomware to extort funds. The operation uses a combination of various tools and techniques to carry out the attacks including stolen credentials, Cobalt Strike, Metasploit, Microsoft Remote Desktop Protocol, and PowerShell as well as publicly available applications.
Operation TajMahal The APT framework consists of two packages labeled Tokyo and Yokohama which are used to infect targeted systems with a range of malicious software. Once infected the malware can steal a range of sensitive information including documents, Apple mobile device data, screenshots, audio, and cookies from Internet Explorer, Netscape Navigator, Firefox and RealNetworks.
Operation London Blue BEC A business email compromise campaign has been discovered attacking workers in Asia with spoofed emails that appear to come from legitimate companies located around the world. The actors latest operation was discovered in early 2019 and its theme is based around mergers and acquisitions in an attempt to get the victims to wire funds to the threat actors.
Operation TRITON 2019 The attackers behind the campaign updated their custom tools and tactics to attack a critical infrastructure company in an attempt to steal credentials, install backdoors, escalate privileges, and move laterally across the IT and OT networks. The threat actors used custom tools including SecHack, NetExec, Cryptcat, and PLINK to carry out their operation.