Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Description

Operation MuddyWater: The attacks targeted victims in the United States and the Middle East in an attempt to steal sensitive information. The group behind the campaign used fake documents claiming to be from the NSA in spear-phishing emails to convince victims to open the malicious attachments.

Operation Oceansalt: The campaign reuses a portion of code from the Seasalt implant (circa 2010) that is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, the United States, and Canada in a well-focused attack.

Operation DNSpionage: The campaign targets government and private companies in the Middle East. The threat actors behind the operation use malicious Microsoft Office documents with embedded macros, hosted on fake websites, to infect users with malware intended to steal a range of sensitive information. The actors are also known to compromise DNS nameservers to redirect traffic to IP addresses under their control.

Operation Sharpshooter: The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor...

Operation Shamoon v3: A new variant of Shamoon was discovered in late 2018 targeting several sectors, including oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe. Similar to the previous wave, Shamoon Version 3 uses several evasion techniques to bypass security controls, circumvent analysis, and achieve its ends.

Operation Cobra Venom: The campaign was carried out by attackers impersonating the South Korean Ministry of Unification. The phishing operation consisted of email attachments containing two malicious executables disguised as PDF documents. Successful exploitation could allow the threat actor to steal sensitive information and drop additional files, allowing complete compromise of the infected computer.

Operation RogueRobin 2019: The campaign infects users with malicious macro-enabled Microsoft Excel documents to gain a foothold in the network. The C# payload used in the attacks runs a series of commands to detect whether the code is being analyzed in a sandbox, including checking for virtualized environments, querying system information, determining the total number of CPU cores, and checking for process names containing the words "Wireshark" or "Sysinternals". The malicious software is capable of communicating with its...

Operation Holiday Wiper: The campaign uses spear-phishing emails with malicious attachments targeting vulnerabilities in Microsoft Office. The command and control server used in the attack is reported to be a Korean medical website and is used to download a payload disguised as a Korean security program.

Operation Extreme Job: The campaign targets security companies in South Korea with Microsoft Word documents containing malicious macros. The spear-phishing attack requires the victim to acknowledge the "enable macros" warning message before the system is infected with a fake "Java Update Scheduler" file.

Operation KEYMARBLE 2019: The campaign targets companies in Russia with Microsoft Office documents containing malicious macros. The operation requires the victim to accept the "enable macro" security warning before the system is infected. The final payload used in the attacks is a new version of the KEYMARBLE backdoor. The attackers use Dropbox in the second stage of the infection chain and also use a benign PDF file as a decoy document to make the files used in the campaign appear legitimate.