
Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Operation High Level Targets
Description: The Thrip espionage group attacked multiple sectors across South East Asia to install the Hannotog and Sagerunex backdoors. Recent attacks also targeted the satellite communications sector with the same malware to maintain persistence and allow the attackers remote access.

Campaign: Operation Back to School
Description: The COBALT DICKENS threat group, also known as Silent Librarian, sent spear-phishing emails to universities in multiple countries around the world. The emails contained a malicious link that sent victims to a spoofed website under the attackers' control. The fake site captured users' credentials and then redirected the victims to the legitimate academic website.

Campaign: Operation Undocumented Backdoor Stealth Falcon
Description: The Stealth Falcon threat group has been in operation since at least 2012 and targets multiple sectors located in the Middle East. The group was discovered using a custom backdoor that used the Microsoft Windows Background Intelligent Transfer Service (BITS) component for command and control communication. The malicious software is capable of stealing and exfiltrating sensitive information, updating its own configuration, and deleting files.

Campaign: Operation ELECTRICFISH BADCALL
Description: On Monday, September 9, 2019, the US Department of Homeland Security (DHS) released a report on possible malicious activity and pre-shared the IOCs with the industry. McAfee's ATR team enriched and researched the provided indicators and concludes with high confidence that these belong to previous activity from the Lazarus Group. Several network indicators overlap with previously observed campaigns. The samples share a lot of code overlap with previous versions of the malware, which is typical ...

Campaign: Operation At It Again
Description: The TA505 threat group targeted multiple countries across the globe with updated versions of the FlawedAmmyy RAT and ServHelper backdoor. The initial infection vector was spear-phishing emails that contained either a malicious link or attachment. The group's recent campaigns also changed to using .ISO image attachments and a .NET downloader to carry out the attacks.

Campaign: Operation CERTFR-2019-ACT-009
Description: Multiple sectors were targeted with spear-phishing emails and phishing websites to harvest credentials from victims located in various countries across the globe. The campaign was in operation from at least 2017 and used several malicious domain names, subdomains, and e-mail addresses to carry out the attacks.

Campaign: Operation ITG08 Strikes Again
Description: The FIN6 threat group, also known as ITG08, sent targeted spear-phishing emails to employees that contained a malicious link to a supposed job offer. Once a host was compromised, the attackers dropped the More_eggs JScript backdoor to download additional malware, including Mimikatz, to steal sensitive information.

Campaign: Operation SectorJ04 2019
Description: The SectorJ04 threat group, also known as TA505, targeted a range of sectors located across the world. The attacker used spear-phishing emails with malicious attachments to install one of multiple backdoors, including ServHelper, FlawedAmmyy, AndroMut, and FlowerPippi. The malware was used to steal sensitive information from the victims, and some of the malicious software was signed with valid digital signatures.

Campaign: Operation Center Stage
Description: The Lyceum threat group, also known as Hexane, targeted multiple entities in the oil, gas, and telecom sectors across the Middle East, Central Asia, and Africa. The group has been in operation since at least 2018 and used compromised accounts that were obtained through password spraying or brute-force attacks. The command and control servers used throughout the attacks were registered through the PublicDomainRegistry.com, Web4Africa, and Hosting Concepts B.V. registrars.

Campaign: Operation Winnti Malware 4.0
Description: The Winnti malware family dates to at least 2013 and continues to evolve to stay under the radar of security researchers. The latest version of the malicious software uses AES encryption and the third-party library libtomcrypt for decryption. The malware uses various techniques for persistence and defense evasion, including software packing, installing a new service, and modifying the registry.