Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign Description
Operation DNSpionage The campaign targets government and private companies in the Middle East. The threat actors behind the operation use malicious Microsoft Office documents with embedded macros hosted on fake websites to infected users with malware intended to steal a range of sensitive information. The actors are also known to compromise DNS nameservers to redirect traffic to IP addresses under their control.
Operation Sharpshooter The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor...
Operation Shamoon v3 A new variant of Shamoon was discovered in late 2018 targeting several sectors, including oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe. Similar to the previous wave, Shamoon Version 3 uses several mechanisms as evasion techniques to bypass security as well as to circumvent analysis and achieve its ends.
Operation Cobra Venom The campaign was carried out by attackers impersonating the South Korean Ministry of Unification. The phishing operation consisted of email attachments containing two malicious executables disguised as PDF documents. Successful exploitation could allow the threat actor to steal sensitive information and drop additional files allowing complete compromise of the infected computer.
Operation RogueRobin 2019 The campaign infects users with malicious macro enabled Microsoft Excel documents to gain a foothold into the network. The C# payload used in the attacks run a series of commands to detect if the code is being analyzed in a sandbox including checking for virtualized environments, querying system information, determining the total number of CPU cores, and checking for process names containing the words “Wireshark” or “Sysinternals." The malicious software is capable of communicating with its...
Operation Holiday Wiper The campaign uses spear-phishing emails with malicious attachments targeting vulnerabilities in Microsoft Office. The command and control server used in the attack is reported to be a Korean medical website and is used to download a payload which is disguised as a Korean security program.
Operation Extreme Job The campaign targets security companies in South Korea with Microsoft Word documents containing malicious macros. The spear-phishing attack requires the victim to acknowledge the "enabling of macros" warning message before infecting the system with a fake "Java Update Scheduler" file.
Operation KEYMARBLE 2019 The campaign targets companies in Russia with Microsoft Office documents containing malicious macros. The operation requires the victim to accept the "enable macro security warning" before the system is infected. The final payload used in the attacks is a new version of the KEYMARBLE backdoor. The attackers use Dropbox in the second stage of the infection chain and also use a benign PDF file as a decoy document to make the files used in the campaign appear legitimate.
Operation OceanLotus KerrDown The campaign mainly targets individuals who speak Vietnamese with either Microsoft Office documents with malicious macros or RAR archives containing a Microsoft Word 2007 executable file. The threat actor behind the operation has been using the “KerrDown” malware family since at least early 2018 and target a range of sectors and individuals connected to Vietnam. The attacks use a variant of Cobalt Strike Beacon as the final payload.
Operation Kitty Phishing The campaign's goal is to steal confidential information and targets a range of sectors including government and defense with a focus on South Korean users. The threat actors behind the attacks also attempt to steal Ethereum and Bitcoin from cryptocurrency exchanges and individual users. The malware used in the operation is delivered using phishing emails with a zip attachment containing two remote access Trojans disguised as Hangul Word Processor (HWP) documents.