
Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Description

Operation Spark Backdoor: The Molerats threat group targeted multiple sectors across six countries with spear-phishing emails containing malicious attachments or links to exfiltrate sensitive information. The actor, also known as the Gaza Hacking Team and the Gaza Cybergang, infected systems with the Spark backdoor, which has been attributed to the group and used in previous attacks since at least 2017. Molerats has been attacking multiple sectors since at least 2011 and uses various public and custom backdoors during thei...

Operation Coronavirus Outbreak: Threat actors are taking advantage of the current COVID-19 pandemic to infect unsuspecting victims with malware from multiple families, including Emotet, Nanocore, and Parallax. The attacks focus on malicious attachments in spear-phishing emails with coronavirus-related themes that appear to have been sent from health organizations, delivery companies, and state governments.

Operation Decoy Rocket Loader: A JavaScript file disguised as Cloudflare's Rocket Loader library was injected into compromised Magento websites. The threat actor infected multiple e-commerce sites with the malicious skimmer and used decoy domains to exfiltrate stolen data.

Operation Armenian Watering Holes: Several high-profile websites were used by the Turla threat group to target the government sector of Armenia with malware disguised as Adobe Flash updates. The compromised sites hosted malicious JavaScript which loaded code from a secondary website. The malware exfiltrated a range of data, including system information, screen resolution, and the browser's plugin list, to the actor's command and control server. Visitors deemed interesting were served with a fake Adobe Flash update warning w...

Operation Vicious Panda: The Mongolian public sector was targeted with RTF attachments disguised as documents sent from the Mongolian Ministry of Foreign Affairs. The threat actor behind the attack used the COVID-19 pandemic as a lure and infected victims with a remote access trojan capable of exfiltrating, creating, moving, and deleting files and folders. The Royal Road RTF Weaponizer tool was used to create the malicious documents, which contained embedded objects that exploited the Equation Editor flaws in Microsoft W...

Operation Higesa 2020: The DarkHotel threat group, also known as Higesa, targeted various entities across multiple countries with spear-phishing emails containing a malicious attachment. Once opened by the victim, the malware dropped the Gh0st RAT trojan to steal a range of sensitive information, including screen captures, keystrokes, audio recordings, emails, and files. The actor used Happy New Year themed emails as a decoy and a range of techniques for persistence and defense evasion, including hooking, masquerading, ...

Operation BlackTech ELF_TSCookie: The BlackTech threat actor has been in operation since at least 2012 and is known to target government agencies and private organizations with multiple malware families, including PLEAD and TSCookie. In early 2020 it was discovered that the cyber espionage group is also responsible for a variant of TSCookie targeting the Linux operating system. The new variant has multiple characteristics which differ from the Windows version, including only one communication channel, various code changes, an...

Operation Karkoff 2020: APT34, also known as OilRig, targeted the government sector in Lebanon with spear-phishing emails which contained a malicious Microsoft Excel document. The threat actor dropped a new variant of the Karkoff malware family onto victims' computers, capable of extracting sensitive information. The malicious software used various techniques for persistence, defense evasion, and exfiltration, including scheduled tasks, obfuscation, fallback channels, masquerading, and encryption. The malware used du...

Operation Business As Usual: Multiple cyber espionage campaigns attributed to the MuddyWater threat actor were discovered in 2019 and early 2020. The operation used spear-phishing emails with malicious attachments or links and targeted government agencies in multiple countries, including Turkey, Jordan, Iraq, Georgia, and Azerbaijan. For persistence and defense evasion the threat actor used various techniques, including obfuscation, scripting, registry modifications, and PowerShell.

Operation Cloud Snooper: An unknown Advanced Persistent Threat targeted servers hosted on Amazon Web Services with a rootkit that evaded detection by using a unique combination of techniques, including routing traffic over common and uncommon ports from the infected hosts to the actor's command and control servers. The operation infected both Linux and Windows targets with backdoors and remote access trojans. Various techniques were used, including DLL side-loading, encryption, hooking, and obfuscation.