Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Schools And Universities Under Attack
Description: The Silent Librarian threat actor, also known as TA407 and Cobalt Dickens, targeted the academia sector with spear-phishing emails containing links to malicious websites that mimicked multiple universities around the world. The group hosted the fake domains under the .me, .tk, and .cf top-level domains and used the sites to capture credentials from unsuspecting victims. The domains used in the operation were hosted on Cloudflare and on servers located in Iran.

Campaign: Operation Quicksand
Description: A cyber espionage campaign aimed at organizations in Israel and around the world was discovered and attributed to the MuddyWater threat actor. Two primary attack vectors were used during the operation to install the PowGoop malware: exploiting flaws in Microsoft software and sending decoy documents through spam emails. The tools and techniques used during the attacks included web shells, backdoors, droppers, macros, and PowerShell and VBA code.

Campaign: Operation Space Race
Description: Individuals in the Italian aerospace sector were targeted with social engineering attacks delivered through the LinkedIn social network. The threat actor contacted the targets through private messages and impersonated a Human Resources recruiter to convince victims to download an attachment containing information about a bogus job offer. The multi-stage operation used PowerShell scripts and executable files to install a RAT (Remote Administration Tool) that was used to exfiltrate sensit...

Campaign: Golang-Based RAT
Description: In 2019, a new type of RAT written in Go was discovered that abuses the Oracle WebLogic RCE vulnerability (CVE-2019-2725). Unlike other attacks that have used this vulnerability, this RAT currently does not attempt to deploy cryptominers or other malware. The malware installs itself on a system with an exposed vulnerable Oracle WebLogic server. After exploitation, the malware functions as a regular RAT. According to reports, this malware is still under development, so new functional...

Campaign: PoetRAT
Description: PoetRAT is a remote access trojan that targets both the energy and government sectors. The PoetRAT malware has been seen being distributed via spam phishing emails with links to malicious URLs. This tactic relies on execution by users who fall victim to social engineering techniques such as emails or messages delivered through social media. Once a system is compromised, the PoetRAT malware downloads additional tools for persistence, keylogging, and data exfiltration.

Campaign: IAmTheKing APT
Description: Multiple malware families have been attributed to the IAmTheKing APT group, including KingOfHearts, QueenOfHearts, QueenOfClubs, and JackOfHearts. The malicious software targets various entities with a focus on organizations in Russia. The malware captures screenshots, uploads and downloads files, dumps credentials, and exfiltrates stolen information. Various tools are used by the threat actor, including ProcDump, PsExec, LaZagne, and Mimikatz.

Campaign: Oil And Gas Industries Targeted With Azorult
Description: Threat actors have targeted oil and gas supply chains in the Middle East with an Azorult payload. Taking advantage of revised partnerships, threat actors have targeted the organizations with impersonation attempts to try to infiltrate their infrastructure. By delivering PDF documents through targeted phishing attempts, unsuspecting users were led to download a malicious Azorult payload via an archive hosted on various command and control servers.

Campaign: Eager Beaver TA505
Description: The TA505 threat group has been in operation since at least 2014 and continues to release new campaigns aimed at entities in multiple countries, including Canada, Germany, South Korea, the UK, and the United States. Custom malware is used during the attacks, including the Get2 downloader and the SDBBot remote access trojan. The actor is also known to use a PuTTY SFTP client to exfiltrate sensitive information from infected networks. The initial vector consists of malicious documents that appear leg...

Campaign: BAHAMUT Hack-For-Hire
Description: The BAHAMUT threat group targeted multiple entities, including governments, citizens, and major industry companies, with spear-phishing emails, disinformation campaigns, fake news sites, and bogus mobile apps. The cyber espionage operation deployed malicious software aimed at Microsoft Windows, Google Android, and Apple devices and sought out sensitive information including credentials. The threat actor focused on the Middle East and Asia and used zero-day exploits and anti-forensic/AV evasion ...

Campaign: Operation Earth Kitsune
Description: Multiple vulnerabilities classified under CVE-2019-5782, CVE-2020-0674, CVE-2016-0189, and CVE-2019-1458 are being used to redirect users to malicious websites and drop a backdoor onto the victim's system. The flaws lie in Google Chrome, Microsoft Internet Explorer, and the Windows operating system. The malware collects and exfiltrates a range of data, including system information, network configuration, screenshots, and network connections. The threat actor behind the attacks is using compro...