Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaigns Description
Operation Soft Cell The campaign has been active since at least 2012 and targets telecommunications providers in multiple countries. The attackers behind the operation use a range of tools including modified versions of China Chopper, Nbtscan, Mimikatz, and hTran. Also used in the attacks are the PoisonIvy RAT, WMI, PsExec, and Winrar. The goal of the operation is to steal sensitive information including credentials, PII, billing data, and call records as well as other information.
Operation Tripoli A large-scale campaign was discovered that used Facebook pages to spread malware to mobile and desktop environments with a focus on Libya. The social media pages included malicious links to documents that contained fake information about the latest airstrikes and the capturing of terrorists. The threat actor also set up a fake Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar, which had more than 11,000 followers.
Operation Buhtrap Zero-Day The campaign used a zero-day privilege escalation vulnerability in Microsoft Windows to carry out attacks against government institutions. The threat actor behind the operation used decoy documents to install malicious software to steal sensitive information including contact information and passwords. Additional malware installed included backdoors and a Meterpreter reverse shell.
Operation Topinambour A new campaign was discovered that has been in operation since early 2019. The threat actor behind the operation uses multiple tools including one dropper known as “Topinambour”. Successful exploitation allows the attacker to gain access to sensitive data as well as upload, download, and execute files under their control.
Operation Oto Gonderici The operation targets large organizations in Turkey with spam email messages containing malicious attachments. The attacks drop multiple RATs onto the infected system including the Adwind and FareIt remote access trojans. The threat actor uses an uncommon method to evade detection known as Excel formula injection.
Operation Sea Turtle DNS Hijacking The threat actor behind the campaign used a new DNS hijacking technique to carry out their attacks. The technique compromised name server records and responded to DNS requests with falsified A records which in turn pointed users to servers under the control of the attackers. Multiple sectors were targeted in the operation including government, energy, aviation, and think tanks.
Operation Ratsnif OceanLotus The threat group behind the campaign is using the Ratsnif remote access trojan family to carry out attacks that perform a range of malicious activity including packet sniffing, ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing. The group of trojans have been under active development since 2016.
Operation AndroMut The threat actors behind the operation introduced another new downloader malware, AndroMut, which has some similarities in code and behavior to Andromeda, a long-established malware family. Researchers observed AndroMut download malware referred to as “FlawedAmmyy.” FlawedAmmyy is a full-featured RAT that was first observed in early 2016 and is based on the leaked source code of a legitimate shareware tool, Ammyy.
Operation Multiple Threat Groups Equation Editor Multiple threat groups with ties to China have updated their arsenal to include the exploit for the Microsoft Equation Editor vulnerability classified under CVE-2018-0798. Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory.
Operation Gelup FlowerPippi The threat actor behind the campaign targeted Middle Eastern countries that delivered more than 90% of the total spam emails to the UAE, Saudi Arabia, and Morocco. The spam emails contained either an .html or .xls file attachment. The HTML file lead to a download of another Excel file embedded with a malicious Excel 4.0 macro, which then downloaded a FlawedAmmyy downloader (in .msi file) that lead to the FlawedAmmyy payload. The direct .xls attachments were equipped with a VBA macro which fetche...