Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Description

Operation WinRAR Goldmouse: The attack campaign targets victims in the Middle East with malicious Microsoft Word documents located inside an archive and takes advantage of a flaw in WinRAR. Once decompressed, the malware creates an entry in the computer's startup folder and is executed at the next login or reboot. The final payload is the njRAT backdoor, which stops the local firewall and then starts a keylogger to steal sensitive information.

Operation Hidden Python: The operation targets victims with a compressed file containing a malicious .hwp document and an executable that attempts to take advantage of a flaw in WinRAR. The archive file is labeled "North America Second Summit .rar" and is password protected to avoid detection. Once executed by the victim, the malware creates a startup task and becomes active once the infected system is rebooted.

Operation LightNeuron: The campaign targets Microsoft Exchange servers to install a custom backdoor labeled "LightNeuron." The malware can perform several tasks, including spying on, modifying, and deleting incoming and outgoing email. The commands used in the attack are hidden in PDF or JPG attachments using steganography. The malicious software can also be used as a backdoor to add, delete, and copy files and to execute processes and executables.

Operation Bluetooth Harvester: The attack uses malware targeting Bluetooth devices by leveraging Windows Bluetooth APIs to gather a range of information from the infected host, including device name, address, and class, as well as whether the device is connected, authenticated, and remembered. The campaign focuses on companies in Vietnam, Russia, Hong Kong, and North Korea in an attempt to steal sensitive information.

Operation Email Stealer: The campaign targets the banking sector with spear-phishing emails containing malicious attachments in an attempt to steal emails and account passwords from the infected host. The malware is signed by a well-known SSL Certificate Authority to avoid detection, but sends the stolen information back to command and control servers unencrypted. The threat actor deletes the files used in the operation from the infected computer to remain undiscovered.

Operation Trojanized TeamViewer: The campaign targeted multiple embassies and government officials in Europe with a malicious attachment carried in spear-phishing emails. The fake documents contained malicious macros that dropped a weaponized TeamViewer application as the final payload. The malware uploaded a range of information from the infected host, including screenshots and TeamViewer credentials.

Operation FIN7.5: The threat group continues to attack hundreds of companies with spear-phishing emails even though members were arrested in 2018. The social-engineering campaign carried on email conversations with targets for weeks before infecting the victims with malware that dropped various modules to collect screenshots and system information. The malicious software also installed Meterpreter shellcode and an implant to maintain persistence.

Operation WebStorage: The campaign uses compromised routers and man-in-the-middle attacks to target the legitimate ASUS WebStorage software and distribute the Plead malware. The backdoor is created and executed by a legitimate process that is digitally signed by ASUS Cloud Corporation. The operation targets government agencies and private organizations in Asia.

Operation SharePoint Middle East: The campaign targeted Microsoft SharePoint servers located at Middle Eastern government organizations to steal sensitive information. The threat actors installed web shells on the compromised servers by taking advantage of flaws that have since been patched by the vendor. Various tools were used in the operation, including custom backdoors and Mimikatz, to traverse the network.

Operation BlackWater: The campaign used trojanized documents attached to phishing emails to steal sensitive information from victims located in the Middle East. The malicious software triggered a PowerShell script after the victim enabled macros. A range of data is collected from the infected host, including detailed system information, IP addresses, and usernames.