
APT Trend Report for the First Quarter of 2024








Observation and discovery

The Gelsemium group performs server-side attacks that result in webshells, and stealthily deploys a range of custom and public tools. Its two main implants, SessionManager and OwlProxy, were first detected in 2022 following the exploitation of a ProxyLogon-type vulnerability in Exchange Server.

The latest investigation was triggered by the discovery of suspicious activity on a server located in Palestine in November 2023, with traces of a breach attempt dating to October 12, 2023. The payload delivery method is highly unusual: the payload is hidden in a font file, compressed and encrypted.

Careto is a highly sophisticated threat group that has been targeting various well-known companies since 2007. However, the last operations observed by this threat group were in 2013. Since then, no information about Careto activities has been seen.

Notable in recent threat tracking is the use of custom techniques by Careto actors, such as using the MDaemon email server to maintain a foothold within the organization or leveraging the HitmanPro Alert driver to achieve persistence.

In summary, Careto uses three sophisticated implants to carry out its malicious activities, which we refer to as “FakeHMP,” “Careto2,” and “Goreto.”

Middle East

In March, security researchers discovered a new malware campaign targeting government entities in the Middle East. We call it “DuneQuixote”. The investigation found more than 30 samples of DuneQuixote droppers in active use in this campaign. These implants are tampered installer files of a legitimate tool called “Total Commander.” They carry malicious code used to download additional payloads, at least some of which are samples of the backdoor known as “CR4T.”

At the time of discovery, only two such implants were identified, but we strongly suspect there are others that may appear in the form of completely different malware. The group prioritizes preventing the collection and analysis of its implants – the DuneQuixote campaign demonstrated practical and well-designed evasion methods in both network communications and malware code.

In our previous report on the Oilrig APT we discussed how IT service providers could potentially be used as a pivot point to reach their customers as the ultimate target, and we continually track threat actor activity to identify relevant infection attempts. Another campaign was detected during this process, possibly by the same threat actors, but this time targeting an Internet service provider in the Middle East. In this new campaign, the attackers used a .NET-based implant that was deployed using VB and PowerShell. The implant, named “SKYCOOK” for its functionality, is a remote command execution and information-stealing utility. The attackers also used an AutoHotkey (AHK) based keylogger, similar to those used in previous intrusions.

Southeast Asia and the Korean Peninsula

We have been tracking the activities of DroppingElephant for the past few years. Recently, multiple Spyder backdoor samples have been detected in their operations, along with Remcos RAT and, in a few cases, other malicious RAT tools. Threat actors have been observed abusing the Discord CDN and leveraging malicious .DOC and .LNK files to deliver these remote access tools to victims in South Asia. Qianshin has published details of the Spyder backdoor and its use against multiple entities in South Asia. In our report, we share newly discovered IoCs and the types of organizations targeted based on telemetry.

At the end of 2023, we discovered a malware variant orchestrated by the Kimsuky group that leveraged legitimate software unique to South Korea to spread. While the precise method used to manipulate the legitimate program as the initial infection vector remains unclear, we confirmed that the legitimate software established a connection to the attacker's server. It then retrieved the malicious files, thus initiating the first stage of the malware.

The initial stage of the malware acts as a traditional installer designed to introduce complementary malware and establish persistence mechanisms. After the installer is executed, subsequent stage loaders are generated and added to Windows services for automatic execution. The final payload in this sequence is previously unknown Golang-based malware dubbed “Durian.” Durian has comprehensive backdoor capabilities that can execute sent commands, download additional files, and exfiltrate files.

With Durian's help, the operators deployed several additional means of maintaining access to the victims. First, they introduced additional malware called “AppleSeed,” an HTTP-based backdoor commonly used by the Kimsuky group. Additionally, they integrated legitimate tools, including ngrok and Chrome Remote Desktop, as well as custom proxy tools, to gain access to targeted computers. Ultimately, the attackers planted malware to steal data stored by the browser, including cookies and login credentials.

Based on telemetry data, we identified two victims in the South Korean cryptocurrency industry. The first compromise occurred in August 2023, and the second in November 2023. Notably, our investigation did not uncover any additional victims during these incidents, indicating a highly focused targeting approach by the attackers.

Given that this attacker specifically used AppleSeed malware, a tool historically associated with the Kimsuky group, it is highly likely that these attacks can be attributed to Kimsuky. Interestingly, however, there is a subtle connection to the Andariel group.

Andariel is known for employing a custom proxy tool called “LazyLoad” and appears to have similarities to the attackers in this attack, as we observed during our research that the attackers also used LazyLoad. This subtle connection warrants further exploration of potential collaboration or shared tactics between these two threat groups.

ViolentParody is a backdoor detected within a Korean gaming company. The latest deployment was in January this year. Threat actors distribute this backdoor across an organization's network by infecting a batch file located on an internal network share. Execution of the infected .BAT file launches an MSI installer, which in turn drops the backdoor on the computer and configures it to persist via scheduled tasks and COM objects.

Analysis of this backdoor shows that it can collect reconnaissance data on infected machines, perform file system operations and inject various payloads. We also observed the threat actors behind this backdoor launching penetration testing tools such as Ligolo-ng, Inveigh, and Impacket. We attribute the activity described in the report to Winnti, but with low confidence.

In recent months, threat actor SideWinder has launched hundreds of attacks against well-known entities in Asia and Africa. Most attacks start with a spear phishing email containing a Microsoft Word document or a ZIP archive (which contains an LNK file). The attachment initiates a chain of events that leads to the execution of multiple intermediate stages using different JavaScript and .NET loaders, ultimately ending with a malicious implant developed in .NET that runs only in memory.
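The SideWinder chain described above starts with a ZIP attachment that carries an LNK file. The following is an added example, not code from the report or from any vendor, showing how a mail-gateway or triage script can list the shortcut files inside a ZIP attachment, judging each member both by its extension and by the Shell Link header (HeaderSize 0x4C followed by the shell link CLSID), so that a shortcut with a misleading or missing extension is still caught. The sample archive is constructed inline; the function names are this example's own.

```python
"""List Windows shortcut (.lnk) members inside a ZIP attachment.

Added example (not from the report): a ZIP carrying an LNK file is a
common first stage of spear-phishing chains, so a gateway can quarantine
such attachments before the shortcut ever reaches a user.
"""
import io
import zipfile

# Shell Link header: HeaderSize (0x4C, little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def is_lnk(name: str, head: bytes) -> bool:
    """A member is a shortcut if it has a .lnk extension or the LNK header."""
    return name.lower().endswith(".lnk") or head.startswith(LNK_MAGIC)


def shortcut_members(zip_bytes: bytes) -> list:
    """Return the names of ZIP members that are LNK shortcuts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            if is_lnk(info.filename, head):
                found.append(info.filename)
    return found


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: quarantine any attachment that contains a shortcut."""
    return bool(shortcut_members(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample: benign files plus two disguised shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 sample")
        # double extension, the classic lure
        zf.writestr("Report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("notes.txt", b"hello")
        # no extension at all: caught by the header check only
        zf.writestr("agenda", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("shortcuts:", shortcut_members(sample))
    print("quarantine:", should_quarantine(sample))
```

Reading only the first 20 bytes of each member keeps the check cheap on large archives; nested archives and password-protected ZIPs (which `zipfile` cannot open without the password) would need separate handling in a production gateway.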

During the course of our investigation, we observed a sizable infrastructure consisting of many different virtual private servers and dozens of subdomains. Many of the subdomains are believed to have been created for specific victims, and the naming scheme suggests that the attackers are trying to disguise malicious communications as legitimate traffic from websites associated with government entities or logistics companies.

SideWinder has historically targeted government and military entities in South Asia, but in this case the scope of targets has expanded. The actor also compromised entities in Southeast Asia and Africa. Additionally, we saw the compromise of various diplomatic entities in Europe, Asia and Africa. The expansion of the target range also includes new industries, as evidenced by the discovery of new targets in the logistics sector, more specifically maritime logistics.

The Lazarus group has various malware clusters in its arsenal and is constantly updating its features and techniques to evade detection. However, the attacker can sometimes be observed using its older malware.

The actor was recently detected testing its ThreatNeedle tool. The malware authors use a binder tool to create the initial stage of the malware, which delivers and plants the final payload. The main purpose of the binder tool is to assemble the malware installer, the actual payload, and the configuration.

In addition, we found various malicious files on affected computers that obtain the next-stage payload after sending the victim's profile. This downloader malware is typical of Lazarus’ modus operandi. However, the group has now adopted a more complex HTTP communication format to evade detection at the network level. By investigating the command and control (C2) resources used by the attackers, we discovered NPM packages containing malicious JavaScript code that delivers malware without the user noticing. Most of these are disguised as cryptocurrency-related programs and are capable of downloading additional payloads from attacker-controlled servers. This strategy is highly similar to campaigns observed and reported in the past.


Hacktivism, a combination of hacking and activism, is often left out of a company's threat profile. Such threat actors are typically active in all types of crises, conflicts, wars, and protests, with the goal of using digital means to send political, social, or ideological messages.

SiegedSec stepped up its international hacking intrusions and activities in 2023. This small group has been active since 2022 and mainly conducts hacking and leak operations. Like past hacktivist groups such as LulzSec, what began as hacking leaks and destructive operations “for lulz” later evolved into multiple offensive operations pursuing social justice-related goals on a global scale.

The activities also led to coordination with other cybercriminal groups as part of the “Five Families” hacktivist group, although SiegedSec was later ousted for alleged misconduct.

Their recent offensive activities depend on current socio-political events. Web application-centric attack campaigns target corporate, industrial, and government infrastructure and exfiltrate stolen sensitive information. Currently, members of the organization are still at large.

During the conflict between Israel and Hamas, there was an increase in hacktivist activity from around the world, including denial of service (DoS and DDoS), web defacement, doxxing, and recycling of old vulnerabilities. The targets and victims are primarily Israeli and Palestinian infrastructure. But with supporters on both sides of the conflict, hacktivists are also targeting infrastructure in countries seen as supporting either side.

In order to reduce exposure to such threat actors, it is first important to update the threat/risk profile when similar incidents occur.

Second, it is critical to understand the technical risks associated with your respective country or institution and prevent unauthorized access by ensuring secure access and updating software.

Third, DoS/DDoS readiness is critical. Although these attacks are temporary, simply denying access for a limited period of time until normal service is restored, the corresponding tools are widely available, and their impact on business operations can vary with the duration and scale of the attack. Therefore, measures must be taken to mitigate both application-layer and volumetric attacks.

Finally, data breaches are almost inevitable these days. Attackers may simply start with stolen credentials to gain full enterprise access and exfiltrate sensitive data. This data may then be recycled in future events to connect the compromise with hot topics and with the hacktivist message so that it can be widely heard. The best way to mitigate this situation is to prevent data leakage in the first place. Implementing methods to monitor network flows can help identify unusually large outbound data flows so that they can be blocked early on.
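The last mitigation step above, monitoring network flows for unusually large outbound transfers, can be implemented over flow records. The following is an added example, not code from the report or from any vendor: it sums outbound bytes per internal host per hour from NetFlow-style CSV records, then flags hours that stand far above that host's own median hourly volume (using the median absolute deviation, so one huge hour does not inflate the baseline) and also exceed an absolute floor. The record format, the internal address prefix and the sample records are all constructed for this example.

```python
"""Flag unusually large outbound data flows from per-host baselines.

Added example (not from the report). Input records are constructed:
'timestamp,src,dst,bytes' where bytes is the volume sent by src.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

INTERNAL_PREFIX = "10."  # constructed: addresses treated as internal


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,bytes' record (constructed format)."""
    ts, src, dst, b = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(b))


def hourly_outbound(flows):
    """Sum bytes per (host, hour) for flows that leave the internal range."""
    totals = defaultdict(int)
    for f in flows:
        if f.src.startswith(INTERNAL_PREFIX) and not f.dst.startswith(INTERNAL_PREFIX):
            hour = f.ts.replace(minute=0, second=0, microsecond=0)
            totals[(f.src, hour)] += f.bytes_out
    return totals


def find_exfil_candidates(flows, k=5.0, min_bytes=50_000_000):
    """Return (host, hour, bytes) for hours more than k MADs above the
    host's median hourly outbound volume and above the min_bytes floor."""
    per_host = defaultdict(list)
    for (host, hour), b in hourly_outbound(flows).items():
        per_host[host].append((hour, b))
    alerts = []
    for host, series in per_host.items():
        vols = [b for _, b in series]
        med = median(vols)
        mad = median(abs(v - med) for v in vols) or 1.0  # avoid divide-by-zero
        for hour, b in series:
            if b >= min_bytes and (b - med) / mad > k:
                alerts.append((host, hour.isoformat(), b))
    return sorted(alerts)


# Constructed sample: 10.0.0.5 sends ~1 MB/hour, then 800 MB in one hour
# split over two flows; 10.0.0.9's big transfer is internal and ignored.
SAMPLE_FLOWS = """
2024-03-11T09:05:00,10.0.0.5,203.0.113.10,1200000
2024-03-11T10:12:00,10.0.0.5,203.0.113.10,1500000
2024-03-11T11:30:00,10.0.0.5,198.51.100.7,900000
2024-03-11T14:02:00,10.0.0.5,203.0.113.10,1100000
2024-03-11T16:45:00,10.0.0.5,198.51.100.7,1300000
2024-03-12T02:10:00,10.0.0.5,198.51.100.22,500000000
2024-03-12T02:40:00,10.0.0.5,198.51.100.22,300000000
2024-03-11T09:00:00,10.0.0.9,10.0.0.50,900000000
2024-03-11T09:20:00,10.0.0.9,203.0.113.10,700000
""".strip().splitlines()


def run_sample():
    """Run the detector over the constructed records."""
    return find_exfil_candidates(parse_flow(l) for l in SAMPLE_FLOWS)


if __name__ == "__main__":
    for host, hour, b in run_sample():
        print(f"ALERT {host} {hour} {b / 1e6:.0f} MB outbound")
```

The absolute floor (`min_bytes`) keeps a quiet host's small fluctuations from alerting, and the per-host baseline keeps a busy backup server from masking a workstation's burst; both thresholds should be tuned against a week or two of real flow data before the alert is wired to a blocking action.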

Other findings

In 2019, an ongoing campaign was found to use a then-new Android malware dubbed “Spyrtacus” to target individuals in Italy. This tool has similarities with HelloSpy, a notorious stalkerware tool used to monitor infected devices remotely.

The threat actors first started distributing malicious APKs through Google Play in 2018, but in 2019 turned to fake malicious web pages that imitate legitimate resources associated with the most common Italian Internet service providers. We have been continuously monitoring this threat for several years. A previously unknown Spyrtacus agent developed for Windows was observed. During the course of the investigation, additional subdomains were discovered, indicating the presence of implants targeting iOS and macOS, and possibly indicating that the group's activities have expanded to other countries in Europe, Africa, and the Middle East.

Conclusion

While some threat actors' TTPs have remained consistent over time, such as relying heavily on social engineering as a means to gain a foothold within a target organization or compromise personal devices, other threat actors have updated their toolsets and expanded their range of activities.

Here are the key trends observed in the first quarter of 2024:

· Key highlights of the quarter include Kimsuky's use of the Golang-based backdoor Durian in supply chain attacks in South Korea, as well as activity targeting the Middle East, including APTs such as Gelsemium, but also hacktivist attacks.

· The Spyrtacus malware used to target Italian individuals demonstrates that threat actors continue to target multiple platforms, including mobile malware.

· APT activity remains very geographically dispersed. This quarter, activity in Europe, the Americas, the Middle East, Asia and Africa is highlighted in the report.

· Attackers are targeting various sectors including government, diplomacy, gaming, maritime logistics and ISPs.

· Geopolitics remains a key driver of APT development, and cyber espionage remains the primary target of APT activities.

· Hacktivist activity primarily revolves around the Israel-Hamas conflict, but not exclusively, as SiegedSec’s activity shows.
