Summary: Insikt Group has uncovered a cyber-espionage campaign by TAG-110, a Russia-aligned group targeting Central Asia, East Asia, and Europe. Utilizing custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily focuses on government entities and human rights organizations. The campaign is part of a broader Russian strategy to gather intelligence and maintain influence in the region.…
Read More

Summary:

Russia is intensifying its sabotage operations across Europe, targeting critical infrastructure to destabilize NATO allies and disrupt their support for Ukraine. Recent incidents, such as break-ins at water treatment facilities in Finland and explosions at arms factories in Poland, illustrate Russia’s use of gray zone tactics to undermine Western capabilities without engaging in open conflict.…
Read More

Summary:

In a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites to deliver Cobalt Strike malware. The attackers embedded malicious JavaScript that spoofed a TLS certificate error, tricking visitors into downloading a disguised security certificate. This incident highlights ongoing cyber-espionage efforts targeting Tibetan entities, linking TAG-112’s infrastructure to other Chinese operations.…
Read More

Short Summary:

Rhysida ransomware, active since early 2023, utilizes a multi-tiered infrastructure and CleanUpLoader for post-exploitation activities. Recorded Future’s Network Intelligence has enabled early detection of Rhysida victims, providing a crucial window for prevention. The ransomware targets sectors like healthcare and education, affecting both Windows and Linux systems.…

Read More

Short Summary:

The article discusses the challenges organizations face in cybersecurity due to fragmented detection tools and the need for comprehensive threat visibility. It highlights how Recorded Future’s Threat Intelligence Cloud Platform and Collective Insights can bridge these gaps by integrating diverse data sources, enhancing threat detection, and providing actionable intelligence to security teams.…

Read More
Short Summary

The “Marko Polo” group represents a significant cybercriminal threat, employing sophisticated infostealer malware and social engineering tactics to target individuals and businesses, particularly in the cryptocurrency and online gaming sectors. With over 30 unique scams and a diverse malware toolkit, Marko Polo has compromised tens of thousands of devices globally, leading to substantial financial and reputational damage.…

Read More
Short Summary

The “H1 2024 Malware and Vulnerability Trends Report” highlights the evolving tactics of threat actors, particularly in exploiting zero-day vulnerabilities and the rise of infostealer malware. Key trends include a significant increase in Magecart attacks and the evolution of ransomware tactics, emphasizing the need for organizations to strengthen their cybersecurity measures.…

Read More

Short Summary:

The resurgence of Intellexa’s Predator spyware, following a decline due to US sanctions, poses renewed privacy and security risks, particularly to high-profile individuals. Recent findings indicate that Predator’s infrastructure has evolved to evade detection, complicating tracking efforts. Cybersecurity best practices are essential for mitigating these risks as global regulation efforts continue to lag behind the spyware’s advancements.…

Read More
Short Summary

Insikt Group has reported a rise in cyber threat activity from GreenCharlie, an Iran-nexus group targeting US political and government entities. They employ sophisticated phishing operations and malware like GORBLE and POWERSTAR, utilizing dynamic DNS providers for their infrastructure.

Key Points Group Identity: GreenCharlie, linked to Iran and associated with Mint Sandstorm, Charming Kitten, and APT42.…
Read More

“`html

Short Summary

The Recorded Future Payment Fraud Intelligence team has uncovered the ERIAKOS campaign, a sophisticated scam e-commerce network targeting Facebook users. Detected on April 17, 2024, this campaign involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data, primarily from mobile users.…

Read More

Summary

Between Q4 2023 and Q1 2024, cybercriminals increasingly used QR codes and AI-generated phishing tactics to target executives, exploiting AWS SNS for malicious SMS and VAST tags for malvertising. These sophisticated methods enable threat actors to bypass security measures, capture multi-factor authentication (MFA) tokens, and deceive users more effectively.…

Read More

Insikt Group examines a large-scale Russian-language cybercrime operation using fake Web3 gaming initiatives to distribute malware designed to steal information from both macOS and Windows users. These Web3 games, which are based on blockchain technology, offer the potential for financial gains through cryptocurrency earnings.

Web of Deceit: The Rise of Imitation Web3 Gaming Scams and Malware Infections

The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity.…

Read More

Summary

Recorded Futures Insikt Group identified a suspected cyber-espionage campaign by TAG-100, targeting global government and private sector organizations. TAG-100 exploited internet-facing devices and used open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.…

Read More

Summary

Insikt Group's research reveals that OilAlpha, a likely pro-Houthi group, continues to target humanitarian and human rights organizations operating in Yemen. They use malicious Android applications to steal credentials and gather intelligence, potentially to control aid distribution. Notable organizations affected include CARE International and the Norwegian Refugee Council.…

Read More

From November 2023 to April 2024, Insikt Group identified cyber-espionage activities conducted by RedJuliett, a likely Chinese state-sponsored group, primarily targeting government, academic, technology, and diplomatic organizations in Taiwan. RedJuliett exploited known vulnerabilities in network edge devices such as firewalls, virtual private networks (VPNs), and load balancers for initial access.…

Read More

Recorded Futures Insikt Group identified that Vortax, a purported virtual meeting software, spreads three infostealersRhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). This extensive campaign targets cryptocurrency users, exploiting macOS vulnerabilities. Operated by the threat actor markopolo, this campaign has significant implications for macOS security, indicating a potential increase in AMOS attacks.…

Read More

Insikt Group tracks the evolutions of GRU's BlueDelta operational infrastructure, targeting networks across Europe with information-stealing Headlace malware and credential-harvesting web pages. BlueDelta deployed Headlace infrastructure in three distinct phases from April to December 2023, using phishing, compromised internet services, and living off the land binaries to extract intelligence.…

Read More

In recent research, Recorded Future's Insikt Group uncovered a sophisticated cybercriminal campaign led by Russian-speaking threat actors from the Commonwealth of Independent States (CIS). These threat actors leveraged a GitHub profile to impersonate legitimate software applications like 1Password, Bartender 5, and Pixelmator Pro to distribute various malware types, such as Atomic macOS Stealer (AMOS) and Vidar.…

Read More

SolarMarker, a malware known for stealing information, utilizes an evolving, multi-tiered infrastructure that has been active since 2021. This malware, also known as Yellow Cockatoo and Jupyter Infostealer, targets sectors such as education, healthcare, and SMEs. To avoid detection, it employs advanced evasion techniques like Authenticode certificates and large zip files.…

Read More

In early March 2024, Insikt Group identified a malign influence network, CopyCop, skillfully leveraging inauthentic media outlets in the US, UK, and France. This network is suspected to be operated from Russia and is likely aligned with the Russian government. CopyCop extensively used generative AI to plagiarize and modify content from legitimate media sources to tailor political messages with specific biases.…

Read More

New research from Recorded Futures Insikt Group focuses on the growing threat of a possible "mobile NotPetya" event. Through zero-click exploits, a self-propagating mobile malware could infiltrate smartphones at scale. The threat has increased sharply in the past few years as spyware companies continually refine zero-click exploits.…

Read More

Insikt Group examines a large-scale Russian-language cybercrime operation using fake Web3 gaming initiatives to distribute malware designed to steal information from both macOS and Windows users. These Web3 games, which are based on blockchain technology, offer the potential for financial gains through cryptocurrency earnings.

Web of Deceit: The Rise of Imitation Web3 Gaming Scams and Malware Infections

The campaign involves creating imitation Web3 gaming projects with slight name and branding modifications to appear legitimate, along with fake social media accounts to bolster their authenticity.…

Read More

Safeguarding sensitive data, maintaining brand reputation, and cultivating customer trust pose continuous challenges for enterprise organizations. However, the dark web, a hidden corner of the internet, poses unique challenges for cybersecurity professionals. Criminal activities such as the sale of stolen credentials and plans for targeted attacks thrive in this dark section of the internet.…

Read More

Check out our on-demand Annual Report webinar or read on for a summary of key topics and themes in the report.

2023 was a year in which cybercrime evolved in significant ways. Our 2023 annual report serves as a playbook of adversaries’ tactics, techniques, and procedures (TTPs) in 2023, with the goal of giving your security team a 360-degree view of the threat landscape.…

Read More

Domestic violent extremists (DVEs) in the United States are increasingly doxing senior leaders from the public and private sectors — publishing their personally identifiable information (PII) with malicious intent and without the leaders’ consent. Historically, DVE doxing attempts usually targeted other DVEs and political opponents, but recent trends show a broadening scope of targets, including government officials, executives, and heads of various institutions.…

Read More

New Insikt research examines 2023, a year of unexpected outcomes and escalating cybersecurity threats. Throughout the year, cyber threat actors exploited the prevailing chaos to steal data, conduct espionage, and disrupt geopolitics, an example being nation-states like China targeting Taiwanese semiconductor firms. Additionally, the text highlights the rise in exploitation of "as-a-service" enterprise software and shared cloud infrastructure, which led to an increase in weaponized vulnerabilities and high-profile cyberattacks, such as the MOVEit exploit by the ransomware gang CL0P.…

Read More

New research from Recorded Futures Insikt Group outlines a collaborative investigation by threat intelligence analysts and R&D engineers into the potential malicious uses of artificial intelligence (AI) by threat actors. They experimented with a variety of AI models, including large language models, multimodal image models, and text-to-speech models, without any fine-tuning or additional training, to mimic the resources threat actors might realistically have.…

Read More

New Insikt Group Research provides updated insights on the recent i-SOON leak. On February 18, 2024, an anonymous leak of documents from Anxun Information Technology Co., Ltd. (i-SOON), a Chinese IT and cybersecurity company, shed light on China’s state-sponsored cyber espionage operations. The leak is significant as it reveals the connections between i-SOON and several Chinese state-sponsored cyber groups such as RedAlpha, RedHotel, and POISON CARP, indicating a sophisticated network of espionage operations that includes the theft of telecommunications data for tracking individuals.…

Read More

New research from Recorded Future’s Insikt Group examines newly discovered infrastructure related to the operators of Predator, a mercenary mobile spyware. This infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.…

Read More

Recorded Future’s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage against targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine.…

Read More

Available in the following solutions: Ransomware Mitigation, Automated Security Workflows, and Mitigate Supply Chain Risk

Available in the following modules: Threat Intelligence, and Geopolitical Intelligence

In the ever-changing and converging threat landscape, organizations must remain vigilant to protect their critical assets and sensitive data from increasingly sophisticated attacks.…

Read More

The report discusses Iranian intelligence and military entities associated with the Islamic Revolutionary Guard Corps (IRGC) involved in cyber activities targeting Western countries through their network of contracting companies. Four known intelligence and military organizations linked to the IRGC engage with cyber contractors. Iranian threat groups linked to the network of contracting parties have launched espionage and ransomware attacks and are leading efforts to destabilize target countries through information operations.…

Read More

New Insikt Group research discusses the frequent abuse of GitHub's services by cybercriminals and advanced persistent threats (APTs) for various malicious infrastructure schemes. These include payload delivery, dead drop resolving (DDR), full command-and-control (C2), and exfiltration. GitHub's popularity among threat actors lies in its ability to allow them to blend in with legitimate network traffic, making detection and attribution challenging for defenders.…

Read More

In its 2023 Adversary Infrastructure report, Insikt Groups outlook for the infrastructure landscape in 2024 suggests a continuation of the evolving nature of cyber threats, with an emphasis on government efforts to combat malicious activities. Anticipated increases in takedowns of malicious infrastructure reflect a growing awareness among governments of the devastating impacts of ransomware and other destructive attacks.…

Read More

In a new report, Recorded Futures Insikt Group examines North Koreas success in its cybercriminal operations targeting the cryptocurrency industry. Since 2017, North Korea has significantly increased its focus on the cryptocurrency industry, stealing an estimated $3 billion worth of cryptocurrency. Initially successful in stealing from financial institutions through the hijacking of the SWIFT network, North Korea shifted its attention to cryptocurrency during the 2017 bubble, starting with the South Korean market and later expanding globally.…

Read More

As Black Friday and the holiday shopping season approaches, the threat of online scams is on the rise, with a 22% increase in consumer scam losses reported during the 2022 Black Friday and Cyber Monday sales. Recorded Futures Insikt Group has analyzed recent high-impact scam website campaigns, revealing three key themes in how scammers operate and offering insights into how consumers and businesses can protect themselves.…

Read More

Ad fraud, driven by automation, is a pervasive issue in online advertising, involving the inflation of performance metrics through automated bot software and tools. The increasing accessibility of automation solutions has lowered barriers to entry for fraudsters, making ad fraud a more significant threat. Ad fraud results in significant financial losses, estimated to reach $100 billion by the end of 2023, directly impacting advertisers and publishers.…

Read More

Recorded Future's research group, Insikt Group, has identified an application disseminated on a Telegram Channel used by members/supporters of the Hamas terrorist organization.

The application is configured to communicate with Hamas's Izz ad-Din al-Qassam Brigades website. Infrastructure analysis associated with the website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization.…

Read More

Recorded Future’s Insikt Group has conducted an analysis of a prolonged cyber-espionage campaign known as TAG-74, which is attributed to Chinese state-sponsored actors. TAG-74 primarily focuses on infiltrating South Korean academic, political, and government organizations. This group has been linked to Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.…

Read More

Insikt Group has identified and analyzed a network named "Empire Dragon," which is believed to be a coordinated and inauthentic operation likely aligned with the Chinese government and based in China. This network has been active since early 2021 and appears to engage in information operations (IOs) aimed at manipulating global audiences through various languages, topics, and platforms.…

Read More

New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel’s operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors.…

Read More

Insikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public disclosures and improving operations security.…

Read More