PT ESC Threat Intelligence
Desert Dexter. Attacks on Middle Eastern countries
In February, the Threat Intelligence Department team at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign targeting the Middle East and North Africa and active since September 2024. To distribute malware, the attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. A similar campaign was described by Check Point in 2019, but some of the techniques used in the kill chain have evolved since then.
Read full report
The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT
In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group.
Read full report
Malicious packages deepseeek and deepseekai published in Python Package Index
As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.
Read full report
Cloud Atlas: sheet happens
In November 2024, employees of a Russian government agency discovered a phishing campaign and turned to the PT ESC IR team for assistance in investigating the malicious activity.
Read full report
TaxOff: um, you've got a backdoor...
In Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks on Russian government agencies. We were unable to establish any connection with known groups using the same techniques. The main goal was espionage and gaining a foothold to follow through on further attacks. We dubbed the group TaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which we named Trinper after the artifact used to communicate with C2.
Read full report
DarkHotel. A cluster of groups united by common techniques
In early September 2024, specialists at the Threat Intelligence (TI) Department of Positive Technologies Expert Security Center (PT ESC) uncovered a suspicious VHDX virtual disk image—an extremely rare occurrence when viewing a data stream. Following analysis of the VHDX and all its associated files, they were able to attribute the attack to the APT-C-60 group. ThreatBook experts described one of the latest similar campaigns in July 2023. However, the PT ESC team has found some differences from that earlier campaign both in the file hierarchy on the disk and in the commands and tools used. In this article, we have outlined the structure of the files on the virtual disk, the analysis of the attack chain, the search for additional files, the reasons why we believe this attack can be attributed to the APT-C-60 group, as well as how these attackers are connected to the DarkHotel group.
Read full report
Kids, Don't Copy! The "New" Techniques of the PhaseShifters Group
In the process of monitoring attacks on Russian organizations, specialists from the Threat Intelligence department of the Positive Technologies Expert Security Center discovered phishing emails and files addressed to various Russian companies, including state-owned ones. After analyzing the context of the attack, as well as the downloaded malware, we were able to attribute these files to the PhaseShifters group.
Read full report
Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability
Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications.
Read full report
Asia's SMS stealers: 1,000 bots and one study
Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which we recently discovered and set out to study. While researching bots on Telegram, we found that many are from Indonesia. We were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so we decided to get to the bottom of this "Indonesian tsunami."
Read full report
ExCobalt: GoRed, the hidden-tunnel technique
While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.
Read full report