PT ESC Threat Intelligence
Crypters And Tools. Part 2: Different Paws — Same Tangle
In the first part of our research, we analyzed the crypter, Crypters And Tools, which we discovered during investigations into attacks carried out by various threat actors. That article focused on the crypter's internal architecture and its supporting infrastructure. In this second part, we turn our attention to the threat groups that have leveraged the crypter in real-world attacks, their interconnections and distinguishing characteristics, as well as to some of the individual users of Crypters And Tools — several of them appear to be affiliated with the threat groups discussed.
Read full reportCrypters And Tools. One tool for thousands of malicious files
This article is for informational purposes only and does not encourage or condone illegal activities. Our goal is to report on an existing tool used by cybercriminals to generate malicious attack chains aimed at breaching organizations and to warn about the widespread use of such tools globally.
Read full reportDesert Dexter. Attacks on Middle Eastern countries
In February, the Threat Intelligence Department team at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign targeting the Middle East and North Africa and active since September 2024. To distribute malware, the attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. A similar campaign was described by Check Point in 2019, but some of the techniques used in the kill chain have evolved since then.
Read full reportThe evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT
In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group.
Read full reportMalicious packages deepseeek and deepseekai published in Python Package Index
As part of our threat research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems.
Read full reportCloud Atlas: sheet happens
In November 2024, employees of a Russian government agency discovered a phishing campaign and turned to the PT ESC IR team for assistance in investigating the malicious activity.
Read full reportTaxOff: um, you've got a backdoor...
In Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks on Russian government agencies. We were unable to establish any connection with known groups using the same techniques. The main goal was espionage and gaining a foothold to follow through on further attacks. We dubbed the group TaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which we named Trinper after the artifact used to communicate with C2.
Read full reportDarkHotel. A cluster of groups united by common techniques
In early September 2024, specialists at the Threat Intelligence (TI) Department of Positive Technologies Expert Security Center (PT ESC) uncovered a suspicious VHDX virtual disk image—an extremely rare occurrence when viewing a data stream. Following analysis of the VHDX and all its associated files, they were able to attribute the attack to the APT-C-60 group. ThreatBook experts described one of the latest similar campaigns in July 2023. However, the PT ESC team has found some differences from that earlier campaign both in the file hierarchy on the disk and in the commands and tools used. In this article, we have outlined the structure of the files on the virtual disk, the analysis of the attack chain, the search for additional files, the reasons why we believe this attack can be attributed to the APT-C-60 group, as well as how these attackers are connected to the DarkHotel group.
Read full reportKids, Don't Copy! The "New" Techniques of the PhaseShifters Group
In the process of monitoring attacks on Russian organizations, specialists from the Threat Intelligence department of the Positive Technologies Expert Security Center discovered phishing emails and files addressed to various Russian companies, including state-owned ones. After analyzing the context of the attack, as well as the downloaded malware, we were able to attribute these files to the PhaseShifters group.
Read full reportFake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability
Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications.
Read full reportGet in touch
Fill in the form and our specialists
will contact you shortly