Posts created by: Bryan Lee

The DarkHydrus group has begun using a new version of the RogueRobin backdoor. This version is written in C# and in addition to using DNS Tunneling for command and control, can also use Google Drive.

The Sofacy group continued their global attack campaigns between October and November, primarily targeting NATO-aligned nation states and former USSR states and delivering Zebrocy or Cannon.

Unit 42’s continued look into Sofacy reveals global attacks and wheels out new ‘Cannon’ trojan.

Unit 42 uncovers NOKKI, a type of malware with ties to the previously discovered KONNI malware family, used to attack Eurasia and Southeast Asia.

The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. As observed in previous attack campaigns, the tools used are not an exact duplicate of the previous attack and instead is an iterative variant. In this instance a spear phishing email was used containing

Unit 42 uncovers DarkHydrus, a new threat actor group targeting Middle East government.

The OilRig group continues to adapt their tactics and bolster their toolset with newly developed tools. Get the full report from Unit 42.

Unit 42’s continued look at the Sofacy Group’s activity reveals the persistent targeting of government, diplomatic and other strategic organizations across North America and Europe.

Unit 42 examines recent Sofacy group activities including multiple attacks to government entities.

Unit 42 details findings on the OilRig group’s attempted delivery of a new Trojan that we are tracking as OopsIE

OilRig group steps up attacks with new delivery documents and new injector trojan.

Striking oil: a closer look at adversary infrastructure.

Unit 42 uncovers TwoFace: a two-layered webshell used to remotely access the network of a targetd organization in the Middle East.

New research from Unit 42: OilRig uses ISMDoor variant; possibly linked to Greenbug threat group.

Unit 42’s continued investigation into Shamoon 2 has unearthed more details into the method by which the threat actors delivered the Disttrack payload.