Extending AutoFocus Threat Intelligence With New Tag Types

In previous posts we have discussed how AutoFocus accelerates the analysis, hunting, and incident response workflows by providing full context for threat events seen on your network, as well as high-level visibility into how targeted a threat is against you or your industry peers. This visibility into the threat landscape enables teams to move away

Operation Ke3chang Resurfaces With New TidePool Malware

Introduction: Little has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago. However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal. We’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang

Attack Campaign on the Government of Thailand Delivers Bookworm Trojan

Unit 42 recently published a blog on a newly identified Trojan called Bookworm, which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors’ campaigns. In this blog, we will discuss the current attack campaign along with the associated threat infrastructure and the actor’s tactics, techniques

Bookworm Trojan: A Model of Modular Architecture

Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading and a shellcode file. After closer inspection, it appears to be a completely distinct Trojan, which we have