Expert

Maria Rubinstein

Reports

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

We discovered a campaign delivering the Tomiris backdoor that shows a number of similarities with the Sunshuttle malware distributed by DarkHalo APT and target overlaps with Kazuar.

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

Maria Rubinstein

Congratulations, you’ve won! The reality behind online lotteries

Your Nigerian inheritance is waiting!

Your Facebook Account Has Won a Prize!

‘Nigerian’ spam from Egypt and Libya

Changing characters: Something exotic in place of regular Latin script

Publications

Amazon used as bait

Changing characters: Something exotic in place of regular Latin script

The Omnipresent Dad

Fraudsters are playing a different kind of card game

Your Facebook Account Has Won a Prize!

Your Nigerian inheritance is waiting!

Lottery fraudsters freshen up their repertoire

Congratulations, you’ve won! The reality behind online lotteries

Royal spam

‘Nigerian’ spam from Egypt and Libya

Reports

GhostEmperor: From ProxyLogon to kernel mode

DarkHalo after SolarWinds: the Tomiris connection

APT trends report Q2 2021

LuminousMoth APT: Sweeping attacks for the chosen few

Subscribe to our weekly e-mails