Costin Raiu

Director, Global Research & Analysis Team

Costin specializes in analyzing advanced persistent threats and high-level malware attacks. He is leading the Global Research & Analysis Team (GReAT) at Kaspersky that researched the inner workings of Stuxnet, Duqu, Carbanak and more recently, Lazarus, BlueNoroff, Moonlight Maze and the Equation group. Costin’s work includes analyzing malicious websites, exploits and online banking malware. Costin has over 24 years of experience in anti-virus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers’ Organization (CARO) and a reporter for the Wildlist Organization International. Before joining Kaspersky, Costin worked for GeCad as Chief Researcher and as a Data Security Expert with the RAV antivirus developers group. Costin joined Kaspersky Lab in 2000 and became the Director of the Global Research & Analysis Team in 2010. Some of his hobbies include chess, photography and the Science Fiction literature.

@craiu

Reports

In this report we focus on tactics, techniques, and procedures (TTPs) of the DeftTorero (aka Lebanese Cedar or Volatile Cedar) threat actor, which targets Middle East countries.

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies.

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Costin Raiu

Looking at Big Threats Using Code Similarity. Part 1

PuzzleMaker attacks with Chrome zero-day exploit chain

Hunting APTs with YARA

An analysis of Regin’s Hopscotch and Legspin

Penquin’s Moonlit Maze

Publications

MysterySnail attacks with Windows zero-day

Applied YARA training Q&A

PuzzleMaker attacks with Chrome zero-day exploit chain

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild

Sunburst backdoor – code overlaps with Kazuar

Sunburst: connecting the dots in the DNS requests

Looking at Big Threats Using Code Similarity. Part 1

YARA webinar follow up

Hunting APTs with YARA

APT review of the year

Kaspersky Security Bulletin: Threat Predictions for 2018

The Festive Complexities of SIGINT-Capable Threat Actors

Reports

DeftTorero: tactics, techniques and procedures of intrusions revealed

Kimsuky’s GoldDragon cluster and its C2 operations

VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges

Andariel deploys DTrack and Maui ransomware

Subscribe to our weekly e-mails