Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Description

Operation BIOLOAD: The FIN7 threat actor, also known as Anunak, targeted entities to drop a malicious backdoor. The group placed a loader DLL file in the "%WINDR%\System32" directory and used a technique known as DLL search order hijacking to abuse the FaceFodUninstaller.exe application. Various techniques were used for persistence and execution, including scheduled tasks, obfuscation, and masquerading.

Operation BRONZE PRESIDENT NGOs: The BRONZE PRESIDENT threat group targeted non-governmental organizations and the political and law enforcement sectors in Asia. The actor used a range of custom and off-the-shelf tools, including Cobalt Strike, PlugX, ORat, RCSession, Nbtscan, and Nmap, for persistence, lateral movement, defense evasion, and the collection of sensitive information.

Operation Escalation Middle East: Threat actors are suspected of ramping up attacks amid the high tensions in the Middle East. The groups will use a range of techniques to carry out the campaigns, including spear-phishing, obfuscation, data compression, PowerShell, and scripting, for initial access, persistence, defense evasion, lateral movement, and exfiltration of sensitive information.

Operation Burisma Holdings: The APT28 threat group, also known as Sofacy or Fancy Bear, is suspected of having launched a phishing campaign against the Ukrainian oil & gas company Burisma Holdings and its subsidiaries. The actor used malicious domains in the attacks to steal usernames and passwords, allowing the attackers to gain access to victims' email accounts.

Operation ZxShell RootKit: Emissary Panda, also known as APT27 and Lucky Mouse, targeted entities with the ZxShell remote access trojan. The malicious software used various techniques for file redirection and hiding network connections, including obfuscation, hooking, and hidden files and directories.

Operation PowDesk: The APT34 threat group, also known as OilRig or Helix Kitten, is suspected of having targeted companies in the IT sector with malware known as PowDesk. The malicious software targeted systems with the LANDesk Management Agent installed and exfiltrated system information to command and control servers under the actor's control. The group used various techniques, including PowerShell and commonly used ports, to carry out the operation.

Operation Sinkholed: 50 domains with ties to the Thallium threat group, also known as APT37 and Reaper, were taken offline in late 2019. The actor used the domains to attack various sectors located in the United States, Japan, and South Korea to steal user credentials and drop malware capable of stealing sensitive information.

Operation Target Pakistan: Group 21 targeted a range of sectors in South Asia with spear-phishing emails containing a malicious attachment, which dropped a backdoor on the infected system to steal sensitive information. The threat actor has been in operation since at least 2017 and uses various techniques for persistence and defense evasion, including PowerShell, mshta, obfuscation, and scheduled tasks.

Operation JhoneRAT Middle East: An unknown threat actor targeted multiple countries in the Middle East with various malicious Microsoft Office documents. The decoy files were used to drop the JhoneRAT remote access trojan and exfiltrate sensitive information from infected hosts. The group used various techniques to stay under the radar, including cloud service providers, obfuscation, and data encoding.

Operation ServHelper Evolves: The TA505 threat actor targeted multiple sectors around the world with spear-phishing emails to drop the ServHelper backdoor. The group's focus is financial gain, and it is also suspected of being behind other malware families, including Dridex and Locky. Many techniques were used in the attacks, including PowerShell, scripting, hooking, and data encoding/obfuscation.