Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Description

Operation Platinum Titanium Trojan: The Platinum group targeted South and Southeast Asia with a backdoor that used a series of complex steps to stay under the radar. The infection chain hid by mimicking common applications related to sound drivers and DVD creation software.

Operation Lazarus October 2019: The Lazarus Group, also known as Hidden Cobra, has been in operation since at least 2009 and continued to attack a range of entities into late 2019. The threat actor uses a range of tools in its operations, including keyloggers, botnets, remote access trojans, and various malware families.

Operation DarkUniverse APT Framework: The DarkUniverse APT group targeted civilian and military organizations with spear-phishing emails carrying a malicious Microsoft Office document that contained an embedded executable file. Cloud storage served as the main command and control infrastructure and was used to upload and download a range of modules and sensitive information.

Operation Behind The First Stone: The Lazarus Group targeted multiple sectors with spear-phishing emails containing a malicious Microsoft Office Word attachment. The attackers' focus was to collect, encrypt, and exfiltrate sensitive information from the victims. To stay persistent and under the radar, the group used shortcuts, encoded the collected data, and communicated over standard ports and protocols.

Operation NukeSped: The NukeSped remote access trojan has been attributed to the Lazarus threat group, which has been in operation since at least 2009. The RAT contains a range of features, including creating, iterating, and terminating processes and moving, reading, and writing files on the infected host.

Operation BadPatch B3hpy: A cyber espionage campaign with possible ties to the Gaza hackers group was discovered targeting entities in the Middle East. The Python-compiled malware labeled "B3hpy" used in the operation shares some of the tactics, techniques, and procedures used during the BadPatch campaign carried out in 2017.

Operation Attor Espionage Platform: The Attor espionage platform has been in operation since at least 2013 and targets multiple sectors in Eastern Europe and Russia. The malware takes screenshots of specific software, including web browsers and email, instant messaging, social networking, VoIP, online payment system, and search engine applications. The framework consists of a dispatcher and loadable plugins, including a GSM fingerprinting component that gathers metadata about connected devices.

Operation LOWKEY: The APT41 threat actor used malware known as LOWKEY to target specific entities. The passive backdoor can perform a range of commands, including stopping processes, downloading and uploading files, and creating a reverse shell. The malicious software listens on port 53 or port 80 to be activated and uses multiple named pipes for communication.

Operation Winnti Microsoft SQL: The Winnti threat group, also known as Axiom, targeted Microsoft SQL servers with a backdoor known as "skip-2.0." The malware is capable of copying, modifying, or deleting database content and used various techniques to remain persistent and evade detection, including DLL search order hijacking, hooking, event log blocking, and software packing.

Operation WizardOpium: A Google Chrome zero-day vulnerability is being leveraged in targeted attacks. The flaw is classified under CVE-2019-13720 and affects versions prior to 78.0.3904.87 on Microsoft Windows, Mac, and Linux hosts. The use-after-free defect lies in the audio component. Successful exploitation could result in arbitrary code execution.