
APT trends report Q1 2021

SecureList

Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented .NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Moreover, the malware mentioned by Google matched ThreatNeedle – malware that we have been tracking since 2018.
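The excerpt above mentions DNS tunneling without saying what it looks like on the wire. The following is an added example, not code from SecureList or from the Lyceum report, showing one heuristic a blue team can run over resolver query logs: per (client, registered domain), look for many unique, long, high-entropy leftmost labels, which is the signature of data being encoded into subdomains. The log lines, hostnames and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<client> <qtype> <qname>" per line.
# These are not real queries or real domains.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 A api.example.com
10.0.0.7 TXT 3f9a8c1e7b2d4e6f0a1b2c3d4e5f6a7b.tunnel.example.net
10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel.example.net
10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net
10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net
10.0.0.9 A mail.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payload labels sit near 4-5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain (last two labels). Production code should use
    the public suffix list so that e.g. co.uk is handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the job
        records.append((parts[0], parts[1].upper(), parts[2].lower()))
    return records


def detect_tunneling(records, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Group queries per (client, registered domain) and flag groups whose
    leftmost labels are long, high-entropy and almost never repeated."""
    groups = defaultdict(list)
    for client, qtype, qname in records:
        groups[(client, registered_domain(qname))].append((qtype, qname))

    alerts = []
    for (client, domain), qs in groups.items():
        if len(qs) < min_queries:
            continue
        first_labels = [q.split(".")[0] for _, q in qs]
        avg_len = sum(len(l) for l in first_labels) / len(first_labels)
        avg_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        unique_frac = len(set(first_labels)) / len(first_labels)
        # TXT/NULL/CNAME carry more payload downstream, so note the share of them.
        bulky_frac = sum(1 for t, _ in qs if t in ("TXT", "NULL", "CNAME")) / len(qs)
        if avg_len >= min_label_len and avg_ent >= min_entropy and unique_frac > 0.9:
            alerts.append({
                "client": client,
                "domain": domain,
                "queries": len(qs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "bulky_qtype_frac": round(bulky_frac, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately loose; in practice you would tune them against a week of your own resolver logs and whitelist known services that legitimately generate long random labels (CDNs, some anti-spam and telemetry vendors), otherwise the rule will page on benign traffic.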


APT trends report Q1 2022

SecureList

We had initially analyzed this Delphi malware in April 2018. We recently identified additional malicious activities, conducted by Tomiris operators since at least October 2021, against government, telecoms and engineering organizations in Kyrgyzstan, Afghanistan and Russia.


APT trends report Q3 2021

SecureList

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar.
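The hijack described above changes the zone's delegation or mail records at the registrar, so it is visible from outside the victim's network by anyone who keeps a baseline. The following is an added example, not SecureList's code, of the check a zone owner would want: compare the MX and NS record sets seen today against a stored baseline and flag any drift, with extra weight on mail exchangers that point outside the organization's own namespace. The zone names and record sets are constructed; a real deployment would populate the observed sets from a resolver (e.g. dnspython's dns.resolver.resolve) and from several vantage points.

```python
# Constructed baseline and observed record sets for a hypothetical zone.
# Trailing dots follow DNS presentation format. None of these names are real.
ZONE = "mail.gov.example"

BASELINE = {
    "MX": {"mx1.mail.gov.example.", "mx2.mail.gov.example."},
    "NS": {"ns1.gov.example.", "ns2.gov.example."},
}

# What an external resolver returns after the registrar panel was abused:
# one MX now points at a host the attacker controls.
OBSERVED = {
    "MX": {"mx1.mail.gov.example.", "relay.hosting-provider.example."},
    "NS": {"ns1.gov.example.", "ns2.gov.example."},
}


def in_org_namespace(host, trusted_suffixes):
    """True if the host sits under one of the organization's own suffixes."""
    h = host.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in trusted_suffixes)


def check_zone_drift(zone, baseline, observed, trusted_suffixes):
    """Return a list of findings; empty list means the zone matches baseline.
    Each finding is (severity, record_type, detail)."""
    findings = []
    for rtype in ("NS", "MX"):
        base = {h.lower() for h in baseline.get(rtype, set())}
        seen = {h.lower() for h in observed.get(rtype, set())}
        added, removed = seen - base, base - seen
        if not added and not removed:
            continue
        # NS changes re-delegate the whole zone; treat as critical outright.
        severity = "critical" if rtype == "NS" else "high"
        findings.append((severity, rtype,
                         f"added={sorted(added)} removed={sorted(removed)}"))
        # A new mail exchanger outside our namespace is the mail-redirect case.
        for host in added:
            if rtype == "MX" and not in_org_namespace(host, trusted_suffixes):
                findings.append(("critical", rtype,
                                 f"foreign mail exchanger {host} for {zone}"))
    return findings


def worst_severity(findings):
    order = {"critical": 2, "high": 1}
    return max((order[f[0]] for f in findings), default=0)


if __name__ == "__main__":
    for f in check_zone_drift(ZONE, BASELINE, OBSERVED, ["gov.example"]):
        print(f)
```

Run this from the same scheduler that renews your registrar locks, and alert on any non-empty result: a legitimate MX migration should be a planned baseline update, never a surprise. Pair it with registrar-side controls (registry lock, MFA on the control panel, a dedicated non-mail contact for the account) since the check only detects the hijack after the fact.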
