SecureList
OCTOBER 26, 2021
In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar.
SecureList
APRIL 27, 2021
Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented.NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Our telemetry revealed that the threat group’s latest endeavors are focused on going after entities within one country – Tunisia.
SecureList
APRIL 27, 2022
We recently identified additional malicious activities, conducted by Tomiris operators since at least October 2021, against government, telecoms and engineering organizations in Kyrgyzstan, Afghanistan and Russia. We exposed similarities between DarkHalo’s SunShuttle backdoor and the Tomiris implant. Final thoughts.
Expert insights. Personalized for you.
142 
Let's personalize your content