May 2022: Cyberattacks and malware to watch closely

The threat is still present this month, we focus here on the major international threats, but all areas are concerned.

Even if today some groups are targeting Asia, they are still very prolific and sophisticated, with a desire to expand to other countries. This requires once again all our vigilance.

Cyber Gangs, the mafias of the future?
Cybercriminals are happy to go without a break

The threat


APT34 (OilRig/COBALT GYPSY/IRN2/HELIX KITTEN) is an Iranian group that has made news with a new backdoor named Saitama.  Saitama exploits the DNS protocol for its command and control (C2) communications

In this spear-phishing campaign, the group targeted the Jordanian Ministry of Foreign Affairs.

Usually, it targets countries around the world with a prevalence for the Middle East. Its preferred sectors are government entities, energy, chemicals, and the telecommunications sector.

It is not new as it has been in the news since 2014, especially with its social engineering technique.

In its latest campaigns, members of the group created a fake social network and then posed as a representative of the University of Cambridge. They relied on LinkedIn by creating fake profiles.

Cobalt Mirage, alias Charming Kitten, Phosphorus, APT35 or Newscaster is suspected of being financed by the Iranian state. It targets the American continent, as proven by its latest campaign. However, they are not content with just one region, as they also target Europe, Israel, and Australia.

Their motivation is twofold: both financial and cyber espionage. This gang is quite recent, it appeared in 2020. It is known for its phishing techniques. The most famous being those bypassing Gmail and Yahoo’s 2FA in December 2018 or in March 2019 against Microsoft.


SideWinder (RattleSnake and T-APT-04) is one of the most aggressive threat actors in the last two years. This group is suspected to be of Indian origin.

It primarily targets military and law enforcement in Pakistan, Bangladesh, and other South Asian countries.

The group’s target industries are primarily related to police, military, maritime and naval forces, but they are broadening their spectrum to include foreign affairs, scientific organizations, as well as the defense sector, aerospace and even the computer industry and law firms.

Since mid-March 2022, taking advantage of the Ukrainian crisis, they have launched spear phishing campaigns by distributing malware to steal sensitive information.

The level of sophistication of this group remains relatively high (obfuscation, encryption, multi-layered malware, infrastructure chain splitting). Being active since 2012, they have been able to perfect their techniques.

Bitter APT (APT-C-08 or T-APT-17), is believed to be of South Asian origin (India?). They reportedly operate under a mandate to understand China’s international objectives.

Their motivation seems to be intelligence gathering and espionage.

Their victims are mainly centered on China, Pakistan, and Saudi Arabia. They specifically target Bangladeshi government organizations, energy, engineering, and government sectors.

They are prolific as they have conducted extensive campaigns.

The current campaign since August 2021 targets Bangladeshi government organizations. For this they send spear phishing emails to high-ranking officers of Rapid Action Unit of Bangladesh Police Battalion (RAB).

Prior to this campaign they made news in 2021 by exploiting zero-day flaws- CVE-2021-1732 and CVE-2021-28310. In June 2020 they conducted a cyber espionage campaign targeting Microsoft Windows PCs in government and telecom entities in China and Pakistan.

There is a growing rivalry between India and China and Pakistan. India is becoming one of the South Asian nations with advanced cyber capabilities. Cybercrime is expanding its horizons to targets in the Middle East.


State of emergency in Costa Rica

The recent Conti ransomware attack has triggered a state of emergency in Costa Rica.  The incident affected, among others, the Ministry of Labor and Social Security, the Ministry of Science, Innovation, Technology and Telecommunications


Microsoft discovered more than 35 unique ransomware families and 250 unique threat actors last year. Most exploited Cobalt Strike and several legitimate enterprise tools to gain initial access and persistence on networks.

Supply Chain Attack

Dis-Chem, the giant drug distribution, South African organization was the victim of a cyber attack via its third-party service provider.  3.6 million data compromised.


  • The attackers are very aggressive, extremely fast. Organizations still seem to be unprepared. The incident in Costa Rica and in Latin America as a whole proves it.
  • It is clear that the Ukrainian crisis has not helped to reduce the number of attacks. Many groups are taking advantage of the conflict to perfect their attacks, even using false flags.
  • Iranian hackers are on the lookout.
  • Intrusion vectors are still phishing and vulnerable systems.

Considering the increase in the volume of targets by offensive groups, and the different methods used, TEHTRIS continues to believe that the best strategy lies in the implementation of operational capabilities capable of detecting and responding to incidents, with a true holistic vision, linking multiple sensors (network probes, system probes, logs, etc.)

Moreover, only an automatic neutralization without human action can guarantee a real efficiency given the lightning effect observed on the attacks of the moment when the small groups penetrate companies and put on sale their stolen data on very short cycles.