Trend Micro

Cybercriminals and Nation-State Actors Found Sharing Compromised Networks

Nation-state threat actors like Sandworm used their own dedicated proxy botnets, while APT group Pawn Storm had access to a criminal proxy botnet of Ubiquiti EdgeRouters.

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

In 2022, Earth Hundun began using the latest version of Waterbear (also known as Deuterbear), which includes several changes, such as anti-memory-scanning and decryption routines, that distinguish it from the original Waterbear.

Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption

Contrary to what the group itself has stated, activities observed post-disruption indicate that Operation Cronos has had a significant impact on the group's operations.

Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

The adversarial collective is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to realize its goals. Also adopted are techniques like DLL hijacking and API unhooking.

Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script

Agenda ransomware group uses RMM tools, as well as Cobalt Strike for deployment of the ransomware binary. It can also propagate via PsExec and SecureShell, while also making use of different vulnerable SYS drivers for defense evasion.

TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Threat actors can exploit CVE-2024-27198 to perform a variety of malicious operations, including dropping the Jasmin ransomware, XMRig miner, Cobalt Strike beacons, SparkRAT backdoor, and executing domain discovery and persistence commands.

LockBit Attempts to Stay Afloat With a New Version

Recently, researchers came into possession of a sample believed to represent a new evolution of LockBit: an in-development, platform-agnostic version, still in testing, that differs from previous versions.

Earth Krahang APT Exploits Intergovernmental Trust to Launch Cross-Government Attacks

The APT campaign targets several government entities worldwide, with a strong focus on Southeast Asia, but it has also been seen targeting Europe, the Americas, and Africa. It exploits public-facing servers and sends spear-phishing emails to deliver backdoors.

RedCurl Group Leverages Windows Component for Cyber Espionage

The attack chain involves phishing emails with malicious attachments, the use of curl and Program Compatibility Assistant (PCA) in Windows to deliver and execute malicious payloads, and unauthorized command execution using Impacket.

DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign

The Zero Day Initiative (ZDI) recently discovered a DarkGate campaign in mid-January 2024, leveraging CVE-2024-21412 with fake software installers distributed via Google DoubleClick Digital Marketing open redirects.

Defend Against Threats with Cyber Fusion

Cyware is the leading provider of cyber fusion solutions that power threat intelligence sharing, end-to-end automation and 360-degree threat response.