Check Point Research

Agent Tesla Targeting United States and Australia

On the 7th of November 2023, an Agent Tesla campaign started against Australian organizations, and the same actor performed another campaign targeting mainly Australian entities.

Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities

Magnet Goblin is a financially motivated threat actor that rapidly exploits 1-day vulnerabilities in public-facing services to initiate attacks. This actor has targeted Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ.

The Rising Threat of Phishing Attacks with Crypto Drainers

The "Angel Drainer" phishing group is notorious for draining cryptocurrency wallets through sophisticated schemes, charging a percentage of the stolen amount from hackers.

Abusing Microsoft Access "Linked Table" Feature to Perform NTLM Forced Authentication Attacks

An attacker can set up a server that they control, listening on port 80, and put its IP address in the linked table's "server alias" field. They can then send the database file, including the linked table, to the victim.

Iranian Threat Group Scarred Manticore Snoops on Entities From Albania to the Middle East

The campaign, which targets high-profile organizations in the Middle East, has been using the LIONTAIL malware framework installed on Windows servers. LIONTAIL uses Windows HTTP stack driver HTTP.sys to load memory-resident payloads.

R2R Stomping – Are You Ready to Run?

ReadyToRun (R2R) stomping is a new method that allows for hidden implanted code in .NET binaries, altering the original intermediate language (IL) code and prioritizing pre-compiled native code for execution.

'Stayin’ Alive' Campaign Targets Telecom Companies and Government Ministries in Asia

The main tool used in the campaign is a backdoor called CurKeep, which collects information about infected machines and allows remote control. The campaign also utilizes other loaders and downloaders, all connected to the same infrastructure.

Stealthy Remcos Malware Attack Campaign Takes Aim at Colombian Firms

The attackers employed highly obfuscated BAT files and multi-layered obfuscation techniques to evade detection and load the Remcos malware into memory, bypassing traditional antivirus and endpoint security solutions.

Camaro Dragon’s WispRider Malware Self-Propagates Through USB Flash Drives

In addition to backdoor capabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes additional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia.

Indra — Hackers Behind Recent Attacks on Iran

The attacks on Iran were found to be tactically and technically similar to previous activity against multiple private companies in Syria, which had been carried out since at least 2019.

Defend Against Threats with Cyber Fusion

Cyware is the leading provider of cyber fusion solutions that power threat intelligence sharing, end-to-end automation and 360-degree threat response.