ESET Security

China-Linked Evasive Panda APT Leverages Monlam Festival to Target Tibetans

The attacks involved compromising websites, such as the Kagyu International Monlam Trust's website, to specifically target users in India, Taiwan, Hong Kong, Australia, and the U.S.

These aren’t the Android phones you should be looking for

Users should exercise caution when using third-party app stores or purchasing cheap devices from unknown brands, as they may be at a higher risk of malware and other security threats.

Cluster of Malicious Python Packages in PyPI Discovered Distributing Malware

ESET Research has discovered a cluster of malicious Python packages in PyPI, the official Python package repository. These packages target both Windows and Linux systems and deliver a custom backdoor.

SpyLoan Android Malware Targets Users in Southeast Asia, Africa, and Latin America

These apps trick users into providing sensitive personal and financial information, which is then used to blackmail them. The apps focus on users in Southeast Asia, Africa, and Latin America.

Mozi Botnet Put in its Grave Using Kill Switch

The activation of the kill switch disabled various system services, replaced the original malware, and maintained persistence, suggesting a deliberate dismantling of the botnet.

Winter Vivern Exploits Zero-Day Vulnerability in Roundcube Webmail Servers

The vulnerability, assigned CVE-2023-5631, allowed attackers to execute arbitrary JavaScript code in the context of a Roundcube user's browser window through a specially crafted email.

Operation Jacana Targets Governmental Entity in Guyana with DinodasRAT

While the specific APT group behind the campaign could not be identified, there is medium confidence that it is a China-aligned threat group based on the use of a variant of Korplug, which is commonly associated with such groups.
September 29, 2023

Lazarus APT Lures Employees of Spanish Aerospace Company with Trojanized Coding Challenges

The attack involved the deployment of a sophisticated backdoor called LightlessCan, which mimics native Windows commands and implements techniques to avoid detection by security monitoring software.

Stealth Falcon APT Preying Over Middle Eastern Skies With Deadglyph

The backdoor does not have traditional commands implemented; instead, it dynamically receives commands from a command and control server in the form of additional modules.

Telekopye: Hunting Mammoths using Telegram bot

The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates.
