Go to listing page

Cyware Daily Threat Intelligence, February 28, 2022

Cyware Daily Threat Intelligence, February 28, 2022

Share Blog Post

The cascading effects of the war between Russia and Ukraine are intensifying with each passing day. In a new update, Facebook took action against the notorious Belarusian Ghostwriter hacking group by blocking multiple accounts and phishing domains. The group has been held responsible for targeting Ukrainian officials and military personnel in an attempt to pilfer their personal details.

Apart from this, the threat landscape witnessed the emergence of a new version of the Jester Stealer malware that is gaining popularity on underground cybercrime forums. Two new backdoors—GRAMDOOR and STARWHALE—associated with the Iranian UNC3313 threat actor group have also come under the lens of security experts.

Top Breaches Reported in the Last 24 Hours

Toyota Motor Corp attacked
Toyota Motor Corp has suspended its operations after a supplier of plastic parts and electronics components were hit by a cyberattack. This affected the outputs for around 13,000 cars. Plants operated by Toyota’s affiliates Hino Motors and Daihatsu are affected by the attack.

Nvidia strikes back at Lapsus$
In an interesting encounter, Nvidia took action against the Lapsus$ ransomware gang by hacking back their networks and encrypting the data. It all started after the gang targeted the firm and stole 1TB of data related to Nvidia employees.

Ghostwriter campaign blocked
Facebook has blocked multiple accounts and phishing domains, associated with the Belarusian-linked hacking group Ghostwriter (aka UNC1151), designed to target Ukrainian officials and military personnel. Additionally, it also confirmed a spear-phishing campaign by the group that tricked Ukrainian military personnel into sharing their personal information.

Top Malware Reported in the Last 24 Hours

Jester Stealer updated
A new version of an info-stealing malware called Jester Stealer has been observed to be active since January. The new malware version, tracked as, is available for sale in the underground cybercrime forums. Jester Stealer is capable of pilfering data from web browsers, email clients, crypto wallets, and password managers.

Trojanized PyPi packages
A malicious Python package called ‘aiohttp-socks5’ is being used to drop a RAT on compromised systems. The malicious package is primarily targeting Linux, Termux, and macOS systems. Besides deploying the RAT, the package also drops other malicious executables capable of collecting files, screenshots, cookies, credentials, and other sensitive data.

Two new backdoors spotted
Iran-linked UNC3313 threat actor group has been found deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE. These backdoors were used as part of an attack against an unnamed government entity in the Middle East in November 2021.

Top Vulnerabilities Reported in the Last 24 Hours

RCE flaw in Okta platform
The U.K.’s NHS digital agency issued an advisory regarding an RCE flaw in the Okta Advanced Server Access authentication management platform. Tracked as CVE-2022-24295, the flaw affects the versions prior to 1.57.0 of the product. Successful exploitation of the flaw can enable attackers to execute malicious code remotely via a specially crafted URL. Okta has released security updates to address the flaw.  


jester stealer
ghostwriter hacking group
unc3313 threat actor group

Posted on: February 28, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.