Cybercriminals are using short-lived malware to target thousands of industrial firms around the world. The malware is looking for corporate credentials to sell them online to other threat actors for money.

Wide outreach of short-lived campaigns

Kaspersky conducted an analysis of the malware samples spotted in the first half of 2021 on ICS systems and shared their study as detailed below. 
  • Researchers observed that 21.2% of these samples had a lifespan of 25 days, and then they were replaced with a new one.
  • The malware were not distributed widely in these campaigns. Only up to 100 devices were infected, of which 40-45% of devices were related to ICS.
  • More than 2,000 corporate email accounts were compromised by hackers to send malicious attachments in spear-phishing emails and steal corporate data.

Modus operandi

According to researchers, low-skilled hackers and small groups ran these campaigns to compromise thousands of industrial enterprises.
  • After getting inside the targeted network, the attackers move laterally and infect corporate email services to spread the malware to other organizations.
  • The targeted devices include HMIs, SCADA systems, historians, data gateways, engineering workstations, computers used for the administration, and devices to develop software for industrial systems.

The motive

According to experts, attackers leveraged short-lived campaigns only to make quick profits.
  • The lifespan was very short even though the used malware belonged to well-known commodity families such as AgentTesla, Masslogger, HawkEye, Formbook, Azorult, Lokibot, and Snake.
  • Attackers also used the stolen data from corporate networks to perform financial fraud or sell the obtained RDP, SSH, VPN, and SMTP credentials online.
  • The report revealed that criminals have stolen the aforementioned credentials from about 7,000 corporate accounts.
  • These credentials have been sold earn across 25 marketplaces.


Cybercriminals seem to be focusing more on stealing corporate accounts that can be sold online for a profit. Thus, organizations should be wary of such attacks and be ready with countermeasures. For example, train employees to identify phishing emails, limit access, and make 2FA mandatory.
Cyware Publisher