MontysThree, a newly discovered threat group, is known to be carrying out espionage campaigns since 2018. Recently, the group has been found using new tools and legitimate public cloud services for targeted industrial espionage attacks, which is rare among the advanced persistent groups.

Attack vector

The threat group uses a never seen before malware toolkit named MT3, which has a set of C++ modules, including a loader, kernel, HttpTransport, and LinkUpdate.
  • The malware toolkit uses custom steganography and multiple encryption schemes, such as 3DES and RSA algorithms.
  • The threat actors use a self-extracting archive (SFX) inside the RAR file to spread their initial loader module. The loader hides itself using steganography.

The operating technique

  • The malware modules are delivered via emails that have savvy lures related to employee contact lists, technical documentation, and medical test results to fool industrial employees into downloading it.
  • Further, the malware uses a modifier for Windows Quick Launch to gain persistence on the infected system, in which a user unknowingly executes the initial module whenever they run legitimate applications.

Recent attacks

Being targeted by APTs is a bit rare for industrial organizations. However, several other threat groups have been observed doing this in recent times.
  • Recently, an APT-style cyberespionage campaign had been found to be targeting an international architectural and video production company via a third-party MAXScript exploit PhysXPluginMfx.
  • In August, Russian hackers were found targeting the networks of critical infrastructure providers and organizations in the energy sector.


Threat groups are now changing their tactic and moving on from their traditional targets to industrial entities. In order to combat such challenges, experts suggest deploying intrusion prevention and detection systems. In addition to this, applying network segregation and encryption for sensitive information is recommended.

Cyware Publisher