APT QUARTERLY HIGHLIGHTS : Q4 2024

Published On : 2025-02-06

EXECUTIVE SUMMARY

In Q4 2024, Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and Russia intensified their cyber operations, showcasing increasingly sophisticated techniques across cyber espionage, credential theft, and disruptive attacks. Their evolving tactics highlight a persistent and growing threat to governments, critical infrastructure, defense, financial institutions, and research entities worldwide.

Iranian threat actors demonstrated advancements in cyber espionage and disruptive operations: Charming Kitten expanded its BellaCPP malware for persistent access, and TA455 deployed SnailResin in fake job campaigns mimicking North Korean techniques. Emennet Pasargad escalated psychological operations and hack-and-leak campaigns targeting Israel, the U.S., and Europe, leveraging front companies to mask infrastructure. Additionally, UNC1860 acted as an initial access broker in the Middle East, deploying TemplePlay and ViroGreen to maintain network persistence. Iranian groups also intensified brute-force and MFA push-bombing attacks against critical infrastructure, selling stolen credentials to cybercriminal forums, further amplifying Iran’s role in state-aligned cyber operations.

Russian state-sponsored threat actors focused on espionage, credential theft, and disruptive operations targeting Europe, Central Asia, and the U.S. APT29 executed phishing campaigns leveraging Zero Trust Architecture (ZTA) themes to steal Windows credentials via RDP. Sandworm exploited fraudulent Army+ websites to target Ukrainian soldiers with NSIS-based malware. RomCom deployed two zero-day vulnerabilities (CVE-2024-9680 in Mozilla and CVE-2024-49039 in Windows) to deliver its backdoor without user interaction. BlueAlpha refined its GammaDrop malware distribution through Cloudflare Tunnels and HTML smuggling, while APT28 used HATVIBE and CHERRYSPY malware to sustain long-term intelligence collection in Central Asia and Europe. These activities reinforce Russia’s investment in cyber capabilities, blending malware sophistication, social engineering, and infrastructure obfuscation to maintain geopolitical influence.

Meanwhile, Chinese APT groups intensified cyberespionage across Southeast Asia, Taiwan, and Japan, targeting government, telecommunications, and military sectors. Earth Estries exploited VPNs, firewalls, and email servers to deploy SNAPPYBEE, DEMODEX, and GHOSTSPIDER for persistent access. Earth Kasha pivoted to spear-phishing attacks, deploying ANEL and NOOPDOOR to infiltrate Japan’s national security sector. Evasive Panda (Bronze Highland, Daggerfly, StormBamboo) hijacked cloud sessions in Taiwan using its CloudScout toolset. Volt Typhoon revived botnet operations, compromising Cisco RV320/325 routers and Netgear firewalls for stealthy command-and-control (C2) communication. Gelsemium APT expanded into Linux-based attacks with WolfsBane and FireWood, reflecting a growing trend of APT groups diversifying attack surfaces. These activities underscore China’s focus on long-term intelligence collection and network infrastructure exploitation to reinforce its regional and global cyber objectives.

Finally, North Korean APT groups continued to advance cyberespionage, ransomware operations, and financial cybercrime. Lazarus Group extended its DeathNote (Operation DreamJob) campaign, targeting nuclear sector employees via fake job opportunities, deploying trojanized VNC tools and advanced malware. The group also exploited a Google Chrome zero-day (CVE-2024-4947, CVSS 9.6) via a fake DeFi game to compromise cryptocurrency sector individuals. Additionally, Lazarus developed a macOS persistence technique, hiding malicious code in extended attributes (EAs) to evade detection. Meanwhile, Kimsuky ramped up credential theft operations, spoofing Russian domains to bypass email security measures. Notably, Jumpy Pisces (Andariel) collaborated with the Play ransomware operation, illustrating North Korea’s increasing reliance on ransomware to evade sanctions and generate revenue. These developments highlight Pyongyang’s evolving cyber strategy, combining espionage, financial theft, and disruptive cyber operations against high-value targets globally.

This report provides a comprehensive analysis of the evolving APT landscape in Q4 2024, reinforcing the urgent need for proactive cybersecurity strategies, user education, and continuous security updates to counter increasingly sophisticated state-sponsored threats.

KEY TRENDS OBSERVED IN Q4 2024

  • Increased Focus on Credential Theft & Social Engineering: APT groups across Iran, North Korea, and Russia ramped up phishing, MFA push-bombing, and fake job scams to steal credentials, enabling espionage and lateral movement.
  • Growing Exploitation of Zero-Day Vulnerabilities: RomCom (Russia) and Lazarus (North Korea) actively exploited zero-day vulnerabilities in Mozilla, Windows, and Google Chrome for stealthy malware deployment, highlighting the persistent use of unknown exploits before patching.
  • State-Sponsored Ransomware Expansion: North Korean APT Jumpy Pisces (Andariel) collaborated with Play ransomware, demonstrating an increasing reliance on ransomware as a sanctions-evasion and revenue-generation strategy.
  • Cloud Services Becoming a Prime Target: Evasive Panda (China) hijacked authenticated cloud sessions (Google Drive, Outlook, Gmail) using CloudScout malware, reflecting a shift toward cloud-based cyber-espionage operations.
  • Rise in Psychological & Influence Operations: Iranian APTs like Emennet Pasargad intensified hack-and-leak campaigns against Israel, the U.S., and Europe, blending cyber intrusion with disinformation strategies.
  • Geopolitically Driven Espionage Targeting Strategic Sectors: APT groups from China, Russia, Iran, and North Korea maintained persistent access to government, aerospace, energy, defense, and financial institutions, focusing on intelligence collection and disruption.

IRANIAN APT ACTIVITIES

Targeted Country

  • United States
  • Israel
  • United Arab Emirates (UAE)
  • Saudi Arabia
  • Egypt
  • Turkey
  • Iraq
  • Jordan
  • Albania
  • Azerbaijan
  • France
  • Sweden
  • Europe (Broadly)

Targeted Technology

  • Microsoft Active Directory (ADFS)
  • Microsoft Remote Desktop Protocol (RDP)
  • GitHub
  • Microsoft Azure
  • Cloudflare
  • PowerShell
  • Windows Kernel Drivers
  • HTML Smuggling
  • Zerologon
  • SSH Tunneling
  • DNS Tunneling

Targeted Industries

  • Government
  • Military
  • Aerospace
  • Defense
  • Financial Services
  • Healthcare
  • Technology and IT Services
  • Research Institutions
  • Education
  • Human Rights Organizations
  • Energy and Oil & Gas
  • Media and Telecommunications

UNC1860 (OilRig)

In Q4 2024, researchers uncovered the continued operations of UNC1860, an Iranian state-sponsored APT group acting as an initial access provider for high-profile networks in the Middle East, particularly targeting government and telecommunications sectors. Suspected to have ties to Iran’s Ministry of Intelligence and Security (MOIS), UNC1860 shares characteristics with other Iran-affiliated threat actors and employs a sophisticated toolset to maintain long-term persistence. Their arsenal includes advanced malware controllers like TemplePlay and ViroGreen, which facilitate remote access via RDP and enable control over previously installed malware. The group gains entry through opportunistic exploitation of vulnerable internet-facing servers, deploying web shells and stealthy passive implants that avoid detection better than traditional backdoors. Their use of Windows kernel-mode drivers extracted from legitimate Iranian antivirus software, alongside droppers like StayShante and SasheyAway, enables seamless hand-offs between operators. Notably, TemplePlay acts as a middlebox for accessing otherwise unreachable servers, while ViroGreen targets SharePoint servers vulnerable to CVE-2019-0604 (CVSS 9.8), offering extensive post-exploitation capabilities, including vulnerability scanning, payload deployment, and command execution. UNC1860 further enhances its evasion tactics by utilizing passive implants that avoid outbound traffic, encrypted HTTPS communication, undocumented I/O control commands, and tools like TempleLock, RotPipe, and TempleDrop. Given the group’s technical sophistication and their focus on establishing long-term footholds in critical networks, UNC1860 remains a key asset in Iran’s cyber operations, supporting espionage and potential disruptive activities amid ongoing regional tensions.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques
Initial Access T1190 Exploit Public-Facing Application
Execution T1059 Command and Scripting Interpreter
Execution T1106 Native API
Execution T1129 Shared Modules
Persistence T1543 Create or Modify System Process
Persistence T1543.002 Systemd Service
Privilege Escalation T1055 Process Injection
Privilege Escalation T1543 Create or Modify System Process
Privilege Escalation T1543.002 Systemd Service
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1055 Process Injection
Defense Evasion T1070 Indicator Removal
Defense Evasion T1070.006 Timestomp
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1562 Impair Defenses
Defense Evasion T1562.001 Disable or Modify Tools
Defense Evasion T1564 Hide Artifacts
Defense Evasion T1564.001 Hidden Files and Directories
Defense Evasion T1620 Reflective Code Loading
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1518 Software Discovery
Discovery T1518.001 Security Software Discovery
Command and Control T1071 Application Layer Protocol

WIRTE APT GROUP

In Q4 2024, the WIRTE APT group, believed to be linked to Hamas and part of the Gaza Cybergang cluster, intensified its cyber espionage and disruption efforts amid escalating Middle Eastern tensions. Active since 2018, WIRTE has traditionally focused on politically motivated intelligence gathering but has recently expanded its operations to include destructive attacks against Israel. The group targeted entities in the Palestinian Authority, Jordan, Egypt, and Saudi Arabia, deploying a custom loader, IronWind, alongside the SameCoin wiper malware, which was used in attacks on Israeli targets in February and October 2024. A new infection chain observed in September leveraged a PDF lure leading to a RAR file titled “RAR 1178 – Beirut – Developments of the War in Lebanon 2,” containing three components enabling DLL sideloading: PinEnrollmentBroker.exe (a renamed legitimate executable), a PDF lure, and propsys.dll (the primary infection mechanism). Once executed, the malware decrypted and executed the next-stage payload, the Havoc Demon agent, an open-source post-exploitation tool designed for persistence, data exfiltration, and lateral movement. In October 2024, WIRTE launched a targeted attack against Israeli hospitals and municipalities using a SameCoin Wiper variant sent from the email address of an Israeli reseller. This new wiper introduced an encryption function previously seen only in WIRTE’s malware. The group continues to deploy a versatile toolkit for both espionage and sabotage, relying on wipers, backdoors, phishing pages, and advanced techniques such as user-agent filtering, HTML payload obfuscation, and news site redirection. Indicators of activity suggest ongoing operations in Iraq, Saudi Arabia, and Egypt, reinforcing WIRTE’s persistent and evolving cyber threat across the region.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Initial Access T1566 Phishing
Initial Access T1566.002 Phishing: Spearphishing Link
Execution T1059 Command and Scripting Interpreter
Execution T1203 Exploitation for Client Execution
Persistence T1574 Hijack Execution Flow
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1574 Hijack Execution Flow
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1562 Impair Defenses
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion T1564 Hide Artifacts
Defense Evasion T1564.003 Hide Artifacts: Hidden Window
Defense Evasion T1574 Hijack Execution Flow
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1003 OS Credential Dumping
Credential Access T1056 Input Capture
Credential Access T1539 Steal Web Session Cookie
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Collection T1056 Input Capture
Command and Control T1071 Application Layer Protocol
Command and Control T1573 Encrypted Channel
Impact T1485 Data Destruction

TA455

In Q4 2024, researchers uncovered a sophisticated cyber-espionage campaign, dubbed the “Iranian Dream Job campaign,” planned by TA455, an Iranian threat actor linked to the Charming Kitten APT group, targeting the aerospace, aviation, and defense sectors across the Middle East, including Israel, the UAE, Turkey, India, and Albania. This operation leveraged fake job offers to lure victims into downloading malicious ZIP files from fraudulent recruitment websites and LinkedIn profiles. The campaign deployed SnailResin malware, which activates the SlugResin backdoor, though initial detections mistakenly attributed it to North Korea’s Lazarus Group, raising questions about deliberate misattribution or shared tactics between Iranian and North Korean actors. TA455 employed advanced evasion techniques, including DLL sideloading and concealment of C2 communications within legitimate services like Cloudflare, GitHub, and Microsoft Azure, making detection difficult. The attack followed a multi-stage infection process, verifying victims’ IP addresses before retrieving C2 details from GitHub, and embedding malware within a mix of benign and malicious files. By leveraging LinkedIn with fake recruiter profiles, the group increased credibility, reducing suspicion around phishing attempts. Additionally, TA455 continually shifted its infrastructure, frequently changing IP addresses, domains, and malware signatures to evade detection. The campaign’s strategic focus on intelligence gathering and potential disruption within aerospace and defense aligns with Iran’s broader geopolitical objectives, underlining the need for persistent monitoring and proactive defenses against TA455’s evolving tactics.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Initial Access T1566.001 Phishing: Spearphishing Attachment
Initial Access T1566.002 Phishing: Spearphishing Link
Discovery T1082 System Information Discovery
Command and Control T1102.001 Web Service: Dead Drop Resolver
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1036.005 Masquerading: Match Legitimate Name or Location
Defense Evasion T1027 Obfuscated Files or Information
Exfiltration T1041 Exfiltration Over C2 Channel

EMENNET PASARGAD

In Q4 2024, Iran-linked cyber-operations group Emennet Pasargad, also known as Cotton Sandstorm, intensified its cyber-espionage and psychological operations against Israel, the U.S., and Europe, aiming to erode public trust through hack-and-leak campaigns and disruptions to essential services, including electoral systems. Expanding beyond its traditional focus, the group has increasingly targeted assets such as IP cameras and organizations in France and Sweden. A joint advisory from the U.S. Departments of Justice and Treasury, alongside the Israel National Cyber Directorate (INCD), highlighted Emennet Pasargad’s use of the front company Aria Sepehr Ayandehsazan (ASA) to provide IT services and infrastructure support to other threat actors across the Middle East. Under this guise, the group has accessed large language model (LLM) services, scanned for vulnerabilities in IP-based devices, and harvested sensitive data. The FBI assesses that Emennet Pasargad strategically blends legitimate intrusions with exaggerated or false claims of network access to amplify psychological impact, creating confusion and fear among targeted populations. Since the escalation of the Israeli-Palestinian crisis in October 2023, Iran-affiliated cyber groups, including Emennet Pasargad, have escalated operations against critical infrastructure sectors in the U.S., Israel, and Europe, particularly in government, energy, and finance. Their tactics range from data theft and denial-of-service (DoS) attacks to ransomware deployments and destructive malware, including the Handala wiper. By leveraging cover hosting providers and using legitimate business fronts like ASA, Emennet Pasargad effectively conceals its infrastructure, bypasses detection mechanisms, and gathers intelligence while maintaining operational secrecy.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Reconnaissance T1596 Search Open Technical Databases
Reconnaissance T1589 Gather Victim Identity Information
Reconnaissance T1589.002 Gather Victim Identity Information: Email Addresses
Reconnaissance T1589.003 Gather Victim Identity Information: Employee Names
Reconnaissance T1591.001 Gather Victim Org Information: Determine Physical Locations
Reconnaissance T1595.002 Active Scanning: Vulnerability Scanning
Reconnaissance T1590.001 Gather Victim Network Information: Domain Properties
Reconnaissance T1595.001 Active Scanning: Scanning IP Blocks
Resource Development T1650 Acquire Access
Resource Development T1583 Acquire Infrastructure
Resource Development T1587 Develop Capabilities
Initial Access T1190 Exploit Public-Facing Application
Credential Access T1110.001 Brute Force: Password Guessing
Credential Access T1110.002 Brute Force: Password Cracking
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Command and Control T1219 Remote Access Software

CHARMING KITTEN

In Q4 2024, researchers identified BellaCPP, a new C++ variant of the BellaCiao malware family, which has been historically linked to the Iranian APT group Charming Kitten. Initially developed in .NET and first observed in April 2023, BellaCiao enabled persistence via webshells and covert communication channels, primarily targeting entities in the Middle East. The BellaCPP variant, while lacking web shell functionality, retains core operational capabilities and operates as a Windows service using a DLL named adhapl.dll within the system directory. Upon execution, it decrypts key strings via XOR encryption, resolves functions within the DLL and generates domains following a structured pattern—<5 random letters><target identifier>.<country code>.systemupdate[.]info—while interacting with DNS records. If a hardcoded IP address is identified, the malware establishes an SSH tunnel using stolen credentials and network configuration details, mirroring behaviors seen in earlier BellaCiao samples. Historical analysis reveals a structured versioning scheme embedded in PDB paths, using the identifier MicrosoftAgentServices with appended integers, indicating iterative development aimed at refining persistence and intrusion techniques. The presence of shared infrastructure, consistent domain-generation patterns, and the coexistence of older BellaCiao samples on compromised systems support the attribution to Charming Kitten. Despite missing a key DLL for deeper analysis, functional similarities between the .NET and C++ versions suggest with medium confidence that BellaCiao remains a persistent espionage tool, leveraging advanced tunneling capabilities and evolving modularity to enhance its stealth and effectiveness.
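The domain-generation pattern above is the most actionable detail for defenders: the apex domain is fixed while only the prefix and labels change. The following detection helper, added here as an example and not code from the report or the researchers cited, matches resolver log lines against that pattern; the five-letter lowercase prefix, alphanumeric target identifier and two-letter country code are assumptions drawn from the description, and the log format and sample lines are constructed.

```python
"""Detection helper: flag DNS queries that fit the BellaCPP domain pattern.

The report describes generated names of the form
<5 random letters><target identifier>.<country code>.systemupdate[.]info,
so the apex systemupdate.info is the anchor; prefix and label shapes below
are assumptions based on that description.
"""
import re
from collections import defaultdict

BELLACPP_RE = re.compile(
    r"^(?P<prefix>[a-z]{5})"          # 5 random letters (assumed lowercase)
    r"(?P<target>[a-z0-9-]+)\."      # target identifier (assumed alphanumeric)
    r"(?P<cc>[a-z]{2})\."            # two-letter country code
    r"systemupdate\.info\.?$"        # apex domain named in the report
)

# Constructed resolver log: "<ts> <client ip> <qtype> <qname>" (not real data).
SAMPLE_DNS_LOG = """\
2024-11-20T07:41:02Z 10.10.4.21 A kqzvwacme01.ae.systemupdate.info
2024-11-20T07:41:02Z 10.10.4.21 A www.example.com
2024-11-20T07:41:33Z 10.10.4.21 A pltyaacme01.ae.systemupdate.info
2024-11-20T07:42:10Z 10.10.7.88 TXT bxrnqcorp7.il.systemupdate.info
2024-11-20T07:43:00Z 10.10.9.3 A systemupdate.info
2024-11-20T07:43:05Z 10.10.9.3 A update.systemupdate.info
"""


def find_bellacpp_queries(log_text):
    """Return one record per query whose name matches the generated pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qtype, qname = fields
        m = BELLACPP_RE.match(qname.lower())
        if m:
            hits.append({"ts": ts, "client": client, "qtype": qtype,
                         "qname": qname, "target": m["target"], "cc": m["cc"]})
    return hits


def summarize_by_client(hits):
    """Group matches by querying host. A stable target id behind changing
    random prefixes from one client is the fingerprint of the generator."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["client"]].add(h["target"])
    return dict(summary)


if __name__ == "__main__":
    found = find_bellacpp_queries(SAMPLE_DNS_LOG)
    for client, targets in summarize_by_client(found).items():
        print(f"{client}: target id(s) {sorted(targets)}")
```

Any query for the apex domain at all deserves a look; the regex only isolates the generated hostnames so the target identifier can be pulled out per client.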

IRANIAN HACKERS

In Q4 2024, Iranian hackers increasingly targeted critical infrastructure organizations across sectors such as healthcare, government, IT, engineering, and energy, using brute-force attacks and MFA push bombing to gain initial access. Once inside, they escalate privileges, maintain persistence, and steal credentials, which are then sold on cybercriminal forums to facilitate further attacks by other threat actors. A key tactic, “MFA fatigue” or push bombing, overwhelms a target’s mobile device with repeated access requests until the user approves access out of frustration or error, after which attackers register their own devices in the MFA system for continued access. In some cases, they exploit self-service password reset tools tied to Active Directory Federation Services to reset expired passwords and bypass MFA protections. To maintain and expand access, attackers use tools like PowerShell and Remote Desktop Protocol (RDP) while exploiting vulnerabilities such as Zerologon (CVE-2020-1472, CVSS 10.0) to impersonate domain controllers and elevate privileges. By leveraging “living-off-the-land” techniques, they blend into legitimate network activity, making detection difficult as they gather intelligence on domain controllers, trusted domains, and other network resources. These attacks, flagged in advisories from U.S., Canadian, and Australian agencies, highlight Iran-linked groups’ growing role as initial access brokers, further amplifying the threat to critical infrastructure worldwide.
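The push-bombing sequence described above (repeated prompts, an eventual approval, then a new MFA device registered for persistence) is detectable from authentication telemetry. The following example is added here, not code from the report or the cited advisories; the log format, window and thresholds are assumptions and the sample lines are constructed.

```python
"""Detection helper: spot MFA push bombing in authentication logs.

Logic: a user who approves a push after a burst of denied/timed-out pushes in
a short window is likely being worn down; an MFA device registration shortly
after that approval (the persistence step the report describes) raises the
severity. Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)              # look-back for counting pushes
PROMPT_THRESHOLD = 5                        # pushes in window before we alert
REGISTRATION_GRACE = timedelta(minutes=30)  # approval -> new device window

# Constructed sample log (not real telemetry):
# "<ts> <user> <event> <result> <source ip>"
SAMPLE_AUTH_LOG = """\
2024-11-12T08:00:05Z alice mfa_prompt denied 203.0.113.7
2024-11-12T08:00:41Z alice mfa_prompt denied 203.0.113.7
2024-11-12T08:01:20Z alice mfa_prompt timeout 203.0.113.7
2024-11-12T08:02:02Z alice mfa_prompt denied 203.0.113.7
2024-11-12T08:02:44Z alice mfa_prompt denied 203.0.113.7
2024-11-12T08:03:30Z alice mfa_prompt approved 203.0.113.7
2024-11-12T08:05:10Z alice mfa_device_registered success 203.0.113.7
2024-11-12T08:10:00Z bob mfa_prompt approved 198.51.100.4
2024-11-12T09:30:00Z bob mfa_prompt approved 198.51.100.4
"""


def parse_line(line):
    ts, user, event, result, src = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result, "src": src}


def detect_push_bombing(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD,
                        grace=REGISTRATION_GRACE):
    """Return one alert per approval that followed a burst of pushes."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        prompts = [r for r in recs if r["event"] == "mfa_prompt"]
        registrations = [r for r in recs if r["event"] == "mfa_device_registered"]
        for i, p in enumerate(prompts):
            if p["result"] != "approved":
                continue
            # Pushes (this one included) inside the look-back window.
            burst = [q for q in prompts[:i + 1] if p["ts"] - q["ts"] <= window]
            if len(burst) < threshold:
                continue
            rejected = sum(1 for q in burst if q["result"] != "approved")
            new_device = any(timedelta(0) <= r["ts"] - p["ts"] <= grace
                             for r in registrations)
            alerts.append({
                "user": user,
                "approved_at": p["ts"].isoformat(),
                "src": p["src"],
                "prompts_in_window": len(burst),
                "rejected_before_approval": rejected,
                "new_device_registered": new_device,
                # A fresh device after a worn-down approval is the persistence step.
                "severity": "high" if new_device else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_AUTH_LOG):
        print(alert)
```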

RUSSIAN APT ACTIVITIES

Targeted Country

  • Ukraine
  • Kazakhstan
  • Kyrgyzstan
  • Uzbekistan
  • Israel
  • United States
  • France
  • Sweden
  • Turkey
  • Central Asian Nations
  • European Countries

Targeted Technology

  • Mozilla Firefox, Thunderbird, and Tor Browser
  • Microsoft Remote Desktop Protocol (RDP)
  • Cloudflare Tunnels
  • Nullsoft Scriptable Install System (NSIS)
  • Windows OS (Active Directory, mshta.exe, PowerShell)
  • Large Language Model (LLM) Services
  • TryCloudflare
  • HTTP File Server

Targeted Industries

  • Military
  • Government
  • Defense
  • Aerospace
  • Energy
  • Transportation
  • Financial Services
  • Education
  • Research Institutions
  • Human Rights Organizations
  • Healthcare
  • Technology and IT Services

APT 29

In Q4 2024, Amazon identified internet domains abused by APT29, the Russian Foreign Intelligence Service (SVR)-linked group, in a phishing campaign targeting government agencies, enterprises, and military organizations. Unlike its typical narrowly focused operations, APT29 distributed Ukrainian-language phishing emails on a broader scale, aiming to steal Windows credentials via Microsoft Remote Desktop. The campaign leveraged fraudulent domains designed to mimic AWS, though Amazon itself was not the target, nor were AWS customer credentials at risk. Instead, the attackers used phishing emails that referenced integration issues with Amazon and Microsoft services and the implementation of a Zero Trust Architecture (ZTA). The emails contained Remote Desktop Protocol (RDP) configuration files with names like “Zero Trust Security Environment Compliance Check.rdp,” which, when executed, automatically connected to malicious servers. This granted attackers remote access to the compromised system, including local disks, printers, network resources, and the clipboard, while also enabling the execution of malicious applications and scripts. The campaign underscores APT29’s ongoing efforts to exploit trusted technology themes to enhance the effectiveness of its credential theft and cyber-espionage operations.
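Because the lure here is a plain-text .rdp configuration file, a mail gateway or analyst can vet the attachment before anyone opens it. The following triage helper is added as an example, not code from Amazon or the report: it parses the key:type:value format and flags the settings that hand the remote server local drives, clipboard, printers and smart cards or start a program on connect. The sample file, host names and trusted-host list are constructed assumptions, not indicators from the report.

```python
"""Mail-gateway triage for .rdp attachments.

Parses the key:type:value line format used by .rdp files and flags settings
that expose local resources to the remote server or auto-start a program.
Sample content, hosts and the trusted suffix are constructed assumptions.
"""

# Constructed attachment named like the lure in the report; the host is a
# placeholder, not a real indicator.
SAMPLE_RDP = """\
full address:s:compliance-check.example.invalid:3389
screen mode id:i:2
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
remoteapplicationmode:i:0
authentication level:i:0
prompt for credentials:i:0
"""

# Assumption: the organisation's own RDP hosts live under this suffix.
TRUSTED_HOST_SUFFIXES = ("corp.example.invalid",)


def parse_rdp(text):
    """Return {key: (type, value)}; one 'key:type:value' setting per line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)   # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, typ, value = (p.strip() for p in parts)
        settings[key.lower()] = (typ, value)
    return settings


def _int(settings, key, default=0):
    _, value = settings.get(key, ("i", str(default)))
    try:
        return int(value)
    except ValueError:
        return default


def _str(settings, key):
    return settings.get(key, ("s", ""))[1]


def _is_trusted(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_rdp(settings, trusted_suffixes=TRUSTED_HOST_SUFFIXES):
    """Return (severity, reason) findings for a parsed .rdp file."""
    findings = []
    # 'full address' is host or host:port (IPv6 literals not handled here).
    host = _str(settings, "full address").split(":")[0].lower()
    if not host:
        findings.append(("high", "no target host, file cannot be vetted"))
    elif not _is_trusted(host, trusted_suffixes):
        findings.append(("high", f"connects to untrusted host {host}"))
    if _str(settings, "drivestoredirect"):
        findings.append(("high", "local drives are shared with the remote server"))
    if _str(settings, "devicestoredirect"):
        findings.append(("high", "plug-and-play devices are shared with the remote server"))
    if _int(settings, "redirectsmartcards") == 1:
        findings.append(("high", "smart card is redirected (usable for auth from the server)"))
    if _int(settings, "remoteapplicationmode") == 1 or _str(settings, "alternate shell"):
        findings.append(("high", "a program starts automatically on connect"))
    if _int(settings, "redirectclipboard") == 1:
        findings.append(("medium", "clipboard is shared with the remote server"))
    if _int(settings, "redirectprinters") == 1:
        findings.append(("medium", "printers are shared with the remote server"))
    if _int(settings, "authentication level", default=2) == 0:
        findings.append(("low", "server identity is not verified (authentication level 0)"))
    return findings


def rdp_verdict(text, trusted_suffixes=TRUSTED_HOST_SUFFIXES):
    """'block' on any high finding, 'review' on anything else, else 'allow'."""
    findings = assess_rdp(parse_rdp(text), trusted_suffixes)
    if any(sev == "high" for sev, _ in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    for sev, reason in assess_rdp(parse_rdp(SAMPLE_RDP)):
        print(f"[{sev}] {reason}")
    print("verdict:", rdp_verdict(SAMPLE_RDP))
```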

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Execution T1053 Scheduled Task/Job
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Execution T1106 Native API
Execution T1129 Shared Modules
Execution T1203 Exploitation for Client Execution
Persistence T1053 Scheduled Task/Job
Persistence T1542.003 Pre-OS Boot: Bootkit
Persistence T1543.003 Create or Modify System Process: Windows Service
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1053 Scheduled Task/Job
Privilege Escalation T1055 Process Injection
Privilege Escalation T1134 Access Token Manipulation
Privilege Escalation T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1014 Rootkit
Defense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070.006 Indicator Removal: Timestomp
Defense Evasion T1112 Modify Registry
Defense Evasion T1134 Access Token Manipulation
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1222 File and Directory Permissions Modification
Defense Evasion T1497.001 Virtualization/Sandbox Evasion: System Checks
Defense Evasion T1542.003 Pre-OS Boot: Bootkit
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1564.003 Hide Artifacts: Hidden Window
Defense Evasion T1564.004 Hide Artifacts: NTFS File Attributes
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1056 Input Capture
Credential Access T1539 Steal Web Session Cookie
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1497.001 Virtualization/Sandbox Evasion: System Checks
Discovery T1518.001 Software Discovery: Security Software Discovery
Collection T1056 Input Capture
Collection T1115 Clipboard Data
Collection T1125 Video Capture
Collection T1560 Archive Collected Data
Command and Control T1071 Application Layer Protocol
Command and Control T1090 Proxy
Command and Control T1571 Non-Standard Port
Command and Control T1573 Encrypted Channel
Impact T1485 Data Destruction
Impact T1489 Service Stop
Impact T1496 Resource Hijacking

UNC2596

In Q4 2024, researchers uncovered a previously unknown vulnerability in Mozilla products, exploited in the wild by the Russia-aligned threat group RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596). This marks at least the second instance of RomCom leveraging a critical zero-day, following its exploitation of CVE-2023-36884 via Microsoft Word in June 2023. The newly identified flaw, CVE-2024-9680 (CVSS 9.8), allows remote code execution within Firefox, Thunderbird, and Tor Browser, and when chained with CVE-2024-49039 (CVSS 8.8), a Windows vulnerability, it enables arbitrary code execution in the logged-in user’s context. This attack vector allowed RomCom to deploy its eponymous backdoor by simply directing victims to a compromised webpage, requiring no user interaction. The attack chain involved a fake website that redirected victims to an exploit server, which, upon successful execution, ran shellcode to install the RomCom backdoor. This malware enables remote command execution and the downloading of additional modules, supporting both espionage and cybercrime operations. While traditionally engaged in opportunistic cybercrime, RomCom has increasingly shifted towards intelligence-gathering efforts, targeting entities primarily in Europe and North America. The chaining of two zero-day vulnerabilities demonstrates the group’s growing technical sophistication and commitment to stealthy, high-impact cyber operations.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1055 Process Injection
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Discovery T1082 System Information Discovery
Command and Control T1071 Application Layer Protocol
Impact T1496 Resource Hijacking

BLUEALPHA

In Q4 2024, BlueAlpha, a Russian state-sponsored cyber threat group linked to the FSB and overlapping with Gamaredon, Shuckworm, Hive0051, and UNC530, evolved its malware delivery chain by leveraging Cloudflare Tunnels to stage GammaDrop malware. This tactic, commonly used by cybercriminals, allows the group to obscure its infrastructure and evade traditional network detection. BlueAlpha exploits Cloudflare’s free TryCloudflare tool, which generates randomized subdomains to proxy malicious traffic through Cloudflare’s network, concealing its staging infrastructure. The group also employs HTML smuggling, embedding malicious JavaScript within HTML attachments to bypass email security systems, with recent refinements in deobfuscation techniques, such as utilizing the onerror HTML event to trigger execution. Their malware suite consists of GammaDrop, a dropper that writes GammaLoad to disk for persistence, and GammaLoad, a custom loader that beacons to its C2 and executes additional payloads. Further complicating analysis, BlueAlpha employs DNS fast-fluxing to obfuscate C2 communications and extensive code obfuscation, including junk code and random variable names. This evolution in tactics highlights BlueAlpha’s increasing sophistication in malware deployment and persistence, posing a heightened threat to targeted organizations.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Execution T1059 Command and Scripting Interpreter
Persistence T1574 Hijack Execution Flow
Persistence T1574.002 DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1055.011 Extra Window Memory Injection
Privilege Escalation T1574 Hijack Execution Flow
Privilege Escalation T1574.002 DLL Side-Loading
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1055.011 Extra Window Memory Injection
Defense Evasion T1574 Hijack Execution Flow
Defense Evasion T1574.002 DLL Side-Loading
Discovery T1046 Network Service Discovery
Discovery T1082 System Information Discovery
Command and Control T1071 Application Layer Protocol
Command and Control T1095 Non-Application Layer Protocol

APT28

In Q4 2024, researchers identified an ongoing cyber-espionage campaign by APT28, a Russia-aligned threat group targeting government entities, human rights organizations, and educational institutions across Central Asia, East Asia, and Europe. This campaign, which aligns with the historical activities of UAC-0063 (attributed to BlueDelta/APT28), employs HATVIBE and CHERRYSPY, two custom malware tools designed for persistence and data exfiltration. HATVIBE, a VBScript-encoded HTML application loader, is delivered through phishing emails or exploited Rejetto HTTP File Server vulnerabilities, achieving persistence via scheduled tasks executed by mshta.exe. It communicates with C2 servers using HTTP PUT requests, providing attackers with system details before deploying CHERRYSPY, a Python-based backdoor that enables encrypted data exfiltration through RSA and AES encryption. Since July 2024, the campaign has compromised 62 victims across eleven countries, with significant incidents in Kazakhstan, Kyrgyzstan, and Uzbekistan. APT28’s operations are likely part of Russia’s broader geopolitical strategy to monitor and influence post-Soviet states, leveraging intelligence from these attacks to bolster military efforts and gain strategic insights into regional dynamics.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Resource Development T1583.003 Acquire Infrastructure: Virtual Private Server
Initial Access T1190 Exploit Public-Facing Application
Initial Access T1566.001 Phishing: Spearphishing Attachment
Execution T1059.005 Command and Scripting Interpreter: Visual Basic
Execution T1204.002 User Execution: Malicious File
Persistence T1053.005 Scheduled Task/Job: Scheduled Task
Defense Evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
Defense Evasion T1218.005 System Binary Proxy Execution: Mshta
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Command and Control T1573.001 Encrypted Channel: Symmetric Cryptography
Command and Control T1573.002 Encrypted Channel: Asymmetric Cryptography

CHINESE APT ACTIVITIES

Targeted Country

  • Japan
  • Tibet
  • Southeast Asia
  • Taiwan
  • United States

Targeted Industries

  • Government Political Organizations
  • Research Institutions
  • Education
  • Media
  • Religious Organisations
  • Critical infrastructure
  • Telecommunications

Targeted Technology

  • Windows
  • Web Browsers
  • Web servers
  • Linux
  • Cloud Services
  • Networking devices
  • VPN devices
  • Routers

EARTH ESTRIES

In Q4 2024, the highly active APT group Earth Estries intensified its cyber-espionage operations, targeting government agencies, telecommunications firms, and NGOs, particularly in Southeast Asia. The group exploited N-day vulnerabilities in VPNs, firewalls, and email servers to gain initial access before deploying custom malware to establish long-term persistence. Their arsenal includes SNAPPYBEE, DEMODEX, and the newly identified GHOSTSPIDER backdoor, which follows a modular, staged infection process. GHOSTSPIDER is initially executed via regsvr32.exe and communicates with a C2 server using a custom, TLS-encrypted protocol, enabling stealthy updates and evasion. The DEMODEX rootkit, now in a new variant, stores encrypted configurations and payloads within CAB files that are deleted post-installation to hinder forensic analysis. Earth Estries employs lateral movement techniques via LOLBINS like PSEXEC.exe and implements anti-analysis measures, including control flow flattening in its rootkits. The group also targets secondary victims, such as consulting firms and military contractors, to expand intelligence collection. Their persistent, highly obfuscated operations and encrypted communications make detection and attribution challenging, underscoring their strategic focus on data exfiltration and surveillance of high-value targets.
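Several of the intrusions above turn on Windows living-off-the-land binaries: HATVIBE persisting through a scheduled task that runs mshta.exe, GHOSTSPIDER being executed via regsvr32.exe, and Earth Estries moving laterally with PSEXEC.exe. The following Python snippet is an added illustration, not code from the report or from any of the named vendors, of how those three patterns can be expressed as hunting rules over Sysmon-style process-creation events. The event fields, the `USER_WRITABLE` path list and the sample telemetry are all constructed for the example.

```python
"""Hunt Sysmon-style process-creation events for the LOLBin patterns named
in this report: mshta.exe launched by the Task Scheduler (HATVIBE-style
persistence), regsvr32.exe loading a DLL from a user-writable path
(GHOSTSPIDER-style loading), and PsExec-style remote service execution.
All events below are constructed for illustration, not real telemetry."""
import re
from dataclasses import dataclass

# Locations a standard user can usually write to (illustrative list;
# extend it to match your environment).
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|c:\\programdata|c:\\windows\\temp|c:\\temp)\\",
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str
    user: str = "CORP\\user"

@dataclass
class Finding:
    rule: str
    event: ProcEvent

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_mshta_from_task(ev):
    # On modern Windows, scheduled tasks start their children under the
    # Schedule service's svchost.exe; an .hta launched that way is rarely benign.
    return _base(ev.image) == "mshta.exe" and _base(ev.parent_image) == "svchost.exe"

def check_regsvr32_untrusted_dll(ev):
    if _base(ev.image) != "regsvr32.exe":
        return False
    # Pull every quoted or bare argument and look for a module loaded
    # from a user-writable directory.
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', ev.command_line):
        path = quoted or bare
        if path.lower().endswith((".dll", ".ocx", ".dat", ".tmp")) and USER_WRITABLE.match(path):
            return True
    return False

def check_psexec_service(ev):
    # PsExec installs PSEXESVC.exe (possibly renamed) as a service that
    # services.exe then starts on the target.
    return _base(ev.parent_image) == "services.exe" and "psexesvc" in _base(ev.image)

RULES = {
    "mshta_from_scheduled_task": check_mshta_from_task,
    "regsvr32_user_writable_dll": check_regsvr32_untrusted_dll,
    "psexec_service_execution": check_psexec_service,
}

def detect(events):
    """Return one Finding per (rule, event) match, in event order."""
    return [Finding(name, ev) for ev in events for name, fn in RULES.items() if fn(ev)]

# Constructed sample telemetry (not taken from the report)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\AppData\Roaming\update.hta"',
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\ProgramData\cache\svc.dll"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
              r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe",
              r"C:\Windows\System32\services.exe", user="NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\App\help.hta"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.image} <- {f.event.parent_image} ({f.event.user})")
```

Run against the constructed events, the rules fire on the scheduled-task mshta launch, the regsvr32 load from ProgramData and the PSEXESVC start, and stay quiet on the vendor-installed plugin and the help file opened from Explorer. In production the parent-process condition for mshta should be tied to the Schedule service instance (its command line contains `-s Schedule`), which this simplified rule does not check.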

MITRE ATT&CK Tactics and Techniques
Tactic ID Technique / Sub technique
Execution T1129 Shared Modules
Defense Evasion T1027.001 Obfuscated Files or Information: Binary Padding
Defense Evasion T1027.002 Obfuscated Files or Information: Software Packing
Defense Evasion T1027.003 Obfuscated Files or Information: Steganography
Defense Evasion T1027.004 Obfuscated Files or Information: Compile After Delivery
Defense Evasion T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion T1036 Masquerading
Defense Evasion T1070.006 Indicator Removal: Timestomp
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1218.011 System Binary Proxy Execution: Rundll32
Credential Access T1056 Input Capture
Discovery T1082 System Information Discovery
Discovery T1497.001 Virtualization/Sandbox Evasion: System Checks
Discovery T1083 File and Directory Discovery
Discovery T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks
Discovery T1518.001 Software Discovery: Security Software Discovery
Collection T1056 Input Capture
Command and Control T1071 Application Layer Protocol

EARTH KASHA

In Q4 2024, researchers uncovered a sophisticated spear-phishing campaign by Earth Kasha, targeting individuals and organizations in Japan since June 2024. This operation marks the reappearance of the ANEL backdoor, previously used by APT10 until 2018, alongside NOOPDOOR, a modular backdoor associated with Earth Kasha. The campaign primarily focuses on individuals linked to political organizations, research institutions, think tanks, and Japan’s national security sector. Unlike its 2023 operations, which exploited edge device vulnerabilities, Earth Kasha has shifted tactics to spear-phishing emails crafted around topics related to Japan’s economic security and government affairs. These emails contain OneDrive links leading to a malicious ZIP file, which varies in content depending on the target. One infection method involves a macro-enabled document called ROAMINGMOUSE, which deploys ANEL, while another uses a shortcut file combined with an SFX archive or PowerShell script to achieve the same infection flow. ROAMINGMOUSE incorporates sandbox evasion techniques, such as detecting mouse movements and using custom Base64 encoding to bypass automated analysis. The ANEL backdoor executes through WMI (Windows Management Instrumentation), leveraging DLL sideloading to evade detection, and decrypts its payload using AES-256 encryption. The latest ANEL variant introduces UAC bypass techniques via the CMSTPLUA COM interface, removing older evasion features while adding new commands. NOOPDOOR, typically reserved for high-value targets, enables post-exploitation functions such as screenshot capture and remote command execution, suggesting a layered intrusion strategy. This campaign underscores Earth Kasha’s evolving tactics, blending legacy malware with modern spear-phishing techniques to infiltrate high-value individuals, reinforcing its role as a persistent espionage threat against Japan’s national security interests.

MITRE ATT&CK Tactics and Techniques
Tactic ID Technique / Sub technique
Initial Access T1566.001 Phishing: Spearphishing Attachment
Initial Access T1566.002 Phishing: Spearphishing Link
Execution T1059 Command and Scripting Interpreter
Persistence T1505.003 Server Software Component: Web Shell
Privilege Escalation T1068 Exploitation for Privilege Escalation
Defense Evasion T1027 Obfuscated Files or Information
Credential Access T1003 OS Credential Dumping
Discovery T1046 Network Service Discovery
Discovery T1082 System Information Discovery
Lateral Movement T1021.001 Remote Services: Remote Desktop Protocol
Collection T1005 Data from Local System
Exfiltration T1041 Exfiltration Over C2 Channel
Command and control T1071.001 Application Layer Protocol: Web Protocols

EVASIVE PANDA

In Q4 2024, the China-linked threat group Evasive Panda conducted a cyber-espionage campaign targeting Tibetan media and academic entities by exploiting vulnerabilities in Joomla-based content management systems. The attackers compromised websites, including Tibet Post and Gyudmed Tantric University, embedding malicious JavaScript that executed on the window.onload event. The script selectively targeted Windows users, collecting browser details and redirecting them to a fake TLS certificate error page, which prompted the download of a malicious executable disguised as a security certificate. This executable, a legitimate signed file, leveraged DLL side-loading to deploy a Cobalt Strike Beacon payload, enabling persistent remote access and intelligence collection. Unlike its parent group, Evasive Panda relied on widely available tools rather than custom malware, forgoing advanced obfuscation techniques. This campaign underscores the persistent focus of Chinese threat actors on infiltrating Tibetan organizations, using deceptive social engineering tactics, and exploiting trusted platforms to conduct cyber espionage.

MITRE ATT&CK Tactics and Techniques
Tactic ID Technique / Sub technique
Execution T1059 Command and Scripting Interpreter
Execution T1129 Shared Modules
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1027.002 Obfuscated Files or Information: Software Packing
Defense Evasion T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070.006 Indicator Removal: Timestomp
Defense Evasion T1112 Modify Registry
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks
Defense Evasion T1564.003 Hide Artifacts: Hidden Window
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1056.001 Input Capture: Keylogging
Credential Access T1539 Steal Web Session Cookie
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1018 Remote System Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks
Discovery T1518.001 Software Discovery: Security Software Discovery
Discovery T1614.001 System Location Discovery: System Language Discovery
Collection T1056.001 Input Capture: Keylogging
Collection T1115 Clipboard Data
Command and Control T1071 Application Layer Protocol

In another incident in Q4 2024, Evasive Panda targeted a government entity and a religious organization in Taiwan, deploying a previously undocumented post-compromise toolset named CloudScout, integrated into their MgBot malware framework. CloudScout, a .NET-based toolset, enables session hijacking through stolen web session cookies, granting unauthorized access to cloud services like Google Drive, Gmail, and Outlook. It features specialized modules for data exfiltration, extracting mail folder listings, email messages with attachments, and specific file formats (.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt). The stolen data is compressed into ZIP archives and exfiltrated via MgBot or Nightdoor. The toolset incorporates custom-developed libraries like HTTPAccess for HTTP communication and ManagedCookie for cookie management, enabling seamless integration with MgBot through a plugin-based mechanism. In the campaign, Evasive Panda leverages multiple initial access vectors, including exploiting newly disclosed vulnerabilities and DNS poisoning in supply chain attacks, while its pass-the-cookie technique showcases an advanced strategy for bypassing authentication and maintaining persistent access. These findings highlight Evasive Panda’s evolving espionage tactics and continued focus on infiltrating high-value entities in Taiwan.
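CloudScout's pass-the-cookie technique succeeds because a stolen session cookie is accepted wherever it is presented. The detection that follows is an added example, not code from the report or from the research it summarizes: it walks access records for a cloud service and flags a session whose cookie is later presented by a client with a different User-Agent or from a different country than the one that established it. The `AccessRecord` fields, the country enrichment and the sample log are constructed; map your own identity-provider or proxy fields onto them.

```python
"""Flag web sessions whose cookie is presented from a client that does not
match the one that established the session, the behaviour behind
pass-the-cookie (T1550.004). Records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRecord:
    ts: int            # epoch seconds
    user: str
    session_id: str    # value (or hash) of the session cookie
    src_ip: str
    user_agent: str
    country: str       # from GeoIP enrichment of src_ip

def session_anomalies(records):
    """Return sorted unique (session_id, user, reason) tuples for sessions
    later used from a client that differs from the one that first used them."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_session[r.session_id].append(r)
    findings = set()
    for sid, uses in by_session.items():
        origin = uses[0]
        for r in uses[1:]:
            # A browser keeps one User-Agent for the life of a session; a
            # replayed cookie driven by a different client usually does not.
            if r.user_agent != origin.user_agent:
                findings.add((sid, r.user, "user_agent_mismatch"))
            # A plain IP change is noisy (mobile roaming, VPN); a country
            # change inside one session is a much stronger signal.
            if r.country != origin.country:
                findings.add((sid, r.user, "country_mismatch"))
    return sorted(findings)

# Constructed sample log (not from the report). alice's cookie is replayed
# an hour later from another country by a non-browser client; bob merely
# changes IP within the same country with the same browser.
SAMPLE_LOG = [
    AccessRecord(1700000000, "alice", "sess-1a2b", "198.51.100.10",
                 "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "TW"),
    AccessRecord(1700000300, "alice", "sess-1a2b", "198.51.100.10",
                 "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "TW"),
    AccessRecord(1700003600, "alice", "sess-1a2b", "203.0.113.7",
                 "Mozilla/5.0 (Windows NT 10.0) .NET CLR 4.0", "HK"),
    AccessRecord(1700000100, "bob", "sess-9f8e", "192.0.2.44",
                 "Mozilla/5.0 (Macintosh) Safari/17", "TW"),
    AccessRecord(1700000700, "bob", "sess-9f8e", "192.0.2.91",
                 "Mozilla/5.0 (Macintosh) Safari/17", "TW"),
]

if __name__ == "__main__":
    for sid, user, reason in session_anomalies(SAMPLE_LOG):
        print(f"{user} {sid}: {reason}")
```

The two mismatch findings for alice's session are the signal to invalidate that session and any refresh tokens behind it. Detection after the fact is the fallback; the mitigation is to bind sessions to the client (token binding or device-bound session credentials where the provider supports them) and keep session lifetimes short so that a stolen cookie has little time to be replayed.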

MITRE ATT&CK Tactics and Techniques
Tactic ID Technique / Sub technique
Resource Development T1583.004 Acquire Infrastructure: Server
Resource Development T1587.001 Develop Capabilities: Malware
Execution T1569.002 System Services: Service Execution
Execution T1106 Native API
Persistence T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1112 Modify Registry
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1550.004 Use Alternate Authentication Material: Web Session Cookie
Defense Evasion T1036.005 Masquerading: Match Legitimate Name or Location
Credential Access T1539 Steal Web Session Cookie
Discovery T1082 System Information Discovery
Collection T1560.001 Archive Collected Data: Archive via Utility
Collection T1530 Data from Cloud Storage
Collection T1114.002 Email Collection: Remote Email Collection
Command and Control T1095 Non-Application Layer Protocol
Exfiltration T1041 Exfiltration Over C2 Channel

GELSEMIUM

In Q4 2024, the discovery of the WolfsBane and FireWood Linux backdoors highlighted the evolving cyber-espionage landscape, with Gelsemium APT assessed as the likely actor behind these tools. WolfsBane, a Linux counterpart to Gelsevirine, shares architectural and operational similarities with Gelsemium’s previous Windows-based malware, including persistence mechanisms using systemd or bash scripts and a modified open-source userland rootkit for stealth. It features custom network communication libraries utilizing UDP and HTTPS protocols, with embedded encryption to protect C2 traffic. This development suggests Gelsemium is shifting toward Linux-based attacks, likely in response to strengthened security measures in Windows environments. Meanwhile, FireWood, associated with the Project Wood malware family used in Operation TooHash, shares code similarities with its Windows predecessors, including TEA encryption and networking functions, but its attribution to Gelsemium remains low confidence due to potential shared usage among China-aligned groups. These backdoors enable persistent access, intelligence gathering on system credentials and sensitive files, and evasion of detection. The presence of these samples in archives from Taiwan, the Philippines, and Singapore suggests a focus on Southeast Asian entities, aligning with China’s strategic regional interests. The adoption of Linux malware reflects a broader shift among APT groups toward new attack vectors, demonstrating the continuous evolution of state-sponsored cyber operations.
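WolfsBane's modified userland rootkit and the T1574.006 entry in the table below both rest on the dynamic linker loading a library the defender did not ask for, either from /etc/ld.so.preload or through LD_PRELOAD in a process environment. The audit below is an added example, not code from the report or from ESET's analysis: its parsing functions take file contents so they can run against a mounted disk image as well as a live host, and the live walk reads /proc. The `SYSTEM_LIB_DIRS` prefixes, the sample preload file and the sample environment blob are constructed assumptions.

```python
"""Audit a Linux host for dynamic-linker hijacking persistence (T1574.006):
libraries listed in /etc/ld.so.preload and LD_PRELOAD values in running
processes' environments. Samples are constructed for illustration."""
import glob
import os

# Directories where preloaded libraries are normally installed (assumed list).
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_ld_so_preload(content):
    """Return the library paths in an ld.so.preload file: whitespace-separated
    entries, with '#' comments removed (as the glibc loader treats them)."""
    libs = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.split())
    return libs

def ld_preload_from_environ(environ_blob):
    """Extract LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob.
    The loader accepts colon- or space-separated lists; returns [] if unset."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []

def is_outside_system_dirs(path):
    """A preload library living outside the system library directories is
    the first thing to look at (not proof of compromise on its own)."""
    return not path.startswith(SYSTEM_LIB_DIRS)

def audit_live_system():
    """Return (source, library) pairs worth investigating on this host."""
    findings = []
    try:
        with open("/etc/ld.so.preload") as fh:
            for lib in parse_ld_so_preload(fh.read()):
                # A listed library that no longer exists on disk was likely
                # removed after loading to frustrate analysis.
                if is_outside_system_dirs(lib) or not os.path.exists(lib):
                    findings.append(("/etc/ld.so.preload", lib))
    except FileNotFoundError:
        pass
    for environ_path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(environ_path, "rb") as fh:
                blob = fh.read()
        except OSError:       # other users' processes are unreadable without root
            continue
        for lib in ld_preload_from_environ(blob):
            if is_outside_system_dirs(lib) or not os.path.exists(lib):
                findings.append((environ_path, lib))
    return findings

# Constructed samples (not from the report)
SAMPLE_PRELOAD = """# constructed sample of /etc/ld.so.preload
/usr/lib/x86_64-linux-gnu/libeatmydata.so
/usr/share/.cache/libselinux.so.1   # placeholder path for a rootkit library
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/.x/libhide.so:/usr/lib/libc.so.6\0HOME=/root\0"

if __name__ == "__main__":
    for source, lib in audit_live_system():
        print(f"{source}: {lib}")
```

Run as root so that every process's environ is readable. The caveat a practitioner needs: a userland rootkit that hooks readdir or open can hide its own library from the very process doing the audit, so a clean result from a live host is only trustworthy when it agrees with the same parsers run over an offline image of the disk.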

MITRE ATT&CK Tactics and Techniques
Tactic ID Technique / Sub technique
Resource Development T1583.001 Acquire Infrastructure: Domains
Resource Development T1583.004 Acquire Infrastructure: Server
Resource Development T1587.001 Develop Capabilities: Malware
Execution T1059.004 Command-Line Interface: Unix Shell
Persistence T1037.004 Boot or Logon Initialization Scripts: RC Scripts
Persistence T1543.002 Create or Modify System Process: Systemd Service
Persistence T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
Persistence T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries
Privilege Escalation T1546.004 Event Triggered Execution: Unix Shell Configuration Modification
Privilege Escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1070.006 Indicator Removal: Timestomp
Defense Evasion T1070.009 Indicator Removal: Clear Persistence
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1222.002 File Permissions Modification: Linux and Mac File and Directory Permissions Modification
Defense Evasion T1027.009 Obfuscated Files or Information: Embedded Payloads
Defense Evasion T1014 Rootkit
Defense Evasion T1036.005 Masquerading: Match Legitimate Name or Location
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Collection T1056 Input Capture
Exfiltration T1041 Exfiltration Over C2 Channel

VOLT TYPHOON

In Q4 2024, the Chinese state-sponsored threat group Volt Typhoon resumed its botnet operations following the law enforcement disruption of its KV-Botnet earlier in the year, demonstrating its persistence in leveraging compromised SOHO routers and outdated networking devices. The group primarily targets end-of-life Cisco RV320/325 routers and Netgear ProSafe firewalls, exploiting unpatched vulnerabilities to install MIPS-based malware and webshells. These tools enable communication over non-standard ports, complicating detection, while self-signed SSL certificates, including the identifier “jdyfj”, help disguise traffic. A key tactic involves using a compromised VPN device in the Pacific as a stealth hub to route traffic between the Asia-Pacific region and the Americas, masking malicious activity. In just over a month, Volt Typhoon compromised approximately 30% of all internet-exposed Cisco RV320/325 devices, rapidly expanding its botnet. While the exact initial entry points remain unclear, the group’s focus on unpatched, unsupported devices highlights the urgent need for organizations to replace outdated infrastructure, enforce strict network segmentation, and apply regular firmware updates to mitigate the risk of exploitation.

NORTH KOREAN APT ACTIVITIES

Targeted Country

  • United States
  • South Korea
  • Russia
  • Japan

Targeted Technology

  • Software
  • Windows
  • Web Applications
  • Google services

Targeted Industries

  • Advertising
  • Finance
  • Corporate
  • Research
  • Entertainment
  • Crypto
  • Energy
  • Defence

LAZARUS GROUP

In Q4 2024, Lazarus Group intensified its DeathNote campaign (Operation DreamJob), continuing to exploit fake job opportunities to target employees in nuclear-related organizations. The group employed sophisticated infection chains, delivering trojanized VNC tools and malicious archive files disguised as skill assessments for aerospace and defense roles. The campaign leveraged compressed ISO files containing malicious VNC software, initiating an infection chain with Ranid Downloader, MISTPEN loader, and RollMid malware. A key tactic involved DLL side-loading via vnclang.dll, which executed MISTPEN to download additional payloads such as LPEClient and RollMid. Additionally, CookieTime malware facilitated lateral movement and payload execution, deploying tools like ServiceChanger and Charamel Loader, which in turn delivered CookiePlus, a stealthy downloader capable of retrieving payloads from internal or external sources. CookiePlus used encrypted configuration data to maintain covert C2 communication. By integrating open-source utilities, leveraging advanced obfuscation, and evolving its malware toolkit, Lazarus demonstrated its adaptability and persistence in targeting high-value organizations globally, further cementing its role as a critical cyber espionage threat.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Execution T1106 Native API
Persistence T1574 Hijack Execution Flow
Persistence T1574.002 DLL Side-Loading
Privilege Escalation T1548 Abuse Elevation Control Mechanism
Privilege Escalation T1574 Hijack Execution Flow
Privilege Escalation T1574.002 DLL Side-Loading
Defense Evasion T1036 Masquerading
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1548 Abuse Elevation Control Mechanism
Defense Evasion T1562 Impair Defenses
Defense Evasion T1562.001 Disable or Modify Tools
Defense Evasion T1574 Hijack Execution Flow
Defense Evasion T1574.002 DLL Side-Loading
Credential Access T1056 Input Capture
Discovery T1010 Application Window Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Discovery T1518 Software Discovery
Discovery T1518.001 Security Software Discovery
Collection T1056 Input Capture
Command and Control T1071 Application Layer Protocol
Command and Control T1095 Non-Application Layer Protocol
Command and Control T1573 Encrypted Channel

In another campaign, Lazarus Group exploited a zero-day vulnerability in Google Chrome (CVE-2024-4947, CVSS 9.6) to target individuals in the cryptocurrency sector. The campaign used a fraudulent DeFi tank game website, detankzone[.]com, to lure victims into downloading a trial version that triggered a malicious script exploiting two vulnerabilities: a type confusion bug enabling read/write access within the Chrome process and a flaw in the V8 JavaScript engine allowing a sandbox bypass. While both vulnerabilities were patched in March and May 2024, Lazarus leveraged them before disclosure, deploying a validator shellcode to assess system data and determine whether the target warranted further compromise. The final payload remains unidentified. The operation was heavily driven by social engineering, with attackers creating AI-generated content and impersonating blockchain entities to promote the fake game across social media. Notably, Lazarus also repurposed stolen source code and assets from a legitimate play-to-earn game, reinforcing its financially motivated tactics and continuous innovation in cybercrime and espionage operations.

In Q4 2024, Lazarus Group introduced a novel technique for concealing malicious code on macOS by leveraging extended attributes (EAs), a metadata feature that allows additional data storage within files beyond standard attributes. By embedding custom attributes, Lazarus effectively evaded detection by traditional antivirus tools, marking an undocumented method in the MITRE ATT&CK framework. The observed malware was developed using the Tauri framework, combining a JavaScript-based frontend with a Rust-based backend. Execution involved extracting hidden content from custom EAs via a Tauri API and running embedded shell scripts. The group employed decoy tactics, including fake PDF downloads and application error messages, with malicious applications either unsigned or signed with revoked certificates. Attribution to Lazarus is based on shared infrastructure with prior campaigns and thematic decoy content related to cryptocurrency and employment opportunities. While no secondary payloads were recovered, this technique demonstrates a significant evolution in Lazarus’s macOS-focused tactics, presenting future risks if combined with code signing, notarization bypasses, or macOS Gatekeeper evasion strategies.
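Because the payload lives in file metadata rather than file content, hunting for this technique means inventorying extended attributes rather than hashing files. The script below is an added example, not code from the report or from the researchers who documented the technique: it parses the attribute lines of `ls -l@` output (the macOS long listing that shows each attribute's name and size), flags attribute names outside an allowlist of common Apple attributes and oversized values in known ones, and walks a directory tree. The `KNOWN_ATTRS` allowlist, the size threshold and the sample listing (including the attribute name `example.hidden`) are constructed assumptions, not the names observed in the campaign.

```python
"""Inventory extended attributes on macOS files and flag the ones outside
well-known Apple namespaces, the hiding spot described above. The parser
takes `ls -l@` output so it can be unit-tested off-box; the scan itself
shells out to ls and therefore only runs on macOS."""
import os
import subprocess
import sys

# Frequently seen, benign attribute names (illustrative allowlist, tune per fleet)
KNOWN_ATTRS = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.metadata:_kMDItemUserTags",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
}
LARGE_ATTR_BYTES = 4096  # assumed threshold; a hidden script or binary tends to exceed it

def parse_xattr_listing(ls_output):
    """Parse the indented attribute lines that `ls -l@` prints after a file's
    long-listing line into {attribute_name: size_in_bytes}."""
    attrs = {}
    for line in ls_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[-1].isdigit():
            attrs[parts[0]] = int(parts[-1])
    return attrs

def file_xattrs(path):
    """Attributes of one file, via the system ls (macOS only)."""
    out = subprocess.run(["ls", "-l@", "--", path], capture_output=True,
                         text=True, check=True).stdout
    return parse_xattr_listing(out)

def suspicious_attrs(attrs, known=KNOWN_ATTRS, large=LARGE_ATTR_BYTES):
    """Return [(name, size, reason)] for attributes that deserve a look."""
    findings = []
    for name, size in attrs.items():
        if name not in known:
            findings.append((name, size, "unknown attribute name"))
        elif size >= large:
            findings.append((name, size, "unusually large payload in known attribute"))
    return findings

def scan(root):
    """Walk a tree and map each file with suspicious attributes to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = suspicious_attrs(file_xattrs(path))
            except (subprocess.CalledProcessError, OSError):
                continue
            if found:
                hits[path] = found
    return hits

# Constructed sample of `ls -l@` output (not from the report); the
# attribute name example.hidden is a placeholder, not the one used in the wild.
SAMPLE_LISTING = """-rwxr-xr-x@ 1 user  staff  4521 Nov 12 10:03 Decoy.app/Contents/MacOS/Decoy
\tcom.apple.quarantine\t     57 
\tcom.apple.FinderInfo\t     32 
\texample.hidden\t  18432 
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for path, found in scan(root).items():
        for name, size, reason in found:
            print(f"{path}: {name} ({size} bytes) - {reason}")
```

Once a file is flagged, `xattr -p <name> <file>` dumps the attribute for analysis. An allowlist check like this is a triage aid, not an authoritative verdict: legitimate software also writes custom attributes, so the hit list needs review against the application that owns the file.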

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Execution T1059.002 Command and Scripting Interpreter: AppleScript
Execution T1059.004 Command and Scripting Interpreter: Unix Shell
Defense Evasion T1564 Hide Artifacts
Command and Control T1105 Ingress Tool Transfer

KIMSUKY

In Q4 2024, the North Korea-aligned threat actor Kimsuky conducted a series of credential theft campaigns leveraging sophisticated phishing techniques designed to bypass traditional email security measures. Since September 2024, the group has been spoofing Russian-origin domains, using the VK Mail[.]ru service and alias domains such as mail[.]ru, internet[.]ru, bk[.]ru, inbox[.]ru, and list[.]ru to enhance legitimacy. Previously, Kimsuky relied on sender addresses linked to domains in Japan, Korea, and the U.S., but its recent shift to Russian domains has allowed it to impersonate financial institutions and popular online platforms more effectively. A common lure involves posing as Naver’s MYBOX cloud storage service, warning users of malicious files in their accounts to create urgency and drive interaction with malicious links. The group also abuses compromised infrastructure, with emails traced to servers like “mmbox[.]ru” and “ncloud[.]ru”, linked to a compromised Evangelia University email server. Kimsuky orchestrates these attacks using the PHP-based Star mailer tool, echoing its established practice of misusing legitimate tools for malicious purposes. The campaign’s primary objective is credential theft, enabling account hijacking, lateral movement, data exfiltration, and further attacks. By exploiting misconfigured DMARC policies and spoofing trusted entities, Kimsuky continues to refine its evasion tactics, posing a persistent and evolving threat.
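The DMARC weakness this campaign relies on is easy to audit for your own domains. The checker below is an added example, not code from the report or from any vendor: it parses a DMARC TXT record and grades it, calling out the `p=none`, partial `pct=`, unprotected-subdomain and missing-reporting conditions that leave a domain spoofable or leave the spoofing invisible. It works on record strings passed in, so fetching the `_dmarc.<domain>` TXT record is left to your resolver; the sample domains and records are constructed.

```python
"""Parse and grade DMARC records to find the misconfigurations that let a
spoofed sender through. Records are passed in as TXT strings; the sample
domains and records below are constructed for illustration."""

POLICY_SCORE = {"none": 1, "quarantine": 2, "reject": 3}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return (score, findings). Score 0 means spoofed mail is accepted and
    unreported; 3 means failing mail is rejected for the domain and subdomains."""
    if txt is None:
        return 0, ["no DMARC record: spoofed mail is accepted and never reported"]
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return 0, ["record does not declare v=DMARC1 and will be ignored by receivers"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_SCORE:
        return 0, ["missing or invalid p= tag; receivers treat the record as invalid"]
    score = POLICY_SCORE[policy]
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        # A partial rollout means most failing mail is handled as p=none.
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        score = min(score, 1)
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are lost")
    return score, findings

# Constructed sample records (not real domains)
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=s",
    "absent.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        score, findings = assess_dmarc(record)
        print(f"{domain}: score {score}/3")
        for finding in findings:
            print(f"  - {finding}")
```

A DMARC policy only governs what receivers do with mail that fails SPF and DKIM alignment, so a score of 3 here still depends on SPF and DKIM being published correctly; and, as the Kimsuky lures show, it does nothing against mail sent from look-alike or compromised third-party domains, which is why user-facing controls remain necessary alongside it.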

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Execution T1129 Shared Modules
Execution T1047 Windows Management Instrumentation
Execution T1203 Exploitation for Client Execution
Persistence T1542 Pre-OS Boot
Persistence T1542.003 Bootkit
Privilege Escalation T1055 Process Injection
Defense Evasion T1014 Rootkit
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070 Indicator Removal
Defense Evasion T1221 Template Injection
Defense Evasion T1542 Pre-OS Boot
Defense Evasion T1542.003 Bootkit
Defense Evasion T1564 Hide Artifacts
Defense Evasion T1564.001 Hidden Files and Directories
Defense Evasion T1564.007 VBA Stomping
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1518 Software Discovery
Discovery T1518.001 Security Software Discovery
Command and Control T1071 Application Layer Protocol
Command and Control T1095 Non-Application Layer Protocol
Command and Control T1573 Encrypted Channel
Impact T1485 Data Destruction
Impact T1496 Resource Hijacking

JUMPY PISCES

In Q4 2024, Jumpy Pisces (also known as Andariel), a North Korean state-sponsored group, was observed collaborating with the Play ransomware operation, marking a strategic shift toward ransomware-driven financial gain. Between May and September 2024, Jumpy Pisces gained initial access through a compromised user account, leveraging the Sliver C2 framework and the Dtrack backdoor to establish persistence. These tools remained active until early September, culminating in the deployment of Play ransomware, which has previously impacted around 300 organizations. Prior to ransomware execution, another threat actor—using the same compromised account—conducted credential harvesting, privilege escalation, and endpoint defense evasion, while also deploying a trojanized binary to extract sensitive browser data, including history, auto-fill information, and credit card details. The connection between Jumpy Pisces and Play was established through shared infrastructure, tools, and timelines, with the Sliver C2 server remaining active until the day before the ransomware attack. However, the nature of their collaboration remains unclear—whether Jumpy Pisces served as an initial access broker or had a formal partnership with Play ransomware actors. This development highlights North Korea’s increasing reliance on ransomware as a means to circumvent sanctions and generate revenue, posing heightened risks of widespread ransomware attacks against enterprises in the future.

MITRE ATT&CK Tactics and Techniques
Tactic ID Techniques/ Sub Techniques
Execution T1129 Shared Modules
Persistence T1574 Hijack Execution Flow
Persistence T1574.002 DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1574 Hijack Execution Flow
Privilege Escalation T1574.002 DLL Side-Loading
Defense Evasion T1055 Process Injection
Defense Evasion T1070 Indicator Removal
Defense Evasion T1112 Modify Registry
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1497.002 User Activity Based Checks
Defense Evasion T1564 Hide Artifacts
Defense Evasion T1564.003 Hidden Window
Defense Evasion T1574 Hijack Execution Flow
Defense Evasion T1574.002 DLL Side-Loading
Credential Access T1056 Input Capture
Credential Access T1056.001 Keylogging
Discovery T1012 Query Registry
Discovery T1016 System Network Configuration Discovery
Discovery T1018 Remote System Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Discovery T1497.002 User Activity Based Checks
Collection T1056 Input Capture
Collection T1056.001 Keylogging
Command and Control T1071 Application Layer Protocol

CONCLUSION

In Q4 2024, state-sponsored APT groups from China, North Korea, Iran, and Russia continued to evolve their cyber-espionage, financial cybercrime, and disruptive attack strategies, leveraging zero-day exploits, social engineering, ransomware, and advanced evasion techniques. The increasing targeting of cloud environments, Linux systems, and end-of-life devices underscores a shift toward diversified attack surfaces and long-term persistence. Credential theft, ransomware collaborations, and infrastructure obfuscation remain central to nation-state cyber operations, with North Korea monetizing ransomware, China prioritizing intelligence collection, Russia focusing on geopolitical espionage, and Iran blending cyber warfare with influence operations. As APT threats grow more covert, persistent, and financially driven, organizations must prioritize proactive threat intelligence, cross-sector collaboration, and enhanced cybersecurity resilience to mitigate emerging risks and strengthen defenses against increasingly sophisticated nation-state threats.