{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/apt/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["state-sponsored","apt","persistence","vulnerability-exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIn 2025, state-sponsored threat actors from China, Russia, North Korea, and Iran pursued distinct goals, from espionage and disruption to financial gain and geopolitical influence, yet relied on similar tactics, techniques, and procedures (TTPs) for initial access and persistence. A common thread was the exploitation of both newly disclosed flaws (e.g., the ToolShell SharePoint exploit chain used by Chinese actors) and long-standing, unpatched vulnerabilities in networking devices and widely used software. Identity-based attacks, including social engineering and the use of stolen credentials, were equally prominent. North Korean actors stole $1.5 billion in cryptocurrency in a single exchange heist and generated billions more through fraudulent remote IT work backed by AI-generated personas. Iranian actors combined disruptive hacktivism with advanced persistent threat (APT) activity, such as the ShroudedSnooper group targeting telecommunications providers for long-term access. 
The focus across these actors was on establishing a persistent presence within compromised networks, often remaining undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation (Initial Access):\u003c/strong\u003e Actors exploit vulnerabilities in internet-facing networking devices and widely used software, combining newly disclosed flaws with older ones that remain unpatched.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering (Initial Access):\u003c/strong\u003e North Korean actors use fake recruiter personas in campaigns such as Contagious Interview to trick targets into executing attacker-supplied code or handing over credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting (Credential Access):\u003c/strong\u003e After initial access, actors harvest credentials to escalate privileges and reach further systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWeb Shell Deployment (Persistence):\u003c/strong\u003e Chinese actors deploy web shells on compromised servers and edge devices for persistent access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCustom Backdoor Installation (Persistence):\u003c/strong\u003e Backdoors, including compact custom implants like those used by ShroudedSnooper, are deployed to maintain long-term access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTunneling (Command \u0026amp; Control):\u003c/strong\u003e Actors use tunneling tools to maintain covert command-and-control channels to compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Exfiltration):\u003c/strong\u003e Actors exfiltrate sensitive data, from espionage targets such as communications and intellectual property to, in the North Korean case, stolen cryptocurrency.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisruption/Espionage (Impact):\u003c/strong\u003e Depending on the actor and objective, the final stage involves disruptive activities such as DDoS attacks or long-term 
espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed state-sponsored activity resulted in significant financial losses, espionage, and disruptive attacks. North Korean actors stole $1.5 billion in cryptocurrency and generated billions in revenue through fraudulent remote IT work, affecting cryptocurrency exchanges, financial institutions, and Fortune 500 companies that unknowingly hired the workers. Iranian hacktivist operations caused disruption through DDoS attacks and defacements. Espionage campaigns targeted sectors such as telecommunications, potentially compromising sensitive communications and intellectual property. Because these actors prioritise persistence, a compromise typically means long-term monitoring of the victim and a foothold that can be reused for later operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching of both newly disclosed and long-standing vulnerabilities in internet-facing networking devices and software, since both were used for initial access (Reference: Overview, Attack Chain Step 1).\u003c/li\u003e\n\u003cli\u003eImplement robust identity and access management controls, including phishing-resistant multi-factor authentication and monitoring for anomalous sign-ins, to counter social engineering and credential-based attacks (Reference: Attack Chain Step 2 \u0026amp; 3).\u003c/li\u003e\n\u003cli\u003eIncrease visibility into network and edge infrastructure by forwarding logs from devices that cannot run endpoint agents and monitoring them for unauthorized access and persistence mechanisms (Reference: Attack Chain Steps 4, 5, \u0026amp; 6).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules that accompany this brief to detect suspicious web shell activity and backdoor installations (Reference: Rules).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns and connections indicative of tunneling or data exfiltration (Reference: Attack Chain Steps 6 \u0026amp; 
7).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T13:51:01Z","date_published":"2026-04-14T13:51:01Z","id":"/briefs/2026-04-state-sponsored-access/","summary":"In 2025, state-sponsored actors from China, Russia, North Korea, and Iran leveraged vulnerabilities and identity compromise for initial access, focusing on persistence for long-term espionage or disruption.","title":"State-Sponsored Actors Leveraging Vulnerabilities and Identity for Persistent Access (2025)","url":"https://feed.craftedsignal.io/briefs/2026-04-state-sponsored-access/"},{"_cs_actors":["Russian APT"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zimbra","xss","ukraine","apt"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA Russian APT group is conducting a campaign, tracked as \u0026ldquo;Operation GhostMail,\u0026rdquo; against the Ukrainian government. The attackers exploit a cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite webmail client to take over user sessions without needing the victim\u0026rsquo;s password. The source material does not name the specific vulnerability (CVE), so the affected versions cannot be stated here. The operation is one more instance of the sustained cyber conflict targeting Ukraine. Defenders should focus on detecting exploitation attempts against Zimbra and anomalous activity originating from compromised email accounts. 
The scope of this campaign appears limited to the Ukrainian government sector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Zimbra server within the Ukrainian government infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an email whose content carries the XSS payload so that the webmail client renders it.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and opens it in the Zimbra webmail client; no attachment needs to be run.\u003c/li\u003e\n\u003cli\u003eThe XSS payload executes in the victim\u0026rsquo;s browser within the webmail origin. If the session cookie is readable by script, the attacker steals it; if it is marked HttpOnly, the script can still issue authenticated requests on the victim\u0026rsquo;s behalf.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the stolen session cookie to act as the victim in the Zimbra webmail client, without the password and without triggering any MFA prompt the victim has already satisfied.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the victim\u0026rsquo;s email, contacts, and calendar.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to send further phishing emails to other targets within the Ukrainian government, widening the intrusion from a trusted internal sender.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive information from the compromised mailboxes and may pivot to other internal systems using what the mail reveals.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign is focused on espionage and potential disruption of Ukrainian government operations. Successful exploitation gives unauthorized access to sensitive email communications, contact lists, and calendar information. Compromised accounts are then used to spread phishing within the government from trusted senders, increasing the scope of the breach. 
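\u003c/p\u003e\n\u003cp\u003eAs an added example (not part of the brief and not Zimbra\u0026rsquo;s own tooling), the Python below flags the post-exploitation signal from steps 5 to 7 of the chain: the same webmail session id appearing from a second client address or user agent after login, and outbound mail sent from that foreign client. The key=value access-log format, the user names and the addresses are constructed for illustration and are an assumption, not Zimbra\u0026rsquo;s log format; adapt the parser to your mailbox-server audit logs.\u003c/p\u003e\n
```python
# Added example, not from the brief: detect a webmail session reused from a
# second client, the pattern a replayed session cookie produces.
# The log format below is an assumption for illustration, not Zimbra's format.
from collections import defaultdict

# Constructed sample log lines, not real Zimbra data. Values contain no spaces.
SAMPLE_LOG = '''
2026-03-18T09:12:01Z user=o.kovalenko session=s7f1 ip=10.20.30.40 ua=Firefox/128 action=login
2026-03-18T09:14:37Z user=o.kovalenko session=s7f1 ip=10.20.30.40 ua=Firefox/128 action=read
2026-03-18T09:31:05Z user=o.kovalenko session=s7f1 ip=203.0.113.77 ua=curl/8.5 action=read
2026-03-18T09:32:10Z user=o.kovalenko session=s7f1 ip=203.0.113.77 ua=curl/8.5 action=send
2026-03-18T09:32:58Z user=o.kovalenko session=s7f1 ip=203.0.113.77 ua=curl/8.5 action=send
2026-03-18T10:02:00Z user=d.melnyk session=c2e9 ip=10.20.31.8 ua=Firefox/128 action=login
2026-03-18T10:05:12Z user=d.melnyk session=c2e9 ip=10.20.31.8 ua=Firefox/128 action=read
'''


def parse_line(line):
    '''Parse one key=value access-log line into a dict; returns None for blanks.'''
    parts = line.split()
    if not parts:
        return None
    rec = {'ts': parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition('=')
        rec[key] = value
    return rec


def find_session_reuse(log_text):
    '''Return one alert per session id seen from more than one (ip, ua) pair.
    The first record for a session is taken as the legitimate login client;
    every later record from a different client is treated as foreign.'''
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_session[rec['session']].append(rec)
    alerts = []
    for sid, recs in by_session.items():
        origin = (recs[0]['ip'], recs[0]['ua'])
        foreign = [r for r in recs if (r['ip'], r['ua']) != origin]
        if not foreign:
            continue
        alerts.append({
            'session': sid,
            'user': recs[0]['user'],
            'origin': origin,
            'foreign': sorted({(r['ip'], r['ua']) for r in foreign}),
            'first_foreign_ts': foreign[0]['ts'],
            # messages sent through the hijacked session: step 7 of the chain
            'sent_from_foreign': sum(1 for r in foreign if r['action'] == 'send'),
        })
    return alerts


if __name__ == '__main__':
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```
\n\u003cp\u003eThe check is deliberately strict (any change of client tuple within a session). On networks with NAT pools or roaming clients, relax it to alert on a public source address or a user-agent change, and keep the count of messages sent from the foreign client, since that is the escalation step the brief describes.\u003c/p\u003e\n\u003cp\u003e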
The exfiltration of sensitive data can lead to reputational damage and compromise of national security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Zimbra Webmail Activity\u003c/code\u003e to your SIEM and tune it for your environment; the signals to watch are a session used from a new source address or user agent and a burst of outbound mail from an account shortly after it opened an inbound message.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual connections originating from Zimbra servers, which can indicate post-exploitation activity, using the \u003ccode\u003eDetect Zimbra Server Outbound Connections\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Zimbra accounts to blunt credential reuse, but note that a replayed session cookie rides on a session that has already passed MFA; pair MFA with short session lifetimes, the HttpOnly and Secure cookie attributes, and forced invalidation of every session of an account suspected of compromise.\u003c/li\u003e\n\u003cli\u003eKeep Zimbra installations patched against the vendor\u0026rsquo;s published advisories and audit them regularly, since the flaw used here is unspecified in the source material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:20:03Z","date_published":"2026-03-20T05:20:03Z","id":"/briefs/2026-03-ghostmail/","summary":"A Russian APT group is exploiting a Zimbra XSS vulnerability (details unspecified) to target the Ukrainian government in an operation dubbed 'GhostMail'.","title":"Operation GhostMail: Russian APT Exploiting Zimbra XSS to Target Ukraine Government","url":"https://feed.craftedsignal.io/briefs/2026-03-ghostmail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["maltrail","ioc","osx","android","apt"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief highlights indicators of compromise (IOCs) identified on March 15, 2026, through the Maltrail feed. The IOCs are associated with a range of threat actors and malware families targeting macOS and Android. 
The threats include OSX_Atomic (Atomic macOS Stealer), a macOS information stealer spread through fake or pirated application downloads; FakeApp, a generic label for deceptive look-alike applications; Android_Joker, a long-running Android malware family; Lummack2, an information stealer; APT_Sidewinder and APT_Kimsuky, two state-aligned espionage groups; and Hak5Cloud_C2, the cloud command-and-control service for Hak5 hardware implants. Hak5 Cloud C2 is a commercial red-team product, so a hit may be authorized testing as well as adversary use and should be checked against engagement records before escalation. The set shows the breadth a single feed covers and the value of matching DNS, proxy, and system logs against it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (OSX_Atomic/FakeApp):\u003c/strong\u003e The user downloads a seemingly legitimate application from a malicious or compromised download site (e.g., \u003ccode\u003eappsformacs.com\u003c/code\u003e, \u003ccode\u003etorrents4mac.com\u003c/code\u003e, or a FakeApp site like \u003ccode\u003eadhushapp-razvd.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (OSX_Atomic/FakeApp):\u003c/strong\u003e The downloaded application is executed on the user\u0026rsquo;s macOS or Android device. 
This may involve talking the user through bypassing Gatekeeper on macOS or sideloading warnings on Android, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (OSX_Atomic/Android_Joker):\u003c/strong\u003e The malware establishes persistence, potentially through launch agents or scheduled jobs (OSX_Atomic) or by registering as a background service (Android_Joker).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (Multiple):\u003c/strong\u003e The malware connects to a command-and-control (C2) server (e.g., \u003ccode\u003ec2.socops.net\u003c/code\u003e, \u003ccode\u003eonev.online\u003c/code\u003e) to receive instructions and exfiltrate data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft (Lummack2):\u003c/strong\u003e The stealer collects credentials stored on the system or in web browsers, potentially using keylogging or form grabbing, and was observed communicating with \u003ccode\u003epolice-center.vg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Multiple):\u003c/strong\u003e Sensitive data, such as credentials, financial information, or personal data, is exfiltrated to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (APT_Sidewinder/APT_Kimsuky):\u003c/strong\u003e The attacker uses the compromised system to move laterally within the network, targeting other systems and data. 
APT_Sidewinder uses domains like \u003ccode\u003evisa.nadra.gov-pk.info\u003c/code\u003e, a look-alike of the Pakistani NADRA government domain, while APT_Kimsuky uses \u003ccode\u003enaver.liferod.com\u003c/code\u003e, which imitates the Korean portal Naver; both patterns point to credential phishing as much as to C2.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Multiple):\u003c/strong\u003e The attacker achieves their objectives, which may include financial gain (through fraud or extortion), intellectual property theft, or espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe identified IOCs represent a diverse range of threats with significant impact on organizations and individuals. Successful attacks can lead to financial losses through fraud, data breaches built on stolen credentials and personal information, and reputational damage. The targeting of macOS and Android devices widens the victim pool to both corporate and personal devices, including unmanaged ones. The involvement of APT groups like APT_Sidewinder and APT_Kimsuky suggests the potential for targeted attacks with significant impact on national security or critical infrastructure. 
A single successful infection can lead to widespread compromise within an organization\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the malicious domains listed in the IOC table at the DNS resolver and firewall to prevent communication with known C2 infrastructure; block the listed hostnames and their subdomains, not parent zones that legitimate users share.\u003c/li\u003e\n\u003cli\u003eImplement a network intrusion detection system (NIDS) rule to detect connections to the malicious domains and URLs (IOCs) and so identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules that accompany this brief to your SIEM and tune them for your environment to detect suspicious process execution and network connections.\u003c/li\u003e\n\u003cli\u003eInvestigate systems communicating with any of the listed IOCs (domains/URLs) for signs of malware infection or unauthorized access, and search resolver and proxy history backwards, since a block only stops future beacons.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T21:00:08Z","date_published":"2026-03-15T21:00:08Z","id":"/briefs/2026-03-maltrail-iocs/","summary":"This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.","title":"Maltrail IOC Feed Update for Multiple Threats","url":"https://feed.craftedsignal.io/briefs/2026-03-maltrail-iocs/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["maltrail","threat-intelligence","apt","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief is based on an IOC feed from Maltrail, dated February 27, 2026, which aggregates indicators related to various threat actors and malware campaigns. The tracked actors and malware families include APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp. 
The IOCs primarily consist of domains and IP addresses associated with these groups\u0026rsquo; network infrastructure and malware distribution. The campaigns likely target a wide range of victims across multiple sectors and use diverse techniques spanning initial access, command and control, and potentially data exfiltration or deployment of further payloads. The data indicates ongoing activity that warrants proactive monitoring and detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An unsuspecting user visits a compromised website or interacts with a malicious advertisement, leading to the download of a malware loader such as those associated with SmokeLoader or FakeApp.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Installation:\u003c/strong\u003e The loader executes on the victim\u0026rsquo;s system, establishes persistence, and prepares the environment for follow-on payloads, typically by creating scheduled tasks or registry auto-start entries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication:\u003c/strong\u003e The malware establishes communication with a command-and-control server, using domains such as \u003ccode\u003edax.estate\u003c/code\u003e (SmokeLoader) or \u003ccode\u003eresistantmusic.shop\u003c/code\u003e (PowerShell Injector) to receive instructions and transmit data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePowerShell Injection:\u003c/strong\u003e The PowerShell Injector uses several techniques to inject code into running processes so that it runs under a legitimate process name and survives on the host; PowerShell script block logging and Sysmon CreateRemoteThread (event 8) and ProcessAccess (event 10) telemetry are the usual places this shows up. 
Domains such as \u003ccode\u003eapostile.zapto.org\u003c/code\u003e and \u003ccode\u003egoogletranslate.zapto.org\u003c/code\u003e may resolve to infrastructure used to control compromised hosts; both are hostnames under the public zapto.org dynamic-DNS zone, so block the hostnames rather than the parent and expect the addresses behind them to change.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attackers use compromised systems to move laterally within the network, typically with stolen credentials or by exploiting vulnerabilities on additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Sensitive data is collected from compromised systems and exfiltrated to attacker-controlled servers, potentially using domains such as \u003ccode\u003eashersoftlib.com\u003c/code\u003e (APT_Bitter) for staging or exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAndroid Exploitation:\u003c/strong\u003e In the case of Android_Joker, malicious applications distributed through unofficial channels or app stores communicate with \u003ccode\u003epetitle.cloud\u003c/code\u003e for command and control, leading to data theft or installation of further malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinal Objective:\u003c/strong\u003e The objective varies by actor and target, from espionage and data theft (APT_UNC2465, APT_Bitter, and Lazarus Group, which also steals for revenue) to financial gain (Android_Joker) or broad malware distribution (SmokeLoader, FakeApp, PowerShell Injector).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can be used for data theft, financial fraud, and further propagation of malware. Victims may experience data breaches, financial losses, and reputational damage. The range of threat actors involved means that many sectors and organizations are at risk. 
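\u003c/p\u003e\n\u003cp\u003eAs an added example (not from the brief and not Maltrail\u0026rsquo;s own code), the Python below matches DNS resolver query logs against the domain IOCs quoted in this brief and in the March 15 brief above, which is the resolver-level check both sets of recommendations call for. The log lines, the client addresses and the family labels on the two C2 domains the March brief leaves unattributed are constructed for illustration; the domains themselves are the ones the two briefs quote. Matching is label-wise, so a subdomain of an IOC host matches but a hostname that merely ends in the same characters does not.\u003c/p\u003e\n
```python
# Added example, not the brief's or Maltrail's code: match DNS query logs
# against the domain IOCs quoted in the two Maltrail briefs on this page.
# The log format, client addresses and the 'C2 (unattributed)' labels are
# constructed for illustration.

IOC_DOMAINS = {
    # February 27 brief
    'dax.estate': 'SmokeLoader',
    'resistantmusic.shop': 'PowerShell Injector',
    'apostile.zapto.org': 'PowerShell Injector',
    'googletranslate.zapto.org': 'PowerShell Injector',
    'ashersoftlib.com': 'APT_Bitter',
    'petitle.cloud': 'Android_Joker',
    # March 15 brief
    'appsformacs.com': 'OSX_Atomic/FakeApp download site',
    'torrents4mac.com': 'OSX_Atomic/FakeApp download site',
    'adhushapp-razvd.com': 'FakeApp',
    'c2.socops.net': 'C2 (unattributed)',
    'onev.online': 'C2 (unattributed)',
    'police-center.vg': 'Lummack2',
    'visa.nadra.gov-pk.info': 'APT_Sidewinder',
    'naver.liferod.com': 'APT_Kimsuky',
}

# Constructed resolver log lines; the qname variants exercise normalization
# (trailing root dot, upper case, subdomain, look-alike suffix, dyn-DNS parent).
SAMPLE_DNS_LOG = '''
2026-02-28T08:01:11Z client=10.0.5.21 qname=www.google.com. qtype=A
2026-02-28T08:01:15Z client=10.0.5.21 qname=dax.estate. qtype=A
2026-02-28T08:02:40Z client=10.0.7.3 qname=cdn.resistantmusic.shop qtype=A
2026-02-28T08:03:02Z client=10.0.7.3 qname=notdax.estate qtype=A
2026-02-28T08:05:19Z client=10.0.9.14 qname=NAVER.LIFEROD.COM qtype=A
2026-02-28T08:06:00Z client=10.0.9.14 qname=other.zapto.org qtype=A
'''


def normalize(name):
    '''Lower-case a query name and drop the trailing root dot.'''
    return name.strip().lower().rstrip('.')


def match_ioc(qname):
    '''Return (ioc_domain, family) if qname is an IOC domain or a subdomain
    of one, else None. The walk is label-wise, so notdax.estate does not hit
    dax.estate and other.zapto.org does not hit the listed zapto.org hosts.'''
    labels = normalize(qname).split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None


def scan_dns_log(log_text):
    '''Return one (client, qname, ioc_domain, family) tuple per matching query.'''
    hits = []
    for line in log_text.splitlines():
        fields = dict(f.split('=', 1) for f in line.split()[1:] if '=' in f)
        if 'qname' not in fields or 'client' not in fields:
            continue
        found = match_ioc(fields['qname'])
        if found:
            hits.append((fields['client'], normalize(fields['qname'])) + found)
    return hits


def hosts_to_investigate(hits):
    '''Distinct internal clients that queried an IOC: the investigation list.'''
    return sorted({client for client, _, _, _ in hits})


if __name__ == '__main__':
    found_hits = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in found_hits:
        print(hit)
    print('investigate:', hosts_to_investigate(found_hits))
```
\n\u003cp\u003eTwo of the indicators are hostnames under zapto.org, a public dynamic-DNS zone: the matcher therefore keys on the full hostnames, and a resolver block list should do the same rather than block the parent. The same label-wise walk is what a response-policy zone does for you if your resolver supports one.\u003c/p\u003e\n\u003cp\u003e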
If successful, these attacks can lead to significant financial losses and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the identified malicious domains and IP addresses at the network perimeter to prevent communication with command-and-control servers; re-resolve dynamic-DNS hostnames periodically, since IP-based blocks on them age quickly (IOC table).\u003c/li\u003e\n\u003cli\u003eImplement a web proxy filter to block access to URLs associated with malware downloads and phishing campaigns (IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the malicious domains and IP addresses associated with APT_Bitter, PowerShell Injector, SmokeLoader, and FakeApp (IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects network connections to PowerShell Injector infrastructure, tuned for your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects network connections to FakeApp infrastructure, adjusted as needed for your environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any systems that exhibit suspicious network activity or have been identified as compromised based on the IOCs provided (IOC table).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T23:00:14Z","date_published":"2026-02-27T23:00:14Z","id":"/briefs/2026-02-maltrail-iocs/","summary":"This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors and malware families including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.","title":"CraftedSignal Threat Feed — 
Apt","version":"https://jsonfeed.org/version/1.1"}