ClearSky Cyber Security and SentinelLabs have discovered a new wave of Russian information warfare campaign named Doppelgänger NG. “Doppelgänger” (meaning spirit double, an exact but usually invisible replica) is a global information warfare campaign publishing false information on hundreds of fake websites and social media channels.Our research revealed that “Doppelgänger NG” is again fully operational […]
Read More“Homeland Justice” targets Albanian organizations with “No-justice” wiper
This blog post will elaborate on “Homeland justice” group’s background and provide an in-depth analysis of the tools used in the current attack, including reverse engineering of the NACL executable – dubbed “No-Justice Wiper” Read the Full report: No-Justice Wiper
Read MoreFata Morgana: Watering hole attack on shipping and logistics websites
ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The Infected sites collect preliminary user information through a script. We have […]
Read MoreLyceum suicide drone
ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group withmedium-high confidence.The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain. This indicates an attacker-controlled at least two IP’s on the […]
Read MoreEvilNominatus Ransomware
As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware that we associated with the EvilNominatus ransomware, initially exposed at the end of 2021. It seems that the ransomware’s developer is a young Iranian, who bragged […]
Read MoreNew Iranian Espionage Campaign By “Siamesekitten” – Lyceum
At the beginning of May 2021, we detected the first attack by Siamesekitten on an IT company in Israel. Siamesekitten (also named Lyceum/Hexane) is an Iranian APT group active in the Middle east and in Africa that is active in launching supply chain attacks. To this end Siamesekitten established a large infrastructure that enabled them […]
Read More‘Lebanese Cedar’ APT
In early 2020, suspicious network activities and hacking tools were found in a range of companies. Comprehensive forensic research of the infected systems revealed a strong connection to a threat actor we call ‘Lebanese Cedar’, ‘Lebanese Cedar’ APT has been operating since 2012. These operations were first discovered by Check-Point researchers and Kaspersky labs in 2015. […]
Read MoreThe Kittens Are Back in Town 3
During 2017-2019, Clearsky had published several reports about the Iranian APT group “Charming Kitten”. One of the group’s most common attack vectors is impersonating journalists, particularly those from the German “Deutsche Welle” broadcasting company and the “Jewish Journal” magazine. Starting July 2020, we have identified a new TTP of the group, impersonating “Deutsche Welle” and […]
Read MoreCryptoCore Group
A Threat Actor Targeting Cryptocurrency Exchanges In this research, we present a hidden and persistent group, that has been targeting crypto-exchanges, mainly in the US and Japan since as early as 2018. The actor has successfully stolen millions’ worth of cryptocoins. We named it as “CryptoCore” (or “Crypto-gang”), aka “Dangerous Password”, “Leery Turtle”. The CryptoCore […]
Read MoreFox Kitten – Widespread Iranian Espionage-Offensive Campaign
During the last quarter of 2019, ClearSky research team has uncovered a widespread Iranian offensive campaign which we call “Fox Kitten Campaign”; this campaign is being conducted in the last three years against dozens of companies and organizations in Israel and around the world. Read the full Report: Fox Kitten – Widespread Iranian Espionage-Offensive Campaign […]
Read More