APT trends report Q1 2024

For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.


This is our latest installment, focusing on activities that we observed during Q1 2024.


Readers who would like to learn more about our intelligence reports, or to request more information about a specific report, are encouraged to contact [email protected].


The most remarkable findings


The Gelsemium group performs server-side exploitation that effectively leads to a webshell, and uses various custom and public tools deployed with stealth techniques and technologies. The two main implants, SessionManager and OwlProxy, were first detected in 2022 in the aftermath of the ProxyLogon-type exploitation of Exchange servers. Our latest investigation was prompted by the discovery of suspicious activity on a server located in Palestine in mid-November 2023, with traces of a previous breach attempt on October 12, 2023. The payloads were served in a distinctive way: disguised as font files, in compressed and encrypted form. This characteristic led us to highly similar incidents in Tajikistan and Kyrgyzstan.


Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007. However, the last operations conducted by this threat actor were observed in 2013. Since then, no information about Careto’s activity has been published. Recent threat hunting enabled us to gain an insight in ..
