Researchers uncovered the resurgence of APT-C-01, also known as the Poison Ivy group, an advanced persistent threat organization notorious for its sustained cyber attacks.
This group has been actively targeting sectors such as defense, government, technology, and education since 2007, utilizing sophisticated phishing techniques including watering hole phishing and spear phishing.
Recent threat-hunting activities have revealed an uptick in Poison Ivy’s operations. Investigators have discovered the group mimicking official websites to create convincing phishing pages.
Upon visiting these sites, victims unknowingly trigger the automatic download of malicious payloads designed to deploy the Sliver Remote Access Trojan (RAT).
This malware facilitates unauthorized access, allowing the attackers to steal sensitive information and conduct remote operations.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Poison Ivy’s modus operandi involves creating near-identical copies of legitimate websites. Upon accessing these spoofed sites, the target automatically downloads a malicious loader, disguised with a PDF icon to avoid suspicion.
This loader is a heavily obfuscated .NET compiled Portable Executable (PE) file, configured to decrypt an initial URL along with a specific AES key and initialization vector.
It subsequently downloads, decrypts, and executes shellcode that loads the final Sliver RAT component.
Security analysts have isolated and scrutinized several samples of this loader. A notable sample, disguised as “auto-download.zip,” measures 119.50 KB and has an MD5 hash of 61c42751f6bb4efafec524be23055fba.
Upon execution, this file decrypts a specially encrypted payload embedded within the shellcode, ultimately loading the Sliver RAT into memory.
Sliver is an open-source, cross-platform command-and-control (C2) framework written in Golang, capable of operating on Windows, Linux, and macOS.
Its features include file manipulation, process operations, privilege escalation, process injection, lateral movement, remote shell execution, and obfuscation of function names to evade detection.
The persistence of APT-C-01 and their adept use of deceptive phishing strategies underscore the importance of heightened cybersecurity awareness.
Organizations and individuals are urged to exercise caution with unfamiliar links and email attachments to prevent potential breaches of sensitive information.
Maintaining robust security practices is essential to defending against such sophisticated cyber threats.
Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.
D5:
C2:
Cybersecurity researcher "0xdf" has cracked the "Ghost" challenge on Hack The Box (HTB), a premier…
Google has unveiled Sec-Gemini v1, an AI model designed to redefine cybersecurity operations by empowering…
The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…
Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…