Cyber Security News

Poison Ivy APT Launches Continuous Cyber Attack on Defense, Gov, Tech & Edu Sectors

Researchers uncovered the resurgence of APT-C-01, also known as the Poison Ivy group, an advanced persistent threat organization notorious for its sustained cyber attacks.

This group has been actively targeting sectors such as defense, government, technology, and education since 2007, utilizing sophisticated phishing techniques including watering hole phishing and spear phishing.

Recent threat-hunting activities have revealed an uptick in Poison Ivy’s operations. Investigators have discovered the group mimicking official websites to create convincing phishing pages.

Upon visiting these sites, victims unknowingly trigger the automatic download of malicious payloads designed to deploy the Sliver Remote Access Trojan (RAT).

This malware facilitates unauthorized access, allowing the attackers to steal sensitive information and conduct remote operations.


Attack Analysis

Poison Ivy’s modus operandi involves creating near-identical copies of legitimate websites. Upon accessing these spoofed sites, the target automatically downloads a malicious loader, disguised with a PDF icon to avoid suspicion.

This loader is a heavily obfuscated .NET compiled Portable Executable (PE) file, configured to decrypt an initial URL along with a specific AES key and initialization vector.

It subsequently downloads, decrypts, and executes shellcode that loads the final Sliver RAT component.

Security analysts have isolated and scrutinized several samples of this loader. A notable sample, disguised as “auto-download.zip,” measures 119.50 KB and has an MD5 hash of 61c42751f6bb4efafec524be23055fba.

Upon execution, this file decrypts a specially encrypted payload embedded within the shellcode, ultimately loading the Sliver RAT into memory.

Sliver is an open-source, cross-platform command-and-control (C2) framework written in Golang, capable of operating on Windows, Linux, and macOS.

Its features include file manipulation, process operations, privilege escalation, process injection, lateral movement, remote shell execution, and obfuscation of function names to evade detection.

The persistence of APT-C-01 and their adept use of deceptive phishing strategies underscore the importance of heightened cybersecurity awareness.

Organizations and individuals are urged to exercise caution with unfamiliar links and email attachments to prevent potential breaches of sensitive information.

Maintaining robust security practices is essential to defending against such sophisticated cyber threats.


Indicators of Compromise for SOC/DFIR Teams

MD5:

  • 61c42751f6bb4efafec524be23055fba
  • 3bd15b16a9595d20c0e185ab1fae738f
  • 7f0dba2db8c3fdd717d83bb693b3ade9
  • 88e306f4d6a33703316e794a9210f528
  • 3a74ed8d1163d1dbc516410d1b8081fa

C2:

  • 165.22.97[.]48
  • 158.247.208[.]174
  • 128.199.134[.]3
  • caac-cn[.]org
  • caac-cn[.]com
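For SOC/DFIR teams wanting to put the indicators above to work, the following is an added example (not code from the article or from the researchers it cites) that refangs the published `[.]` notation, checks file hashes against the listed MD5s, and scans log lines for the C2 addresses and domains, including subdomains of the listed ones. The log lines embedded in it are constructed samples, not real telemetry.

```python
"""Added example: match the article's Poison Ivy / Sliver IoCs against local
artifacts and logs. Hypothetical helper code, not from the article."""
import hashlib
import re
from typing import List, Optional, Tuple

# MD5 hashes exactly as published in the article's IoC list.
IOC_MD5 = {
    "61c42751f6bb4efafec524be23055fba",
    "3bd15b16a9595d20c0e185ab1fae738f",
    "7f0dba2db8c3fdd717d83bb693b3ade9",
    "88e306f4d6a33703316e794a9210f528",
    "3a74ed8d1163d1dbc516410d1b8081fa",
}

# C2 indicators as published (defanged with "[.]").
IOC_C2_DEFANGED = {
    "165.22.97[.]48",
    "158.247.208[.]174",
    "128.199.134[.]3",
    "caac-cn[.]org",
    "caac-cn[.]com",
}


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a literal dot."""
    return indicator.replace("[.]", ".").lower()


C2_SET = {refang(x) for x in IOC_C2_DEFANGED}


def is_known_md5(hexdigest: str) -> bool:
    """True when a hash (any case) is one of the published loader hashes."""
    return hexdigest.lower() in IOC_MD5


def file_matches(data: bytes) -> Optional[str]:
    """Hash file contents and return the MD5 if it is a listed sample."""
    digest = hashlib.md5(data).hexdigest()
    return digest if is_known_md5(digest) else None


# Candidate tokens: dotted-quad IPs or hostnames with a dot and an alpha TLD.
TOKEN_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I
)


def c2_hits_in_line(line: str) -> List[str]:
    """Return listed C2 indicators found in one log line.

    Hostnames are checked together with every parent domain, so a query for
    www.caac-cn.org is reported as a hit on caac-cn.org."""
    hits = []
    for token in TOKEN_RE.findall(line):
        parts = token.lower().rstrip(".").split(".")
        for i in range(len(parts) - 1):
            candidate = ".".join(parts[i:])
            if candidate in C2_SET:
                hits.append(candidate)
                break
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) pairs for every C2 match."""
    return [
        (n, hit)
        for n, line in enumerate(lines, 1)
        for hit in c2_hits_in_line(line)
    ]


# Constructed sample log lines (DNS and proxy style), not real telemetry.
SAMPLE_LOGS = [
    "2024-11-20T10:01:02Z dns query=www.caac-cn.org client=10.0.0.5",
    "2024-11-20T10:01:05Z proxy CONNECT 165.22.97.48:443 user=alice",
    "2024-11-20T10:02:11Z dns query=example.com client=10.0.0.7",
]

if __name__ == "__main__":
    for line_no, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: matched C2 indicator {indicator}")
    print("benign bytes match:", file_matches(b"not the loader"))
```

Feed `scan_logs` the lines of a DNS resolver or proxy log and `file_matches` the bytes of any suspicious download (for instance a ZIP or a PDF-iconed executable from a lookalike site); the parent-domain walk in `c2_hits_in_line` is what keeps the check useful when the actors use subdomains of the listed names.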
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
