An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto. The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Since November 2014, the Golden Rat Organization (named APT-C-27 by 360, different to APT-27 from Mandiant) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform. So far, we have captured 29 Android platform attack samples, 55 Windows platform attack samples, and 9 C&C domain names.

On July 18, in an officially released routine patch update, Oracle fixed CVE-2018-2893, an Oracle WebLogic Server remote code execution vulnerability. Three days later, at 2018-07-21 11:24:31 GMT+8, we noticed that a malicious campaign that we have been tracking for a long time start to exploit this vulnerability to spread itself. This campaign has been using luoxkexp[.]com as main C2, and we named it luoxk.

A backdoor was introduced on eslint-scope (version 3.7.2) upon which ESLint depends. It seems that the goal of this hack was to leak NPM tokens. We advise you to take the following actions as soon as possible: Revoke all your NPM tokens at once Enable 2FA on your NPM account for all scopes Audit the NPM packages you own to ensure nobody published new versions without you knowing If you are running a private registry or a mirror, delete this package Ensure you don’t have eslint-scope version 3.7.2 on your computers

The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.


Smoke Loader is primarily used as a downloader to drop and execute additional malware like ransomware or cryptocurrency miners. Actors using Smoke Loader botnets have posted on malware forums attempting to sell third-party payload installs. This sample of Smoke Loader did not transfer any additional executables, suggesting that it may not be as popular as it once was, or it’s only being used for private purposes.

On June 27th, Ticketmaster, a ticket sales and distribution company, made public they had been compromised and that hackers stole customer information. However, we discovered that this was not a one-off event as initially reported, but part of a massive digital credit card-skimming campaign by the threat group Magecart affecting over 800 e-commerce sites around the world. The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.

HTTP File Server, commonly abbreviated as HFS, is a free and simple means to send and receive files across the Internet. This also makes the software a popular choice among malicious actors for hosting and distributing malware and exploits, and an interesting target for malware researchers. An investigation into an HFS instance hosting an exploit for CVE-2018-8174 led to the discovery of an interesting threat actor and their infrastructure, the continued use of the Gh0st RAT malware, and many common attributes we can use to help us identify this malicious activity in the wild.


Two weeks ago, FortiGuard Labs spotted a malicious document with the politically themed file name “Draft PH-US Dialogue on Cyber Security.doc”. This document takes advantage of the vulnerability CVE-2017-11882. Upon successful exploitation, it drops a malware in the victim’s %temp% directory. Our analysis of this malware shows that it belongs to Hussarini, also known as Sarhust, a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014.

FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.