New DEEP#GOSU campaign attributed to Springtail APT (aka Kimsuky)
March 20, 2024
A new malicious campaign dubbed DEEP#GOSU has been attributed to the Springtail APT (aka Kimsuky or Thallium). The attack chain leverages, among other components, .LNK files, embedded PowerShell code and VBScript stagers that lead to the download of payloads hosted on the Dropbox file repository. The final payload in the campaign is an infostealing malware with backdoor capabilities that supports clipboard monitoring, keylogging and data exfiltration.
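As an added triage example (not part of the Symantec bulletin and not Symantec's own detection logic), the following Python walks the string fields of a .LNK file using the public MS-SHLLINK layout and flags the traits of the chain described above: a shortcut that launches hidden or encoded PowerShell, hands off to a script stager, or names Dropbox as its payload host. The rule names, the regular expressions and the two sample shortcuts are constructed assumptions, not artefacts from the campaign.

```python
import re
import struct

# LinkFlags bits from the public MS-SHLLINK format (assumed; not from the bulletin)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]

# Triage rules mirroring the bulletin's chain: hidden/encoded PowerShell, a script stager, Dropbox hosting.
SUSPICIOUS = [
    ("hidden_or_encoded_powershell",
     re.compile(r"powershell.*?(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b)", re.I | re.S)),
    ("script_stager", re.compile(r"\b(wscript|cscript|mshta)\b|\.vbs\b", re.I)),
    ("dropbox_payload_host", re.compile(r"\bdropbox(usercontent)?\.com\b", re.I)),
]

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .LNK header and return its StringData fields (name, arguments, ...)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:            # each field: u16 char count, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return out

def triage_lnk(data: bytes) -> list:
    """Return the names of the rules matched by the shortcut's effective command line."""
    f = parse_lnk_strings(data)
    cmdline = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    return [name for name, rx in SUSPICIOUS if rx.search(cmdline)]

def build_lnk(rel_path: str, args: str) -> bytes:
    """Constructed minimal Unicode .LNK with only RELATIVE_PATH and ARGUMENTS (test fixture)."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, clsid, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))

# Constructed samples: a DEEP#GOSU-style shortcut with placeholder values, and a benign one.
SUSPECT = build_lnk(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "-WindowStyle Hidden -EncodedCommand UExBQ0VIT0xERVI= https://www.dropbox.com/s/EXAMPLE")
BENIGN = build_lnk(r"..\Windows\System32\notepad.exe", "readme.txt")
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their declared sizes before reading the string fields.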
Symantec protects you from this threat, identified by the following:
Adaptive-based
ACM.Ps-Http!g2
File-based
CL.Downloader!gen241
Scr.Mallnk!gen2
Scr.Mallnk!gen13
Trojan Horse
Trojan.Gen.NPE
WS.Malware.1
WS.SecurityRisk.4
Web-based
Observed domains/IPs are covered under security categories in all WebPulse-enabled products