A Chinese-speaking cybercrime group has expanded its targeting to the European space, deploying previously undocumented malware and the Atlas backdoor.
Tracked as TA4922, the threat actor is associated with financially motivated attacks aimed at breaching target networks for fraud, data theft, and the sale of access.
TA4922 has previously targeted organizations in East Asia, but recent campaigns have focused on entities in Germany, Italy, the United Kingdom, and South Africa.
Researchers at cybersecurity company Proofpoint note that TA4922 overlaps with activity previously reported as ‘Silver Fox’ and ‘Void Arachne’. However, the activity cluster is tracked separately because it is more consistent with cybercrime than with espionage.
Since March, TA4922’s activity has increased sharply, and since April, it has shown unprecedented operational diversity and high tempo.
“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives,” Proofpoint says in a report today.
“While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups.”
The attacker uses localized phishing lures crafted to appear as payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human resources communications.
The threat group also attempts to contact victims via WhatsApp, the LINE messenger, and Microsoft Teams.
German lure