Cloudflare warns of India-linked hackers targeting South and East Asian countries

By Admin, September 26, 2024

September 26, 2024 | Ravi Lakshmanan | Cloud Security / Cyber Espionage

An advanced threat actor with an Indian connection was observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).

Web infrastructure and security company Cloudflare tracks the activity under the name SloppyLemming, which is also called Weekend Tiger and Fishing Elephant.

“From late 2022 to the present, SloppyLemming regularly used Cloudflare Workers, likely as part of a broad espionage campaign targeting countries in South and East Asia,” Cloudflare said in the analysis.

SloppyLemming is believed to have been active since at least July 2021, with previous campaigns using malware such as the Ares RAT and WarHawk, the latter of which is also linked to a well-known hacking group called SideWinder. Use of the Ares RAT, on the other hand, has been linked to SideCopy, a threat actor likely of Pakistani origin.


SloppyLemming targets government, law enforcement, energy, education, telecommunications and technology organizations located in Pakistan, Sri Lanka, Bangladesh, China, Nepal and Indonesia.

The attack chains involve sending phishing emails that aim to trick recipients into clicking on a malicious link, creating a false sense of urgency by claiming they must complete a mandatory process within the next 24 hours.

Clicking on the URL takes the victim to a credential collection page, which then serves as a mechanism for the threat actor to gain unauthorized access to targeted email accounts within organizations of interest.

“The actor uses a custom-built tool called CloudPhish to create a malicious Cloudflare Worker to handle the credential registration logic and issue the victim’s credentials to the threat actor,” the company said.

Some SloppyLemming attacks used similar techniques to capture Google OAuth tokens, as well as booby-trapped RAR archives (“CamScanner 06-10-2024 15.29.rar”) that likely exploit a WinRAR flaw (CVE-2023-38831) to achieve remote code execution.

The RAR file contains an executable that, in addition to displaying a decoy document, stealthily loads “CRYPTSP.dll”, which serves as the loader for a remote access trojan hosted on Dropbox.

It is worth noting that cybersecurity company SEQRITE detailed a similar campaign last year in which SideCopy targeted the Indian government and defense sector to distribute the Ares RAT using ZIP archives named “DocScanner_AUG_2023.zip” and “DocScanner-Oct.zip”, which were designed to trigger the same vulnerability.

The third infection sequence used by SloppyLemming relies on phishing lures that redirect potential targets to a fake website impersonating the Punjab Information Technology Board (PITB) in Pakistan, after which they are redirected to another site that hosts an Internet shortcut (.URL) file.


The URL file comes with embedded code to download another file, an executable named PITB-JR5124.exe, from the same server. The binary is a legitimate file that is used to side-load a malicious DLL called profapi.dll, which then communicates with the Cloudflare Worker.

The company noted that these Cloudflare Worker URLs act as intermediaries, forwarding requests to the actual C2 domain used by the adversary (“aljazeerak(.)online”).
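Two defender-side checks that follow from the chains described above, written as an added example rather than code from the article or from Cloudflare's report: flag the impersonated DLL names (CRYPTSP.dll, profapi.dll) when they load from outside System32, and flag non-browser processes that talk to Cloudflare Workers. It assumes the DLLs are matched by filename only, that Workers are reached through the `*.workers.dev` domain, and that the log layouts, paths and hostnames below are constructed placeholders.

```python
import ntpath
from dataclasses import dataclass

# Assumptions (not from the article): DLLs matched by filename, Workers reached
# via *.workers.dev, log layouts invented. Both DLL names ship in System32, so a
# copy loaded from anywhere else is a sideloading candidate.
SIDELOAD_NAMES = {"cryptsp.dll", "profapi.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected to reach Workers


@dataclass(frozen=True)
class ImageLoad:
    process: str  # full path of the loading process
    image: str    # full path of the loaded DLL

def is_sideload(ev: ImageLoad) -> bool:
    """True when an impersonated DLL name is loaded from outside System32."""
    name = ntpath.basename(ev.image).lower()
    return name in SIDELOAD_NAMES and not ev.image.lower().startswith(TRUSTED_DIRS)

def parse_proxy_line(line: str) -> dict:
    """Parse a constructed 'key=value' proxy log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def worker_relay_candidates(lines):
    """Return (process, host) pairs for non-browser processes reaching *.workers.dev."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        host, proc = rec.get("host", "").lower(), rec.get("proc", "").lower()
        if host.endswith(".workers.dev") and proc not in BROWSERS:
            hits.append((rec["proc"], rec["host"]))
    return hits


# Constructed sample telemetry; paths and hostnames are placeholders.
IMAGE_LOADS = [
    ImageLoad(r"C:\Users\victim\Downloads\PITB-JR5124.exe", r"C:\Users\victim\Downloads\profapi.dll"),
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\profapi.dll"),  # benign
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\Rar$EXa0\doc.exe",
              r"C:\Users\victim\AppData\Local\Temp\Rar$EXa0\CRYPTSP.dll"),
]
PROXY_LOG = [
    "ts=2024-09-20T10:01:02Z proc=PITB-JR5124.exe host=placeholder-relay.workers.dev method=POST",
    "ts=2024-09-20T10:01:05Z proc=chrome.exe host=placeholder-site.workers.dev method=GET",
    "ts=2024-09-20T10:01:09Z proc=outlook.exe host=mail.example.com method=GET",
]
```

Run `[e.process for e in IMAGE_LOADS if is_sideload(e)]` and `worker_relay_candidates(PROXY_LOG)` to see the two sideloads and the single non-browser Worker contact surface while the benign System32 load and the browser traffic stay quiet.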

Cloudflare said it had “observed a concerted effort by SloppyLemming to attack Pakistan’s police departments and other law enforcement agencies,” adding that “there are indications that the actor has targeted organizations involved in the operation and maintenance of Pakistan’s only nuclear power facility.”

Some of the other targets of credential harvesting activities include government and military organizations in Sri Lanka and Bangladesh and, to a lesser extent, Chinese energy and academic organizations.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we publish.