The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns aimed at Colombian institutions and government entities since November 2024.
“The monitored campaigns are aimed at –” Check Point noted in a new analysis.
“More than 1,600 victims were affected during one of these campaigns, which took place around December 19, 2024. This infection rate is significant, given the group's targeted APT approach.”
Blind Eagle, active since at least 2018, is also tracked as AguilaCiega, APT-C-36 and APT-Q-98. It is known for its hyper-specific targeting of entities in South America, in particular Colombia and Ecuador.
The attack chains orchestrated by the threat actor entail the use of social engineering tactics, often in the form of spear-phishing emails, to gain initial access to target systems and ultimately drop readily available trojans such as AsyncRAT, NjRAT, Quasar RAT and Remcos RAT.
The latest set of intrusions is notable for three reasons: the use of a variant of an exploit for a now-patched Microsoft Windows flaw (CVE-2024-43451), the use of HeartCrypt, and the distribution of payloads through Bitbucket and GitHub, going beyond Google Drive and Dropbox.
Specifically, HeartCrypt is used to protect the malicious executable, a PureCrypter variant that is then responsible for launching the Remcos RAT payload hosted on a Bitbucket or GitHub repository.
CVE-2024-43451 refers to an NTLMv2 hash disclosure vulnerability that was patched by Microsoft in November 2024. Blind Eagle, per Check Point, incorporated a variant of this exploit into its attack arsenal a few days after the patch was released, causing unsuspecting victims to advance the infection when a malicious .url file is distributed via phishing emails.
“While this variant does not actually expose the NTLMv2 hash, it reports that the file was downloaded, through the same unusual user interactions,” the cybersecurity company said.
“On devices vulnerable to CVE-2024-43451, the WebDAV request is triggered even before the user manually interacts with the file, with the same unusual behavior. Meanwhile, on both patched and unpatched systems, clicking the malicious .url file.”
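The behavior described above depends on a .url file that makes Windows reach out to a remote host. The following triage script is an added example, not code from Check Point or the article: it parses Internet Shortcut (.url) text and flags any URL, IconFile or WorkingDirectory field that references a remote share or server, which is the property a mail gateway or EDR rule can quarantine on regardless of patch state. The sample files and the 192.0.2.10 host are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# .url (Internet Shortcut) keys that hold a path or URL Windows may resolve on the user's behalf.
PATH_KEYS = ("url", "iconfile", "workingdirectory")

def remote_host(key: str, value: str):
    """Return the remote host a field points at, or None if the reference is local or an ordinary web link."""
    v = value.strip().strip('"')
    if v.startswith(("\\\\", "//")):
        # UNC path such as \\host\share\icon.ico: the first component is the host (reached over SMB or WebDAV).
        return re.split(r"[\\/]+", v.strip("\\/"), maxsplit=1)[0].lower() or None
    parsed = urlparse(v)
    if not parsed.netloc:
        return None  # local drive path (C:\...) or file:///... with no host
    if parsed.scheme == "file":
        return parsed.netloc.lower()  # file://host/... is fetched from a remote share
    if key != "url" and parsed.scheme in ("http", "https"):
        return parsed.netloc.lower()  # an icon or working directory served from a web/WebDAV host
    return None  # a plain http(s) bookmark target is the normal use of a .url file

def triage_url_file(text: str) -> dict:
    """Parse the (already decoded) text of a .url file and list every field that references a remote host."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation; tolerate duplicate keys
    cp.read_string(text)  # configparser lower-cases keys, so URL/Url/url all match PATH_KEYS
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in PATH_KEYS:
                host = remote_host(key, value)
                if host:
                    findings.append({"section": section, "key": key, "host": host, "value": value})
    return {"suspicious": bool(findings), "remote_refs": findings}

# Constructed samples (not files from the campaign): an ordinary bookmark, and a shortcut whose
# URL and icon both point at a remote share, the pattern a gateway or EDR rule should quarantine.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://192.0.2.10/share/document.pdf
IconFile=\\\\192.0.2.10\\share\\icon.ico
IconIndex=1
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, triage_url_file(sample))
```

Feed it the decoded contents of .url attachments from mail or endpoint telemetry; any hit on a file:// or UNC reference is worth blocking before the file ever reaches a user's download folder.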
Check Point noted that the “rapid response” serves to highlight the group's technical expertise and its ability to adapt and pursue new attack methods in the face of evolving security defenses.
Another clue to the threat actor's origin is the GitHub repository, which revealed that the threat actor operates in the UTC-5 time zone, aligning with several South American countries.
That's not all. In what appears to be an operational mistake, analysis of the repository's history revealed a file containing account-password pairs with 1,634 unique email addresses.
While the HTML file called “Ver Datos del Formulario.html” was removed from the repository on February 25, 2025, it contained details such as usernames, passwords, emails and ATM PINs associated with individuals, government bodies and educational institutions.
“A key factor in its success is its ability to use legitimate file-sharing platforms, including Google Drive, Dropbox, Bitbucket and GitHub, allowing it to bypass traditional security measures and distribute malware,” Check Point said.
“In addition, its use of underground crime-as-a-service tools such as Remcos RAT, HeartCrypt and PureCrypter reinforces its deep ties to the cybercriminal ecosystem, providing access to sophisticated evasion methods and persistence methods.”