LAB52, the intelligence team at S2 Grupo, has identified a new backdoor for Outlook attributed to the persistent threat group APT28, which is linked to the Russian intelligence service and has compromised multiple companies from various sectors in NATO member countries. The artefact, dubbed NotDoor due to the use of the word ‘Nothing’ within the […]
DeedRAT Backdoor Enhanced by Chinese APTs with Advanced Capabilities
LAB52, the intelligence team at S2 Group, has uncovered a new phishing campaign deploying DeedRAT—a modular backdoor attributed to Chinese threat actors—through adversary tracking efforts. The campaign leverages the legitimate signed binary MambaSafeModeUI.exe, part of the VIPRE Antivirus Premium software, which is vulnerable to DLL side-loading. This technique allows the attackers to load the DeedRAT […]
New book NOW available: Cyber GRU. Russian military intelligence in cyberspace
Finally, CYBER GRU: Russian military intelligence in cyberspace, the new book that I announced some days ago, was published last Friday, July 4th. In the previous post, the structure of the book was presented, together with its table of contents. Both the editor and the printer have worked quickly, and it is ready earlier than […]
Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations
The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphishing emails offering oil products. These emails will contain a zipped attachment that […]
CYBER GRU: Russian military intelligence in cyberspace
I am excited to share that today I sent a new book to the printer titled CYBER GRU: Russian military intelligence in cyberspace. As this title states, it is a book where I delve into the GRU in cyberspace, ended in May and that, after some retouches and a foreword, is being printed to arrive […]
Some thoughts about Laundry Bear
Today, Dutch intelligence (AIVD and MIVD) and Microsoft have published two reports unveiling a potential new Russian threat actor: Laundry Bear, or Void Blizzard. This actor was discovered through a recent compromise of the Dutch Police, and it has been targeting Western organizations since at least 2024, including armed forces, government organizations and defense contractors, […]