lab52
The threat intelligence division of S2 Grupo


Black Industry: IRGC-Linked offensive OT framework

January 28, 2026

Actor Background and Tool Distribution

A new offensive OT framework has been identified and offered for sale on a platform accessible via the TOR network, promoted by the “APT IRAN” channel. The administrators have indicated that this is the most extensive industrial and military control network framework to date within the Black Industry (BI) ecosystem. […]

Dio

From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign

October 24, 2025

During August 2025, Lab52 gained access to artifacts linked to Lazarus through DreamJob campaigns. Some of these artifacts and their operational details were recently highlighted by ESET (e.g., radcui.dll, HideFirstLetter.dll). From our perspective, one of the most notable aspects of this campaign is the use of various types of loaders — components capable of deploying different […]

10ba

Analyzing NotDoor: Inside APT28’s Expanding Arsenal

September 03, 2025

LAB52, the intelligence team at S2 Grupo, has identified a new backdoor for Outlook attributed to the persistent threat group APT28, which is linked to the Russian intelligence service and has compromised multiple companies from various sectors in NATO member countries. The artefact, dubbed NotDoor due to the use of the word ‘Nothing’ within the […]

3722304989

DeedRAT Backdoor Enhanced by Chinese APTs with Advanced Capabilities

July 18, 2025

LAB52, the intelligence team at S2 Group, has uncovered a new phishing campaign deploying DeedRAT—a modular backdoor attributed to Chinese threat actors—through adversary tracking efforts. The campaign leverages the legitimate signed binary MambaSafeModeUI.exe, part of the VIPRE Antivirus Premium software, which is vulnerable to DLL side-loading. This technique allows the attackers to load the DeedRAT […]

3722304989

New book NOW available: Cyber GRU. Russian military intelligence in cyberspace

July 08, 2025

Finally, CYBER GRU: Russian military intelligence in cyberspace, the new book that I announced some days ago, was published last Friday, July 4th. In the previous post, the structure of the book was presented, together with its table of contents. Both the editor and the printer have worked quickly, and it is ready earlier than […]

BigBoss

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

June 27, 2025

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphishing emails offering oil products. These emails will contain a zipped attachment that […]

3722304989
