lab52

The threat intelligence division of S2 Grupo


PlugX Meeting Invitation via MSBuild and GDATA

February 26, 2026

Following the analysis by IIJ-SECT of the latest PlugX RAT variant executed by STATICPLUGIN, LAB52 aims to complement that information with additional deployment activity and encryption characteristics observed in samples analyzed by this team. PlugX is a long-running Remote Access Trojan (RAT) that has been consistently linked to multiple China-aligned threat actors […]

10ba

Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure

February 13, 2026

Overview

LAB52 has been monitoring a campaign dubbed “Operation MacroMaze”, which, based on its characteristics, can be attributed to APT28, also known as Fancy Bear, Forest Blizzard or FROZENLAKE. The campaign has been active from at least late September 2025 through January 2026, targeting specific entities in Western and Central Europe. The campaign relies on […]

Dio

The GRU illegals

February 08, 2026

Illegals are intelligence officers operating abroad under false identities and nationalities, without the protection of diplomatic immunity. Posing as ordinary citizens of other countries, these officers maintain fake identities, spending years building normal lives while spying. Unlike officers under diplomatic cover, illegals have no diplomatic protection: if they are discovered, they go to prison. […]

BigBoss

Black Industry: IRGC-Linked offensive OT framework

January 28, 2026

Actor Background and Tool Distribution

A new offensive OT framework has been identified and offered for sale on a platform accessible via the Tor network, promoted by the “APT IRAN” channel. The administrators have indicated that this is the most extensive industrial and military control network framework to date within the Black Industry (BI) ecosystem. […]

Dio

From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign

October 24, 2025

During August 2025, Lab52 gained access to artifacts linked to Lazarus through DreamJob campaigns. Some of these artifacts and their operational details were recently highlighted by ESET (e.g., radcui.dll, HideFirstLetter.dll). From our perspective, one of the most notable aspects of this campaign is the use of various types of loaders, components capable of deploying different […]

10ba

Analyzing NotDoor: Inside APT28’s Expanding Arsenal

September 03, 2025

LAB52, the intelligence team at S2 Grupo, has identified a new Outlook backdoor attributed to the persistent threat group APT28, which is linked to Russian intelligence and has compromised multiple companies from various sectors in NATO member countries. The artefact, dubbed NotDoor due to the use of the word ‘Nothing’ within the […]

3722304989


Copyright © Lab52 2019 by S2 Grupo