CryptoCore Group

A Threat Actor Targeting Cryptocurrency Exchanges In this research, we present a hidden and persistent group, that has been targeting crypto-exchanges, mainly in the US and Japan since as early as 2018. The actor has successfully stolen millions’ worth of cryptocoins. We named it as “CryptoCore” (or “Crypto-gang”), aka “Dangerous Password”, “Leery Turtle”. The CryptoCore […]

Read More

PowDesk: PowerShell Script for LANDesk Management Agent Hosts

PowDesk is a simple PowerShell-based script for hosts that run LANDesk Management Agent. This script is compatible with both 32-bit and 64-bit systems and exfiltrates the computer’s name through a PHP page stored at a certain domain name. After analyzing the script behavior, we assess that potential attackers might create a whitelist of companies that […]

Read More

The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers

In 2019 ClearSky Cyber Security observed a sharp increase in Charming Kitten attacks, after an absence of a few months and after 2019 Microsoft official complaint against the group for “establishing an internet-based cybertheft operation referred to as ‘Phosphorus’“. Read the full report: The Kittens Are Back in Town Charming Kitten – Campaign Against Academic […]

Read More

2019 H1 Cyber Events Summary Report

We are happy to present our half-year report summarizing cyber events for the first half of 2019. This report provides an in-depth review of significant trends, as well as major attack events in the cyber landscape – a combined effort of our intelligence research, threat-hunting and analyst teams. Read the full report: 2019 H1 Cyber […]

Read More

Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal

In recent months, there has been considerable unrest in the Iranian cybersphere. Highly sensitive data about Iranian APT groups were leaked, exposing abilities, strategies, and attack tools. The main medium for this leak was a telegram channel. The first leak uncovered attack frameworks and web shells of APT-34 (Known as OilRig group). This was followed […]

Read More

Iranian Nation-State APT Groups – “Rana Institute” Leak

Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope […]

Read More

Year of the Dragon – Summary report of cyber events for 2018

We are happy to present our yearly summary report of cyber events for 2018. This report is a combined effort of our intelligence research, threat-hunting and analyst teams. One of the biggest challenges in cyber space is the overwhelming, and at times contradicting amount of data we are confronted with on a daily basis. As […]

Read More

MuddyWater Operations in Lebanon and Oman

Abstract MuddyWater is an Iranian high-profile threat actor that’s been seen active since 2017. The group is known for espionage campaigns in the Middle East. Over the past year, we’ve seen the group extensively targeting a wide gamut of entities in various sectors, including Governments, Academy, Crypto-Currency, Telecommunications and the Oil sectors. MuddyWater has recently […]

Read More

Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets

Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, […]

Read More

Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus

CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2]. In this report, Trend Micro and ClearSky expose […]

Read More