Threat Overview
AlienVault has recently published a threat report highlighting the activities of a nation-state actor known as Secret Blizzard. This actor group, associated with Russia, has been observed using tools and infrastructure from other malicious actors to compromise targets in Ukraine.
Background
Between March and April 2024, Secret Blizzard used the Amadey bot malware, which is normally associated with cybercriminal activity, to deploy its own tools. Earlier, in January 2024, Secret Blizzard leveraged a backdoor from Storm-1837 to install its malware.
Scope
The attack was conducted against Ukrainian military targets and involved multiple attack vectors, including strategic web compromises, adversary-in-the-middle campaigns, and spear-phishing for initial access.
Tactics, Techniques, and Procedures (TTPs)
Secret Blizzard’s approach to attacking targets is diverse and innovative. The actor employs various techniques including:
Strategic Web Compromises: Targeting websites and domains belonging to Ukrainian military institutions.
Adversary-in-the-Middle: Intercepting communications between servers, devices, or networks.
Access Vector
Secret Blizzard used the Amadey bot malware, which is associated with cybercriminal activity, to deploy its own tools. Additionally, in January 2024, Secret Blizzard leveraged a backdoor from Storm-1837 to install its malware.
Prior exploitation techniques used by the actor include:
Amadey Bot Malware: The Amadey bot, which is otherwise associated with cybercriminal activity, was repurposed to deploy Secret Blizzard's payloads, giving the actor a ready-made foothold on already compromised hosts.
Tools and Infrastructure Used
Secret Blizzard has used tools and infrastructure from other threat actors, including:
Tavdig and KazuarV2 Backdoors: The Tavdig and KazuarV2 backdoors were employed by the actor to deploy its custom malware on Ukrainian military devices.
Techniques Exploited for Execution of Attacks
The actor relies on various techniques such as spear-phishing to gain initial access.
Nigerian scams and spoofing attacks are frequently used by cyber attackers, including adversary groups that want to infiltrate networks remotely without revealing their intent. Both can be used to trick users into divulging sensitive information.
Spear phishing is often used by adversary groups to bypass security defenses. This technique is employed to trick users into divulging sensitive information which helps to execute further attacks and exploits.
An actor's tactics, techniques, and procedures (TTPs) describe how it achieves the goals of a given attack vector, which is why they are the most useful thing for a defender to understand.
Protecting yourself against such sophisticated attack methods can seem daunting; however, it is essential not to be caught off guard.
The consequences range from data theft and loss, through the exploitation of sensitive information, to the complete takeover of network systems.
A successful breach of a major organization's systems can yield large financial gains for the attackers, and for whoever employs them, if the stolen data is sold on the black market.
Initial Access
Spear-phishing lures are effective because attackers know exactly which companies use the most popular software, and they build their targeted attacks around those platforms.
Recommendations
Based on the threat report, several recommendations can be made for improving cybersecurity posture:
Monitor activity from known adversary groups, such as Storm-1837.
Implementing robust security controls and protocols helps protect an organization's sensitive assets against these advanced threats. Regularly updating software packages is also recommended, as it shortens the window in which zero-day and newly disclosed vulnerabilities and bugs can be exploited.
Regular maintenance and monitoring can identify vulnerabilities. An organization should also have multiple layers of protection against the threat vectors it faces; firewalls and intrusion detection systems are two examples.
Cybersecurity Tips:
One of the most effective methods of preventing cyber security threats is to implement robust security measures such as multi-factor authentication, two-factor login, firewalls and more.
Cyber Security Awareness Month is recognized internationally as an occasion to strengthen the measures that protect sensitive data, the kind of data that could give competitors an advantage if it were stolen.
Hackers Use Microsoft Management Console to Deliver Malicious Payloads
As outlined in a recent threat report, hackers have been exploiting the Microsoft Management Console (MMC) to deliver backdoor payloads on Windows systems. This sophisticated campaign employs advanced obfuscation techniques and Microsoft Common Console Document (MSC) files to evade detection.
The attackers, believed to be nation-state actors, use the MMC to drop a stealthy backdoor payload that allows them to maintain persistent access to compromised systems. The malicious activity is said to target organizations in various industries, including government agencies, financial institutions, and technology companies.
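The report above (and the Water Gamayun MMC report further down this page) describes mmc.exe being used to run attacker-supplied console documents. The following is an added example, not code from the ESSGroup post or from either underlying report: a defender-side heuristic over process-creation telemetry that flags two patterns consistent with that abuse, mmc.exe opening a .msc file from a user-writable directory, and mmc.exe spawning a command or script interpreter. The event schema, field names, directory hints and sample records are all constructed for the example and should be mapped onto your own EDR or Sysmon data before use.

```python
"""
Constructed process-creation heuristic for MSC-file abuse (added example,
not the report's own detection logic). The record layout mirrors the fields a
Sysmon Event ID 1 / EDR process event usually carries, but the names are ours.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Path fragments that mark locations a user (or a phishing payload) can write to.
# A console file launched from here is unusual for an administrative workflow.
USER_WRITABLE_HINTS = (r"\\downloads\\", r"\\appdata\\", r"\\temp\\",
                       r"\\public\\", r"\\desktop\\")

# Interpreters that a management console rarely needs to launch as children.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed schema)."""
    image: str          # full path of the newly created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_msc_path(command_line: str) -> str | None:
    """Return the .msc argument in an mmc.exe command line, quoted or not."""
    m = re.search(r'"([^"]+\.msc)"|(\S+\.msc)\b', command_line, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the names of the heuristics this event matches (empty if none)."""
    hits: list[str] = []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)

    # Heuristic 1: the console itself was started on a .msc from a user-writable path.
    if image == "mmc.exe":
        msc = find_msc_path(ev.command_line)
        if msc and any(re.search(h, msc, re.IGNORECASE) for h in USER_WRITABLE_HINTS):
            hits.append("mmc_opened_msc_from_user_writable_path")

    # Heuristic 2: the console spawned an interpreter, which is how an embedded
    # task in a malicious console document would typically run a payload.
    if parent == "mmc.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("mmc_spawned_interpreter")
    return hits


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only events that matched at least one heuristic."""
    return [(ev, hits) for ev in events if (hits := score_event(ev))]


# Constructed sample telemetry: one benign console launch, one launch from a
# Downloads folder, one interpreter spawned by mmc.exe, and an unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mmc.exe",
                 r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\mmc.exe",
                 r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile",
                 r"C:\Windows\System32\mmc.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{_basename(ev.image)} (parent {_basename(ev.parent_image)}): {', '.join(hits)}")
```

Both heuristics are deliberately narrow so that the ordinary use of built-in consoles such as services.msc from System32 produces no alert; in practice you would tune the directory hints and the child-process set against a baseline of your own administrators' activity before enabling the rule.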
The hackers responsible for this campaign have demonstrated expertise in evasive techniques and persistence.
Their tactics include:
The attackers have leveraged various tools and infrastructure, including:
Some notable characteristics of this campaign include:
To mitigate the risks associated with this campaign, organizations can take the following measures:
The tactics employed by this actor group highlight the need for organizations to remain vigilant against emerging threats. It is essential to stay up-to-date with the latest threat reports, maintain robust security controls, and prioritize employee education and awareness.
Resources:
In January 2025, the eSentire Threat Response Unit (TRU) identified a sophisticated cyber espionage campaign orchestrated by the EarthKapre/RedCurl Advanced Persistent Threat (APT) group. This report delves into the intricate stages and techniques employed by this highly advanced threat actor, providing a comprehensive analysis of their tactics, techniques, and procedures (TTPs).
EarthKapre, also known as RedCurl, is renowned for its sophisticated operations primarily targeting private-sector organizations with a focus on corporate espionage. The group’s latest attack targeted an organization within the Law Firms & Legal Services industry, highlighting their strategic selection of high-value targets.
The attack vector involved the use of a legitimate Adobe executable (ADNotificationManager.exe) to sideload the EarthKapre/RedCurl loader. This method demonstrates the group’s ability to leverage trusted software to bypass security measures and gain initial access to the target network. The sideloading technique is particularly insidious because it exploits the trust users have in legitimate applications, making detection and prevention more challenging.
The EarthKapre/RedCurl APT group employs a multi-stage attack process that includes several sophisticated techniques:
Lateral Movement: After gaining a foothold, the attackers move laterally within the network to identify high-value targets and sensitive data. They use techniques such as pass-the-hash, pass-the-ticket, and the Remote Desktop Protocol (RDP) to navigate through the network undetected.
Data Exfiltration: The final stage involves exfiltrating the stolen data to a command-and-control server controlled by the attackers. This data is then analyzed for valuable information that can be used for corporate espionage or other malicious activities.
The EarthKapre/RedCurl APT group’s tactics highlight the need for robust cybersecurity measures. Organizations must implement comprehensive security strategies to protect against such advanced threats. Here are some recommendations:
Employee Training: Provide ongoing training to employees on recognizing phishing attempts and other social engineering tactics. Human error is often the weakest link in cybersecurity, so educating staff can significantly reduce the risk of successful attacks.
Advanced Threat Detection: Deploy advanced threat detection tools that use machine learning and artificial intelligence to identify anomalous behavior indicative of an APT attack.
Network Segmentation: Implement network segmentation to limit lateral movement within the network. By isolating critical systems, organizations can contain potential breaches and prevent attackers from accessing sensitive data.
Incident Response Plan: Develop and regularly update an incident response plan to ensure a swift and effective response in case of a security breach. This includes having a dedicated team ready to handle incidents and minimize damage.
Regular Software Updates: Ensure that all software, including legitimate applications such as Adobe executables, is kept up to date with the latest security patches. This reduces the risk of exploitation through known vulnerabilities.
Multi-Factor Authentication (MFA): Implement MFA for all critical systems and user accounts to add an extra layer of security. Even if credentials are compromised, MFA can prevent unauthorized access.
The EarthKapre/RedCurl APT group’s attack on a Law Firms & Legal Services organization underscores the importance of vigilance in cybersecurity. By understanding their TTPs and implementing robust security measures, organizations can better protect themselves against such sophisticated threats. For more detailed information, please refer to the external references provided:
https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt
https://otx.alienvault.com/pulse/67b33e146f62a1c90b35ee00
This report provides a comprehensive overview of the EarthKapre/RedCurl APT group’s activities and offers actionable recommendations for enhancing cybersecurity defenses. By staying informed and proactive, organizations can mitigate the risks posed by advanced threat actors like EarthKapre/RedCurl.
Threat Overview
A new threat report published by CyberHunter_NL on March 27, 2025, highlights a significant cyber threat involving the Russian threat actor group known as Water Gamayun. This group has been identified exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console (MMC). The exploitation of this vulnerability allows attackers to execute malicious code and exfiltrate sensitive data from targeted systems.
The report, titled CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin, provides an in-depth analysis of the tactics, techniques, and procedures (TTPs) employed by Water Gamayun. The threat actor leverages a malicious tool known as MSC EvilTwin to exploit the vulnerability in MMC, which is commonly used for system administration tasks.
Water Gamayun has been active for several years, primarily targeting organizations within critical infrastructure sectors such as energy, healthcare, and finance. This group is known for its sophisticated cyber espionage activities and has a history of using advanced persistent threat (APT) techniques to maintain long-term access to compromised networks.
The exploitation of CVE-2025-26633 involves several stages:
The report provides detailed technical analysis of MSC EvilTwin, including its functionality, communication methods with C&C servers, and evasion techniques used to avoid detection by security tools. The analysis also includes indicators of compromise (IOCs), such as file hashes, IP addresses, and domain names associated with the malware.
Recommendations for Mitigation
To protect against this threat, organizations should consider implementing the following recommendations:
External References
For additional information on this threat, refer to the following external references:
Conclusion
The threat posed by Water Gamayun exploiting CVE-2025-26633 is significant and requires immediate attention from security operations centers (SOCs). By understanding the TTPs employed by this group and implementing the recommended mitigation strategies, organizations can enhance their defenses against these sophisticated cyber threats. Regular updates on emerging threats and continuous monitoring are essential to maintain a strong security posture in today’s evolving threat landscape.