Confucius Attacks: how ancient teachings turned into data theft in Asia

Carding 4 Carders

A group of hackers with extensive experience continues their attacks, bypassing the protection and attention of victims.

According to a report by Anheng, the Confucius group (APT59) is attacking government and military structures in South and East Asia. Recently, experts discovered a new campaign in which Confucius uses LNK files to distribute the River Stealer infostealer.

The attack starts with a ZIP file that disguises itself as a PDF. The archive contains an LNK file that executes a VBS script on the local machine at startup. The VBS script then checks whether Avast antivirus is installed on the computer and uses the result to choose the path for the follow-on malware. The script creates a hidden scheduled task that runs a DLL loader every 5 minutes. Once loaded, the DLL loader delivers the subsequent malicious files, which eventually steal files from the target computer.
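The persistence step above (a hidden scheduled task firing every 5 minutes and handing a DLL to a loader) is something a defender can hunt for in exported task definitions. The following is an added example, not code from the Anheng report or from the Confucius toolset: it scores a Task Scheduler XML export for a hidden flag, a short repetition interval, a rundll32/regsvr32 action, and a payload in a user-writable directory. The task XML below is constructed for the demonstration.

```python
"""Score Task Scheduler XML exports (schtasks /query /xml, Get-ScheduledTask)
for traits matching the hidden, every-5-minutes DLL-loader persistence
described above. SAMPLE is a constructed task, not a real indicator."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an unprivileged user can write to; a DLL loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)

def iso_minutes(interval):
    """Convert an ISO-8601 duration such as PT5M or PT1H to minutes (None if unparsable)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60

def score_task(xml_text, max_minutes=10):
    """Return the suspicious traits found in one task definition, in a fixed order."""
    root = ET.fromstring(xml_text)
    traits = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        traits.append("hidden")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = iso_minutes(interval.text)
        if mins is not None and mins <= max_minutes:
            traits.append(f"repeats every {mins:g} min")
    for exe in root.iterfind("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).lower()
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if "rundll32" in cmd or "regsvr32" in cmd:
            traits.append("loads a DLL via " + cmd.rsplit("\\", 1)[-1])
        if USER_WRITABLE.search(args) or USER_WRITABLE.search(cmd):
            traits.append("payload in user-writable path")
    return traits

# Constructed sample; real exports carry a UTF-16 XML declaration, so read them as bytes.
SAMPLE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Users\Public\update.dll,Start</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(score_task(SAMPLE))
```

A task that collects three or four of these traits deserves a look at the DLL it references and the process that created the task.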

Hackers used various methods to attract victims' attention, including documents on various topics related to Pakistan, such as politics, religion, energy and telecommunications. The decoys included files related to Pakistan's policy until 2025, a discussion on renewable energy in Pakistan, and a notice of hearing from the National Electric Power Regulatory Authority (NEPRA), the supervisory body responsible for regulating electricity supply in Pakistan.

The analysis shows that the attackers are able to detect and bypass antivirus protection, embed malicious files, and hide their tracks by using a multi-stage attack chain to steal data. The campaign highlights the need for increased attention to cybersecurity by organizations in the Asian region.

The final section of the researchers' report provides recommendations for improving cybersecurity, including regular backups, avoiding opening unknown applications and email attachments, visiting only reliable websites, using high-quality cybersecurity products, and frequently checking system logs for suspicious activity.

Earlier, the Anti-AVL Threat Intelligence Team revealed the activity of the Confucius APT group (APT59), which has been engaged in cyber attacks since 2013. The group's main targets are government agencies, military and nuclear facilities in Pakistan and other South Asian countries. Confucius uses malicious SunBird and Hornbill apps to steal data from Android devices.