Operation Dream Job Continues, Uses Trojanized PuTTY SSH Client

North Korean hackers have been installing backdoors on targets’ computers using trojanized versions of the PuTTY SSH client. Mandiant, a cyber threat defense company, released a technical analysis report naming “UNC4034” as the threat cluster behind this campaign (also known as “Temp.Hermit” or “Labyrinth Chollima”).

Operation Dream Job continues its operation

The hackers appear to be continuing “Operation Dream Job,” which was first observed earlier this June. In July 2022, Mandiant Managed Defense discovered a new spear-phishing technique used by the threat cluster tracked as UNC4034 during proactive threat hunting at a media organization. The campaign now targets media companies using a trojanized version of the PuTTY SSH client.

According to reports, the attackers allegedly contacted targets with a phishing email containing a job offer from Amazon. Once the victim clicked through to the phishing page, the threat actor moved the victim to a WhatsApp conversation, where an ISO file called “amazon assessment.iso” was shared.

The ISO file contained a trojanized version of PuTTY as an executable file, along with an IP address and login information. The hackers instructed users to open the ISO file, use the SSH tool and the included credentials to connect to the server, and complete a skills evaluation.
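The first check a defender wants against a PuTTY binary delivered this way is whether it is the vendor's own signed build. The following PowerShell function is an added example, not code from the original article or from Mandiant's report; it assumes the genuine PuTTY release is Authenticode-signed by a publisher whose certificate subject contains "Simon Tatham" (confirm this against a build you already trust) and accepts an optional operator-supplied list of known-good SHA-256 hashes.

```powershell
function Test-PuttyBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed publisher name; verify it against a PuTTY build you already trust.
        [string] $ExpectedSigner = 'Simon Tatham',
        # Optional allow-list of SHA-256 hashes of known-good builds, supplied by the operator.
        [string[]] $KnownGoodSha256 = @()
    )

    $findings = @()

    # 1. Authenticode: an unsigned or invalidly signed PuTTY is a red flag on its own.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is '$($sig.Status)', not Valid"
    }

    # 2. Signer identity: a valid signature from the wrong publisher is still untrusted.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notlike "*$ExpectedSigner*") {
        $findings += "Signer subject '$subject' does not contain expected publisher '$ExpectedSigner'"
    }

    # 3. Hash allow-list: compare against hashes taken from the vendor's download page.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($KnownGoodSha256.Count -gt 0 -and $hash -notin $KnownGoodSha256) {
        $findings += "SHA-256 $hash is not in the known-good list"
    }

    [pscustomobject]@{
        Path     = $Path
        Sha256   = $hash
        Signer   = $subject
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage against a binary found on a mounted ISO (placeholder hash, replace with the vendor's value):
# Test-PuttyBinary -Path 'E:\putty.exe' -KnownGoodSha256 @('<SHA-256 from the PuTTY download page>')
```

A result with `Trusted` set to `$false` should be treated as a binary to quarantine and analyze, not to run; the `Findings` array says which of the three checks failed.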

According to Mandiant, the evaluated sample could check for active RDP sessions and use a proxy server; both features are deactivated by default.

The AIRDRY.V2 backdoor supports the following nine commands:

  • Upload basic system information
  • Update the beacon interval based
  • Deactivate until the new start date and time
  • Upload the current configuration
  • Update the configuration
  • Keep-alive
  • Update the AES key
  • Configuration data
  • Download and execute a plugin in memory

The new AIRDRY variant supports fewer commands than the previous version. However, in-memory plugin execution and an AES key for C2 communications are new capabilities. According to the report, the reduced command set does not limit the backdoor’s adaptability, because fetching plugins from the C2 creates additional opportunities for more precise attacks.

thecyberexpress
