Cybereason exposes Iranian state-sponsored cyber-espionage campaign

Cybereason exposes Iranian state-sponsored cyber-espionage campaign

Cybereason, a leader in operation-centric attack protection, has published a new threat intelligence report that unmasks a cyber-espionage operation targeting global aerospace and telecommunications companies.

Lior Div, Cybereason CEO and Co-founder

The report identifies a newly discovered Iranian threat actor behind the attacks dubbed MalKamak that has been operating since at least 2018 and remained unknown until recently.

In addition, the still-active campaign leverages a very sophisticated and previously undiscovered Remote Access Trojan (RAT) dubbed ShellClient that evades antivirus tools and other security apparatus and abuses the public cloud service Dropbox for command and control (C2). 

The report, titled Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms, details the stealthy attacks against companies in the Middle East, United States, Europe and Russia.

“The Operation GhostShell Report revealed a complex RAT capable of evading detection since as early as 2018, and the recent DeadRinger Report also uncovered a similarly evasive threat from as early as 2017, which tells us a lot about how advanced attackers are continuously defeating security solutions,” said Cybereason CEO and Co-founder, Lior Div.

“Layering on more tools to produce even more alerts that overwhelm defenders is not helping us stop sophisticated attacks, which is why Cybereason takes an operation-centric approach that detects based on very subtle chains of behavior where the adversary’s own actions work against them to reveal the attack at the earliest stages.”

Browse our latest issue

Intelligent CISO

View Magazine Archive