Engage Report: Double-Tap Campaign – Espionage in Central Asia

  1. A malicious macro in the initial Word document creates a second blank document and weaponizes it with another malicious macro.
  2. The second macro creates a scheduled task named “SettingsService Dispatch” using RegisterTaskDefinition.
  3. This task executes an HTA file containing the HATVIBE backdoor every four minutes using mshta.exe.
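The three-step chain above leaves a durable artefact on disk: a scheduled task definition whose action launches mshta.exe against an .hta file on a short repetition interval. The following script is an added detection example (not code from the report or from any vendor it cites) that parses Task Scheduler XML, as exported by `schtasks /query /xml`, and flags that combination. The two task definitions embedded in it are constructed samples with hypothetical paths; only the task name and the four-minute interval come from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics drawn from the report: script-host binary + .hta argument + short repetition
LOLBIN_HOSTS = {"mshta.exe"}
SHORT_INTERVAL_SECONDS = 10 * 60   # anything repeating at least every 10 minutes (assumption)

# Constructed sample task definitions (hypothetical file paths, not artefacts from the report)
SAMPLE_TASKS = {
    "SettingsService Dispatch": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT4M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\mshta.exe</Command>
      <Arguments>C:\\Users\\Public\\settings.hta</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "Nightly Backup": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Tools\\backup.exe</Command>
      <Arguments>--full</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def iso_duration_seconds(text):
    """Convert the ISO 8601 duration form Task Scheduler uses (e.g. PT4M, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(v) if v else 0 for v in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(name, xml_text):
    """Return a finding dict for one task definition."""
    root = ET.fromstring(xml_text)
    reasons = []

    # Repetition interval of the trigger, if the task repeats at all
    interval = None
    for node in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        interval = iso_duration_seconds(node.text)
    if interval is not None and interval <= SHORT_INTERVAL_SECONDS:
        reasons.append(f"repeats every {interval}s")

    # Every Exec action: which binary is launched and with what arguments
    actions = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((command, args))
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if binary in LOLBIN_HOSTS:
            reasons.append(f"action runs {binary}")
        if ".hta" in args.lower():
            reasons.append("argument references an .hta file")

    # A script-host launch is enough to alert; short repetition raises confidence
    suspicious = any(r.startswith("action runs") for r in reasons)
    return {"task": name, "interval_seconds": interval, "actions": actions,
            "reasons": reasons, "suspicious": suspicious}


def scan_tasks(tasks):
    """Analyze a mapping of task name -> task XML and return one finding per task."""
    return [analyze_task(name, xml) for name, xml in tasks.items()]


if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['task']}: {'; '.join(finding['reasons']) or 'no indicators'}")
```

To run this against a live host, export every task with `schtasks /query /xml` (or read the XML files under `C:\Windows\System32\Tasks`) and feed each file's text to `analyze_task`. The interval threshold and the set of script hosts are deliberately small so the logic stays readable; a production rule would add wscript.exe, cscript.exe and the PowerShell hosts, and correlate the task's registration time with the Office process that created it.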

Pygmy Goat Backdoor

Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.
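Because LD_PRELOAD injection rides on the dynamic loader rather than on a file in the sshd package, the places to look are the daemon's environment, /etc/ld.so.preload, and the shared objects actually mapped into the running process. The script below is an added example (not code from the report) of such an audit; the four inputs it consumes are constructed samples modelled on /proc/<pid>/cmdline, /proc/<pid>/environ, /etc/ld.so.preload and /proc/<pid>/maps, and the library path in them is hypothetical. `audit_pid` reads the same inputs from a live Linux host.

```python
import os

# Directories from which a preloaded library is normally expected (assumption; tune per distro)
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample inputs (hypothetical library path, not an artefact from the report)
SAMPLE_CMDLINE = b"/usr/sbin/sshd\x00-D\x00"
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\x00LD_PRELOAD=/tmp/.cache/libsshd_helper.so\x00LANG=C\x00"
SAMPLE_PRELOAD_FILE = "# constructed sample of /etc/ld.so.preload\n/tmp/.cache/libsshd_helper.so\n"
SAMPLE_MAPS = """7f0000000000-7f0000001000 r-xp 00000000 fd:01 12345 /usr/sbin/sshd
7f0000100000-7f0000120000 r-xp 00000000 fd:01 22222 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f0000200000-7f0000204000 r-xp 00000000 00:1f 33333 /tmp/.cache/libsshd_helper.so
"""


def parse_nul_list(raw):
    """Split a NUL-separated /proc blob (cmdline, environ) into its non-empty items."""
    return [item for item in raw.decode(errors="replace").split("\x00") if item]


def parse_environ(raw):
    """Turn /proc/<pid>/environ bytes into a dict."""
    env = {}
    for item in parse_nul_list(raw):
        key, _, value = item.partition("=")
        env[key] = value
    return env


def preload_entries(preload_file_text):
    """Library paths listed in /etc/ld.so.preload, ignoring blanks and comments."""
    return [line.strip() for line in preload_file_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def mapped_libraries(maps_text):
    """Shared objects mapped into the process, taken from the path column of /proc/<pid>/maps."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            libs.add(parts[5])
    return sorted(libs)


def audit_process(cmdline_raw, environ_raw, preload_file_text, maps_text):
    """Report every preload indicator for one process; findings are (reason, path) pairs."""
    argv = parse_nul_list(cmdline_raw)
    exe = os.path.basename(argv[0]) if argv else ""
    env = parse_environ(environ_raw)
    findings = []

    # ld.so accepts space- or colon-separated entries in LD_PRELOAD
    for lib in env.get("LD_PRELOAD", "").replace(":", " ").split():
        findings.append(("LD_PRELOAD in environment", lib))

    # /etc/ld.so.preload applies to every process on the host, so any entry is worth a look
    for lib in preload_entries(preload_file_text):
        findings.append(("/etc/ld.so.preload entry", lib))

    # Whatever the source, the injected object ends up mapped; catch it by its location
    for lib in mapped_libraries(maps_text):
        if not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(("library mapped from untrusted path", lib))

    return {"process": exe, "findings": findings, "suspicious": bool(findings)}


def audit_pid(pid):
    """Live variant: read the same four inputs from /proc and /etc (Linux, needs root for sshd)."""
    def read(path, binary=False):
        try:
            with open(path, "rb" if binary else "r") as fh:
                return fh.read()
        except OSError:
            return b"" if binary else ""
    return audit_process(read(f"/proc/{pid}/cmdline", True), read(f"/proc/{pid}/environ", True),
                         read("/etc/ld.so.preload"), read(f"/proc/{pid}/maps"))


if __name__ == "__main__":
    report = audit_process(SAMPLE_CMDLINE, SAMPLE_ENVIRON, SAMPLE_PRELOAD_FILE, SAMPLE_MAPS)
    print(f"{report['process']}: {'SUSPICIOUS' if report['suspicious'] else 'clean'}")
    for reason, path in report["findings"]:
        print(f"  {reason}: {path}")
```

The maps check is the one that matters most in practice: an operator can scrub LD_PRELOAD from the environment after the daemon starts, but the injected object stays mapped for the life of the process. Run `audit_pid` over every sshd PID (for example from `pgrep -x sshd`) and compare the mapped library list against the package manager's file list for the ssh server.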

COLDRIVER – UNC4057, Star Blizzard and Callisto

The attacker, impersonating experts or affiliates, sends a phishing link or document containing a link to a “decryption” utility. This utility is malware (SPICA backdoor) that gives the attacker access to the victim’s machine. The malware establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.