Menlo Labs has uncovered a new threat actor that has been targeting government entities via a Discord-distributed threat campaign. The campaign is known as PureCrypter and uses the domain of a compromised non-profit organization as a Command and Control (C2) to deliver malware payloads, such as Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware.
The campaign has been active in the Asia-Pacific (APAC) and North America regions, where Menlo’s Cloud Security Platform blocked password-protected archive files across multiple government customers, prompting an investigation.
Menlo Labs assesses that the threat actor group will continue to use the compromised infrastructure for as long as it can before needing to find a new home. Relying on compromised infrastructure is an operational security lapse on the actor's part, because it leaves a trail for analysts to follow. In this case, Menlo's Cloud Security Platform detected and blocked the attack, which allowed Menlo Labs to track the actor's activities.
PureCrypter is an evasive threat campaign that uses Discord as a distribution platform. The campaign features a downloader that targets government entities and leverages a compromised non-profit organization’s domain as a Command and Control (C2).
The campaign delivers several malware families, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware, among others. Menlo's investigation revealed that the campaign had been active for some time, and it is not clear how many entities may have been affected.
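A defender-side check for the two delivery traits the summary describes (archive files fetched from Discord's CDN, and ZIP archives whose members are password-protected), added here as an example; it is not code from Menlo's report or platform. The Discord CDN hostnames, the archive extensions, the proxy log format and the sample log lines are assumptions constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Assumptions (not from the report): Discord CDN hostnames used for attachment
# delivery, a small set of archive extensions, and a constructed proxy log
# format "<timestamp> <client_ip> <method> <url> <status>".
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_discord_archive_download(line: str) -> bool:
    """True if a proxy log line records an archive fetched from Discord's CDN."""
    m = LOG_RE.match(line)
    if not m:
        return False
    parts = urlsplit(m.group(4))
    host = (parts.hostname or "").lower()
    return host in DISCORD_CDN_HOSTS and parts.path.lower().endswith(ARCHIVE_EXTS)

def zip_has_encrypted_members(data: bytes) -> bool:
    """True if any ZIP member has general-purpose bit 0 (encryption) set,
    i.e. the archive is password-protected. Only ZIP is parsed; other
    archive formats return False here."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted members, so
    the encryption bit is set by hand in the local and central-directory
    headers, which is how a password-protected archive looks on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ constructed sample, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + flag_off] |= 0x1
    return bytes(data)

# Constructed log lines: one Discord CDN archive fetch, one benign download.
SAMPLE_LOGS = [
    "2023-02-23T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/report.zip 200",
    "2023-02-23T10:01:09Z 10.0.0.5 GET https://example.org/files/notes.pdf 200",
]

def flag_suspicious(lines) -> list:
    """Return the log lines that match the Discord-CDN archive pattern."""
    return [line for line in lines if is_discord_archive_download(line)]
```

In a real pipeline the archive bytes would come from the proxy's content inspection hook rather than from `make_sample_zip`.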
Overall, this threat campaign underscores the need for government entities and other organizations to remain vigilant in their cybersecurity practices. The use of compromised infrastructure is a tactic that has been used by threat actors for many years, and it highlights the importance of regularly monitoring networks for suspicious activity.
Additionally, the use of a communication platform like Discord underscores the need to have comprehensive security measures in place that can monitor all aspects of an organization’s digital footprint. Menlo’s Cloud Security Platform is an example of such a tool, and it demonstrates the importance of having a comprehensive security strategy in place.