Group-IB has published an update on the activities of RedCurl, a Russian-speaking threat group that casts an unusually wide net, wide enough to include North American firms and Russian banks. The group, active since 2018, is principally engaged in industrial espionage, interested in trade secrets and employee personal data.
Proofpoint is following TA406, a North Korean state threat group associated with the activity against Western diplomatic and intelligence targets tracked as Kimsuky and Thallium, and with the Konni family of remote access Trojans. TA406 has engaged, the researchers say, in "espionage, cyber crime and sextortion" during 2021. It's moved from credential theft to attacks that involve distribution of malware. Thus, like other DPRK threat groups, TA406 engages in a mix of spying and financially-motivated cybercrime.
DomainTools has identified a quiet spearphishing campaign, running since the end of July, in which an email address belonging to an employee of a firm operating in the UAE was used in an apparent credential-harvesting campaign directed against other companies in the region. The documents in the emails each contained distinctive domains hosted on Glitch, a legitimate web-based code collaboration tool whose ephemeral nature the attackers seem to have used to render their operations quieter and less susceptible to detection.
Venafi today published research on how Chinese threat actor APT41 (also known as Barium, Winnti, and Wicked Panda) has perfected code-signing techniques, the better to attack software supply chains. APT41 has run a "boot camp" on the technique for over a decade.