At a glance.
- TA866 returns with widespread phishing campaigns.
- COLDRIVER continues targeting Western officials.
- Massive credential dump offered on underground forums.
- Iranian threat actor targets universities and research organizations.
TA866 returns with widespread phishing campaigns.
Proofpoint says the threat actor TA866 has resurfaced after a nine-month hiatus, launching large-scale phishing campaigns to deliver malware. The emails contain invoice-themed PDF attachments with OneDrive links that will download variants of the WasabiSeed and Screenshotter malware. The researchers note, "It is currently unknown what follow-on payload the actor would install if they were satisfied with the screenshots taken by the Screenshotter. In previous campaigns the actor has delivered AHK Bot and Rhadamanthys Stealer." TA866 has been known to conduct cyberespionage as well as financially motivated attacks; Proofpoint says "[t]his specific campaign appears financially motivated."