"The Russian state-sponsored hacking group known as Sandworm (aka: Quedagh, Voodoo Bear, TEMP.Noble, IRON VIKING, G0034, ELECTRUM, TeleBots, IRIDIUM, Blue Echidna) has been observed masquerading as telecommunication providers to target Ukrainian entities with malware."
Sandworm is a state-backed threat actor attributed by the US government as part of the Russian GRU foreign military intelligence service.
Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control (C2) infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers.
Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT (remote access trojan) onto critical Ukrainian systems.
#APT #Campaign #Analysis #IoCs