{ "id": "a1803411-bd82-433c-9939-e7d3a601efb8", "created_at": "2026-04-06T00:19:10.391177Z", "updated_at": "2026-04-10T13:12:21.67806Z", "deleted_at": null, "sha1_hash": "0fd9d45288b30ebffe0d8ea2b8e51d09c7e4051c", "title": "Advanced threat predictions for 2024", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 97981, "plain_text": "Advanced threat predictions for 2024\r\nBy GReAT\r\nPublished: 2023-11-14 · Archived: 2026-04-05 18:53:42 UTC\r\nAdvanced persistent threats (APTs) are the most dangerous threats, as they employ complex tools and techniques,\r\nand often are highly targeted and hard to detect. Amid the global crisis and escalating geopolitical confrontations,\r\nthese sophisticated cyberattacks are even more dangerous, as there is often more at stake.\r\nAt Kaspersky’s Global Research and Analysis Team (GReAT), we monitor a number of APT groups, analyze\r\ntrends and try to anticipate their future developments to keep ahead of the evolving threat landscape and keep our\r\ncustomers safe. In this article, we will review the past year’s trends to see which of our 2023 predictions have\r\ncome true, and try to predict what is to come in 2024.\r\nA review of last year’s predictions\r\n1. The rise of destructive attacks\r\nIn December of last year, shortly after we released our predictions for 2023,  Russian government agencies were\r\nreported to have been targeted by a data wiper called CryWiper. The malware posed as ransomware, demanding\r\nmoney from the victims for “decrypting” their data. However, instead of encrypting the data, it purposefully\r\ndestroyed it in the affected systems.\r\nIn January, ESET discovered a new wiper, deployed in an attack in Ukraine via the Active Directory GPO. They\r\nattribute the wiper, named SwiftSlicer, to Sandworm (aka Hades).\r\nIn June, Microsoft published a report on a threat actor named Cadet Blizzard, responsible for WhisperGate and\r\nother wipers targeting Ukrainian government agencies early in 2022. In addition to government agencies, law\r\nenforcement, IT services and emergency services in Ukraine, the threat actor has also targeted organizations in\r\nEurope, Central Asia and Latin America.\r\nTo sum up, although we did not see the same volume as we had in 2022, clearly there were some significant\r\nattacks.\r\nVerdict: partially fulfilled 🆗\r\n2. Mail servers become priority targets\r\nIn June, Recorded Future warned that BlueDelta (aka Sofacy, APT28, Fancy Bear and Sednit) exploited\r\nvulnerabilities in Roundcube Webmail to hack multiple organizations including government institutions and\r\nmilitary entities involved in aviation infrastructure. The threat actor used news about the Russo-Ukrainian conflict\r\nto trick targets into opening harmful emails that exploited the vulnerabilities (CVE-2020-35730, CVE-2020-12641\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 1 of 9\n\nand CVE-2021-44026). Using a malicious script, the attackers redirected their targets’ incoming email to an email\r\naddress controlled by the attackers, gathering data from the compromised accounts.\r\nIn July, we reported an updated variant of Owowa used against targets in Russia. We were able to associate the\r\ndeployment of Owowa with a mail-based intrusion chain that looked like known CloudAtlas activities in a\r\ncampaign we call GOFFEE.\r\nIn August, TeamT5 and Mandiant, following up on earlier research into exploitation of a remote command\r\ninjection vulnerability affecting the Barracuda Email Security Gateway (ESG) appliance (CVE-2023-2868) by\r\nUNC4841, provided further detail on TTPs used by the threat actor. UNC4841 deployed new malware designed to\r\nmaintain presence on a small subset of high-priority targets compromised either before the patch was released or\r\nshortly afterwards. This includes use of the SKIPJACK and DEPTHCHARGE backdoors and the\r\nFOXTROT/FOXGLOVE launcher. The threat actor targeted a wide variety of verticals. The US Cybersecurity\r\nand Infrastructure Security Agency (CISA) provided additional IoCs associated with exploitation of CVE-2023-\r\n2868.\r\nVerdict: prediction fulfilled ✅\r\n3. The next WannaCry\r\nFortunately for us, a new cyber epidemic did not happen.\r\nVerdict: prediction not fulfilled ❌\r\n4. APT targeting turns toward satellite technologies, producers and operators\r\nThe only known case of an attack utilizing satellite technologies that happened in recent years was the KA-SAT\r\nnetwork hack of 2022. We have not seen anything of the kind in 2023.\r\nVerdict: prediction not fulfilled ❌\r\n5. Hack-and-leak is the new black (and bleak)\r\nIn April, we reported KelvinSecurity, a hacktivist and black hat Spanish-speaking group. The group’s motivations\r\nare socio-political and monetary but inconsistent. Attacks are directed at public or private organizations around the\r\nglobe. Leaks are often sold on the dark web, message groups or the group’s own platforms, and some are given\r\naway for free.\r\nIn May, Ars Technica reported that BootGuard private keys had been stolen following a ransomware attack on\r\nMicro-Star International (MSI) in March this year (firmware on PCs with Intel chips and BootGuard enabled will\r\nonly run if it is digitally signed using the appropriate keys). If an attacker is able to obtain these private keys, they\r\ncould sign their malware, so that the code is trusted and run by MSI computers.\r\nIn August, Insikt Group, a Recorded Future threat research division, reported BlueCharlie (formerly tracked as\r\nTAG-53, also known as Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly\r\nSEABORGIUM) and TA446) linked by researchers to 94 new domains, starting in March this year, suggesting\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 2 of 9\n\nthat the group is actively modifying its infrastructure in response to public disclosures about its activities. The\r\nthreat actor focuses on information gathering for espionage and hack-and-leak operations, targeting organizations\r\nin various industries, such as government, higher education, defense, and political sectors, non-governmental\r\norganizations (NGOs), activists, journalists, think-tanks and national laboratories.\r\nVerdict: prediction fulfilled ✅\r\n6. More APT groups will move from Cobalt Strike to other alternatives\r\nWe are closely monitoring similar tools, one of which is BruteRatel, but Cobalt Strike is still used as the go-to\r\nframework for attacks.\r\nVerdict: prediction not fulfilled ❌\r\n7. SIGINT-delivered malware\r\nIn September, the Citizen Lab released a report concerning the prominent Egyptian opposition figure Ahmed\r\nEltantawy. This politician became the target of a previously undiscovered “zero-day” attack aimed at infecting his\r\nphone with spyware.\r\nDuring the months of August and September, the Citizen Lab reported that Eltantawy experienced a more perilous\r\nform of network injection attacks, which did not require any action on his part, such as clicking anything.\r\nThe Citizen Lab’s report conducted an examination to ascertain the precise location of the injection within the\r\nnetwork. It determined that the injection point was situated within the connection between two Egyptian\r\ntelecommunication providers. By relying solely on technical data, the lab could not ascertain which connection\r\nside the middlebox was positioned on. Nonetheless, the Citizen Lab researchers suspected that the attack likely\r\ninvolved integration with one of the providers’ subscriber databases.\r\nAccording to the Citizen Lab, executing the attack on Eltantawy would have necessitated the installation of the\r\nPacketLogic system on the network of Eltantawy’s communication service provider in Egypt, though the\r\nresearchers did not accuse the ISP of complicity in the attack.\r\nVerdict: prediction fulfilled ✅\r\n8. Drone hacking!\r\nAlthough there was a public report of drones used to hack a Wi-Fi network in 2022, there are no accounts of\r\nsimilar events happening in 2023.\r\nVerdict: prediction not fulfilled ❌\r\nAPT predictions for 2024\r\nNow, let us take a look at a possible future of the advanced persistent threat landscape.\r\nThe rise of creative exploits for mobile, wearables and smart devices\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 3 of 9\n\nThe past year marked a significant discovery: “Operation Triangulation”, a new, remarkably stealthy espionage\r\ncampaign targeting iOS devices, including those of our colleagues. During the investigation, our team identified\r\nfive vulnerabilities in iOS, including four zero-days. These vulnerabilities did not just affect smartphones and\r\ntablets but also extended to laptops, wearable devices and smart home gadgets including Apple TV and Apple\r\nWatch. As we look ahead, we might anticipate more occasional cases of advanced attacks to leverage consumer\r\ndevices and smart home technology. iOS devices may not be the only targets: other devices and operating systems\r\ncould also face risks.\r\nA creative avenue for threat actors is to expand their surveillance efforts to include devices such as smart home\r\ncameras, connected car systems and beyond. Many of these gadgets, both new and old, are susceptible due to\r\nvulnerabilities, misconfigurations or outdated software, making them attractive and easy targets for attackers.\r\nAnother notable aspect of this emerging trend is the “silent” exploit delivery method. In “Operation\r\nTriangulation”, exploits were discreetly delivered through iMessage and activated without user interaction. In the\r\nupcoming year, we may see alternative delivery methods for exploits, such as:\r\nZero-clicks through popular cross-platform messengers, allowing attacks without interaction with the\r\npotential victim\r\nOne-clicks with malicious link delivery via SMS or messaging apps, where victims may unknowingly\r\ntrigger attacks by opening these links\r\nMalicious actors intercepting network traffic, for instance, exploiting Wi-Fi networks – a less common yet\r\npotentially effective method\r\nTo protect against complex attacks and targeted threats, protection of both personal and corporate devices is vital.\r\nSolutions like XDR, SIEM, and MDM platforms, apart from traditional anti-virus products, enable centralized\r\ndata collection, accelerate analysis, and correlate security events from various sources, facilitating swift response\r\nto complex incidents.\r\nBuilding new botnets with consumer and corporate software and appliances\r\nIt is a well-known fact: vulnerabilities persist in commonly used software and appliances, whether for corporate or\r\npersonal use. New high and critical severity vulnerabilities are discovered every now and then. According to\r\nStatista, in 2022, a record number of vulnerabilities — more than 25,000 — were discovered. Often, limited\r\nresources are dedicated to researching vulnerabilities, and they are not always fixed in a timely manner. This\r\nraises concerns about the potential emergence of new, large-scale and stealthily established botnets capable of\r\nconducting targeted attacks.\r\nCreating a botnet involves stealthy installation of malware on a multitude of devices without the device owners’\r\nknowledge. APT groups may find this tactic intriguing for several reasons. To begin with, it allows threat actors to\r\nobscure the targeted nature of their attacks behind seemingly widespread assaults, making it challenging for\r\ndefenders to ascertain the attackers’ identity and motives. Furthermore, botnets rooted in consumer devices or\r\nsoftware, or those belonging to legitimate organizations, conveniently mask the attackers’ true infrastructure. They\r\ncan function as proxy servers, intermediate C2 (Command and Control) hubs and, in cases of network\r\nmisconfiguration, potential entry points into organizations.\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 4 of 9\n\nBotnets themselves are not a new attack tool. For example, a few years ago, a botnet of more than 65,000 home\r\nrouters was used to proxy malicious traffic for other botnets and APTs. Another example, which has risen in the\r\nwake of remote work becoming widespread, is related to APT campaigns targeting remote workers via small\r\noffice/home office routers infected with a botnet-like remote access trojan (RAT). Given the significant number of\r\nrecently disclosed vulnerabilities, we expect to see new attacks of this kind in the coming year.\r\nBotnet-driven attacks will not be confined to APT groups and may also be adopted by cybercriminals. The covert\r\nnature of these attacks presents detection challenges while offering attackers ample opportunities to infiltrate and\r\nestablish a presence within the organization’s infrastructure.\r\nBarriers to kernel-level code execution increasingly evaded (kernel rootkits hot again)\r\nWith the introduction of modern security measures like KMCS (Kernel Mode Code Signing), PatchGuard, HVCI\r\n(Hypervisor-Protected Code Integrity) and the Secure Kernel architecture in recent Windows releases, Microsoft\r\naimed to reduce the prevalence of rootkits and similar low-level attacks. These classical attack methods were\r\nprevalent during an earlier era characterized by a multitude of rootkit variants. Over the past few years, we have\r\nwitnessed numerous APT actors and cybercrime groups successfully execute their code in the kernel-mode of\r\ntargeted systems, despite the presence of these new protection mechanisms. Several Windows Hardware\r\nCompatibility Program (WHCP) abuses reported this year led to compromises of the Windows kernel trust model.\r\nIn June 2021, the Netfilter rootkit was reported, after which Microsoft published an advisory detailing that it was\r\nused as a means of geo-location cheating within the gaming community in China. Bitdefender then disclosed\r\nFiveSys in October 2021, a rootkit that was mainly used to target online gamers with the main goal of credential\r\ntheft and in-game-purchase hijacking. Then Mandiant reported the last known abuse that revealed the Poortry\r\nmalware, which had been used in a number of cyberattacks  including ransomware-based incidents. In July 2023,\r\nwe privately reported new FiveSys signed variants.\r\nWe anticipate a rise in three key vectors that will further empower threat actors with this capability:\r\nIncreased underground market for EV certificates and stolen code signing certificates\r\nMore abuse of the developer accounts to get the malicious code signed through Microsoft code signing\r\nservices like WHCP\r\nContinuous increase in BYOVD (Bring Your Own Vulnerable Driver) in current threat actors’ TTP arsenal\r\nLast year, the world saw well over 50 ongoing real-world conflicts, with the highest level of violent conflicts since\r\nWorld War II, as estimated by the UN. Any political confrontation now inherently includes cyber-elements, as they\r\nhave become a default part of any conflict, and this trend is to evolve further. BlackEnergy APT attacks in Ukraine\r\nare a prominent example from the last decade, known for destructive actions against media companies,\r\ncompromising industrial control systems and engaging in cyber-espionage. The current landscape of potential\r\nactors involved in cyber-warfare is extensive, ranging from the CloudWizard APT campaign activities in the\r\nRusso-Ukrainian conflict area to a string of cyberattacks sparked by the recent attacks within the Israeli-Hamas\r\nconflict. These include, for example, cyberattacks on Israeli energy, defense and telecoms organizations by a\r\nthreat actor dubbed “Storm-1133” (reported by Microsoft)      and the targeting of Android users in Israel with a\r\nmalicious version of the RedAlert – Rocket Alerts app. A hacking group dubbed Predatory Sparrow has resurfaced\r\nfollowing an almost year-long break amidst the ongoing conflict, according to CyberScoop reports.\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 5 of 9\n\nAs we look ahead, we anticipate a surge in state-sponsored cyberattacks as geopolitical tensions strengthen. It will\r\nnot be limited to critical infrastructure, government sectors or defense companies across the globe; media\r\norganizations will also increasingly be at risk. In the current climate of heightened geopolitical tensions, media\r\norganizations may be chosen as targets by those seeking to use them for counterpropaganda or disinformation\r\npurposes.\r\nHackers will primarily focus on data theft, IT infrastructure destruction and long-term espionage. Cyber-sabotage\r\ncampaigns will likely be on the rise, too. The attackers will not just encrypt data; they will destroy it, posing a\r\nsignificant threat to organizations vulnerable to politically driven attacks. This will also include specific targeted\r\nattacks against individuals or groups. These attacks may involve compromising the devices of individuals to gain\r\naccess to the organization they work for, using drones to locate specific targets, using malware for eavesdropping,\r\nand beyond.\r\nHacktivism in cyber-warfare: the new normal in geopolitical conflicts\r\nAnother instance of digital integration in conflicts is hacktivism. It is hard to imagine any future conflict without\r\nhacktivist involvement. There are several ways hacktivists may influence cybersecurity. First, they can carry out\r\nactual cyberattacks, including DDoS attacks, data theft or destruction, website defacement, and so on. Second,\r\nhacktivists can make false hack claims leading to unnecessary investigations and subsequent alert fatigue for SOC\r\nanalysts and cybersecurity researchers. For example, in the ongoing Israeli-Hamas conflict, a hacktivist group\r\nclaimed that they attacked the Israeli Dorad private power station in the beginning of October. Although the\r\nsubsequent research revealed that the data they posted online was leaked by another group in June 2022, it took\r\ntime and resources to find out that no new leak occurred. Deepfakes are also in use, easily accessible tools\r\nemployed for impersonation and to throw in disinformation, as well as other high-profile cases, such as hackers\r\ninterrupting Iranian state TV broadcasts during protests. All in all, as geopolitical tensions rise with no prospects\r\nof abating any time soon, we expect to see an increase in hacktivist activity, both destructive and aimed at\r\ndisinformation.\r\nSupply chain attacks as a service: operators’ bulk-buying access\r\nThere is a growing trend where attackers meet their objectives through suppliers, integrators or developers. This\r\nmeans small and medium-sized companies, often lacking robust protection against APT attacks, are becoming\r\ngateways for hackers to access the data and infrastructure of major players, their ultimate targets. To illustrate the\r\nmagnitude of supply chain attacks, as we witness them now, one might recall the widely-discussed breaches\r\nthrough Okta in 2022 and 2023. This identity management company serves over 18,000 customers worldwide, and\r\neach of these could potentially be compromised.\r\nThe motivation behind these attacks may vary, ranging from financial gain to cyber-espionage, intensifying the\r\nconcerning nature of this threat. For example, the notorious APT group Lazarus has been honing its supply chain\r\nattack capabilities. What is even more remarkable is the discovery that the notorious Gopuram backdoor, deployed\r\nthrough the infamous 3CX hack affecting victims worldwide, was found to coexist on victim machines alongside\r\nAppleJeus, a backdoor attributed to Lazarus. This attack was highly targeted and showed particular interest in\r\ncryptocurrency companies, which may indicate that the ultimate goal of the attackers was financial gain.\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 6 of 9\n\nAs supply chain attacks become more popular among threat actors, 2024 might usher in a new phase in related\r\nactivities. The trend may evolve in various ways. First, popular open-source software could be employed to target\r\nspecific enterprise developers. Additionally, the shadow market could introduce new offerings, including access\r\npackages targeting various software vendors and IT service suppliers. Consequently, those interested in\r\norchestrating supply chain attacks, armed with access to an extensive pool of potential victims, can then carefully\r\nselect their preferred targets for large-scale assaults. By doing this, threat actors are potentially taking the\r\nefficiency of supply chain attacks to a new level.\r\nSpear-phishing to expand with accessible generative AI\r\nChatbots and generative AI tools are now widespread and easily accessible. This trend has not gone unnoticed by\r\nthreat actors who are developing their own black-hat chatbots based on legitimate solutions. For instance,\r\nWormGPT, a language model explicitly designed for malicious use, claimed to be based on the open-source\r\nlanguage model GPTJ. Other models, like xxxGPT, WolfGPT, FraudGPT, DarkBERT, and more, lack the content\r\nrestrictions present in legitimate solutions, making them attractive to attackers that exploit these models for\r\nmalicious purposes.\r\nThe emergence of these tools is likely to facilitate the mass production of spear-phishing messages, often serving\r\nas the initial step in APT and other attacks. The significance extends beyond the ability to craft persuasive and\r\nwell-written messages quickly. It also encompasses the capability to generate documents for impersonation and\r\nmimic the style of specific individuals, such as a business partner or a colleague of the victim. In the upcoming\r\nyear, attackers are expected to develop new methods for automating espionage on their targets. This may include\r\nautomatic data collection from the victim’s online presence, such as social media posts, media comments, or\r\nauthored columns: any content associated with the victim’s identity. This information will be processed using\r\ngenerative tools to create various text or audio messages in the specific individual’s style and voice.\r\nMeanwhile, the importance of cybersecurity awareness and preventative measures, including threat intelligence\r\nand proactive monitoring and detection, will continue to grow.\r\nEmergence of more groups offering hack-for-hire services\r\nHacker-for-hire (or hack-for-hire) groups specialize in infiltrating systems and offering data theft services. Their\r\nclientele includes private investigators, law firms, business rivals, and those lacking the technical skills for such\r\nattacks. These cyber-mercenaries openly advertise their services and target entities of interest.\r\nOne such group, tracked by our Global Research and Analysis Team (GReAT), is DeathStalker. It focuses on law\r\nfirms and financial companies, providing hacking services and acting as an information broker rather than\r\noperating as a traditional APT. They use spear-phishing emails with malicious file attachments to take control of\r\nvictims’ devices and steal sensitive data.\r\nThese groups consist of skilled hackers organized hierarchically, with leaders managing teams. They advertise on\r\ndark web platforms and employ various techniques, including malware, phishing, and other social engineering\r\nmethods. They adapt to avoid detection by using anonymous communication and VPNs, and causing various\r\nimpacts, from data breaches to reputational damage. The services of hacker-for-hire groups in general go beyond\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 7 of 9\n\ncyber-espionage and extend to commercial espionage. They may gather data on competitors, for example, M\u0026A\r\ntransactions, expansion plans, financials, and customer information.\r\nThis approach is gaining global momentum, and we expect it to evolve in the coming year. It is possible that some\r\nAPT groups may expand their operations due to the demand for such services, as they need to generate income to\r\nsustain their activities and compensate their operatives.\r\nMFT systems at the forefront of cyberthreats\r\nAs the digital landscape continues to evolve, so does the complexity and sophistication of cyberthreats. At the\r\nheart of this evolving scenario are Managed File Transfer (MFT) systems, designed to securely ferry sensitive data\r\nbetween organizations. Housing a wealth of confidential information including intellectual property, financial\r\nrecords, and customer data, MFT solutions have become indispensable in modern business operations. They\r\nfacilitate seamless data sharing both internally and externally, thereby becoming a cornerstone of organizational\r\nefficiency. However, this pivotal role also places them in the crosshairs of cyber-adversaries, particularly\r\nransomware actors, who are on a relentless quest to exploit digital vulnerabilities for financial extortion.\r\nThe incidents involving MFT systems, such as MOVEit and GoAnywhere, in 2023, shed light on the potential\r\nvulnerabilities within these critical data transfer conduits. The MOVEit breach orchestrated by the Cl0p\r\nransomware gang, and the exploitation of Fortra’s GoAnywhere MFT platform highlighted how a single\r\nvulnerability could be leveraged to exfiltrate sensitive data, disrupt operations and demand a ransom.\r\nLooking ahead, the threat landscape affecting MFT systems is poised for escalation. The allure of financial gain\r\nand the potential to cause substantial operational disruptions will likely fuel a surge in targeted attacks against\r\nMFT systems. The intricate architecture of MFT systems, coupled with their integration into broader business\r\nnetworks, potentially harbors security weaknesses that are ripe for exploitation. As cyber-adversaries continue to\r\nhone their skills, the exploitation of vulnerabilities within MFT systems is anticipated to become a more\r\npronounced threat vector.\r\nThe trajectory of cyberthreats targeting MFT systems underscores a looming reality: the potential for significant\r\ndata breaches and financial extortion will continue to rise. The incidents of 2023 serve as a stark reminder of the\r\nvulnerabilities inherent within MFT systems and the dire need for robust cybersecurity measures to safeguard\r\nthese critical data transfer channels.\r\nIn light of this, organizations are strongly advised to undertake comprehensive reviews of their MFT solutions to\r\nidentify and mitigate potential security weaknesses. Implementing robust Data Loss Prevention (DLP) solutions,\r\nencrypting sensitive data, and fostering a culture of cybersecurity awareness are prudent steps towards fortifying\r\nMFT systems against emerging cyberthreats. As the cyberthreat horizon continues to expand, proactive\r\ncybersecurity measures encompassing MFT systems will be paramount in safeguarding organizational data assets\r\nand ensuring operational resilience in the face of evolving cyberthreats.\r\nThe narrative of 2023 is a clarion call for organizations to bolster their cybersecurity apparatus around MFT\r\nsystems. As we venture into a future where cyberthreats are bound to become more sophisticated, the onus is on\r\norganizations to stay ahead of the curve, ensuring the integrity and security of their MFT systems in a bid to\r\nthwart the nefarious designs of cyber-adversaries.\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 8 of 9\n\nThese were our predictions for the year 2024. A year from now, we shall see which ones materialized and which\r\nones did not.\r\nSource: https://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nhttps://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "origins": [ "web" ], "references": [ "https://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/" ], "report_names": [ "111048" ], "threat_actors": [ { "id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9", "created_at": "2023-06-23T02:04:34.088425Z", "updated_at": "2026-04-10T02:00:04.573175Z", "deleted_at": null, "main_name": "Bad Magic", "aliases": [ "Bad Magic", "CloudWizard", "RedStinger" ], "source_name": "ETDA:Bad Magic", "tools": [ "CommonMagic", "PowerMagic" ], "source_id": "ETDA", "reports": null }, { "id": "ad08bd3d-e65c-4cfd-874a-9944380573fd", "created_at": "2023-06-23T02:04:34.517668Z", "updated_at": "2026-04-10T02:00:04.842233Z", "deleted_at": null, "main_name": "Operation Triangulation", "aliases": [], "source_name": "ETDA:Operation Triangulation", "tools": [ "TriangleDB" ], "source_id": "ETDA", "reports": null }, { "id": "f7aa6029-2b01-4eee-8fe6-287330e087c9", "created_at": "2022-10-25T16:07:23.536763Z", "updated_at": "2026-04-10T02:00:04.646542Z", "deleted_at": null, "main_name": "Deceptikons", "aliases": [ "DeathStalker", "Deceptikons" ], "source_name": "ETDA:Deceptikons", "tools": [ "EVILNUM", "Evilnum", "Janicab", "PowerPepper", "Powersing", "VileRAT" ], "source_id": "ETDA", "reports": null }, { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843", "created_at": "2023-11-21T02:00:07.315543Z", "updated_at": "2026-04-10T02:00:03.461446Z", "deleted_at": null, "main_name": "UNC4841", "aliases": [ "SLIME57" ], "source_name": "MISPGALAXY:UNC4841", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595", "created_at": "2024-02-06T02:00:04.14393Z", "updated_at": "2026-04-10T02:00:03.578394Z", "deleted_at": null, "main_name": "Operation Triangulation", "aliases": [], "source_name": "MISPGALAXY:Operation Triangulation", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e", "created_at": "2026-03-16T02:02:50.582318Z", "updated_at": "2026-04-10T02:00:03.777263Z", "deleted_at": null, "main_name": "COASTLIGHT", "aliases": [ "Gonjeshke Darande", "Indra", "Predatory Sparrow" ], "source_name": "Secureworks:COASTLIGHT", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "3aedca2f-6f6c-4470-af26-a46097d3eab5", "created_at": "2024-11-01T02:00:52.689773Z", "updated_at": "2026-04-10T02:00:05.396502Z", "deleted_at": null, "main_name": "Star Blizzard", "aliases": [ "Star Blizzard", "SEABORGIUM", "Callisto Group", "TA446", "COLDRIVER" ], "source_name": "MITRE:Star Blizzard", "tools": [ "Spica" ], "source_id": "MITRE", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "63f532e6-4b4a-4f17-bbff-8517f0dd1868", "created_at": "2024-01-09T02:00:04.192588Z", "updated_at": "2026-04-10T02:00:03.507424Z", "deleted_at": null, "main_name": "KelvinSecurity", "aliases": [], "source_name": "MISPGALAXY:KelvinSecurity", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "120b98af-cc15-468d-ae91-52d5af9216e4", "created_at": "2025-05-29T02:00:03.189197Z", "updated_at": "2026-04-10T02:00:03.84415Z", "deleted_at": null, "main_name": "GOFFEE", "aliases": [], "source_name": "MISPGALAXY:GOFFEE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada", "created_at": "2022-10-25T16:07:23.477794Z", "updated_at": "2026-04-10T02:00:04.625004Z", "deleted_at": null, "main_name": "Cold River", "aliases": [ "Blue Callisto", "BlueCharlie", "Calisto", "Cobalt Edgewater", "Gossamer Bear", "Grey Pro", "IRON FRONTIER", "Mythic Ursa", "Nahr Elbard", "Nahr el bared", "Seaborgium", "Star Blizzard", "TA446", "TAG-53", "UNC4057" ], "source_name": "ETDA:Cold River", "tools": [ "Agent Drable", "AgentDrable", "DNSpionage", "LOSTKEYS", "SPICA" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a057a97-db21-4261-804b-4b071a03c124", "created_at": "2024-06-04T02:03:07.953282Z", "updated_at": "2026-04-10T02:00:03.813595Z", "deleted_at": null, "main_name": "IRON FRONTIER", "aliases": [ "Blue Callisto ", "BlueCharlie ", "CALISTO ", "COLDRIVER ", "Callisto Group ", "GOSSAMER BEAR ", "SEABORGIUM ", "Star Blizzard ", "TA446 " ], "source_name": "Secureworks:IRON FRONTIER", "tools": [ "Evilginx2", "Galileo RCS", "SPICA" ], "source_id": "Secureworks", "reports": null }, { "id": "219ddb41-2ea8-4121-8b63-8c762f7e15df", "created_at": "2023-01-06T13:46:39.384442Z", "updated_at": "2026-04-10T02:00:03.309654Z", "deleted_at": null, "main_name": "Predatory Sparrow", "aliases": [ "Indra", "Gonjeshke Darande" ], "source_name": "MISPGALAXY:Predatory Sparrow", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bdbf873a-048d-4c5d-9d92-922327cc83a8", "created_at": "2023-01-06T13:46:39.387696Z", "updated_at": "2026-04-10T02:00:03.310459Z", "deleted_at": null, "main_name": "DEV-0586", "aliases": [ "Ruinous Ursa", "Cadet Blizzard" ], "source_name": "MISPGALAXY:DEV-0586", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "025b7171-98f8-4391-adc2-66333629c715", "created_at": "2023-06-23T02:04:34.120175Z", "updated_at": "2026-04-10T02:00:04.599019Z", "deleted_at": null, "main_name": "Cadet Blizzard", "aliases": [ "DEV-0586", "Operation Bleeding Bear", "Ruinous Ursa" ], "source_name": "ETDA:Cadet Blizzard", "tools": [ "GO Simple Tunnel", "GOST", "Impacket", "LOLBAS", "LOLBins", "Living off the Land", "P0wnyshell", "PAYWIPE", "Ponyshell", "Pownyshell", "WhisperGate", "WhisperKill", "netcat", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "d64de7e1-4ba3-43c4-9b69-932976b604fc", "created_at": "2023-11-07T02:00:07.111305Z", "updated_at": "2026-04-10T02:00:03.412326Z", "deleted_at": null, "main_name": "Storm-1133", "aliases": [], "source_name": "MISPGALAXY:Storm-1133", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434750, "ts_updated_at": 1775826741, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0fd9d45288b30ebffe0d8ea2b8e51d09c7e4051c.pdf", "text": "https://archive.orkl.eu/0fd9d45288b30ebffe0d8ea2b8e51d09c7e4051c.txt", "img": "https://archive.orkl.eu/0fd9d45288b30ebffe0d8ea2b8e51d09c7e4051c.jpg" } }