{
	"id": "8897190b-faae-44e3-8b97-40328703dd24",
	"created_at": "2026-04-06T00:11:52.031985Z",
	"updated_at": "2026-04-10T13:13:01.173197Z",
	"deleted_at": null,
	"sha1_hash": "1b798f89c26036b82d635058853f83052fae32bc",
	"title": "Rewterz Threat Alert - 'NewsPenguin' Threat Actors Targeting Pakistani Entities With Malicious Campaign - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44779,
	"plain_text": "Rewterz Threat Alert - 'NewsPenguin' Threat Actors Targeting\r\nPakistani Entities With Malicious Campaign - Active IOCs -\r\nRewterz\r\nPublished: 2023-02-09 · Archived: 2026-04-05 17:07:15 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nA new cyber threat group known as “NewsPenguin” has been linked to a phishing attack aimed at marine-related\r\nentities in Pakistan and using the PIMEC-23 maritime expo as a lure.\r\nAccording to the researchers, NewsPenguin has launched a phishing campaign targeting Pakistani entities by\r\nleveraging the upcoming PIMEC-23, an international maritime expo organized by the Pakistan Navy.\r\n“The attacker sent out targeted phishing emails with a weaponized document attached that purports to\r\nbe an exhibitor manual for PIMEC-23. The document utilizes a remote template injection technique and\r\nembedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the\r\nattack, which leads to the final payload execution.”\r\nPIMEC is a Pakistan Navy initiative organized under the auspices of the Ministry of Maritime Affairs. It gives the\r\nmarine industry, both public and private, the opportunity to showcase products and create business relationships.\r\nThe event would also highlight Pakistan’s marine potential and offer a boost to national economic growth.\r\nThe method employed in the attack, known as remote template injection, is a technique that allows attackers to\r\nfetch the next-stage payload from a server controlled by the attacker. This technique is often used to avoid\r\ndetection by security software, as the payload is only delivered if the request is sent from a specific location, in\r\nthis case, an IP address located in Pakistan.\r\nThe server was found to be hosting two ZIP archive files which contained a Windows executable (updates.exe)\r\nthat functions as a covert spying tool capable of bypassing sandboxes and virtual machines. The backdoor was\r\nencrypted using the XOR encryption algorithm with the key “penguin”, hinting at the name of the threat actor.\r\n“The final payload is an advanced espionage tool that is XOR encrypted with a “penguin” encryption key. The\r\ncontent-disposition response header name parameter is set to “getlatestnews” during the HTTP response.”\r\nThe domain hosting the payloads had been registered since June 30, 2022, suggesting that the attack was planned in\r\nadvance. The timeframe and planning for this campaign by the threat actor demonstrate that the attacker is\r\nconstantly enhancing the tools they use to infiltrate target systems. It is rare for criminal organizations to plan\r\nahead and create network infrastructure months before an event.\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs\r\nPage 1 of 3\n\n“As the target is an event run by the Pakistan Navy, it implies that the threat actor is actively targeting government\r\norganizations, rather than this being a financially motivated attack.”\r\nIt is crucial for individuals and organizations to be vigilant when receiving emails with attachments, especially\r\nwhen they appear to be from unfamiliar or unexpected sources. Before opening any attachments, it is\r\nrecommended to verify the identity of the sender and to scan the file with updated antivirus software. In addition,\r\norganizations should have strong security protocols in place to prevent and detect phishing attacks, including\r\nimplementing multi-factor authentication, regularly training employees on security best practices, and having an\r\nincident response plan in place.\r\nImpact\r\nAccess To Sensitive Information\r\nRemote Template Injection\r\nIndicators of Compromise\r\nMD5\r\nfcae6b88640b58d289df42ae2d15e3ca\r\n28e5fceaa9878bfbe967639cf2a2fb9b\r\n314328e63b2e55a9c20bbda313ab4d04\r\nSHA-256\r\n80326b1e151e8348307114c8115e275c2fd63f0d2eb1dfacb6eca9840cf98525\r\n26b113ba29b037034ee34a7f0fea81f6d5452950e0d26058d9b96946d78570c5\r\n55f43319b910037d5b2eb8a5e57a14fca88e22bb0f40e453e510cc375a42bf43\r\nSHA-1\r\n80f4abc3ebe62229f964122dff078187be960874\r\nb9ad129f15e565201d860a04e0e26cce97a254e8\r\n75b2a98f69d457ad22e77fb766f059e5d99634a5\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for indicators of compromise (IOCs) in your environment utilizing your respective security controls.\r\nIt is important for individuals and organizations to be aware of these types of attacks and to have robust\r\nsecurity measures in place to protect against them. This may include using up-to-date antivirus software,\r\nimplementing multi-factor authentication, regularly backing up important data, and providing security\r\nawareness training for employees.\r\nEnable antivirus and anti-malware software and update signature definitions in a timely manner. Using\r\nmulti-layered protection is necessary to secure vulnerable assets.\r\nPatch and upgrade any platforms and software in a timely manner and make it a standard security policy. Prioritize\r\npatching known exploited vulnerabilities and zero-days.\r\nEmails from unknown senders should always be treated with caution.\r\nNever trust or open links and attachments received from unknown sources/senders.\r\nImplement multi-factor authentication systems that can help protect systems from malicious attacks.\r\nOrganizations should ensure that they have an incident response plan in place to be able to contain and\r\ninvestigate any security incidents quickly and efficiently.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs"
	],
	"threat_actors": [
		{
			"id": "810378d0-0534-4aec-aef6-04a0ee6b77c3",
			"created_at": "2023-11-21T02:00:07.364265Z",
			"updated_at": "2026-04-10T02:00:03.467926Z",
			"deleted_at": null,
			"main_name": "NewsPenguin",
			"aliases": [],
			"source_name": "MISPGALAXY:NewsPenguin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b798f89c26036b82d635058853f83052fae32bc.pdf",
		"text": "https://archive.orkl.eu/1b798f89c26036b82d635058853f83052fae32bc.txt",
		"img": "https://archive.orkl.eu/1b798f89c26036b82d635058853f83052fae32bc.jpg"
	}
}