{
	"id": "94f0ec17-aa98-4e22-82ac-46411b1b7323",
	"created_at": "2026-04-06T00:12:19.808268Z",
	"updated_at": "2026-04-10T03:32:50.088602Z",
	"deleted_at": null,
	"sha1_hash": "5d236c91281de5b97d3a329d72866ee5e85a9564",
	"title": "Energy Watering Hole Attack Used LightsOut Exploit Kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41857,
	"plain_text": "Energy Watering Hole Attack Used LightsOut Exploit Kit\r\nBy Dennis Fisher\r\nPublished: 2014-03-13 · Archived: 2026-04-02 11:37:42 UTC\r\nA recent watering-hole attack targeted firms in the energy sector and led victims to a separate site that used the\r\nLightsOut exploit kit to compromise their machines.\r\nA recent watering-hole attack targeted firms in the energy sector using a compromised site belonging to a law firm\r\nthat works with energy companies and led victims to a separate site that used the LightsOut exploit kit to\r\ncompromise their machines.\r\nThe attack, which was active during late February according to researchers at Zscaler, follows a familiar pattern\r\nseen in many other such attacks. It began with the compromise of a law firm’s site at 39essex[.]com and when\r\nusers hit the site, they were redirected to a third-party site, which hosted the exploit kit. When victims visited the\r\nsecond compromised site hosting the kit, it performed a number of diagnostic tests on the user’s browser to see\r\nwhat sort of exploits should be delivered.\r\nThe kit checks to see whether Java is running, whether the user is running Internet Explorer and what version of\r\nAdobe Reader is installed. Once that information is gathered, the LightsOut exploit kit goes to work, firing\r\nexploits against the user’s machine.\r\n“Ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file\r\nexploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that\r\nthe attack window has now closed for this particular watering hole.  However, other security sources tell us that\r\nthe site used in the attack is also a known HAVEX RAT CnC,” Chris Mannon of Zscaler wrote in an analysis of\r\nthe attack.\r\nThis most recent attack shares a lot of traits with one that ran last fall, and also targeted firms in the energy and oil\r\nsector. 
In that watering hole attack, the attackers were using Java, IE and Firefox exploits and the malware\r\ndelivered was used to record system configurations and data on the clipboard and from the keyboard.\r\nThe researchers at Zscaler said that the similarities between the two attacks are likely not a coincidence.\r\n“It would seem that the attackers responsible for this threat are back for more,” Mannon said.\r\nImage from Flickr photos of Joe Stump.\r\nSource: https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/"
	],
	"report_names": [
		"104772"
	],
	"threat_actors": [
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791970,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d236c91281de5b97d3a329d72866ee5e85a9564.pdf",
		"text": "https://archive.orkl.eu/5d236c91281de5b97d3a329d72866ee5e85a9564.txt",
		"img": "https://archive.orkl.eu/5d236c91281de5b97d3a329d72866ee5e85a9564.jpg"
	}
}