{
	"id": "f37048d4-c531-4674-84c5-91dd9160ca35",
	"created_at": "2026-04-06T00:19:54.937245Z",
	"updated_at": "2026-04-10T03:33:11.68626Z",
	"deleted_at": null,
	"sha1_hash": "68969bb27e293ca56e2f17e2ce59d4a8a3985f96",
	"title": "This stealthy cat-and-mouse hacking campaign aims to steal diplomatic secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64422,
	"plain_text": "This stealthy cat-and-mouse hacking campaign aims to steal diplomatic secrets\r\nBy Danny Palmer, Senior Writer, Nov. 7, 2017 at 6:00 a.m. PT\r\nArchived: 2026-04-05 12:39:20 UTC\r\nA previously unknown hacking and espionage operation is using malware to infiltrate governments in an attempt to steal sensitive data in a series of highly targeted attacks.\r\nDubbed Sowbug, the group behind the attacks is apparently focused on foreign policy institutions and diplomatic targets in South America and South East Asia, and is thought to have been active since at least early 2015.\r\nA low-profile, under-the-radar approach has helped the operation avoid detection: some of its campaigns remained undetected by governments for up to six months.\r\nGovernments in Brazil, Argentina, Peru, Ecuador, Malaysia, and Brunei have all fallen victim to the Sowbug campaign, which has been detailed by researchers at Symantec.\r\nThe group uses Felismus, a backdoor trojan, in all of its attacks. The malware was first identified in March and, among other things, allows attackers to conduct espionage and key-logging, analyse traffic, deploy further malware, and evade detection.\r\nThe group behind the attacks is described as well resourced and capable of infiltrating multiple targets simultaneously, via campaigns which operate outside the working hours of targeted organisations in order to keep a low profile.\r\nWhile it's unknown where in the world Sowbug is based, or who they ultimately are -- or work on behalf of -- it's possible it could be a state-backed operation.\r\n\"They bear some hallmarks of a group potentially backed by a nation-state -- the malware used in those attacks appears to be sophisticated. The group is likely to be well resourced, which has enabled it to remain under the radar and steal information from these foreign policy and diplomatic targets since early 2015,\" Alan Neville, threat researcher at Symantec, told ZDNet.\r\nAnalysis of compromised victims has shed light on Sowbug's activities, as well as clues to the group's potential motivations -- which appear to centre on the theft of specific information.\r\nOne attack against a South American foreign ministry, dated to May 2015, appeared to focus specifically on the division responsible for relations with the Asia-Pacific region. The attackers extracted every Word document stored on the target's file server that had been modified after May 11.\r\nThe attackers later returned to extract all documents modified from May 7, 2015. Additional attacks continued -- with more and more documents being removed and two unknown payloads deployed to the infected server -- for another four months, before those behind the campaign wiped their presence from the server in September 2015.\r\nOne method the attackers use to maintain a long-term presence on infected networks is to disguise malicious files as commonly used software such as Windows or Adobe Reader. The malicious tools are given file names similar to those used by legitimate software and are hidden in directory trees, allowing them to remain present without arousing suspicion.\r\nThe stealthy nature of the Sowbug operation and its Felismus distribution campaign means it still isn't known how the attackers initially infiltrate a target's network.\r\nIn some cases, there's no trace of how Felismus made its way onto compromised computers, pointing to the possibility that it was deployed from an already-compromised system on the network. In other instances, there's some evidence that Felismus is installed using a malware loader called Starloader, but it's unknown how Starloader itself gets onto a computer.\r\nOne theory is that Starloader is deployed as fake software updates, as researchers found Starloader files named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE, among others.\r\nSowbug also serves as a reminder that no matter where a target is in the world, it could become the victim of cyber attacks and espionage.\r\n\"While we're not at the stage where no region is untouched by cyber espionage, it was previously unusual to see countries in South America targeted by groups such as Sowbug,\" said Neville.\r\nFelismus acquired its name upon its initial discovery in March because of a reference to Tom \u0026 Jerry in its only human-readable encryption key: Felis is Latin for 'cat' and Mus is Latin for 'mouse'.\r\nSource: https://www.zdnet.com/article/this-stealthy-cat-and-mouse-hacking-campaign-aims-to-steal-diplomatic-secrets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/this-stealthy-cat-and-mouse-hacking-campaign-aims-to-steal-diplomatic-secrets/"
	],
	"report_names": [
		"this-stealthy-cat-and-mouse-hacking-campaign-aims-to-steal-diplomatic-secrets"
	],
	"threat_actors": [
		{
			"id": "5cd42f56-d307-4d28-ad4f-4ff6b7d850be",
			"created_at": "2022-10-25T15:50:23.714424Z",
			"updated_at": "2026-04-10T02:00:05.372061Z",
			"deleted_at": null,
			"main_name": "Sowbug",
			"aliases": [
				"Sowbug"
			],
			"source_name": "MITRE:Sowbug",
			"tools": [
				"Starloader",
				"Felismus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5eae92e-f9b5-44a2-b47b-b7087a4de831",
			"created_at": "2022-10-25T16:07:24.215895Z",
			"updated_at": "2026-04-10T02:00:04.901014Z",
			"deleted_at": null,
			"main_name": "Sowbug",
			"aliases": [
				"G0054"
			],
			"source_name": "ETDA:Sowbug",
			"tools": [
				"Felismus",
				"StarLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75a05738-8fc5-41d0-add3-354b12ecbb8a",
			"created_at": "2023-01-06T13:46:38.726914Z",
			"updated_at": "2026-04-10T02:00:03.080547Z",
			"deleted_at": null,
			"main_name": "Sowbug",
			"aliases": [
				"G0054"
			],
			"source_name": "MISPGALAXY:Sowbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791991,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68969bb27e293ca56e2f17e2ce59d4a8a3985f96.pdf",
		"text": "https://archive.orkl.eu/68969bb27e293ca56e2f17e2ce59d4a8a3985f96.txt",
		"img": "https://archive.orkl.eu/68969bb27e293ca56e2f17e2ce59d4a8a3985f96.jpg"
	}
}