{
	"id": "fbd12431-14f2-405b-86b8-2f8bf518519e",
	"created_at": "2026-05-01T03:09:14.860546Z",
	"updated_at": "2026-05-01T03:10:50.546225Z",
	"deleted_at": null,
	"sha1_hash": "84df6b30a57466410de82fe41c9ac6cc9b71d1b3",
	"title": "French-speaking gang OPERA1ER APT in Africa | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3243597,
	"plain_text": "French-speaking gang OPERA1ER APT in Africa | Group-IB Blog\r\nArchived: 2026-05-01 02:04:40 UTC\r\nIn 2019, the Group-IB Threat Intelligence team detected a series of targeted attacks on financial organizations in Africa. Later, in 2020, our professionals, in collaboration with Orange, managed to piece together the seemingly disparate attacks into a single timeline and successfully attribute them to the threat actor codenamed OPERA1ER (also known as DESKTOP-GROUP, Common Raven, NXSMS).\r\nOur latest threat research\r\nIn 2021, together with Orange CERT-CC, we had the idea of releasing a comprehensive report (now known as “OPERA1ER. Playing God without permission”) that would thoroughly describe this persistent threat and map out all the TTPs and methods this criminal syndicate leverages, which had remained unnoticed in victim networks for years.\r\nActive and dangerous throughout 2018 – 2022, the French-speaking gang managed to carry out over 30 successful attacks on banks, financial services and telecommunications companies, mainly located in Africa. During this period OPERA1ER is confirmed to have stolen at least $11 million.\r\nhttps://blog.group-ib.com/opera1er-apt\r\nPage 1 of 7\r\nSeasoned threat actors rarely lack street smarts, and OPERA1ER clearly noticed a growing interest in their activity and reacted by deleting their accounts and changing some TTPs to cover their tracks. When this happened, we risked losing sight of them. To avoid being outfoxed, the Group-IB team postponed publishing our findings until they revealed themselves again.\r\nYou can find the Blog in French here: L’APT OPERA1ER en Afrique\r\nThe moment has come\r\nWe are pleased to finally release this report, OPERA1ER: Playing God without permission, in tight cooperation with Orange CERT-CC. This report is truly unique: it covers several years of research and illustrates a perfect outcome of international collaboration along with the impactful contributions of numerous organizations and experts. We are incredibly grateful for their support; please find a complete list of contributors in the report.\r\nNew discoveries\r\nThreat actors are constantly developing new TTPs, and in August 2022, with the help of Przemyslaw Skowron, Group-IB identified new Cobalt Strike servers used by OPERA1ER.\r\nOur teams analyzed the newly detected infrastructure, revealing that the attacker had carried out 5 more attacks after we had finished the report, targeting:\r\nA bank in Burkina Faso in 2021\r\nA bank in Benin in 2021\r\n2 banks in Ivory Coast in 2022\r\nA bank in Senegal in 2022\r\nKeep in mind that the IOCs and hunting tips presented in the report were collected over several years and may no longer be relevant; however, in this article we provide some important updates. The report’s MITRE matrix is in a similar position, and we recommend that readers use the updated information for the 5 new attacks below.\r\nThis article shares the latest network indicators and extra hunting techniques. These extra findings are intended to fill in the gaps in the narrative about this APT so that the cybersecurity community can better track OPERA1ER’s activity, but please download the full report to get a holistic view.\r\nExtra findings: hunting new infrastructure\r\nFirst, Mr Skowron, an Organised Crime Lead, noticed that the attacker uses a specific Public Key on their Cobalt Strike servers:\r\n“PublicKey_MD5”: “52c66274994172447b21054744cc5b69”\r\nUsing that fingerprint, we were able to conduct additional investigations, as described below. Beginning with the PublicKey we identified the following servers:\r\nfiles[.]ddrive[.]online\r\n20[.]91[.]192[.]253\r\n188[.]126[.]90[.]14\r\nUsing the Group-IB Threat Intelligence Graph tool we can investigate these servers in depth:\r\nAccording to the Graph, all three servers are connected to infrastructure described in the OPERA1ER report. We identified the following fingerprints on the servers:\r\nUsage of BitRAT\r\nUsage of VPN infrastructure like FrootVPN\r\nUsage of DynDNS services\r\nThe only missing part here is a Cobalt Strike Listener on port 777, which we know exists because OPERA1ER has been observed deploying Cobalt Strike Beacon. Analyzing further, Group-IB was able to identify a new heuristic to hunt for OPERA1ER’s malicious infrastructure.\r\nWith the Graph we were also able to identify the following:\r\nbanqueislamik[.]ddrive[.]online\r\n178[.]73[.]192[.]17\r\n46[.]246[.]84[.]17\r\n46[.]246[.]84[.]21\r\nOne of these servers contains another PublicKey, shown below:\r\nWith that PublicKey, the following servers were identified:\r\n43[.]205[.]33[.]202\r\n46[.]246[.]84[.]74\r\n72[.]11[.]142[.]240\r\n178[.]73[.]192[.]17\r\nWhile analyzing the servers above, we found another heuristic to identify other ones:\r\nSSH fingerprint: “657a78dcd2c190f00b2f4ef745dd2cdd”\r\nTo learn more, don’t hesitate to sink your teeth into the full report, OPERA1ER: Playing God without permission, to get exhaustive information about OPERA1ER operations. To learn more about the Threat Intelligence Graph, reach out to one of our experts.\r\nIOCs\r\n43[.]205[.]33[.]202\r\n46[.]246[.]84[.]74\r\n72[.]11[.]142[.]240\r\n178[.]73[.]192[.]17\r\nbanqueislamik[.]ddrive[.]online\r\n46[.]246[.]84[.]17\r\n46[.]246[.]84[.]21\r\nfiles[.]ddrive[.]online\r\n20[.]91[.]192[.]253\r\n188[.]126[.]90[.]14\r\n2707299e9ec7fb2173f6afb2e23a4d74865cf5a3\r\n17e0b8fe9acfd1776a1566ce5ed6f051f7e0f91f\r\nac85af8395d1b97a8cbcbd16f995ce119e3c4955\r\nSource: https://blog.group-ib.com/opera1er-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/opera1er-apt"
	],
	"report_names": [
		"opera1er-apt"
	],
	"threat_actors": [],
	"ts_created_at": 1777604954,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84df6b30a57466410de82fe41c9ac6cc9b71d1b3.pdf",
		"text": "https://archive.orkl.eu/84df6b30a57466410de82fe41c9ac6cc9b71d1b3.txt",
		"img": "https://archive.orkl.eu/84df6b30a57466410de82fe41c9ac6cc9b71d1b3.jpg"
	}
}