{ "id": "fe354f6c-cb64-49b9-93c6-839e43d62bb7", "created_at": "2026-04-06T00:19:26.92171Z", "updated_at": "2026-04-10T03:38:20.834747Z", "deleted_at": null, "sha1_hash": "b81c82dbd924ad5b6367e9113a41b4b2429e566c", "title": "RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 55922, "plain_text": "RSAC 2019: New Operation Sharpshooter Data Reveals Higher\r\nComplexity, Scope\r\nBy Lindsey O'Donnell\r\nPublished: 2019-03-04 · Archived: 2026-04-05 14:40:41 UTC\r\nNew look at server data behind a previously-identified espionage campaign shows that it has exceeded\r\nresearchers’ expectations in complexity, scope and breadth.\r\nSAN FRANCISCO – An insidious reconnaissance campaign discovered in 2018, dubbed Operation Sharpshooter,\r\nis much more widespread than previously thought, researchers said.\r\nOperation Sharpshooter was first disclosed in December 2018, using a never-before-seen implant framework to\r\ninfiltrate global defense and critical infrastructure players — including nuclear, defense, energy and financial\r\ncompanies.\r\nOperation Sharpshooter’s campaign initially appeared to begin Oct. 25 – but in a new research report released at\r\nthe RSA Conference 2019 this week in San Francisco, researchers with McAfee said that the campaign “is more\r\nextensive in complexity, scope and duration of operations.”\r\n“The analysis led to identification of multiple previously unknown command-and-control centers, and suggest that\r\nSharpshooter began as early as September 2017, targeted a broader set of organizations, in more industries and\r\ncountries and is currently ongoing,” researchers said on Sunday.\r\nOperation Sharpshooter\r\nThe espionage campaign began when a splay of malicious documents were sent to targets via Dropbox. The initial\r\nattack vector is a document that contains a weaponized macro. Once downloaded, it places embedded shellcode\r\ninto the memory of Microsoft Word, which acts as a simple downloader for a second-stage implant.\r\nThis next stage runs in memory and gathers intelligence. That second-stage implant is a fully modular backdoor\r\ncalled “Rising Sun” that performs reconnaissance on the victim’s network, according to the research.\r\nNotably, Rising Sun uses source code from the Duuzer backdoor, a malware first used in a 2015 campaign\r\ntargeting the data of South Korean organizations, mainly in manufacturing. Duuzer, which is designed to work\r\nwith 32-bit and 64-bit Windows versions, opens a back door through which bad actors can gather system\r\ninformation. In this situation, the Rising Sun implant gathers and encrypts data from the victim, and fetches the\r\nvictim devices’ computer name, IP address data, native system information and more.\r\nWidespread Campaign\r\nhttps://threatpost.com/sharpshooter-complexity-scope/142359/\r\nPage 1 of 2\n\nIn December, researchers detected the campaign’s implant in 87 organizations worldwide, predominantly in the\r\nU.S. (about 50 percent of attacks) and in other English-speaking companies.\r\nHowever, newly discovered command-and-control server data and code used by the espionage campaign suggests\r\nthat Sharpshooter began as early as September 2017, targeting a broader set of organizations, and in more\r\nindustries and countries. That campaign is currently ongoing, researchers said.\r\nThe most recent attacks appear to primarily target financial services, government and critical infrastructure, with\r\nthe largest number taking aim at Germany, Turkey, the United Kingdom and the United States.\r\nThe analysis also exposed striking similarities between the technical indicators, techniques and procedures\r\nexhibited in the 2018 Sharpshooter attacks, and features of multiple other groups of attacks attributed to the\r\nLazarus Group.\r\nFor instance, Rising Sun is similar to the Lazarus Group’s Duuzer implant, and source code from the Lazarus\r\nGroup’s infamous 2016 backdoor trojan Duuzer.\r\n“Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the\r\npieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist. “Access to the\r\nadversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner\r\nworkings of cyberattack infrastructure, are typically seized by law enforcement, and are only rarely made\r\navailable to private sector researchers.”\r\nFor all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here. \r\nSource: https://threatpost.com/sharpshooter-complexity-scope/142359/\r\nhttps://threatpost.com/sharpshooter-complexity-scope/142359/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://threatpost.com/sharpshooter-complexity-scope/142359/" ], "report_names": [ "142359" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "a13b5ca4-fb52-44a9-aa5a-595eca6789ed", "created_at": "2022-10-25T15:50:23.4331Z", "updated_at": "2026-04-10T02:00:05.381716Z", "deleted_at": null, "main_name": "Sharpshooter", "aliases": [ "Sharpshooter" ], "source_name": "MITRE:Sharpshooter", "tools": [ "Rising Sun" ], "source_id": "MITRE", "reports": null }, { "id": "874ada20-4ca8-4997-9f2e-e3933742d09c", "created_at": "2023-01-06T13:46:38.857642Z", "updated_at": "2026-04-10T02:00:03.124075Z", "deleted_at": null, "main_name": "Operation Sharpshooter", "aliases": [], "source_name": "MISPGALAXY:Operation Sharpshooter", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434766, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b81c82dbd924ad5b6367e9113a41b4b2429e566c.pdf", "text": "https://archive.orkl.eu/b81c82dbd924ad5b6367e9113a41b4b2429e566c.txt", "img": "https://archive.orkl.eu/b81c82dbd924ad5b6367e9113a41b4b2429e566c.jpg" } }