{
	"id": "77ef6479-6266-4d15-837b-59bba61936f6",
	"created_at": "2026-04-06T00:11:34.557653Z",
	"updated_at": "2026-04-10T03:32:49.951258Z",
	"deleted_at": null,
	"sha1_hash": "cd9c8193fa2b2eb27dda5d3ddaa08ee35431ec96",
	"title": "LightsOut EK Targets Energy Sector | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 219995,
	"plain_text": "LightsOut EK Targets Energy Sector | Zscaler\r\nBy Chris Mannon\r\nPublished: 2014-03-12 · Archived: 2026-04-05 20:05:34 UTC\r\nLate last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and intelligence-gathering malware. It would seem that the attackers responsible for this threat are back for more.\r\nThis particular APT struck in late February, between 2/24 and 2/26. The attack began as a compromise of a third-party law firm which includes an energy law practice, known as Thirty Nine Essex Street LLP (www[.]39essex[.]com). The victim site is no longer compromised, but viewers should show restraint and better browsing practices when visiting.\r\n39essex.com shown as a referral URL to suspicious site.\r\nThe compromise leads the victim to another site which provides the attacker with a specific user-agent in the URL field. The purpose of this is to pass along diagnostics to the attacker so that the proper malicious package is sent to the victim. This should be taken as a point of identification in administrator logs, as it may indicate an attack on your network.\r\nhttps://www.zscaler.com/blogs/research/lightsout-ek-targets-energy-sector\r\nPage 1 of 5\r\nAt the time of research, the Java Class file was returning 404.\r\nThere are several other locations which show similar activity that are also related to this threat. Malicious redirects coming from IP address 174[.]129[.]210[.]212 should also be taken as suspicious, as should some sites hosted on this domain (aptguide[.]3dtour[.]com).\r\nThe URLquery and VirusTotal entries for this IP corroborate the notion that this location played a part in using the LightsOut Exploit Kit.\r\nLightsOut performs several diagnostic checks on the victim's machine to make sure that it can be exploited. This includes checking the browser and plugin versions.\r\nThe deobfuscated JavaScript sheds some light on the iframe injection.\r\nMore JS deobfuscation.\r\nChecking to see what version of Adobe is installed.\r\nChecking to see if you are IE7.\r\nChecking to see if Java is enabled in the browser.\r\nUltimately, a payload is delivered from the LightsOut Exploit Kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole. However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC.\r\nThe recent activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry. Prior research from other sources tells us that the threat actors involved are highly motivated and agile. Their motive is to gather intelligence for further attacks, so be on your guard and monitor transaction logs for suspicious activity!\r\nSource: https://www.zscaler.com/blogs/research/lightsout-ek-targets-energy-sector",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/lightsout-ek-targets-energy-sector"
	],
	"report_names": [
		"lightsout-ek-targets-energy-sector"
	],
	"threat_actors": [
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434294,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd9c8193fa2b2eb27dda5d3ddaa08ee35431ec96.pdf",
		"text": "https://archive.orkl.eu/cd9c8193fa2b2eb27dda5d3ddaa08ee35431ec96.txt",
		"img": "https://archive.orkl.eu/cd9c8193fa2b2eb27dda5d3ddaa08ee35431ec96.jpg"
	}
}