{
	"id": "0cdb21db-3a79-454d-87e2-fccc6cf0eacf",
	"created_at": "2026-04-06T00:22:32.07262Z",
	"updated_at": "2026-04-10T13:12:59.643268Z",
	"deleted_at": null,
	"sha1_hash": "fe07b10d449408e8fe1db0951fc061d82dff3874",
	"title": "Sexually Explicit Material Used as Lures in Recent Cyber Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196247,
	"plain_text": "Sexually Explicit Material Used as Lures in Recent Cyber Attacks\r\nArchived: 2026-04-05 16:57:59 UTC\r\nSex sells. Cybercriminals know this and readily use it as\r\nlures, as we have seen in past spam runs that used fake YouTube links or promised photos of naked celebrities.\r\nThis month, actors of Operation Arid Viper and members of the Yanbian Gang jumped on the sexually explicit\r\ncontent bandwagon, using them in separate attacks that target respective victims in Israel and Kuwait, and South\r\nKorea.\r\nOperation Arid Viper attacked five Israeli-based organizations in the government, transport, infrastructure,\r\nmilitary, and academic industries, and one organization in Kuwait using spear-phishing emails that dropped a\r\npornographic video on a victim's computer.\r\n“It targeted professionals who might be receiving very inappropriate content at work and so would hesitate to\r\nreport the incident,” declares Trend Micro threat researchers in a recent report of the Arid Viper discovery.\r\n[Read: How Operation Arid Viper Used Sexually Explicit Content]\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812\r\nPage 1 of 3\n\nMeanwhile, fake versions of popular porn apps were among\r\nthe many lures that the Yanbian Gang used to infect millions of Android™ mobile banking customers in South\r\nKorea.\r\nMobile banking customers unknowingly downloaded malware apps, which mobile threat researcher Simon Huang\r\ndescribed to come \"in the guise of popular porn apps with lewd icons and names and eye-catching descriptions\r\nlike 'sexy women photos' and 'porn movies.' ”\r\n\"They hardly ever deliver on their promise though when run. 
All they do, in fact, is steal and upload victims’\r\nmobile banking credentials to C\u0026C servers,\" adds Huang.\r\nWhen mobile users in South Korea download the apps—either through links sent via SMS or from infected\r\nmobile downloads—their mobile phone numbers, account names and number, and login credentials are\r\nautomatically sent over to the Yanbian Gang members.\r\n[Read: Fake Porn Apps Used in South Korean Banking App Scam]\r\nBattling Malicious Clicks and Urges\r\nThreat actors rely on an element of shame from professionals who received the pornographic video, care of\r\nOperation Arid Viper, to keep them from reporting the incident to their IT departments. This gives attackers a\r\nlonger window to use the malware to get whatever information they can from the system. \"These victims’ failure\r\nto act on the threat could have then allowed the main malware to remain undiscovered. The attackers used a\r\ndistinct and likely successful strategy previously unseen when it came to avoiding incident response team\r\ninvestigations,\" researchers stressed in the paper.\r\nMost targeted attack strategies leave employees out of incident response solutions. However, given that the human\r\ncomponent is a typical weak spot in a system's defenses, doing so is an oversight that can lead to data loss or theft.\r\nWe have previously noted that organizations need to complement security efforts with a proactive security\r\nawareness program. This program should train the workforce to practice safe habits and how to react to actual\r\nsecurity incidents.\r\n[Read: How Employees Make or Break Enterprise Security]\r\nIn addition, everyone should be reminded that sexually explicit content is a mainstay in a cybercriminal's bag of\r\ntargeted attack tricks. 
It is not just organizations that are in danger of these schemes, as we have seen in the case of\r\nthe South Korean mobile banking app scheme.\r\nConsumers and enterprises alike should establish proactive measures against targeted attacks, which should also\r\naddress malware and flaws in mobile devices.\r\n[Read: Are You Guilty of Poor Mobile Security?]\r\n[Read: Proven Protection Against Targeted Attacks and Advanced Threats]\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812"
	],
	"report_names": [
		"sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4c5a35bf-f483-463e-aea0-89a795698cff",
			"created_at": "2023-01-06T13:46:39.198624Z",
			"updated_at": "2026-04-10T02:00:03.243996Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "MISPGALAXY:Yanbian Gang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f350ed9-134e-4160-b63d-701f562ba64a",
			"created_at": "2022-10-25T16:07:24.589322Z",
			"updated_at": "2026-04-10T02:00:05.045635Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "ETDA:Yanbian Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe07b10d449408e8fe1db0951fc061d82dff3874.pdf",
		"text": "https://archive.orkl.eu/fe07b10d449408e8fe1db0951fc061d82dff3874.txt",
		"img": "https://archive.orkl.eu/fe07b10d449408e8fe1db0951fc061d82dff3874.jpg"
	}
}