Unfurling Hemlock: Threat group uses cluster bomb campaigns
Essential information
- Published
- 01/07/2024 10:54
- Modified
- 01/07/2024 11:17
- Tags
- 2024-07-01 amadey cluster bomb eastern european mass distribution mystic stealer redline risepro smokeloader stealers
- Related entities
- 55 observables, 1 intrusion sets (apt), 12 techniques (mitre), 5 malware
Description
A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a 'cluster bomb' technique where each sample contains multiple stages of nested executable files, each containing additional malware payloads. The distributed malware includes stealers like Redline, RisePro, and Mystic Stealer, as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.