Cybercriminals abuse open-source tools to target Africa’s financial sector

Intel Name: Cybercriminals abuse open-source tools to target Africa’s financial sector

Date of Scan: June 25, 2025

Impact: High

Summary:
Since at least July 2023, a threat group tracked as CL-CRI-1014 has been targeting financial institutions across Africa. The attackers use open-source tools such as PoshC2, Chisel, and Classroom Spy to establish remote access and create communication tunnels. They forge file signatures, mimicking legitimate software to evade detection. The group is believed to be acting as an initial access broker, gaining entry to networks and selling that access on dark web markets. Their tactics highlight the growing abuse of legitimate open-source tools for malicious purposes.
