Hidden in plain sight: TA397's new attack chain delivers espionage RATs

Intel Name: Hidden in plain sight: TA397's new attack chain delivers espionage RATs

Date of Scan: December 18, 2024

Impact: High

Summary:
On November 18, 2024, TA397 (also known as Bitter) targeted a defense sector organization in Turkey with a spearphishing email. The email included a RAR archive containing a decoy PDF (~tmp.pdf), a malicious LNK file disguised as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream (ADS) file with embedded PowerShell code. The subject line, “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR,” mirrored the LNK file name, a tactic frequently used by TA397 to target organizations linked to public investments. This highlights the tailored nature of their campaigns.
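The two file-level artefacts in the chain above (a shortcut carrying a decoy document extension, and a file that carries an alternate data stream) can be triaged on a Windows host once the archive contents are extracted with a tool that preserves ADS. The following is an added example written for this summary, not code from the report or from TA397's tooling; the extraction directory and the list of decoy extensions are assumptions.

```powershell
# Added example (not from the original report): triage an extracted archive
# directory for the two artefacts described in the summary above:
#  1. a .lnk whose name carries a second, document-looking extension
#     (the pattern behind "PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk");
#  2. any file carrying a non-default alternate data stream.
# The directory and the decoy-extension list are assumptions, not from the page.

param(
    [string]$Path = "$env:TEMP\extracted"   # assumed extraction directory
)

$findings = @()

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_

    # 1. Shortcut disguised as a document: ".lnk" preceded by another extension.
    if ($file.Name -match '\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$') {
        $findings += [pscustomobject]@{
            File   = $file.FullName
            Reason = 'LNK with decoy document extension'
            Detail = $file.Name
        }
    }

    # 2. Alternate data streams beyond the default unnamed $DATA stream.
    #    Zone.Identifier (Mark-of-the-Web) is normal for downloaded files, so it
    #    is reported separately rather than treated as suspicious on its own.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $reason = if ($_.Stream -eq 'Zone.Identifier') {
                'Mark-of-the-Web stream (expected for downloads)'
            } else {
                'Non-default alternate data stream'
            }
            $findings += [pscustomobject]@{
                File   = $file.FullName
                Reason = $reason
                Detail = '{0} ({1} bytes)' -f $_.Stream, $_.Length
            }
        }
}

$findings | Format-Table -AutoSize
```

To inspect a flagged stream without executing anything, read it with `Get-Content -LiteralPath <file> -Stream <name> -Raw` and review the text by hand.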
