A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research.
“Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan,” Lumen’s Black Lotus Labs said in a Tuesday analysis. “The potentially compromised victims aligned with the government and power utility verticals.”
Some of the victims include a foreign government organization, a power transmission organization, and a power generation and transmission organization. The covert operation is said to have begun at least in January 2021.
The intrusions are notable for a number of reasons. Beyond their highly targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and on compromised domains located in the same country as the targeted entity to host the malicious files, so the download traffic blends in with legitimate local activity.
At the same time, the group has been careful to hide their activity by modifying the registry keys, granting them the ability to maintain…