Type: Cyber espionage/ Cyber criminal

Status: Active

Active Since/Discovered: 2014/2015

Last Report: June 2016

Targets: US, India, Saudi Arabia

Target Sectors: Healthcare, government, IT

Malware:

• At least 45 hacking tools and custom malware
• Backdoor.Nidiran
• Backdoor.Nidiran!g1
• Hacktool
  • Password theft, reconnaissance and lateral movement

Preferred Attack Vector:  Spear phishing, Watering hole attacks and exploits

TTP:

• CVE-2014-6332
• Custom malware signed with authentic code-signing certificates
• Credential theft

Unique:

• Known for stealing code-signing certificates
• Uses many of the same malware delivery techniques as the PlugX and Korplug campaigns
• May be associated with Blackfly