Weekly Summary Cyberattacks 12-18 Dec
Earth Koshchei APT group deploys sophisticated large-scale RDP attacks
The Earth Koshchei cyberthreat group, linked to Russian intelligence (SVR), launched a massive cyberattack campaign in October that abused the Remote Desktop Protocol (RDP), combining red team tools with anonymization techniques. The operation peaked on October 22 with spear-phishing emails targeting governments, armed forces and strategic sectors, especially in Ukraine and Europe. These emails carried malicious RDP configuration files that connected the victim to servers controlled by the attackers, allowing data exfiltration and remote manipulation of systems without installing any malware. The attackers employed 193 proxy servers and 34 RDP backends hidden behind layers of anonymization such as commercial VPNs and the Tor network, making attribution and detection difficult.
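As an added defensive example that is not part of the original summary, the Python script below parses an .rdp attachment and flags the settings that let a rogue RDP server reach a victim's local drives, clipboard and devices; the sample file, its host name and the trusted-domain allowlist are constructed placeholders.

```python
import re

# Constructed sample .rdp attachment modelled on the rogue-RDP technique described
# above; the host name is a placeholder, not an indicator from the report.
SAMPLE_RDP = """\
full address:s:placeholder-rogue-host.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
authentication level:i:0
"""

# Assumed allowlist of domains an organisation legitimately reaches over RDP.
TRUSTED_SUFFIXES = ("corp.example.com",)


def parse_rdp(text: str) -> dict:
    """Parse the 'key:type:value' lines of an .rdp file into a dict (keys lowercased)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def assess_rdp(text: str, trusted=TRUSTED_SUFFIXES) -> list:
    """Return a list of findings describing risky settings in an .rdp file."""
    s = parse_rdp(text)
    findings = []
    # Strip a trailing ':port' so the host can be compared against the allowlist.
    host = re.sub(r":\d+$", "", s.get("full address", "")).lower()
    if host and not host.endswith(tuple(trusted)):
        findings.append(f"connects to untrusted host {host}")
    if s.get("drivestoredirect", ""):
        findings.append("local drives are mapped into the remote session "
                        f"(drivestoredirect={s['drivestoredirect']})")
    for key, label in (("redirectclipboard", "clipboard"),
                       ("redirectprinters", "printers"),
                       ("redirectsmartcards", "smart cards")):
        if s.get(key) == "1":
            findings.append(f"{label} shared with the remote host ({key}=1)")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode hides the remote desktop behind an app window")
    if s.get("authentication level") == "0":
        findings.append("server authentication disabled (authentication level=0)")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("-", finding)
```

A mail gateway or EDR rule that quarantines attachments producing any finding, or that blocks outbound 3389 to non-allowlisted hosts, covers the delivery path described in the report.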
Malvertising campaign with fake ads and CAPTCHAs affects thousands of users daily
Cybersecurity researchers have uncovered a sophisticated malvertising campaign, dubbed DeceptionAds, that uses ad networks to distribute malware and steal information. Relying on a single ad network, the operation generates more than one million impressions per day via 3,000 websites that redirect users to fake CAPTCHA verification pages. There, users are urged to run commands that install infostealers such as Lumma, exposing them to account takeover and financial theft. The campaign is associated with the Monetag platform, which the attackers used to direct traffic to a distribution system that hides its malicious intent behind services such as BeMob, making content moderation difficult. Although more than 200 fraudulent accounts were removed after the campaign was reported, a reactivation of the scheme has been detected since December 5, 2024.
“NodeLoader” malware discovered using Node.js to steal information and mine cryptocurrencies
Cybersecurity researchers have detected a malware campaign called NodeLoader, which uses Node.js-based applications to distribute malware such as cryptocurrency miners and infostealers. The attack spreads mainly through community platforms such as YouTube and Discord, where cybercriminals share links to fraudulent websites that claim to offer video game cheats. Once downloaded, NodeLoader, compiled with the Node.js pkg module, executes PowerShell scripts that download and launch secondary malicious payloads, such as the XMRig cryptocurrency miner and credential-stealing tools like Lumma Stealer and Phemedrone.
International vishing network that defrauded over 3 million euros dismantled
A joint operation between the Spanish National Police and the Peruvian National Police has dismantled a criminal organization that defrauded over 3 million euros through vishing schemes. The network, operating from three call centers in Peru and with members active in Spain, deceived more than 10,000 victims by impersonating bank employees. The operation, carried out simultaneously in both countries, resulted in 83 arrests, including the leader of the organization. During 29 raids, authorities seized technological devices, documentation, and cash. The group used social engineering techniques and spoofing tools to convince victims to provide access codes, which were then used to withdraw money from ATMs in Spain. The investigation, launched in August 2022, uncovered a hierarchical structure involving family members and close associates, who even celebrated new employees’ successful scams.
Europol dismantles 27 DDoS cyber-attack platforms in international operation
In an international operation called PowerOFF, Europol and law enforcement agencies from 15 countries have dismantled 27 distributed denial of service (DDoS) attack platforms, known as booter and stresser services. These services sold cyber-attacks to customers, using networks of compromised devices, and have been taken offline. Three administrators of these platforms were arrested in France and Germany, while more than 300 users have been identified for further legal action. In the Netherlands, four suspects have been prosecuted for their involvement in hundreds of such attacks. The motivations behind the attacks include economic sabotage, financial gain and even ideological reasons linked to collectives such as KillNet or Anonymous Sudan.