Cyber Threat Report: 'Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns'

Report Author IBM X-Force
Publication Date 2024-03-11
Original Reporting Source
Attributed to Nation Russia
Related Intrusion Sets Forest Blizzard, Fancy Bear, APT28, ITG05
Identified CVEs CVE-2023-23397
Victim Sectors Financial Services, Technology, National Government, Defense

This Security Intelligence blog post by researchers at IBM's X-Force describes activity by ITG05, a group whose tooling and infrastructure overlap with APT28/Forest Blizzard/Fancy Bear and whose activities align with Russian state objectives. As of March 2024, X-Force analysts have observed ITG05 actively conducting phishing campaigns across Europe, Asia, and the Americas. These campaigns impersonate various organizations to distribute malware. The group's tactics continue to evolve: it has introduced new backdoors, MASEPIE and OCEANMAP, along with a simplified PowerShell script named STEELHOOK. The post also includes recommended mitigations, including monitoring for specific URLs, blocking NTLMv2 authentication, and staying informed about new vulnerabilities and exploits.
