
888 (Cybercriminals) – Threat Actor

January 25, 2025
Reading Time: 4 mins read
in Threat Actors

888

Date of Initial Activity

2024

Location

Unknown

Suspected Attribution

Cybercriminals

Motivation

Data Theft
Espionage
Extortion

Associated Tools

Unknown

Software

Windows
Servers
Networks


Overview

In 2024, a new and formidable threat actor emerged on the cyber landscape: 888. Known for audacious, high-profile operations, 888 quickly gained notoriety for targeting a diverse range of industries and organizations. The group has made headlines with its data breach claims, including notable targets such as Microsoft, BMW (Hong Kong), and several other major players in the tech, freight, and oil & gas sectors. 888’s rise to prominence can be attributed to a deliberate, strategic approach to intrusions and data breaches. Its operations combine technical capability with an in-depth understanding of the target. The group has shown an alarming ability to penetrate secure environments, frequently exploiting unpatched vulnerabilities to extract sensitive data. The nature of the attacks and the breadth of the targets reflect an understanding of both the technology being breached and the security controls that must be bypassed.

Common Targets

  • Mining, Quarrying, and Oil and Gas Extraction
  • Manufacturing
  • Information
  • Hong Kong
  • United States

Attack vectors

  • Phishing
  • Software Vulnerabilities

How they work

Initial Access and Exploitation

The initial phase of 888’s operations involves gaining access to target networks through a combination of social engineering and the exploitation of vulnerabilities in public-facing systems. Social engineering tactics such as spear-phishing (T1566) are frequently employed to deceive individuals into revealing sensitive information or clicking on malicious links. The threat actor crafts phishing emails that appear legitimate, often masquerading as trusted entities. In parallel, the group exploits known vulnerabilities in web applications or other software (T1190), taking advantage of systems that have not been patched or hardened.

Lateral Movement and Persistence

Once inside the target network, 888 employs various techniques to maintain access and move laterally within the compromised environment. The group uses credential dumping tools (T1003) to extract usernames and passwords from compromised systems, allowing it to escalate privileges and gain deeper access. This is often followed by the use of Remote Desktop Protocol (RDP) and other remote management tools (T1021) to establish persistence and control over the network. The threat actor’s ability to move through the network undetected is enhanced by evasion techniques, including encrypted communications and the obfuscation of malicious activity.

Data Exfiltration and Impact

The final phase of 888’s attacks involves exfiltrating sensitive data and putting it to use. The group employs data compression and encryption (T1565) to package and transfer stolen information, making it difficult for security systems to detect and intercept. The threat actor often targets high-value data, such as personally identifiable information (PII) and financial records, which is then either sold on dark web forums or used for extortion. When 888’s activity is discovered, the group is known for its ability to pivot and adapt quickly, employing new techniques and tools to avoid detection and blunt the response.

Conclusion

The technical capability of threat actor 888 underscores the evolving complexity of cyber threats in 2024. Its methodical approach to gaining initial access, maintaining persistence, and exfiltrating data highlights the need for robust security measures and vigilance. Organizations must adopt comprehensive cybersecurity strategies, including regular vulnerability assessments, user education, and advanced threat detection, to defend against such adversaries and mitigate the risks posed by threat actors like 888.

MITRE Tactics and Techniques

Initial Access (TA0001):
  • Phishing (T1566): 888 uses phishing campaigns to gain initial access to victim networks. This involves tricking users into revealing credentials or downloading malware.
  • Exploit Public-Facing Applications (T1190): The actor may exploit vulnerabilities in public-facing applications to gain unauthorized access to systems.

Execution (TA0002):
  • Command and Scripting Interpreter (T1059): Utilizes command-line interfaces or scripting languages to execute malicious commands on compromised systems.
  • Exploitation for Client Execution (T1203): Executes malicious payloads on client systems by exploiting vulnerabilities in applications used by the victim.

Persistence (TA0003):
  • Registry Run Keys / Startup Folder (T1060): Maintains persistence by modifying registry keys or placing executable files in startup folders to ensure malware execution on reboot.
  • Create or Modify System Process (T1543): Establishes persistence by creating or modifying system processes to maintain access.

Privilege Escalation (TA0004):
  • Exploit Vulnerability (T1203): Exploits known vulnerabilities in the operating system or applications to gain higher privileges on the system.

Defense Evasion (TA0005):
  • Obfuscated Files or Information (T1027): Uses obfuscation techniques to hide malicious files or information from security tools.
  • Timestomping (T1070.006): Modifies timestamps on files to avoid detection and analysis.

Credential Access (TA0006):
  • Brute Force (T1110): Employs brute force attacks to guess passwords and gain unauthorized access to accounts.
  • Credential Dumping (T1003): Extracts credentials from compromised systems to facilitate further access.

Discovery (TA0007):
  • Network Service Scanning (T1046): Scans the network to identify active services and potential targets.
  • System Information Discovery (T1082): Collects detailed information about the compromised system to aid in further exploitation.

Lateral Movement (TA0008):
  • Remote Services (T1021): Moves laterally across the network by exploiting remote services and protocols.
  • Windows Admin Shares (T1077): Utilizes administrative shares to move between systems on the network.

Collection (TA0009):
  • Data Staged (T1074): Stages collected data for exfiltration, often compressing or encrypting it before transfer.

Exfiltration (TA0010):
  • Exfiltration Over Command and Control Channel (T1041): Exfiltrates data through channels used for command and control, bypassing traditional security measures.

Impact (TA0040):
  • Data Destruction (T1485): May destroy data to disrupt operations and further complicate recovery efforts.
  • Data Encrypted for Impact (T1486): Encrypts data to extort victims by demanding ransom for decryption.
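The chain the profile describes, password guessing (T1110) followed by an RDP logon (T1021) from the same source, is a natural correlation rule for a SOC. The following is an added example, not code from CyberMaterial or from any tooling attributed to 888: it runs that correlation over constructed Windows Security event records (4625 failed logon, 4624 successful logon with LogonType 10 for RDP) and flags a source that succeeds over RDP shortly after a burst of failures.

```python
# Added example (not from the CyberMaterial profile): correlate the brute-force
# (T1110) -> RDP lateral movement (T1021) chain over constructed Windows
# Security events. Field layout (timestamp, event_id, logon_type, user, ip) is
# an assumption standing in for a real SIEM record.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: five 4625 failures from 10.0.5.23, then a 4624
# LogonType 10 (RemoteInteractive/RDP) from the same source; alice is benign.
EVENTS = [
    ("2024-06-01T02:00:01", 4625, 3, "svc_backup", "10.0.5.23"),
    ("2024-06-01T02:00:02", 4625, 3, "svc_backup", "10.0.5.23"),
    ("2024-06-01T02:00:03", 4625, 3, "svc_backup", "10.0.5.23"),
    ("2024-06-01T02:00:04", 4625, 3, "svc_backup", "10.0.5.23"),
    ("2024-06-01T02:00:05", 4625, 3, "svc_backup", "10.0.5.23"),
    ("2024-06-01T02:00:40", 4624, 10, "svc_backup", "10.0.5.23"),
    ("2024-06-01T09:15:00", 4625, 2, "alice", "10.0.1.7"),
    ("2024-06-01T09:15:30", 4624, 2, "alice", "10.0.1.7"),
]


def find_bruteforce_then_rdp(events, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, user, first_failure, rdp_logon) for every RDP logon
    (4624, LogonType 10) preceded by >= threshold failed logons (4625) from the
    same source IP within `window`. Events may arrive unordered; they are sorted."""
    parsed = sorted((datetime.fromisoformat(t), eid, lt, u, ip)
                    for t, eid, lt, u, ip in events)
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    hits = []
    for ts, eid, ltype, user, ip in parsed:
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624 and ltype == 10:
            recent = [f for f in failures[ip] if ts - f <= window]
            if len(recent) >= threshold:
                hits.append((ip, user, recent[0].isoformat(), ts.isoformat()))
                failures[ip].clear()  # do not re-alert on the same burst
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_then_rdp(EVENTS):
        print("T1110 -> T1021 candidate:", hit)
```

Tune `threshold` and `window` to the environment's normal failure rate; the rule is deliberately narrow so that a single mistyped password (alice above) does not fire.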
Tags: 888, BMW, Hong Kong, manufacturing, Microsoft, Mining, Oil and Gas, Phishing, Quarrying, Threat Actors, United States, Vulnerabilities