Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected intelligence gathering mission.
Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former’s work-in-progress moniker WIP26.
“WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate,” researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News.
This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.
The initial intrusion vector used in the attacks entails “precision targeting” of employees via WhatsApp messages that contain Dropbox links to supposedly benign archive files.
The files, in reality, harbor a malware loader whose core feature is to deploy custom .NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2.
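The point of routing C2 through Microsoft 365 Mail, Firebase and Dropbox is that the traffic blends in with legitimate cloud use, so destination-based blocking is of little help. A more useful defensive angle is to baseline which processes are expected to talk to those services and flag everything else. The script below is an added example, not code from SentinelOne, QGroup or the report: the JSON-lines log format, the process baseline, and the host suffixes (public service endpoints I am assuming, not indicators taken from the report) are all assumptions, and the sample log lines are constructed.

```python
"""Flag endpoint processes that reach cloud services abused for C2.

Added example (not from the report). Assumed input: one JSON object per
line with the fields "process" and "dst_host", as an EDR or proxy might
export. Host suffixes and the expected-process baseline are assumptions.
"""
import json

# Host suffixes for the services the report names as abused. These are
# assumed public endpoints for each service, not indicators from SentinelOne.
CLOUD_SERVICE_SUFFIXES = {
    "m365-mail": ("graph.microsoft.com", "outlook.office365.com"),
    "firebase": ("firebaseio.com", "firebasedatabase.app"),
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "azure": ("blob.core.windows.net",),
}

# Processes expected to contact each service on a managed endpoint.
# Assumed baseline; tune it to the environment before relying on it.
EXPECTED_PROCESSES = {
    "m365-mail": {"outlook.exe", "msedge.exe", "chrome.exe", "teams.exe"},
    "firebase": {"msedge.exe", "chrome.exe", "firefox.exe"},
    "dropbox": {"dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"},
    "azure": {"msedge.exe", "chrome.exe", "onedrive.exe"},
}

# Constructed sample log: two expected connections, two from an unknown
# binary ("update.exe", a made-up name) to Firebase and Microsoft 365 Mail,
# and one to an unrelated host that the detector should ignore.
SAMPLE_LOG = """
{"process": "outlook.exe", "dst_host": "outlook.office365.com"}
{"process": "chrome.exe", "dst_host": "www.dropbox.com"}
{"process": "update.exe", "dst_host": "abc-default-rtdb.firebaseio.com"}
{"process": "update.exe", "dst_host": "graph.microsoft.com"}
{"process": "update.exe", "dst_host": "example.org"}
"""


def classify_host(host):
    """Map a destination host to a cloud service name, or None if unrelated."""
    host = host.lower().rstrip(".")
    for service, suffixes in CLOUD_SERVICE_SUFFIXES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return service
    return None


def find_suspicious(log_lines):
    """Return (process, service, host) for each connection to a C2-capable
    cloud service made by a process outside the expected baseline."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        host = event.get("dst_host", "")
        service = classify_host(host)
        if service is None:
            continue
        process = event.get("process", "").lower()
        if process not in EXPECTED_PROCESSES[service]:
            findings.append((process, service, host))
    return findings


if __name__ == "__main__":
    for process, service, host in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"unexpected {service} traffic: {process} -> {host}")
```

Against the constructed log this reports only the two `update.exe` connections; the browser and Outlook traffic to the same services stays quiet, which is the property that matters when the C2 channel is a service the whole company uses. Aggregating the findings by process and counting connections over time would further separate a periodically beaconing implant from a one-off download.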