The threat actor known as Space Pirates has emerged as a major cybersecurity concern, having orchestrated attacks against 16 organizations in Russia and Serbia over the past year. Positive Technologies, in a recent deep dive report, highlighted the group’s utilization of novel tactics and its expansion of cyber weapons in its arsenal.
Although espionage and theft of confidential information remain the primary objectives, the group has broadened its interests and the scope of its attacks, targeting government agencies, educational institutions, private security firms, aerospace manufacturers, agricultural producers, defense, energy, and healthcare companies in the two countries.
Space Pirates first came to public attention in May 2022 when the Russian cybersecurity company exposed their attacks on the aerospace sector within the nation. The group, believed to be active since late 2019, has links to another adversary named Webworm, as tracked by Symantec.
In their analysis of the attack infrastructure, Positive Technologies discovered the threat actor’s interest in harvesting PST email archives and using a malware artifact called Deed RAT, which is exclusive to this adversarial collective. Deed RAT, an evolution of the widely used Chinese cyber espionage tools ShadowPad and PlugX, operates in both 32- and 64-bit versions and can dynamically retrieve additional plug-ins from a remote server.
Among the next-stage payloads served by Deed RAT is a previously undocumented malware named Voidoor. This malware is designed to communicate with the legitimate forum called Voidtools and a GitHub repository associated with a user named “hasdhuahd” for command-and-control purposes. Voidoor’s primary objective is to gain access to users’ personal messaging systems on the forum, searching for a specific victim ID.
Positive Technologies’ investigation found that the accounts on GitHub and voidtools were registered around November 2022. The cybersecurity firm also observed the threat actors working on new malware, such as Voidoor, that implements unconventional techniques and modifying their existing malware. The hackers employ a significant number of publicly available tools to navigate networks and leverage the Acunetix web vulnerability scanner to reconnoiter infrastructures they target.
