Proofpoint has uncovered a new cyber operation utilizing the SugarGh0st Remote Access Trojan (RAT), targeting AI research organizations across the United States. Linked to the UNK_SweetSpecter threat cluster, the operation focuses on entities ranging from businesses to universities and government agencies. Employing AI-themed bait emails, the attackers lure potential victims into opening zip archive attachments containing JavaScript droppers.
Once launched, these JavaScript droppers initiate the deployment of the SugarGh0st RAT, facilitating data exfiltration and keylogging. The attack methodology closely resembles previously reported tactics, including the use of fake documents, ActiveX tools, and base64-encrypted binary files. Analysis of the network infrastructure reveals a shift in UNK_SweetSpecter’s command-and-control communications to new domains, indicating ongoing adaptation by the threat actors.
While initial investigations suggested ties to Chinese-speaking threat actors, discrepancies in language proficiency cast doubt on this attribution. However, the targeting of AI experts suggests potential state-backed espionage efforts, aligning with US initiatives to counter Chinese advancements in generative AI technology. This campaign unfolds amidst heightened US government efforts to safeguard sensitive AI research from foreign exploitation, underscoring the strategic importance of protecting intellectual property in the AI domain.
