Threat Actors Distributing Screenshotter Malware from OneDrive - #TA866
Cybersecurity researchers have observed various threat actors distributing malware through cloud services and phishing emails over the past year.

In early 2024, TA866 resumed activity after a nine-month pause and launched a campaign targeting North America, sending thousands of emails with PDF attachments that lead to the installation of the Screenshotter malware.

Around the same time, Coldriver, linked to Russian intelligence, expanded beyond credential phishing and began using PDFs to deliver SPICA, a custom backdoor written in Rust, in order to infiltrate the networks of NGOs and government officials. The threat level of these campaigns is high because of the strategic nature of the targets. Google's Threat Analysis Group has tracked SPICA since September 2023 and disrupted the campaign, while other firms monitor TA866's connections to Asylum Ambuscade and its tactics involving multiple malware types.