A new threat actor tracked as TA886 is targeting organizations in the United States and Germany with new custom malware to track and steal data on infected systems.

The previously unknown activity was first discovered by Proofpoint in October 2022, with the security firm reporting that it continued into 2023.

The threat actor appears to be financially motivated, and performs an initial assessment of compromised systems to determine if the target is valuable enough for further intrusion.

The hacker targets victims with phishing emails that carry Microsoft Publisher (.pub) attachments containing malicious macros, URLs linking to .pub files with macros, or PDF files containing URLs that download malicious JavaScript files.
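A mail-triage check for the delivery vectors described above, written as an added example (not Proofpoint's or TA886-related code): it parses a constructed .eml, flags .pub attachments (and whether they are legacy OLE containers, the format that can hold macros), .pub links in the body, and PDF attachments that link to .js files. The sample message, sender and hostnames are all constructed.

```python
import email
import re
from email import policy

# Constructed sample message (not a real lure): a .pub attachment plus a body
# link ending in .pub, mirroring the delivery vectors described on this page.
SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review https://files.example.invalid/invoice.pub before Friday.
--b1
Content-Type: application/octet-stream; name="invoice.pub"
Content-Disposition: attachment; filename="invoice.pub"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
RISKY_EXT = (".pub", ".js")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (OLE2) header


def triage(raw: bytes) -> list[str]:
    """Return findings for .pub attachments, .pub/.js body links, PDF->.js links."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(".pub"):
            findings.append(f"pub-attachment:{name}")
            payload = part.get_payload(decode=True) or b""
            if payload.startswith(OLE_MAGIC):
                findings.append(f"ole-container:{name}")
        if ctype == "application/pdf" or name.endswith(".pdf"):
            payload = part.get_payload(decode=True) or b""
            for url in URL_RE.findall(payload.decode("latin-1")):
                if url.lower().endswith(".js"):
                    findings.append(f"pdf-js-link:{url}")
        if ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url.lower().endswith(RISKY_EXT):
                    findings.append(f"body-link:{url}")
    return findings
```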

The custom malware takes JPG screenshots of the victim's computer and sends them back to the hacker's server for inspection.

Combined with the presence of Russian-language variable names and comments in the AHK Bot loader's code, the clues point to TA886 likely being a Russian hacker.

TA886 attacks are still ongoing, and Proofpoint warns that the Active Directory profiling should be a cause for concern, since it could lead to all domain-joined hosts being compromised with information-stealing malware.

https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
