DeathStalker mercenaries are attacking cryptocurrency and exchange companies with VileRat

  • Date: 15-Aug-2022
  • Source: Zawya
  • Sector: Healthcare
  • Country: Kuwait

Kaspersky researchers have tracked attack campaigns by the DeathStalker hack-for-hire group since 2018. Recent analysis shows that the threat actor updated its evasive “VileRat” toolset to attack cryptocurrency and foreign currency exchange companies in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and Russia in 2022.

DeathStalker is an infamous hack-for-hire APT actor that Kaspersky has monitored since 2018 and that mainly targets law firms and organizations in the financial sector. The threat actor stands out because its attacks do not seem to be politically or financially motivated. Kaspersky researchers believe DeathStalker acts as a mercenary organization, offering specialized hacking or financial intelligence services.

In 2020, Kaspersky researchers published an overview of DeathStalker’s profile and malicious activities, including its Janicab, Evilnum, PowerSing and PowerPepper campaigns. The company’s experts discovered a new and highly evasive infection, based on the “VileRAT” Python implant, in mid-2020. They have been closely monitoring the actor’s activity since then and found that it aggressively targeted foreign currency (FOREX) and cryptocurrency trading companies all over the world in 2022.

VileRat is typically deployed after an intricate infection chain, which starts from spearphishing emails. This summer, the attackers also leveraged chatbots that are embedded in targeted companies’ public websites to send malicious documents. The