The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.
Author: AlienVault
Related Tags:
BurnsRAT
T1059.007
netsupport rat
T1547.001
rhadamanthys
T1059.001
Russian Federation
T1021.001
T1059.003
Associated Indicators: