According to a report by the security company Anheng, the APT group known as Confucius (APT59) has been targeting government and military organizations in South and East Asia. Anheng recently identified a new Confucius campaign that uses LNK (Windows shortcut) files to deliver the River Stealer infostealer.
The attack starts with a ZIP archive disguised as a PDF. Inside the archive is an LNK file which, when opened, runs a VBS script. The script checks whether Avast Antivirus is installed on the host and, depending on the result, chooses how to stage the next malicious component. It then registers a hidden scheduled task that launches a loader DLL every 5 minutes. Once running, the loader retrieves further malicious components, and the chain ends with River Stealer exfiltrating files from the targeted computer.
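The persistence step described above (a hidden scheduled task with a five-minute repetition that hands control to a DLL) is something an analyst can hunt for in the task definitions Windows stores as XML under `C:\Windows\System32\Tasks`. The following is an added example, not code from Anheng's report or from the malware: it parses a task definition using the real Task Scheduler XML schema (`Settings/Hidden`, `Repetition/Interval`, `Actions/Exec`) and flags the combination of all three indicators. The sample task XML is constructed for the example, and the assumption that the DLL is launched through `rundll32.exe` or `regsvr32.exe` is mine; the report does not state how the loader is invoked.

```python
"""Flag Task Scheduler XML definitions matching a hidden, short-interval
task that launches a DLL. Example code, not from the cited report."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Repetition intervals are ISO 8601 durations such as PT5M, PT1H30M or P1DT2H.
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration (days/hours/minutes/seconds) to seconds."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def task_indicators(xml_text, max_interval_s=600):
    """Return the list of suspicious traits found in one task definition."""
    root = ET.fromstring(xml_text)
    hits = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        hits.append("hidden")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        if iso_duration_seconds(iv.text or "") <= max_interval_s:
            hits.append(f"repeats every {iv.text.strip()}")
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) + " "
               + exe.findtext("t:Arguments", default="", namespaces=NS)).lower()
        # Assumption: loader DLL invoked via rundll32/regsvr32 or named directly.
        if ".dll" in cmd or "rundll32" in cmd or "regsvr32" in cmd:
            hits.append(f"dll launch: {cmd.strip()}")
    return hits


def is_suspicious(xml_text):
    """True only when hidden + short repetition + DLL launch all co-occur."""
    hits = task_indicators(xml_text)
    flagged = ("hidden" in hits
               and any(h.startswith("repeats") for h in hits)
               and any(h.startswith("dll launch") for h in hits))
    return flagged, hits


# Constructed sample: the pattern described in the article (not a real IOC).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions>
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\Public\loader.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: visible, hourly, runs an EXE.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(name, is_suspicious(xml))
```

On a live host the same function can be applied to every file under `C:\Windows\System32\Tasks` (they are UTF-16 XML, so read them with that encoding before parsing). Requiring all three indicators together keeps noise down: plenty of legitimate tasks are hidden or run every few minutes, but few do both while handing execution to a DLL in a user-writable directory.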
The hackers employed various techniques to lure their victims, including using documents related to different topics concerning Pakistan, such as politics, religion, energy, and telecommunications. The bait included files discussing Pakistan’s policy until 2025, renewable energy in Pakistan, and notifications from the regulatory authority responsible for power supply in Pakistan, the National Electric Power Regulatory Authority.
Analysis shows that the attackers are able to evade antivirus protection, deploy malicious components in stages, and cover their tracks throughout a multi-stage intrusion aimed at data theft. The campaign underlines the need for organizations in the region to strengthen their cybersecurity posture.
In their report, the researchers provide recommendations to improve cyber protection, which include regular backups, avoiding opening unknown applications and email attachments, only visiting reliable websites, using high-quality cybersecurity products, and regularly monitoring system logs for any suspicious activity.
Earlier, the Antiy AVL Threat Intelligence Team documented the activities of the Confucius (APT59) group, which has been carrying out cyber attacks since 2013. Its primary targets are government institutions, military establishments, and nuclear facilities in Pakistan and other South Asian countries. Confucius has also used the Sunbird and Hornbill malware families to steal data from Android devices.