November 25, 2024 By Pierluigi Paganini

Russia-linked threat actors TAG-110 employed custom malware HATVIBE and CHERRYSPY to target organizations in Asia and Europe.
Insikt Group researchers uncovered an ongoing cyber-espionage campaign by Russia-linked threat actor TAG-110 that employed custom malware tools HATVIBE and CHERRYSPY.
The campaign primarily targeted government entities, human rights groups, and educational institutions in Central Asia, East Asia, and Europe.
The researchers pointed out that the campaign’s tactics, techniques, and procedures align with the historical operations of UAC-0063, which has been attributed to the Russian APT group APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).
The APT used the HATVIBE loader to deliver malware such as CHERRYSPY; for initial access, the threat actors often rely on malicious emails or exploited web vulnerabilities. HATVIBE uses obfuscation (e.g., XOR encryption) and persists via scheduled tasks that launch mshta.exe. The loader communicates with C2 servers via HTTP PUT requests, sharing system details.
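The two HATVIBE behaviours described above (scheduled-task persistence that launches mshta.exe, and HTTP PUT beacons to a C2 server) are the kind of thing a defender can hunt for in existing telemetry. The script below is an added example, not code from the article or from Insikt Group; the process-creation events and proxy log lines are constructed samples, and the thresholds (three PUTs with near-constant spacing) and the parent-process heuristic for Task Scheduler launches are assumptions to tune for your environment.

```python
"""Hunt for HATVIBE-style persistence and C2 traffic in process and proxy logs.

Added example: all log lines below are constructed samples, not real telemetry,
and the thresholds are starting points rather than vendor-tested values.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events (Sysmon Event ID 1 style), one per line,
# with the fields "user|parent_image|command_line".
PROCESS_EVENTS = """\
alice|C:\\Windows\\explorer.exe|"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 4 /TN "WinUpdate" /TR "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.hta"
alice|C:\\Windows\\explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docx"
SYSTEM|C:\\Windows\\System32\\svchost.exe|"C:\\Windows\\System32\\schtasks.exe" /Create /SC DAILY /TN "Backup" /TR "C:\\Program Files\\Backup\\backup.exe"
bob|C:\\Windows\\System32\\svchost.exe|mshta.exe C:\\Users\\bob\\AppData\\Local\\Temp\\update.hta
"""

# Constructed web-proxy log lines: "timestamp client method host path status bytes".
PROXY_LOG = """\
2024-11-20T09:00:01Z 10.0.0.12 GET  www.example.com /index.html 200 5120
2024-11-20T09:04:10Z 10.0.0.12 PUT  198.51.100.23 /upload 200 812
2024-11-20T09:08:11Z 10.0.0.12 PUT  198.51.100.23 /upload 200 790
2024-11-20T09:12:09Z 10.0.0.12 PUT  198.51.100.23 /upload 200 801
2024-11-20T09:15:33Z 10.0.0.44 PUT  files.example.com /api/v1/docs/42 201 1048576
"""

SCHTASKS_CREATE = re.compile(r'schtasks(\.exe)?"?\s+/create\b', re.IGNORECASE)
MSHTA = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)
# Assumption: on modern Windows, scheduled tasks are spawned by the Schedule
# service host (svchost.exe) or taskeng.exe, so mshta.exe with one of these
# parents is a candidate for a task that has already been planted.
TASK_SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}


def _parse_events(events: str) -> list[tuple[str, str, str]]:
    return [tuple(line.split("|", 2)) for line in events.splitlines() if line.strip()]


def find_mshta_scheduled_tasks(events: str) -> list[dict]:
    """Flag schtasks.exe /Create invocations whose task action runs mshta.exe."""
    hits = []
    for user, parent, cmd in _parse_events(events):
        if SCHTASKS_CREATE.search(cmd) and MSHTA.search(cmd):
            hits.append({"user": user, "parent": parent, "command_line": cmd})
    return hits


def find_mshta_from_task_scheduler(events: str) -> list[dict]:
    """Flag mshta.exe launched by the Task Scheduler host (a task firing)."""
    hits = []
    for user, parent, cmd in _parse_events(events):
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        if parent_name in TASK_SCHEDULER_PARENTS and MSHTA.search(cmd):
            hits.append({"user": user, "parent": parent, "command_line": cmd})
    return hits


def find_put_beacons(log: str, min_requests: int = 3, max_jitter_s: float = 60.0) -> list[dict]:
    """Group HTTP PUTs by (client, host) and flag regularly spaced, small uploads.

    A single large PUT (a real file upload) is ignored; several small PUTs to the
    same host at a near-constant interval look like a loader checking in.
    """
    groups: dict[tuple[str, str], list[tuple[datetime, int]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, _path, _status, size = line.split()
        if method != "PUT":
            continue
        groups[(client, host)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(size)))

    hits = []
    for (client, host), reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            hits.append({
                "client": client,
                "host": host,
                "requests": len(reqs),
                "mean_interval_s": sum(gaps) / len(gaps),
                "avg_bytes": sum(size for _, size in reqs) / len(reqs),
            })
    return hits


if __name__ == "__main__":
    for hit in find_mshta_scheduled_tasks(PROCESS_EVENTS):
        print("task creation with mshta:", hit)
    for hit in find_mshta_from_task_scheduler(PROCESS_EVENTS):
        print("mshta launched by scheduler:", hit)
    for hit in find_put_beacons(PROXY_LOG):
        print("possible PUT beacon:", hit)
```

Run against the constructed samples, the first rule catches alice's task creation, the second catches bob's mshta.exe spawned by svchost.exe, and the beacon check flags the three evenly spaced ~800-byte PUTs to 198.51.100.23 while leaving the one large upload to files.example.com alone. Real deployments should feed the same logic from Sysmon or EDR process telemetry and proxy logs rather than inline strings.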