Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

APT

Operation Earth Kitsune: hackers target the Korean diaspora

Experts uncovered a new watering hole attack, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers. Researchers at Trend Micro have disclosed details about a new watering hole campaign, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers such as Google Chrome and Internet Explorer […]

Operation Earth Kitsune

Experts uncovered a new watering hole attack, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers.

Researchers at Trend Micro have disclosed details about a new watering hole campaign, dubbed Operation Earth Kitsune, targeting the Korean diaspora that exploits flaws in web browsers such as Google Chrome and Internet Explorer to deploy backdoors.

Threat actors behind the Operation Earth Kitsune used SLUB (for SLack and githUB) malware and two new backdoors tracked as dneSpy and agfSpy to exfiltrate data from the infected systems and for taking over them.

The attacks were spotted by the researchers during the months of March, May, and September.

Attackers have deployed the spyware on websites associated with North Korea, but experts pointed out that access to these sites is blocked for visitors from South Korean IP addresses.

“The threat, which we dubbed as such due to its abuse of Slack and GitHub in previous versions, has not abused either of the platforms this time; instead, it employed Mattermost, an open-source online chat service that can be easily deployed on-premise.” reads the analysis published by Trend Micro.

Operation Earth Kitsune

This campaign, unlike other ones, deployed numerous samples (7) to the victim machines and used multiple command-and-control (C&C) servers (5), attackers also employed exploits for four N-day bugs.

Experts were investigating a strange redirection of visitors of the Korean American National Coordinating Council (KANCC) website to the Hanseattle website. Users were redirected to a weaponized version of a proof of concept (POC) for the CVE-2019-5782 Chrome vulnerability published by Google researchers. Experts discovered that the exploit was infecting the victim machine with three separate malware samples.

Operation Earth Kitsune 2

The attack chain initiates with a connection to the C&C server to receive the dropper, which once executed first checks for the presence of anti-malware solutions on the target system before delivering the three backdoor samples (in “.jpg” format) and executing them.

The attackers used Mattermost server to keep track of the deployment across multiple infected machines and to create a separate channel for each machine for data exfiltration.

The agfSpy backdoor support multiple commands to exfiltrate data, capture screenshots, enumerate directories, upload, download, and execute files.

“One interesting aspect of dneSpy’s design is its C&C pivoting behavior. The central C&C server’s response is actually the next-stage C&C server’s domain/IP, which dneSpy has to communicate with to receive further instructions.” continues the analysis.

agfSpy uses its own C&C server mechanism to receive commands that could instruct the backdoor to execute shell commands and send the execution results back to the server.

agfSpy and dneSpy are very similar except for the use of a different C&C server and various formats in message exchanges.

“Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them,” the researchers concluded. “The campaign’s use of new samples to avoid detection by security products is also quite notable.”

“From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Earth Kitsune)

[adrotate banner=”5″]

[adrotate banner=”13″]