The cybercrime group Asylum Ambuscade has been exposed. Active since 2020, the group recently caught the attention of cybersecurity researchers. Besides attacking countries neighboring Ukraine, it targets individuals, small and medium-sized enterprises (SMEs), banking application users, and cryptocurrency users across North America and Europe. In addition to its cybercriminal activities, Asylum Ambuscade has been conducting espionage operations against government entities in Europe and Central Asia, as revealed by ESET Research.
Diversification into Cyberespionage
Asylum Ambuscade’s cyberespionage campaigns, which began in 2020, primarily targeted government officials and employees of public companies in Central Asian countries and Armenia. In 2022, the group expanded its focus to European countries neighboring Ukraine. ESET’s research indicates that the attackers aimed to steal confidential information and email credentials from official government email portals. This shift from primarily cybercriminal activities to cyberespionage is an unusual development that has prompted close monitoring by cybersecurity experts.
Attack Techniques and Compromise Chain
The compromise chain in Asylum Ambuscade’s cyberespionage operations starts with a spearphishing email carrying a malicious attachment in Excel or Word format. If the compromised machine was deemed interesting, the attackers then deployed AHKBOT, a downloader equipped with plugins for spying on the victim’s device: screen capture, keystroke logging, theft of passwords stored in web browsers, file download, and other information theft.
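The initial vector above is an Office attachment arriving by email, which is exactly the kind of file a mail gateway or SOC triage script should inspect before delivery. The following Python example is added here for illustration; it is not code from ESET or from the page, and the page does not say which Office feature the attachments abused, so the check is the generic one a defender would apply to any Word or Excel attachment: it looks for a legacy OLE2 binary, for an embedded VBA project inside an OOXML zip container, and for a mismatch between a macro-free extension such as .docx and macro content. All sample files are constructed in memory and stand in for real attachments.

```python
import io
import zipfile

# Magic bytes: legacy .doc/.xls are OLE2 compound files; OOXML (.docx/.xlsx/.docm/.xlsm)
# is a zip container whose VBA project, if present, is stored as word/vbaProject.bin
# or xl/vbaProject.bin.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xlam", "pptm"}
PLAIN_EXTENSIONS = {"docx", "dotx", "xlsx", "pptx"}


def build_ooxml(with_macro: bool, kind: str = "word") -> bytes:
    """Build a minimal OOXML container in memory.

    Constructed test data only: it mimics the layout of a Word (kind="word")
    or Excel (kind="xl") file closely enough for the triage below.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        main_part = "word/document.xml" if kind == "word" else "xl/workbook.xml"
        z.writestr(main_part, "<x/>")
        if with_macro:
            z.writestr(f"{kind}/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: which signals fired and whether to hold it."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""

    if ext in MACRO_EXTENSIONS:
        findings.append("macro-enabled extension")

    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros are possible but need an OLE parser to confirm.
        findings.append("legacy OLE2 Office binary")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            names = []
            findings.append("zip magic but unreadable container")
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("embedded VBA project")
            if ext in PLAIN_EXTENSIONS:
                # Office normally refuses to run macros from a .docx/.xlsx, but the
                # mismatch itself suggests the file was hand-crafted, not saved normally.
                findings.append("VBA project under a non-macro extension")
    elif ext in MACRO_EXTENSIONS | PLAIN_EXTENSIONS:
        findings.append("Office extension but unrecognised file header")

    return {"name": name, "hold": bool(findings), "findings": findings}


def triage_mail(attachments):
    """Triage a list of (filename, bytes) pairs from one message; hold if any fires."""
    results = [triage_attachment(n, d) for n, d in attachments]
    return {"hold": any(r["hold"] for r in results), "attachments": results}


if __name__ == "__main__":
    # Constructed samples standing in for mail attachments, not files from any real campaign.
    samples = [
        ("invoice.docx", build_ooxml(False)),
        ("report.docm", build_ooxml(True)),
        ("sheet.xlsx", build_ooxml(True, "xl")),
        ("old.doc", OLE2_MAGIC + b"\x00" * 64),
    ]
    for name, data in samples:
        print(triage_attachment(name, data))
```

The check is deliberately conservative: a legacy .doc or .xls is flagged on its header alone, because confirming whether it carries macros requires parsing the OLE2 streams (for example with oletools), and a held attachment is cheaper than a quarantined workstation. A .docx that contains vbaProject.bin is flagged even though Word will not normally run it, since legitimate software does not produce that combination.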
Wide-Ranging Targets and Victim Profile
Although Asylum Ambuscade gained notoriety for its cyberespionage operations, the group has primarily engaged in cybercriminal campaigns since early 2020. ESET Research identified over 4,500 victims worldwide since January 2022, with most located in North America. However, victims have also been discovered in Asia, Africa, Europe, and South America. The group’s broad targeting primarily focuses on individuals, cryptocurrency traders, banking customers, and SMEs across various sectors.
Observations from ESET Research
Matthieu Faou, the ESET researcher investigating Asylum Ambuscade’s activities, notes the group’s unusual diversification into cyberespionage. The compromise chain in its cyberespionage operations closely resembles that of its cybercriminal campaigns; the main difference is the initial compromise vector. Where the espionage operations rely on a spearphishing attachment, the cybercrime campaigns lure victims through a malicious Google Ad or a chain of HTTP redirects that leads to a website distributing a malicious JavaScript file.
In short, the group has broadened its activities from cybercrime to cyberespionage. Alongside its primary focus on individuals, SMEs, and users of banking applications and cryptocurrencies in North America and Europe, it has recently targeted government officials in European countries neighboring Ukraine. As young people navigate the digital landscape, it is essential to stay informed about evolving threats like Asylum Ambuscade. By following cybersecurity research and adopting secure practices, individuals can protect themselves and contribute to a safer online environment.
//Staff writer