Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an NTFS Alternate Data Stream holding PowerShell code. The infection process created a scheduled task that communicated with a staging domain, after which the operators manually deployed the WmRAT and MiyaRAT malware. These RATs enable intelligence gathering and data exfiltration. The attack relied on NTFS alternate data streams and masqueraded files to evade detection, and TA397's infrastructure kept the staging and command-and-control domains separate. The threat actor's tactics, targeting, and malware indicate that this is likely an intelligence collection effort supporting a South Asian government's interests.

OPENCTI LABELS:

apt, rat, espionage, turkey, south asia, defense sector, scheduled tasks, miyarat, wmrat, alternate data streams
