securelist.com
35.173.160.135
Public Scan
URL: https://securelist.com/cloudwizard-apt/109722/
Submission: On May 22 via api from TR — Scanned from DE
Form analysis
12 forms found in the DOM
<form>
<fieldset>
<legend class="visuallyhidden">Consent Selection</legend>
<div id="CybotCookiebotDialogBodyFieldsetInnerContainer">
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonNecessary"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Notwendig</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper CybotCookiebotDialogBodyLevelButtonSliderWrapperDisabled"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessary"
class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonPreferences"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Präferenzen</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferences" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonPreferencesInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonStatistics"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Statistiken</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatistics" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonStatisticsInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonMarketing"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Marketing</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketing" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonMarketingInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
</div>
</fieldset>
</form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessaryInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked"> <span
class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferencesInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonPreferences"
checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatisticsInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonStatistics"
checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketingInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonMarketing" checked="checked"
tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyContentCheckboxPersonalInformation" class="CybotCookiebotDialogBodyLevelButton"> <span
class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
GET https://securelist.com/
<form class="c-page-search__form c-page-search__form--small js-wizardinfosys_autosearch_form" full_search_url="https://securelist.com/?s=%q%" action="https://securelist.com/" method="get" data-gtm-vis-has-fired-11711842_122="1"
data-gtm-vis-has-fired-11711842_155="1">
<div class="c-form-element c-form-element--style-fill" data-gtm-vis-has-fired-11711842_122="1">
<div class="c-form-element__field wp_autosearch_form_wrapper" data-gtm-vis-has-fired-11711842_122="1">
<input name="s" class="c-form-element__text wp_autosearch_input ac_input" data-webinars="" type="text" value="" placeholder="Search..." autocomplete="off" data-gtm-vis-has-fired-11711842_122="1">
</div>
</div>
<button class="c-button c-button--icon wp_autosearch_submit" data-gtm-vis-has-fired-11711842_122="1"><svg class="o-icon o-svg-icon o-svg-large" data-gtm-vis-has-fired-11711842_122="1">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-search" data-gtm-vis-has-fired-11711842_122="1"></use>
</svg></button>
</form>
GET https://securelist.com/
<form class="c-page-search__form js-main-search-popup js-wizardinfosys_autosearch_form" full_search_url="https://securelist.com/?s=%q%" action="https://securelist.com/" method="get" data-gtm-vis-has-fired-11711842_122="1"
data-gtm-vis-recent-on-screen-11711842_155="623" data-gtm-vis-first-on-screen-11711842_155="623" data-gtm-vis-total-visible-time-11711842_155="100" data-gtm-vis-has-fired-11711842_155="1">
<div class="c-form-element c-form-element--style-fill" data-gtm-vis-has-fired-11711842_122="1">
<div class="c-form-element__field wp_autosearch_form_wrapper" data-gtm-vis-has-fired-11711842_122="1">
<input name="s" class="c-form-element__text wp_autosearch_input ac_input" data-webinars="" type="text" value="" placeholder="Search..." autocomplete="off" data-gtm-vis-has-fired-11711842_122="1">
</div>
</div>
<button class="c-button c-button--icon wp_autosearch_submit" data-gtm-vis-has-fired-11711842_122="1"><svg class="o-icon o-svg-icon o-svg-large" data-gtm-vis-has-fired-11711842_122="1">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-search" data-gtm-vis-has-fired-11711842_122="1"></use>
</svg></button>
</form>
POST https://securelist.com/wp-comments-post.php
<form action="https://securelist.com/wp-comments-post.php" method="post" id="loginform" class="comment-form" data-gtm-vis-has-fired-11711842_122="1">
<p class="comment-notes" data-gtm-vis-has-fired-11711842_122="1"><span id="email-notes" data-gtm-vis-has-fired-11711842_122="1">Your email address will not be published.</span> <span class="required-field-message"
data-gtm-vis-has-fired-11711842_122="1">Required fields are marked <span class="required" data-gtm-vis-has-fired-11711842_122="1">*</span></span></p>
<div class="comment-form-comment" data-gtm-vis-has-fired-11711842_122="1"><textarea id="comment" name="comment" style="width:100%" rows="8" aria-required="true" placeholder="Type your comment here"
data-gtm-vis-has-fired-11711842_122="1"></textarea></div><!-- .comment-form-comment -->
<p class="comment-form-author" data-gtm-vis-has-fired-11711842_122="1"><label for="author" data-gtm-vis-has-fired-11711842_122="1">Name <span class="required" data-gtm-vis-has-fired-11711842_122="1">*</span></label> <input id="author" name="author"
type="text" value="" size="30" maxlength="245" autocomplete="name" required="required" data-gtm-vis-has-fired-11711842_122="1"></p>
<p class="comment-form-email" data-gtm-vis-has-fired-11711842_122="1"><label for="email" data-gtm-vis-has-fired-11711842_122="1">Email <span class="required" data-gtm-vis-has-fired-11711842_122="1">*</span></label> <input id="email" name="email"
type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" autocomplete="email" required="required" data-gtm-vis-has-fired-11711842_122="1"></p>
<script type="text/javascript" data-gtm-vis-has-fired-11711842_122="1">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
try {
grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfQdrAaAAAAAEb_rTrwlbyc8z0Fa9CMjELY_2Ts",
"theme": "standard"
});
} catch (error) {
/*possible duplicated instances*/ }
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer="" data-gtm-vis-has-fired-11711842_122="1"></script>
<div id="recaptcha-submit-btn-area" data-gtm-vis-has-fired-11711842_122="1"> </div>
<noscript data-gtm-vis-has-fired-11711842_122="1">
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript>
<p class="form-submit" data-gtm-vis-has-fired-11711842_122="1"><input name="submit" type="submit" id="commentsubmit" class="submit" value="Comment"
data-gtm-vis-has-fired-11711842_122="1"><a rel="nofollow" id="cancel-comment-reply-link" href="/cloudwizard-apt/109722/#respond" style="display:none;" data-gtm-vis-has-fired-11711842_122="1">Cancel</a> <input type="hidden"
name="comment_post_ID" value="109722" id="comment_post_ID" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" name="comment_parent" id="comment_parent" value="0" data-gtm-vis-has-fired-11711842_122="1">
</p>
<p style="display: none;" data-gtm-vis-has-fired-11711842_122="1"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="0ebb131eb1" data-gtm-vis-has-fired-11711842_122="1"></p>
<!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
<input type="hidden" id="RO2EIQk2nTNqfV5qofRSgEEJ7" name="cHlAe7x4dRnGC9n0wMpHLPzxu" data-gtm-vis-has-fired-11711842_122="1">
<p style="display: none !important;" data-gtm-vis-has-fired-11711842_122="1"><label data-gtm-vis-has-fired-11711842_122="1">Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"
data-gtm-vis-has-fired-11711842_122="1"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1684721433450" data-gtm-vis-has-fired-11711842_122="1">
<script data-gtm-vis-has-fired-11711842_122="1">
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /cloudwizard-apt/109722/#gf_68533097
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_68533097" id="gform_68533097" class="subscribe-mc gform_legacy_markup" action="/cloudwizard-apt/109722/#gf_68533097" data-gtm-vis-has-fired-11711842_122="1">
<div class="gform-content-wrapper" data-gtm-vis-has-fired-11711842_122="1">
<div class="gform_body gform-body" data-gtm-vis-has-fired-11711842_122="1">
<ul id="gform_fields_68533097" class="gform_fields top_label form_sublabel_below description_below" data-gtm-vis-has-fired-11711842_122="1">
<li id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" data-gtm-vis-has-fired-11711842_122="1">
<div class="ginput_container ginput_container_email" data-gtm-vis-has-fired-11711842_122="1">
<div class="fl-wrap fl-wrap-input"><label class="gfield_label screen-reader-text fl-label" for="input_68533097_1" data-gtm-vis-has-fired-11711842_122="1">Email</label><input name="input_1" id="input_68533097_1" type="text" value=""
class="medium fl-input" placeholder="Email" aria-required="true" aria-invalid="false" data-placeholder="Email" data-gtm-vis-has-fired-11711842_122="1"></div>
</div>
</li>
<li id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" data-gtm-vis-has-fired-11711842_122="1">
<div class="ginput_container ginput_container_text" data-gtm-vis-has-fired-11711842_122="1"><input name="input_3" id="input_68533097_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""
data-gtm-vis-has-fired-11711842_122="1"></div>
</li>
<li id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" data-gtm-vis-has-fired-11711842_122="1"><label
class="gfield_label screen-reader-text gfield_label_before_complex" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required gfield_required_asterisk"
data-gtm-vis-has-fired-11711842_122="1">*</span></span></label>
<div class="ginput_container ginput_container_checkbox" data-gtm-vis-has-fired-11711842_122="1">
<ul class="gfield_checkbox" id="input_68533097_2" data-gtm-vis-has-fired-11711842_122="1">
<li class="gchoice gchoice_11_2_1" data-gtm-vis-has-fired-11711842_122="1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_68533097_11_2_1" data-gtm-vis-has-fired-11711842_122="1">
<label for="choice_68533097_11_2_1" id="label_68533097_11_2_1" data-gtm-vis-has-fired-11711842_122="1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I
can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="gform_footer top_label" data-gtm-vis-has-fired-11711842_122="1"> <button type="submit" class="gform_button button" id="gform_submit_button_68533097" value="Sign up" data-gtm-vis-has-fired-11711842_122="1">
<svg class="o-icon o-svg-icon o-svg-large" data-gtm-vis-has-fired-11711842_122="1">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope" data-gtm-vis-has-fired-11711842_122="1"></use>
</svg> <span data-gtm-vis-has-fired-11711842_122="1">Subscribe</span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_68533097_11" value="0" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_68533097_11" value="1" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" name="gform_random_id" value="68533097" data-gtm-vis-has-fired-11711842_122="1"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=sidebar" data-gtm-vis-has-fired-11711842_122="1">
</div>
</div>
<p style="display: none !important;" data-gtm-vis-has-fired-11711842_122="1"><label data-gtm-vis-has-fired-11711842_122="1">Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"
data-gtm-vis-has-fired-11711842_122="1"></textarea></label><input type="hidden" id="ak_js_2" name="ak_js" value="1684721433451" data-gtm-vis-has-fired-11711842_122="1">
<script data-gtm-vis-has-fired-11711842_122="1">
document.getElementById("ak_js_2").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /cloudwizard-apt/109722/#gf_807730522
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_807730522" id="gform_807730522" class="subscribe-mc gform_legacy_markup" action="/cloudwizard-apt/109722/#gf_807730522" data-gtm-vis-has-fired-11711842_122="1">
<div class="gform-content-wrapper" data-gtm-vis-has-fired-11711842_122="1">
<div class="gform_body gform-body" data-gtm-vis-has-fired-11711842_122="1">
<ul id="gform_fields_807730522" class="gform_fields top_label form_sublabel_below description_below" data-gtm-vis-has-fired-11711842_122="1">
<li id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" data-gtm-vis-has-fired-11711842_122="1"><label class="gfield_label screen-reader-text" for="input_807730522_1"
data-gtm-vis-has-fired-11711842_122="1">Email<span class="gfield_required" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required gfield_required_asterisk" data-gtm-vis-has-fired-11711842_122="1">*</span></span></label>
<div class="ginput_container ginput_container_email" data-gtm-vis-has-fired-11711842_122="1">
<input name="input_1" id="input_807730522_1" type="text" value="" class="medium" placeholder="Email" aria-required="true" aria-invalid="false" data-gtm-vis-has-fired-11711842_122="1">
</div>
</li>
<li id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" data-gtm-vis-has-fired-11711842_122="1">
<div class="ginput_container ginput_container_text" data-gtm-vis-has-fired-11711842_122="1"><input name="input_3" id="input_807730522_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""
data-gtm-vis-has-fired-11711842_122="1"></div>
</li>
<li id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" data-gtm-vis-has-fired-11711842_122="1"><label
class="gfield_label screen-reader-text gfield_label_before_complex" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required gfield_required_asterisk"
data-gtm-vis-has-fired-11711842_122="1">*</span></span></label>
<div class="ginput_container ginput_container_checkbox" data-gtm-vis-has-fired-11711842_122="1">
<ul class="gfield_checkbox" id="input_807730522_2" data-gtm-vis-has-fired-11711842_122="1">
<li class="gchoice gchoice_11_2_1" data-gtm-vis-has-fired-11711842_122="1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_807730522_11_2_1" data-gtm-vis-has-fired-11711842_122="1">
<label for="choice_807730522_11_2_1" id="label_807730522_11_2_1" data-gtm-vis-has-fired-11711842_122="1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I
can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="gform_footer top_label" data-gtm-vis-has-fired-11711842_122="1"> <button class="gform_button button" type="submit" id="gform_submit_button_807730522" value="Sign up" data-gtm-vis-has-fired-11711842_122="1">
<svg class="o-icon o-svg-icon o-svg-large u-hidden u-inline-block@sm" data-gtm-vis-has-fired-11711842_122="1">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope" data-gtm-vis-has-fired-11711842_122="1"></use>
</svg> <span class="u-hidden u-inline@sm" data-gtm-vis-has-fired-11711842_122="1">Subscribe</span>
<span class="u-hidden@sm" data-gtm-vis-has-fired-11711842_122="1"><svg class="o-icon o-svg-icon o-svg-right" data-gtm-vis-has-fired-11711842_122="1">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-arrow" data-gtm-vis-has-fired-11711842_122="1"></use>
</svg></span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_807730522_11" value="0" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_807730522_11" value="1" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" name="gform_random_id" value="807730522" data-gtm-vis-has-fired-11711842_122="1"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=" data-gtm-vis-has-fired-11711842_122="1">
</div>
</div>
<p style="display: none !important;" data-gtm-vis-has-fired-11711842_122="1"><label data-gtm-vis-has-fired-11711842_122="1">Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"
data-gtm-vis-has-fired-11711842_122="1"></textarea></label><input type="hidden" id="ak_js_3" name="ak_js" value="1684721433474" data-gtm-vis-has-fired-11711842_122="1">
<script data-gtm-vis-has-fired-11711842_122="1">
document.getElementById("ak_js_3").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /cloudwizard-apt/109722/#gf_2310387515
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_2310387515" id="gform_2310387515" class="subscribe-mc gform_legacy_markup" action="/cloudwizard-apt/109722/#gf_2310387515" data-gtm-vis-has-fired-11711842_122="1">
<div class="gform-content-wrapper" data-gtm-vis-has-fired-11711842_122="1">
<div class="gform_body gform-body" data-gtm-vis-has-fired-11711842_122="1">
<ul id="gform_fields_2310387515" class="gform_fields top_label form_sublabel_below description_below" data-gtm-vis-has-fired-11711842_122="1">
<li id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" data-gtm-vis-has-fired-11711842_122="1">
<div class="ginput_container ginput_container_email" data-gtm-vis-has-fired-11711842_122="1">
<div class="fl-wrap fl-wrap-input"><label class="gfield_label screen-reader-text fl-label" for="input_2310387515_1" data-gtm-vis-has-fired-11711842_122="1">Email</label><input name="input_1" id="input_2310387515_1" type="text" value=""
class="medium fl-input" placeholder="Email" aria-required="true" aria-invalid="false" data-placeholder="Email" data-gtm-vis-has-fired-11711842_122="1"></div>
</div>
</li>
<li id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" data-gtm-vis-has-fired-11711842_122="1">
<div class="ginput_container ginput_container_text" data-gtm-vis-has-fired-11711842_122="1"><input name="input_3" id="input_2310387515_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""
data-gtm-vis-has-fired-11711842_122="1"></div>
</li>
<li id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" data-gtm-vis-has-fired-11711842_122="1"><label
class="gfield_label screen-reader-text gfield_label_before_complex" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required" data-gtm-vis-has-fired-11711842_122="1"><span class="gfield_required gfield_required_asterisk"
data-gtm-vis-has-fired-11711842_122="1">*</span></span></label>
<div class="ginput_container ginput_container_checkbox" data-gtm-vis-has-fired-11711842_122="1">
<ul class="gfield_checkbox" id="input_2310387515_2" data-gtm-vis-has-fired-11711842_122="1">
<li class="gchoice gchoice_11_2_1" data-gtm-vis-has-fired-11711842_122="1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_2310387515_11_2_1" data-gtm-vis-has-fired-11711842_122="1">
<label for="choice_2310387515_11_2_1" id="label_2310387515_11_2_1" data-gtm-vis-has-fired-11711842_122="1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that
I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="gform_footer top_label" data-gtm-vis-has-fired-11711842_122="1"> <button type="submit" class="gform_button button" id="gform_submit_button_2310387515" value="Sign up" data-gtm-vis-has-fired-11711842_122="1">
<svg class="o-icon o-svg-icon o-svg-large" data-gtm-vis-has-fired-11711842_122="1">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope" data-gtm-vis-has-fired-11711842_122="1"></use>
</svg> <span data-gtm-vis-has-fired-11711842_122="1">Subscribe</span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_2310387515_11" value="0" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_2310387515_11" value="1" data-gtm-vis-has-fired-11711842_122="1">
<input type="hidden" name="gform_random_id" value="2310387515" data-gtm-vis-has-fired-11711842_122="1"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=sidebar" data-gtm-vis-has-fired-11711842_122="1">
</div>
</div>
<p style="display: none !important;" data-gtm-vis-has-fired-11711842_122="1"><label data-gtm-vis-has-fired-11711842_122="1">Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"
data-gtm-vis-has-fired-11711842_122="1"></textarea></label><input type="hidden" id="ak_js_4" name="ak_js" value="1684721433525" data-gtm-vis-has-fired-11711842_122="1">
<script data-gtm-vis-has-fired-11711842_122="1">
document.getElementById("ak_js_4").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
Text Content
Domainübergreifende Zustimmung2 Ihre Einwilligung trifft auf die folgenden Domains zu: Liste der Domains, für die Ihre Zustimmung gilt: securelist.lat securelist.com Die Cookie-Erklärung wurde das letzte Mal am 15.05.23 von Cookiebot aktualisiert [#IABV2_TITLE#] [#IABV2_BODY_INTRO#] [#IABV2_BODY_LEGITIMATE_INTEREST_INTRO#] [#IABV2_BODY_PREFERENCE_INTRO#] [#IABV2_LABEL_PURPOSES#] [#IABV2_BODY_PURPOSES_INTRO#] [#IABV2_BODY_PURPOSES#] [#IABV2_LABEL_FEATURES#] [#IABV2_BODY_FEATURES_INTRO#] [#IABV2_BODY_FEATURES#] [#IABV2_LABEL_PARTNERS#] [#IABV2_BODY_PARTNERS_INTRO#] [#IABV2_BODY_PARTNERS#] Cookies sind kleine Textdateien, die von Webseiten verwendet werden, um die Benutzererfahrung effizienter zu gestalten. Laut Gesetz können wir Cookies auf Ihrem Gerät speichern, wenn diese für den Betrieb dieser Seite unbedingt notwendig sind. Für alle anderen Cookie-Typen benötigen wir Ihre Erlaubnis. Diese Seite verwendet unterschiedliche Cookie-Typen. Einige Cookies werden von Drittparteien platziert, die auf unseren Seiten erscheinen. Sie können Ihre Einwilligung jederzeit von der Cookie-Erklärung auf unserer Website ändern oder widerrufen. Erfahren Sie in unserer Datenschutzrichtlinie mehr darüber, wer wir sind, wie Sie uns kontaktieren können und wie wir personenbezogene Daten verarbeiten. Bitte geben Sie Ihre Einwilligungs-ID und das Datum an, wenn Sie uns bezüglich Ihrer Einwilligung kontaktieren. 
Meine persönlichen Daten nicht verkaufen oder weitergeben Nur notwendige Cookies Auswahl erlauben Anpassen Cookies zulassen Powered by Cookiebot by Usercentrics Solutions for: * Home Products * Small Business 1-50 employees * Medium Business 51-999 employees * Enterprise 1000+ employees by Kaspersky * CompanyAccount * Get In Touch * Dark mode off * English * Russian * Spanish * Solutions * * Hybrid Cloud Security Learn More * Internet of Things & Embedded Security Learn More * Threat Management and Defense Learn More * Industrial Cybersecurity Learn More * Fraud Prevention Learn More * * OTHER SOLUTIONS * Blockchain Security * Kaspersky for Security Operations Center * Industries * * National Cybersecurity Learn More * Industrial Cybersecurity Learn More * Finance Services Cybersecurity Learn More * Healthcare Cybersecurity Learn More * Transportation Cybersecurity Learn More * Retail Cybersecurity Learn More * * OTHER INDUSTRIES * Telecom Cybersecurity * Blockchain Security * View all * Products * * KasperskyEndpoint Security for Business Learn More * KasperskyEndpoint Detection and Response (EDR) Learn More * KasperskyEDR Optimum Learn More * KasperskyAnti Targeted Attack Platform Learn More * KasperskyManaged Detection and Response Learn More * KasperskySandbox Learn More * * OTHER PRODUCTS * Kaspersky Security for Mail Server * Kaspersky Security for Internet Gateway * Kaspersky Embedded Systems Security * Kaspersky Hybrid Cloud Security for AWS * Kaspersky Hybrid Cloud Security for Azure * View All * Services * * KasperskyCybersecurity Services Learn More * KasperskyAdaptive Online Training Learn More * KasperskyPremium Support Learn More * KasperskyThreat Intelligence Learn More * KasperskyAPT Intelligence Reporting Learn More * KasperskyTargeted Attack Discovery Learn More * * OTHER SERVICES * Kaspersky Professional Services * Kaspersky Incident Response * Kaspersky Cybersecurity Training * Kaspersky Incident Communications * Kaspersky Security Awareness * 
CLOUDWIZARD APT: THE BAD MAGIC STORY GOES ON

APT reports
19 May 2023
11 minute read

Table of Contents
* Initial findings
* Digging into the orchestrator
* Encryption and communication
* Module arsenal
* Back to 2017
* Attribution magic
* So what?
* Indicators of compromise

Authors
* Leonid Bezvershenko
* Georgy Kucherin
* Igor Kuznetsov

In March 2023, we uncovered a previously unknown APT campaign in the region of the Russo-Ukrainian conflict that involved the use of PowerMagic and CommonMagic implants. However, at the time it was not clear which threat actor was behind the attack. Since the release of our report about CommonMagic, we have been looking for additional clues that would allow us to learn more about this actor. As we expected, we have been able to gain a deeper insight into the “bad magic” story.

While looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. What was most interesting about it is that its victims were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. Targets included individuals, as well as diplomatic and research organizations. The newly discovered campaign involved using a modular framework we dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging and more.

Over the years, the infosec community has discovered multiple APTs operating in the Russo-Ukrainian conflict region – Gamaredon, CloudAtlas, BlackEnergy and many others. Some of these APTs have long been forgotten in the past – such as Prikormka (Operation Groundbait), discovered by ESET in 2016. While there have been no updates about Prikormka or Operation Groundbait for a few years now, we discovered multiple similarities between the malware used in that campaign, CommonMagic and CloudWizard. Upon further investigation, we found that CloudWizard has a rich and interesting history that we decided to dig into.
INITIAL FINDINGS

Our investigation started with telemetry data coming from an active infection, with malware running as a suspicious Windows service named “syncobjsup”. This service was controlled by a DLL with an equally suspicious path “C:\ProgramData\Apparition Storage\syncobjsup.dll”. Upon execution, we found that this DLL decrypts data from the file mods.lrc, which is located in the same directory as the DLL. The cipher used for decryption was RC5, with the key 88 6A 3F 24 D3 08 A3 85 E6 21 28 45 77 13 D0 38. However, decryption of the file with the standard RC5 implementation yielded only junk data. A closer look into the RC5 implementation in the sample revealed that it was faulty:

    for (i = 0; i < 4; i += 2)
    {
        A = buf[i];
        B = buf[i + 1];
        for (j = 12; j > 0; --j)
        {
            // S is indexed with i here, not with the round counter j
            v2 = rotate_right(B - S[2 * i + 1], A);
            B = A ^ v2;
            A ^= v2 ^ rotate_right(A - S[2 * i], A ^ v2);
        }
    }

The bug is in the inner loop: it uses the variable i instead of j when indexing S. A search for this incorrect implementation revealed a GitHub gist of the code that was likely borrowed by the implant’s developers. In the comments to this gist, GitHub users highlight the error. What is also interesting is that the key from the gist is the same as the one used in the syncobjsup.dll library.

The decrypted file looked to us like a virtual file system (VFS), containing multiple executables and their JSON-encoded configurations. Each entry in this VFS contains magic bytes (‘CiCi’), a ROR6 hash of the entry name, as well as the entry size and contents.

Inside mods.lrc, we found:
* Three DLLs (with export table names Main.dll, Crypton.dll and Internet.dll);
* A JSON configuration of these DLLs.

The syncobjsup.dll DLL iterates over VFS entries, looking for an entry with the name “Main” (ROR6 hash: 0xAA23406F).
This entry contains CloudWizard’s Main.dll orchestrator library, which is reflectively loaded and launched by invoking its SvcEntry export.

DIGGING INTO THE ORCHESTRATOR

Upon launching, the orchestrator spawns a suspended WmiPrvSE.exe process and injects itself into it. From the WmiPrvSE.exe process, it makes a backup of the VFS file, copying mods.lrc to mods.lrs. It then parses mods.lrs to obtain all the framework module DLLs and their configurations. As mentioned above, configurations are JSON files with dictionary objects:

    {
        "Screenshot": {
            "type": "3",
            "intervalSec": "4",
            "numberPack": "24",
            "winTitle": [
                "SKYPE",
                "VIBER"
            ]
        },
        "Keylogger": {
            "bufSize": "100"
        },
        "Microphone": {
            "intervalSec": "500",
            "acousticStart": "1"
        }
    }

The orchestrator itself contains a configuration with parameters such as:
* Victim ID (e.g., 03072020DD);
* Framework version (latest observed version is 5.0);
* Interval between two consecutive heartbeats.

After launching modules, the orchestrator starts communicating with the attackers by sending heartbeat messages.
Each heartbeat is a JSON file with victim information and a list of loaded modules:

    {
        "name": "<victim_id>",
        "romoID": "2",
        "bitOS": "64",
        "version": "5.0",
        "serial": "<infection_timestamp>",
        "keyID": "<key_id>",
        "ip": "0.0.0.0",
        "state": [
            "Main","Crypton","Internet","Screenshot",
            "USB","Keylogger","Gmail"
        ],
        "state2": [
            {"Module": "Main","time_mode": "2","Version": "4.7"},
            {"Module": "Crypton","time_mode": "2","Version": "1.0"},
            {"Module": "Internet","time_mode": "2","Version": "0.07"},
            {"Module": "Screenshot","time_mode": "2","Version": "0.01"},
            {"Module": "USB","time_mode": "2","Version": "0.01"},
            {"Module": "Keylogger","time_mode": "2","Version": "0.01"},
            {"Module": "Gmail","time_mode": "2","Version": "0.06"}
        ]
    }

This JSON string is encrypted with the cryptography module (Crypton.dll from the VFS) and sent to the attackers with the internet communication module (Internet.dll).

In response to the heartbeats, the orchestrator receives commands allowing it to perform module management: install, start, stop, delete modules or change their configurations. Each command contains magic bytes (DE AD BE EF) and a JSON string (e.g., {"Delete": ["Keylogger", "Screenshot"]}), optionally followed by a module DLL file.
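For analysts who need to read a mods.lrc container, the loader steps described under Initial findings (faulty RC5, then the VFS lookup of “Main”) can be modelled as below; this is an added example, not code from the sample or from the article. It assumes little-endian words, 16-byte buffers, a final S[0]/S[1] subtraction as in standard RC5, and a 4-byte hash plus 4-byte size after the ‘CiCi’ magic; the entry name “Config” and all data are constructed.

```python
import struct

MASK = 0xFFFFFFFF
P32, Q32, ROUNDS = 0xB7E15163, 0x9E3779B9, 12          # RC5-32/12 constants
KEY = bytes.fromhex("88 6A 3F 24 D3 08 A3 85 E6 21 28 45 77 13 D0 38")  # key from the article
MAIN_HASH = 0xAA23406F                                  # ROR6 hash of "Main" from the article

def rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK

def expand_key(key):
    """Standard RC5-32 key schedule."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def decrypt_block(a, b, S, fixed=None):
    """fixed=None: standard RC5. fixed=i: every round reuses S[2*i], S[2*i+1] (the bug)."""
    for r in range(ROUNDS, 0, -1):
        k = r if fixed is None else fixed
        b = rotr((b - S[2 * k + 1]) & MASK, a) ^ a
        a = rotr((a - S[2 * k]) & MASK, b) ^ b
    return (a - S[0]) & MASK, (b - S[1]) & MASK         # assumed: as in standard RC5

def encrypt_block(a, b, S, fixed=None):
    """Inverse of decrypt_block; needed only to construct the sample below."""
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        k = r if fixed is None else fixed
        a = (rotl(a ^ b, b) + S[2 * k]) & MASK
        b = (rotl(b ^ a, a) + S[2 * k + 1]) & MASK
    return a, b

def crypt(data, S, block_fn, faulty):
    """Apply block_fn to each 16-byte buffer: two 64-bit blocks at word offsets 0 and 2."""
    if len(data) % 16:
        raise ValueError("length must be a multiple of 16")
    words = list(struct.unpack("<%dI" % (len(data) // 4), data))
    for base in range(0, len(words), 4):
        for i in (0, 2):                                # the excerpt's outer-loop variable
            a, b = words[base + i], words[base + i + 1]
            words[base + i:base + i + 2] = block_fn(a, b, S, i if faulty else None)
    return struct.pack("<%dI" % len(words), *words)

def ror6_hash(name):
    """Rotate right by 6, then add the next character; gives MAIN_HASH for "Main"."""
    h = 0
    for ch in name.encode("ascii"):
        h = (rotr(h, 6) + ch) & MASK
    return h

def build_entry(name, body):
    """Assumed entry layout: 'CiCi' | u32 name hash | u32 size | contents."""
    return b"CiCi" + struct.pack("<II", ror6_hash(name), len(body)) + body

def walk_vfs(blob):
    """Yield (name_hash, contents) per entry; stop at a bad magic or a truncated entry."""
    off = 0
    while off + 12 <= len(blob) and blob[off:off + 4] == b"CiCi":
        name_hash, size = struct.unpack_from("<II", blob, off + 4)
        if off + 12 + size > len(blob):
            break
        yield name_hash, blob[off + 12:off + 12 + size]
        off += 12 + size

def find_main(blob):
    return next((body for h, body in walk_vfs(blob) if h == MAIN_HASH), None)

# Constructed stand-in for mods.lrc ("Config" is a made-up entry name).
S = expand_key(KEY)
plain = (build_entry("Main", b"MZ constructed orchestrator")
         + build_entry("Config", b'{"Keylogger": {"bufSize": "100"}}'))
plain += b"\x00" * (-len(plain) % 16)
sample = crypt(plain, S, encrypt_block, faulty=True)

via_faulty = crypt(sample, S, decrypt_block, faulty=True)      # recovers the VFS
via_standard = crypt(sample, S, decrypt_block, faulty=False)   # junk, as the article observed

if __name__ == "__main__":
    print("faulty   :", via_faulty[:4], find_main(via_faulty))
    print("standard :", via_standard[:4], find_main(via_standard))
```

Because the faulty round loop picks its two round keys from the block's position in the buffer, the two 8-byte blocks of each 16-byte buffer are processed with different key words, which is why a stock RC5 decryptor cannot recover the container.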
ENCRYPTION AND COMMUNICATION

As we have mentioned above, two modules (Crypton.dll and Internet.dll) are bundled with every installation of the CloudWizard framework. The Crypton module performs encryption and decryption of all communications. It uses two encryption algorithms:
* Heartbeat messages and commands are encrypted with AES (the key is specified in the JSON configuration VFS file)
* Other data (e.g., module execution results) is encrypted with a combination of AES and RSA. First, the data is encrypted with a generated pseudorandom AES session key, and then the AES key is encrypted with RSA.

    // results buffer: the AES session key is wrapped with RSA, the data is encrypted with AES
    if ( buffers->results.lenstr && buffers->results.str )
    {
        v10 = RSA_Encrypt(AES_KEY, 32, &v8, &v7, pubKey, pubKeySize);
        if (v10)
        {
            free(v8);
            return v10;
        }
        v10 = AES_Encrypt(buffers->results.str, buffers->results.lenstr, &v4, &v6, AES_KEY);
        if (v10)
            goto LABEL_11;
    }
    // state buffer: AES only, with a separate key (phpKey)
    if (buffers->state.lenstr && buffers->state.str)
    {
        v10 = AES_Encrypt(buffers->state.str, buffers->state.lenstr, &v3, &v5, phpKey);
        if (v10)
            goto LABEL_11;
    }

The internet connection module relays the encrypted data to the malware operators. It supports four different communication types:
* Cloud storages: OneDrive, Dropbox, Google Drive
* Web-based C2 server

The primary cloud storage is OneDrive, while Dropbox and Google Drive are used if OneDrive becomes inaccessible. The module’s configuration includes OAuth tokens required for cloud storage authentication.
As for the web server endpoint, it is used when the module can’t access any of the three cloud storages. To interact with it, the module makes a GET request to the URL specified in its configuration, getting new commands in response. These commands likely include new cloud storage tokens.

While examining the strings of the network module, we found a string containing the directory name from the developer’s machine: D:\Projects\Work_2020\Soft_Version_5\Refactoring.

MODULE ARSENAL

Information gathering is performed through auxiliary DLL modules that have the following exported functions:

| Export function | Description |
|-----------------|-------------|
| Start | Starts the module |
| Stop | Stops the module |
| Whoami | Returns JSON-object with information about module (e.g., {"Module":"Keylogger ","time_mode":"2","Version":"0.01"}). The time_mode value indicates whether the module is persistent (1 – no, 2 – yes). |
| GetResult | Returns results of module execution (e.g. collected screenshots, microphone recordings, etc.). Most modules return results in the form of ZIP archives (that are stored in memory) |
| GetSettings | Returns module configuration |

Modules can persist upon reboot (in this case they are saved in the mods.lrs VFS file) or be executed in memory until the machine is shut down or the module is deleted by the operator.

In total, we found nine auxiliary modules performing different malicious activities such as file gathering, keylogging, taking screenshots, recording the microphone and stealing passwords.

The module that looked most interesting to us is the one that performs email exfiltration from Gmail accounts. To do so, it reads Gmail cookies from browser databases. Then, it uses the obtained cookies to access the Gmail web interface in legacy mode by making a GET request to https://mail.google.com/mail/u/<account ID>/?ui=html&zy=h.
When legacy mode is accessed for the first time, Gmail prompts the user to confirm whether they really want to switch to legacy mode, sending a confirmation webpage in response. If the module receives such a prompt, it simulates a click on the “I’d like to use HTML Gmail” button by making a POST request to a URL from the prompt’s HTML code.

Having obtained access to the legacy web client, the module exfiltrates activity logs, the contact list and all the email messages.

What’s also interesting is that the code for this module was partially borrowed from the leaked Hacking Team source code.

BACK TO 2017

After obtaining CloudWizard’s orchestrator and its modules, we were still missing one part of the infection chain: the framework installer. While searching through older telemetry data, we were able to identify multiple installers that were used from 2017 to 2020. The version of the implant installed at that time was 4.0 (as we wrote above, the most recent version we observed is 5.0).

The uncovered installer is built with NSIS. When launched, it drops three files:
* C:\ProgramData\Microsoft\WwanSvc\WinSubSvc.exe
* C:\ProgramData\Microsoft\MF\Depending.GRL (in other versions of the installer, this file is also placed under C:\ProgramData\Microsoft\MF\etwdrv.dll)
* C:\ProgramData\System\Vault\etwupd.dfg

Afterwards, it creates a service called “Windows Subsystem Service” that is configured to run the WinSubSvc.exe binary on every startup.

It is worth noting that the installer displays a message with the text “Well done!” after infection. This may indicate that the installer we discovered is used to deploy CloudWizard via physical access to target machines, or that the installer attempts to mimic a Network Settings (as displayed in the window title) configurator.
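One way to hunt for the service and file artifacts named so far (the syncobjsup loader and the files and service created by the NSIS installer) in service-installation records, as an added example that is not part of the original article. The pipe-separated record layout, the service_dll field and the sample lines are constructed, and ProgramData is assumed to be at C:\ProgramData.

```python
import ntpath
import re

# Artifacts taken from the article (lower-cased for comparison).
SERVICE_NAMES = {"syncobjsup", "windows subsystem service"}
LOADER_DIR = r"c:\programdata\apparition storage"      # holds syncobjsup.dll and mods.lrc
DROPPED_FILES = {
    r"c:\programdata\microsoft\wwansvc\winsubsvc.exe",
    r"c:\programdata\microsoft\mf\depending.grl",
    r"c:\programdata\microsoft\mf\etwdrv.dll",
    r"c:\programdata\system\vault\etwupd.dfg",
}
# Assumption: ProgramData lives at its default location.
ENV = {"%programdata%": r"c:\programdata", "%allusersprofile%": r"c:\programdata"}
BINARY = re.compile(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", re.IGNORECASE)


def extract_path(command_line):
    """Reduce a service command line to a normalised, lower-case binary path."""
    s = command_line.strip()
    if s.startswith('"'):                    # quoted path, arguments may follow
        s = s[1:].split('"', 1)[0]
    else:                                    # unquoted: the path itself may contain spaces
        m = BINARY.match(s)
        s = m.group(1) if m else s
    s = s.replace("/", "\\").lower()
    for var, value in ENV.items():
        s = s.replace(var, value)
    return ntpath.normpath(s)                # collapses "..\" and doubled separators


def check_service(name, image_path, service_dll=""):
    """Return the reasons a service-install record matches the article's artifacts."""
    reasons = []
    if name.strip().lower() in SERVICE_NAMES:
        reasons.append("service-name")
    for label, raw in (("image_path", image_path), ("service_dll", service_dll)):
        if not raw.strip():
            continue
        path = extract_path(raw)
        if path in DROPPED_FILES or ntpath.dirname(path) == LOADER_DIR:
            reasons.append(label)
    return reasons


# Constructed records: event id | service name | ImagePath | ServiceDll (from the registry)
SAMPLE_LOG = r"""
7045|Windows Subsystem Service|"C:\ProgramData\Microsoft\WwanSvc\WinSubSvc.exe"|
7045|syncobjsup|%SystemRoot%\System32\svchost.exe -k netsvcs|%ProgramData%\Apparition Storage\syncobjsup.dll
7045|WwanSvc|%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted|%SystemRoot%\System32\wwansvc.dll
7045|Updater|c:/programdata/microsoft/wwansvc/../WwanSvc/WINSUBSVC.EXE /s|
7036|Windows Subsystem Service||
"""


def scan(log_text):
    """Return (service name, reasons) for every service-install record that matches."""
    hits = []
    for line in log_text.strip().splitlines():
        fields = line.split("|")
        if len(fields) != 4 or fields[0] != "7045":   # only service-install events
            continue
        reasons = check_service(fields[1], fields[2], fields[3])
        if reasons:
            hits.append((fields[1], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG):
        print(f"{name}: {', '.join(reasons)}")
```

A hit on the service name alone is weaker evidence than a hit on a path, since a renamed service still points at the same dropped binary, as the constructed “Updater” record shows.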
The old (4.0) and new (5.0) CloudWizard versions have major differences, as outlined in the table below:

| Version 4.0 | Version 5.0 |
|-------------|-------------|
| Network communication and cryptography modules are contained within the main module | Network communication and cryptography modules are separate from each other |
| Framework source file compilation directory: D:\Projects\Work_2020\Soft_Version_4\Service | Framework source file compilation directory: D:\Projects\Work_2020\Soft_Version_5\Refactoring |
| Uses RC5 (hard-coded key: 7Ni9VnCs976Y5U4j) from the RC5Simple library for C2 server traffic encryption and decryption | Uses RSA and AES for C2 server traffic encryption and decryption (the keys are specified in a configuration file) |

ATTRIBUTION MAGIC

After spending considerable time researching CloudWizard, we decided to look for clues that would allow us to attribute it to an already known actor. CloudWizard reminded us of two campaigns observed in Ukraine and reported in public: Operation Groundbait and Operation BugDrop. Operation Groundbait was first described by ESET in 2016, with the first implants observed in 2008. While investigating Operation Groundbait, ESET uncovered the Prikormka malware, which is “the first publicly known Ukrainian malware that is being used in targeted attacks”. According to ESET’s report, the threat actors behind Operation Groundbait “most likely operate from within Ukraine”.

As for Operation BugDrop, it is a campaign discovered by CyberX in 2017. In their report, CyberX claims (without providing strong evidence) that Operation BugDrop has similarities with Operation Groundbait. And indeed, we have discovered evidence confirming this:
* Prikormka USB DOCS_STEALER module (MD5: 7275A6ED8EE314600A9B93038876F853B957B316) contains the PDB path D:\My\Projects_All\2015\wallex\iomus1_gz\Release\iomus.pdb;
* BugDrop USB stealer module (MD5: a2c27e73bc5dec88884e9c165e9372c9) contains the PDB path D:\My\Projects_All\2016\iomus0_gz\Release\usdlg.pdb.
The following facts allow us to conclude with medium to high confidence that the CloudWizard framework is operated by the actor behind Operation Groundbait and Operation BugDrop:
* ESET researchers found the loader of CloudWizard version 4.0 dll (with the export name LCrPsdNew.dll) to be similar to a Prikormka DLL. The similarity between these two files has been noted in the Virus Bulletin 2019 talk ‘Rich headers: leveraging the mysterious artifact of the PE format’ (slide 42)
  [Figure: Slide 42 of the VB2019 ‘Rich headers: leveraging the mysterious artifact of the PE format’ talk]
* ESET detects a loader of a CloudWizard v. 4 sample (MD5: 406494bf3cabbd34ff56dcbeec46f5d6, PDB path: D:\Projects\Work_2017\Service\Interactive Service_system\Release\Service.pdb) as Win32/Prikormka.CQ.
* According to our telemetry data, multiple infections with the Prikormka malware ended with a subsequent infection with the CloudWizard framework
* Implementation of several modules of CloudWizard resembles the corresponding one from the Prikormka and BugDrop modules, though rewritten from C to C++:
  * USB stealer modules retrieve the serial numbers and product IDs of connected USB devices via the IOCTL_STORAGE_QUERY_PROPERTY system call. The default fallback value in case of failure is the same, “undef”.
    [Figure: Retrieval of USB device serial number and product ID in BugDrop (MD5: F8BDE730EA3843441A657A103E90985E)]
    [Figure: Retrieval of USB device serial number and product ID in CloudWizard (MD5: 39B01A6A025F672085835BD699762AEC)]
    [Figure: Assignment of the ‘undef’ string in BugDrop (left) and CloudWizard (right) in the samples above]
  * The modules for taking screenshots use the same list of window names that trigger an increase in the frequency of screenshot taking: ‘Skype’ and ‘Viber’. CloudWizard and Prikormka share the same default value for the screenshot taking interval (15 minutes).
    [Figure: Comparison of the window title text in Prikormka (MD5: 16793D6C3F2D56708E5FC68C883805B5)]
    [Figure: Addition of the ‘SKYPE’ and ‘VIBER’ string to a set of window titles in CloudWizard (MD5: 26E55D10020FBC75D80589C081782EA2)]
  * The file listing modules in both Prikormka and CloudWizard samples have the same name: Tree. They also use the same format string for directory listings: “\t\t\t\t\t(%2.2u,%2.2u.%2.2u.%2.2u)\n”.
    [Figure: Use of the same format string for directory listings in Prikormka (above, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (below, MD5: BFF64B896B5253B5870FE61221D9934D)]
  * Microphone modules record sound in the same way: first making a WAV recording using Windows Multimedia API and then converting it to MP3 using the LAME library. While this pattern is common in malware, the strings used to specify settings for the LAME library are specific: 8000 Hz and 16 Kbps. Both Prikormka and CloudWizard modules extract integers from these strings, using them in the LAME library.
  * A similar order of extensions is used in extension lists found in Prikormka and CloudWizard modules:
    [Figure: Extension lists in Prikormka (left, MD5: EB56F9F7692F933BEE9660DFDFABAE3A) and CloudWizard (right, MD5: BFF64B896B5253B5870FE61221D9934D)]
* In Prikormka, the names of files to be uploaded to the C2 server have the name format mm.yy_hh.mm.ss.<extension>. In CloudWizard, the files have the name format dd.mm.yyyy_hh.mm.ss.ms.dat. The date substituted into the name format strings is retrieved from the GetLocalTime API function.
* The C2 servers of both Prikormka and CloudWizard are hosted by Ukrainian hosting services. Additionally, there are similarities between BugDrop and CloudWizard in terms of exfiltrating files to the Dropbox cloud storage.
* Victims of Prikormka, BugDrop and CloudWizard are located in western and central Ukraine, as well as the area of conflict in Eastern Europe.
As for the similarities between CloudWizard and CommonMagic, they are as follows:
* The code that performs communication with OneDrive is identical in both frameworks. We did not find this code to be part of any open-source library. This code uses the same user agent: “Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136”.
  [Figure: The same strings in the internet communication module of CloudWizard (left, MD5: 84BDB1DC4B037F9A46C001764C115A32) and CommonMagic (right, MD5: 7C0E5627FD25C40374BC22035D3FADD8)]
* Both frameworks, CloudWizard (version 4) and CommonMagic, use the RC5Simple library for encryption. Files encrypted with RC5Simple start with a 7-byte header, which is set to ‘RC5SIMP’ in the library source code. However, this value has been changed in the malicious implants: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic. Additionally, CloudWizard and CommonMagic use the RapidJSON library for parsing JSON objects.
* Names of files uploaded to the C2 server in CommonMagic have the format mm.dd _hh.mm.ss.ms.dat (in CloudWizard, the name format is dd.mm.yyyy_hh.mm.ss.ms.dat).
* Victim IDs extracted from CloudWizard and CommonMagic samples are similar: they contain a date followed by the two same letters, e.g. 03072020DD, 05082020BB in CloudWizard and WorkObj20220729FF in CommonMagic.
* Victims of CommonMagic and CloudWizard are located in the area of conflict in Eastern Europe.

SO WHAT?

We initiated our investigation back in 2022, starting with simple malicious PowerShell scripts deployed by an unknown actor, and ended up discovering and attributing two large related modular frameworks: CommonMagic and CloudWizard. As our research demonstrates, their origins date back to 2008, the year the first Prikormka samples were discovered. Since 2017, there have been no traces of Groundbait and BugDrop operations.
However, the actor behind these two operations has not ceased their activity, and has continued developing their cyberespionage toolset and infecting targets of interest for more than 15 years.

INDICATORS OF COMPROMISE

NSIS installer
MD5 0edd23bbea61467f144d14df2a5a043e
SHA256 177f1216b55058e30a3ce319dc1c7a9b1e1579ea3d009ba965b18f795c1071a4

Loader (syncobjsup.dll)
MD5 a2050f83ba2aa1c4c95567a5ee155dca
SHA256 041e4dcdc0c7eea5740a65c3a15b51ed0e1f0ebd6ba820e2c4cd8fa34fb891a2

Orchestrator (Main.dll)
MD5 0ca329fe3d99acfaf209cea559994608
SHA256 11012717a77fe491d91174969486fbaa3d3e2ec7c8d543f9572809b5cf0f2119

Domains and IPs
91.228.147[.]23
curveroad[.]com
© 2023 AO Kaspersky Lab. All Rights Reserved. Registered trademarks and service marks are the property of their respective owners.