APT-Q-27 Targets Web3 Support Staff with Fake Screenshot Backdoor Campaign
Severity: High (Score: 72.5)
Sources: Cybersecuritynews, Gbhackers
Summary
A campaign linked to the Chinese threat group APT-Q-27 is targeting Web3 customer support teams by deploying a multi-stage backdoor via fake screenshot links. The attack exploits live chat workflows, using signed .NET loaders and AWS S3 dead drops to deliver a memory-resident Farfli backdoor. The operation focuses on support agents, the human element of the organization, to gain access to sensitive systems. The tools and methods employed indicate a sophisticated approach to compromising victim machines without detection. The current status of the campaign suggests ongoing activity, with potential impact on multiple organizations in the Web3 sector. The attack underlines the need for heightened vigilance among support teams in the cryptocurrency space.
Key Points:
- APT-Q-27 is using fake screenshots to target Web3 customer support staff.
- The attack involves a multi-stage backdoor delivery method using .NET loaders.
- Organizations in the Web3 sector are at risk due to the human-centric nature of the attack.
Key Entities
- APT-Q-27 (apt_group)
- GoldenEyeDog (apt_group)
- Malware (attack_type)
- Phishing (attack_type)
- Farfli (malware)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1574 - Hijack Execution Flow (mitre_attack)
- AWS (company)