Stonefly Group Targets US Firms With New Malware Tools
The North Korea-based Stonefly group, also known by aliases such as APT45 and Silent Chollima, has been observed continuing its financially motivated cyber-attacks against US organizations despite a recent indictment by the US Department of Justice (DoJ).
The group, linked to North Korea’s Reconnaissance General Bureau, has shifted its focus from espionage to targeting private companies in sectors with little intelligence value.
Evidence of these attacks was discovered by Symantec’s Threat Hunter Team, which uncovered Stonefly’s use of sophisticated malware tools during intrusions into three US organizations in August 2024.
“The attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates […] that appear to be unique to this campaign,” Symantec explained.
One of the most notable tools deployed was Backdoor.Preft, a multi-stage backdoor associated exclusively with Stonefly, capable of downloading files, executing commands and deploying additional plugins. Other malware was also identified, including Nukebot and the penetration testing framework Sliver.
Researchers noted several signs that these attacks were financially driven rather than aimed at gathering state intelligence. Although no ransomware was successfully deployed, the group’s recent shift toward extortion-style tactics marks a significant change in its operational strategy.
According to Symantec, Stonefly’s reliance on publicly available tools such as Mimikatz, Snap2HTML and Megatools illustrates a calculated blend of custom and open source software. This approach allows the group to remain flexible while obscuring its operations behind widely available technologies.
In July 2024, a member of Stonefly was indicted by US authorities for his role in extorting hospitals and other institutions.
“While Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight shone on the group’s activities due to the indictment naming one of its members has not yet led to a cessation of activity,” Symantec said. “The group is likely continuing to attempt to mount extortion attacks against organizations in the US.”