Stonefly Group Targets US Firms With New Malware Tools
The North Korean-based Stonefly group, also known by aliases such as APT45 and Silent Chollima, has been observed continuing its financially motivated cyber-attacks against US organizations despite a recent indictment by the US Department of Justice (DoJ).
The group, linked to North Korea’s Reconnaissance General Bureau, has shifted its focus from espionage to targeting private companies in sectors with little intelligence value.
Evidence of these attacks was discovered by Symantec’s Threat Hunter Team, which uncovered Stonefly’s use of sophisticated malware tools during intrusions into three US organizations in August 2024.
“The attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates […] that appear to be unique to this campaign,” Symantec explained.
One of the most notable tools deployed was Backdoor.Preft, a multi-stage backdoor associated exclusively with Stonefly, capable of downloading files, executing commands and deploying additional plugins. Other malware was also identified, including Nukebot and the penetration testing framework Sliver.
Researchers noted several signs that these attacks were financially driven rather than aimed at gathering state intelligence. Though no ransomware was successfully deployed, the group’s recent shift toward such financially motivated tactics marks a significant change in its operational strategy.
According to Symantec, Stonefly’s reliance on public tools such as Mimikatz, Snap2HTML and Megatools illustrates a calculated blend of custom and open-source software. This approach allows the group to maintain flexibility while obscuring its operations behind widely available technologies.
In July 2024, a member of Stonefly was indicted by US authorities for his role in extorting hospitals and other institutions.
“While Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight shone on the group’s activities due to the indictment naming one of its members has not yet led to a cessation of activity,” Symantec said. “The group is likely continuing to attempt to mount extortion attacks against organizations in the US.”