Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa

The Hacker News by The Hacker News
June 26, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jun 26, 2025Ravie LakshmananThreat Intelligence / Ransomware

Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access.

Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014, where “CL” refers to “cluster” and “CRI” stands for “criminal motivation.”

It’s suspected that the end goal of the attacks is to obtain initial access and then sell it to other criminal actors on underground forums, making the threat actor an initial access broker (IAB).

“The threat actor copies signatures from legitimate applications to forge file signatures, to disguise their toolset and mask their malicious activities,” researchers Tom Fakterman and Guy Levi said. “Threat actors often spoof legitimate products for malicious purposes.”

Cybersecurity

The attacks are characterized by the deployment of tools like PoshC2 for command-and-control (C2), Chisel for tunneling malicious network traffic, and Classroom Spy for remote administration.

The exact method the threat actors use to breach target networks is not clear. Once a foothold is obtained, the attack chains have been found to deploy MeshCentral Agent and later Classroom Spy to commandeer the machines, and then drop Chisel to bypass firewalls and spread PoshC2 to other Windows hosts on the compromised network.

To sidestep detection efforts, the payloads are passed off as legitimate software, using the icons of Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools. PoshC2 is persisted on the systems using three different methods –

  • Setting up a service
  • Saving a Windows shortcut (LNK) file to the tool in the Startup folder
  • Using a scheduled task under the name “Palo Alto Cortex Services”

In some incidents observed by the cybersecurity company, the threat actors are said to have stolen user credentials and used them to set up a proxy using PoshC2.

“PoshC2 can use a proxy to communicate with a command-and-control (C2) server, and it appears that the threat actor tailored some of the PoshC2 implants specifically for the targeted environment,” the researchers noted.

This is not the first time PoshC2 has been used in attacks aimed at financial services in Africa. In September 2022, Check Point detailed a spear-phishing campaign dubbed DangerousSavanna that targeted financial and insurance companies located in Coast, Morocco, Cameroon, Senegal, and Togo to deliver Metasploit, PoshC2, DWservice, and AsyncRAT.

Cybersecurity

The disclosure comes as Trustwave SpiderLabs shed light on a new ransomware group called Dire Wolf that has already claimed 16 victims across the U.S., Thailand, Taiwan, Australia, Bahrain, Canada, India, Italy, Peru, and Singapore since its emergence last month. The top targeted sectors are technology, manufacturing, and financial services.

Analysis of the Dire Wolf locker has revealed that it’s written in Golang, and comes with capabilities to disable system logging, terminate a hard-coded list of 75 services and 59 applications, and inhibit recovery efforts by deleting shadow copies.

“Although no initial access, reconnaissance or lateral movement techniques used by Dire Wolf are known at this point, organizations shall follow good security practices as well as enable monitoring for the techniques revealed in this analysis,” the company said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
UK IT infrastructure processes images looking back 1.2 million light years | Computer Weekly

UK IT infrastructure processes images looking back 1.2 million light years | Computer Weekly

Recommended.

RingCentral Buys CommunityWFM For AI-Fueled Work Force, Contact Center Operations Capabilities

RingCentral Buys CommunityWFM For AI-Fueled Work Force, Contact Center Operations Capabilities

September 8, 2025
EPG voltooit Serie B-financieringsronde van bijna US $ honderd miljoen en versterkt leveringscapaciteiten van wereldwijde datacenters

EPG voltooit Serie B-financieringsronde van bijna US $ honderd miljoen en versterkt leveringscapaciteiten van wereldwijde datacenters

January 28, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio