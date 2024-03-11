As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production.

Beginning in November 2023, X-Force observed ITG05 using the “search-ms” URI handler, a technique new to the group, to lead victims into downloading malware hosted on actor-controlled WebDAV servers. ITG05 was also observed delivering MASEPIE, a new backdoor that replaces Headlace for facilitating follow-on actions. In addition to MASEPIE, ITG05 developed another new backdoor, dubbed OCEANMAP; X-Force analysis indicates that OCEANMAP was likely built on the CREDOMAP code base. In place of CREDOMAP itself, ITG05 has opted for a new, simplified PowerShell script named STEELHOOK.
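The search-ms abuse described above works because Windows Explorer will honour a `search-ms:` URI whose `crumb=location:` parameter points at a remote share, and a WebDAV server can be named in UNC form as `\\host@SSL\DavWWWRoot\...` (or `\\host@80\...`), which the WebDAV Mini-Redirector resolves over HTTP(S). The report does not publish the specific URIs used by ITG05, so the following triage helper is an added example (not X-Force's code and not an indicator from the campaign): it assumes only the documented shape of the search-ms protocol handler, and the HTML snippet with the 203.0.113.10 address is constructed for illustration. It extracts every search-ms URI from a blob of text (an HTML lure, an email body, a LNK target), parses the parameters, and classifies the `location:` crumb as local, plain UNC, or WebDAV so an analyst can prioritise the remote ones.

```python
"""Triage helper: find search-ms: URIs in text and flag those pointing at remote shares.

Added example, not code from the original X-Force report. It assumes the documented
Windows search-ms protocol shape:
    search-ms:query=<text>&crumb=location:<path>&displayname=<name>
The sample lure HTML below is constructed and does not reproduce any real campaign URI.
"""
import re
from urllib.parse import unquote

# A search-ms URI runs until whitespace or an HTML/quote delimiter.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)

# UNC path: \\host\rest. A host written as server@SSL or server@<port> is the
# syntax the WebDAV Mini-Redirector uses to reach an HTTP(S) server as a share.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)(?:\\(?P<rest>.*))?$")


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms URI into parameters; 'crumb' is a list because it may repeat."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    body = uri[len("search-ms:"):].replace("&amp;", "&")  # tolerate HTML-escaped '&'
    params = {"crumb": []}
    for part in body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        value = unquote(value)  # %5C -> backslash, etc.
        if key == "crumb":
            params["crumb"].append(value)
        else:
            params[key] = value
    return params


def classify_location(location: str) -> str:
    """Return 'webdav', 'unc' or 'local' for the path in a crumb=location: value."""
    m = UNC_RE.match(location)
    if not m:
        return "local"
    if "@" in m.group("host"):  # \\host@SSL\... or \\host@80\... -> WebDAV redirector
        return "webdav"
    return "unc"


def triage(text: str) -> list:
    """Return one finding per search-ms URI found in text, with its remote classification."""
    findings = []
    for m in SEARCH_MS_RE.finditer(text):
        uri = m.group(0)
        params = parse_search_ms(uri)
        location = ""
        for crumb in params["crumb"]:
            if crumb.lower().startswith("location:"):
                location = crumb[len("location:"):]
        findings.append({
            "uri": uri,
            "location": location,
            "kind": classify_location(location) if location else "none",
            "displayname": params.get("displayname", ""),  # the name the victim sees
        })
    return findings


# Constructed lure HTML: one link to a WebDAV share (the pattern to alert on),
# one to a local folder (benign-looking control case).
SAMPLE_HTML = (
    '<a href="search-ms:query=Report&crumb=location:%5C%5C203.0.113.10@SSL'
    '%5CDavWWWRoot%5Cdocs&displayname=Downloads">Open document</a>'
    ' <a href="search-ms:query=budget&crumb=location:C:%5CUsers%5CPublic'
    '&displayname=Budgets">Local search</a>'
)

if __name__ == "__main__":
    for f in triage(SAMPLE_HTML):
        print(f"{f['kind']:7} displayname={f['displayname']!r} location={f['location']!r}")
```

The `displayname` value is worth surfacing alongside the location: Explorer shows it as the window title, so a remote WebDAV share labelled "Downloads" is exactly the combination a lure relies on. The same classification can be applied to `LNK` targets or to proxy logs showing `PROPFIND` requests to hosts that only ever appear in such URIs.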

ITG05 is a Russian state-sponsored group consisting of multiple activity clusters and overlaps with APT28, UAC-0028, Fancy Bear and Forest Blizzard. The tactics, techniques and procedures (TTPs) observed in these campaigns strongly correlate with recent ITG05 activity. Given the group's sustained operational tempo and continuously evolving methodologies, it is highly likely that ITG05 will continue to carry out malicious activity against global targets in support of state objectives.