A previously unknown threat actor is targeting telecommunications companies in the Middle East in what appears to be a cyber-espionage campaign similar to many that have hit telecom organizations in multiple countries in recent years.
Researchers from SentinelOne who spotted the new campaign said they’re tracking it as WIP26, a designation the company uses for activity it has not been able to attribute to any specific cyberattack group.
In a report this week, they noted that they had observed WIP26 using public cloud infrastructure to deliver malware and store exfiltrated data, as well as for command-and-control (C2) purposes. The security vendor assessed that the threat actor is using the tactic — like many others do these days — to evade detection and make its activity harder to spot on compromised networks.
“The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs [tactics, techniques and procedures] in an attempt to stay stealthy and circumvent defenses,” the company said.
Targeted Mideast Telecom Attacks
The attacks that SentinelOne observed usually began with WhatsApp messages directed at specific individuals within target telecom companies in the Middle East. The messages contained a link to an archive file in Dropbox that purported to contain documents on poverty-related topics pertinent to the region. But in reality, it also included a malware loader.
Users tricked into clicking on the link ended up having two backdoors installed on their devices. SentinelOne found one of them, tracked as CMD365, using a Microsoft 365 Mail client