"Russian Threat Group Suspect Uses Screenshotting to Observe Victims Before Striking, Says Analyst"

Proofpoint researchers have observed a new threat group, tracked as TA866, distributing malware through phishing emails since October 2022. Although the group's primary motive is believed to be financial gain, analysis of the associated operations indicates that espionage may be a secondary objective. Proofpoint cannot confirm that the group is tied to Russia or conducting espionage on the country's behalf, but TA866's working patterns suggest this may be the case. The attacks, which target organizations across all industries in the US and Germany, appear to have continued into 2023.

Proofpoint tracks this growing cluster of financially motivated activity as "Screentime." TA866's attack vector involves emails carrying a malicious attachment or URL that delivers malware dubbed "WasabiSeed" and "Screenshotter." In some cases, Proofpoint also observed follow-on activity using the AHK Bot and Rhadamanthys Stealer tools. TA866's campaigns, which an analyst spotted at the end of last year, sent thousands of phishing emails in just a few months. The emails used documents associated with trusted software as lures to lower victims' suspicion.

TA866 is considered an organized actor capable of carrying out well-planned attacks at scale. Proofpoint says the group has the capability and connections to acquire tools and services from other vendors, allowing it to expand its targeting. This article continues to discuss researchers' findings and observations regarding TA866.

Cybernews reports "Russian Threat Group Suspect Uses Screenshotting to Observe Victims Before Striking, Says Analyst"

Submitted by Anonymous on