The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2021.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact

The most remarkable findings

The SolarWinds incident reported last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT’s networks to perfect their attack. In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface. Following this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor.
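The DNS hijack described above redirected mail traffic by changing a zone's records at the registrar. A baseline check that compares observed NS/MX answers against what the zone owner expects catches that class of change; the following is an added example, not code from the report, and its zone names and record values are constructed placeholders:

```python
"""Baseline check for a zone's NS and MX records, as a defender would run it.

Constructed example: the baseline and the "observed" answers below are
hard-coded placeholders; in practice the observed sets come from periodic
queries against several independent resolvers.
"""
from dataclasses import dataclass
from typing import Iterable, List, FrozenSet


def normalize(names: Iterable[str]) -> FrozenSet[str]:
    """Lower-case and strip the trailing dot so 'MX.Example.gov.' == 'mx.example.gov'."""
    return frozenset(n.lower().rstrip(".") for n in names)


@dataclass(frozen=True)
class Finding:
    zone: str
    rrtype: str            # "NS" or "MX"
    added: FrozenSet[str]  # hosts present now but absent from the baseline
    removed: FrozenSet[str]


def check_zone(zone: str, baseline: dict, observed: dict) -> List[Finding]:
    """Compare observed NS/MX answers to the baseline; any delta is a finding.

    Both dicts map "NS"/"MX" to an iterable of host names. A hijack that
    points MX at a host the owner never configured shows up as one MX finding
    with the new host in `added` and the legitimate mail server in `removed`.
    """
    findings = []
    for rrtype in ("NS", "MX"):
        expected = normalize(baseline.get(rrtype, ()))
        seen = normalize(observed.get(rrtype, ()))
        added, removed = seen - expected, expected - seen
        if added or removed:
            findings.append(Finding(zone, rrtype, added, removed))
    return findings


# Constructed placeholder data (not from the report).
BASELINE = {"NS": ["ns1.example.gov", "ns2.example.gov"], "MX": ["mail.example.gov"]}
OBSERVED_OK = {"NS": ["NS2.example.gov.", "ns1.example.gov."], "MX": ["mail.example.gov."]}
OBSERVED_HIJACKED = {"NS": ["ns1.example.gov", "ns2.example.gov"],
                     "MX": ["mx.unexpected-host.example"]}

if __name__ == "__main__":
    for f in check_zone("example.gov", BASELINE, OBSERVED_HIJACKED):
        print(f"{f.zone} {f.rrtype}: added={sorted(f.added)} removed={sorted(f.removed)}")
```

A finding on NS or MX for a zone you control is a signal to verify the registrar account and its recent change history, not only the zone file.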