The “Horns&Hooves” campaign, active since March 2023, has targeted over 1,000 victims—primarily private users, retailers, and service businesses in Russia—by distributing remote access trojans (RATs) like NetSupport RAT and BurnsRAT. Attackers employ phishing emails with ZIP attachments containing malicious JScript files, masquerading as legitimate business communications to deceive recipients into executing the malware. These scripts download additional payloads, including stealer malware such as Rhadamanthys and Meduza, facilitating unauthorized access and data theft. The campaign exhibits ongoing development, with attackers continually modifying their methods to enhance effectiveness. Notably, there are indications linking this operation to the threat actor TA569 (also known as Gold Prelude or Mustard Tempest), recognized for deploying the SocGholish malware and providing initial access for subsequent ransomware attacks.
Source: The Hacker News
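A defensive check for the delivery method described above (ZIP attachments carrying JScript files), as an added example that is not from the source article: it parses a raw email, inspects each ZIP attachment and reports script members. The extension blocklist, function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions Windows runs via Script Host / mshta on double-click.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def script_members(zip_bytes, depth=0):
    """Return names of script files in a ZIP, following nested ZIPs two levels deep."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                lower = info.filename.lower().rstrip(". ")
                if lower.endswith(SCRIPT_EXTS):
                    hits.append(info.filename)  # names are readable even if encrypted
                elif lower.endswith(".zip") and depth < 2 and not info.flag_bits & 0x1:
                    hits += script_members(zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        pass  # not a readable archive; nothing to report
    return hits


def scan_email(raw):
    """Map each ZIP attachment's filename to the script files found inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data[:4] == b"PK\x03\x04":  # sniff magic bytes, not the declared MIME type
            hits = script_members(data)
            if hits:
                findings[part.get_filename() or "(unnamed)"] = hits
    return findings


def build_sample(member="Request_2023.pdf.js"):
    """Constructed sample: a message whose ZIP holds one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder, no payload")
    msg = EmailMessage()
    msg["Subject"] = "Request for proposal"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="request.zip")
    return msg.as_bytes()
```

A mail gateway or triage script can quarantine any message for which `scan_email` returns a non-empty result, since legitimate business mail rarely ships script files inside archives.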





