Skip to main content

Woburn, MA – November 3, 2020 – The activity of advanced persistent threat (APT) groups in the third quarter of 2020 indicated a curious trend: while many threat actors continued to diversify their toolsets, at times resorting to extremely tailored and persistent tools, others successfully reached their goals through the employment of well-known, time-tested attack methods. This was one of a few global APT trends covered in Kaspersky’s latest quarterly threat intelligence report.

One of the most notable findings of the quarter was a campaign carried out by an unknown actor, which decided to infect one of its victims using a custom bootkit for UEFI – an essential hardware component of any modern computer device. This infection vector was part of a multi-stage framework dubbed MosaicRegressor. The infection of UEFI made the malware planted on the device exceptionally persistent and extremely hard to remove. On top of that, the payload downloaded by the malware to each victim’s device could be different. This flexible approach enabled the actor to hide its payload from unwanted witnesses.

Other actors made use of stenography. A new method abusing the Authenticode-signed Windows Defender binary, an integral and approved program for the Windows Defender security solution, was detected in the wild in an attack on a telecom company in Europe. An ongoing campaign attributed to Ke3chang utilized a new version of the Okrum backdoor. This updated version of Okrum abuses an Authenticode-signed Windows Defender binary through employment of a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection.

Many other actors also continue to update their toolsets in order to make them more flexible and less prone to detection. Various multi-stage frameworks, such as the one developed by the MuddyWater APT group, continue to appear in the wild. This tendency is true of other malware as well. For instance, the Dtrack RAT (remote access tool), which was updated with a new feature that enables the attacker to execute more types of payload.

However, some actors still successfully use low-tech infection chains. One example is a mercenary group named DeathStalker by Kaspersky researchers. This APT mainly focuses on law firms and companies operating in the financial sector, gathering sensitive and valuable information from the victims. Using techniques that have been mostly identical since 2018, a focus on evading detection has enabled DeathStalker to continue carrying out a number of successful attacks.

“While some threat actors remain consistent over time and simply look to use hot topics such as COVID-19 to entice victims to download malicious attachments, other groups reinvent themselves and their toolsets,” said Ariel Jungheit, Senior Security Researcher, Global Research and Analysis Team, Kaspersky. “The widening scope of platforms attacked, continuous work on new infection chains and the use of legitimate services as part of their attack infrastructure, is something we have witnessed over the past quarter. Overall, what this means for cybersecurity specialists is this: defenders need to invest resources in hunting malicious activity in new, possibly legitimate environments that were scrutinized less in the past. That includes malware that is written in lesser-known programming languages, as well as through legitimate cloud services. Tracking actors’ activities and TTPs allows us to follow as they adapt new techniques and tools, and thereby prepare ourselves to react to new attacks in time.”

A three-month APT trends summary for the last quarter summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, as well as other sources that cover major developments the corporate sector should be aware of. Kaspersky’s threat intelligence reports also include Indicators of Compromise (IoC) data, as well as Yara and Suricata rules to assist in forensics and malware hunting. For more information, please contact:

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing ongoing cyber-attack data and insights gathered by Kaspersky over more than 20 years. Free access to its curated features that allow users to check files, URLs and IP addresses is available here.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • Implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.

Read the full Q3 APT trends report on

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at

Media Contact

Sawyer Van Horn

(781) 503-1866

Threat actors got creative in third quarter

Q3 APT trends report finds many threat actors developing new techniques, while others stick with what works
Kaspersky Logo