BISCUIT

"Biscuit" is a sophisticated malware variant that was notably used in an attack campaign titled "Operation Bitter Biscuit". This operation was first reported by AhnLab in October 2017, targeting entities in South Korea, Japan, India, and Russia. The offensive made use of the Bisonal remote access trojan (RAT) and its successors, Bioazih and Dexbia. Bisonal and its variants are known for their stealthy infiltration methods and damaging capabilities, including data theft and operational disruption. In 2018, AhnLab released another paper detailing further instances of "Operation Bitter Biscuit", this time focusing on Korean and Japanese entities. The attackers were observed using a Bisonal variant similar to one previously employed during the same operation. This variant was attributed to the Tonto Team, a group known for its malicious cyber activities. Alongside Bisonal, the attackers also utilized ShadowPad, adding another layer of complexity to their operations. The term "Biscuit" has also been associated with a security vulnerability (CVE-2023-40429), identified by researchers Michael Thomas and 张师傅(@京东蓝军). It's important to note that ransomware groups, like the one involved in "Operation Bitter Biscuit", often gain access to victim environments via VPN services, especially where multi-factor authentication is not enabled. These groups deploy malware such as ransomware, which blocks users from accessing their own data and systems until a ransom is paid.