Flea, also known as APT15 or Nickel, is a China-linked threat actor primarily targeting foreign affairs ministries in Central and South American countries. The group's latest campaign utilizes a novel backdoor named "Graphican," which is an evolution of their custom backdoor Ketrican. This new backdoor maintains the same basic functionality as its predecessor but leverages Microsoft Graph API and OneDrive to establish its command-and-control (C&C) infrastructure. The Threat Hunter Team at Symantec, part of Broadcom, detailed this recent activity, highlighting Flea's continued malicious activities.
In 2023, Flea used Graphican against foreign affairs ministries in the Americas, consistent with the group's long-standing focus on governmental and diplomatic entities. It is assessed to be a state-sponsored actor whose targeting aligns with the strategic interests of the Chinese government. Graphican is not the initial access vector but the post-compromise tool: once installed it gives the group persistent remote access to a host, from which it can run commands and collect sensitive information. Because its command-and-control traffic is carried over Microsoft Graph API and OneDrive, it blends with legitimate cloud traffic and cannot be blocked by domain reputation alone, which is what makes the backdoor a serious threat.
The name Flea has been read as an allusion to scavenging and repurposing found equipment, as in a flea market, and on that reading it would hint at the group's adaptability in exploiting whatever resources are available. This is speculation, however: vendor naming conventions for threat actors are largely arbitrary and do not necessarily reflect the actual characteristics or methods of the group.
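Because Graph API and OneDrive are legitimate, widely used services, a practitioner cannot simply block the hosts Graphican talks to; detection has to pivot on which process is talking and in what sequence. The following is an added example written for this page, not Symantec's detection logic and not derived from Graphican samples. It assumes a proxy or EDR log of the form `timestamp host process method url` (constructed lines below), an allowlist of first-party Microsoft clients that are expected to use Graph, and flags any other process that obtains an OAuth token from `login.microsoftonline.com` and then touches OneDrive (`/drive` paths on `graph.microsoft.com`) within a time window. Host names, process names and the log format are assumptions for the example.

```python
"""Flag non-allowlisted processes that use an OAuth token grant followed by
OneDrive access via Microsoft Graph, a pattern consistent with API-based C2.

Added example for this page: the rule, the allowlist and the log lines are
constructed for illustration and are not Symantec's detection or Graphican code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed allowlist of first-party clients expected to call Graph/OneDrive.
KNOWN_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
    "winword.exe", "excel.exe", "powerpnt.exe",
}
TOKEN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}
GRAPH_HOSTS = {"graph.microsoft.com"}


@dataclass
class Event:
    ts: int        # epoch seconds
    host: str      # endpoint that generated the request
    process: str   # image name, lower-cased
    method: str
    url: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: 'ts host process method url'."""
    ts, host, process, method, url = line.split(maxsplit=4)
    return Event(int(ts), host, process.lower(), method, url)


def classify(ev: Event) -> Optional[str]:
    """Return 'token' for an OAuth token grant, 'drive' for OneDrive access."""
    u = urlparse(ev.url)
    if u.hostname in TOKEN_HOSTS and u.path.endswith("/oauth2/v2.0/token"):
        return "token"
    if u.hostname in GRAPH_HOSTS and "/drive" in u.path:
        return "drive"
    return None


def find_suspicious(lines: List[str], window: int = 3600) -> List[Tuple[str, str]]:
    """Return (host, process) pairs where a process outside the allowlist obtained
    a token and then accessed OneDrive within `window` seconds.

    The window defaults to an hour because access tokens are cached and the
    grant may precede drive access by a long time."""
    last_token = {}
    hits = set()
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev)
        key = (ev.host, ev.process)
        if kind == "token":
            last_token[key] = ev.ts
        elif kind == "drive" and ev.process not in KNOWN_GRAPH_CLIENTS:
            t = last_token.get(key)
            if t is not None and 0 <= ev.ts - t <= window:
                hits.add(key)
    return sorted(hits)


# Constructed sample log: one legitimate OneDrive sync, one unknown binary
# doing the same token-then-drive sequence, and two non-matching events.
SAMPLE_LOG = [
    "1000 ws-17 OneDrive.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "1002 ws-17 OneDrive.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children",
    "1100 ws-17 update.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "1103 ws-17 update.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children",
    "1200 ws-22 chrome.exe GET https://graph.microsoft.com/v1.0/me/messages",
    "1300 ws-22 svc.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/docs:/children",
]


if __name__ == "__main__":
    for host, proc in find_suspicious(SAMPLE_LOG):
        print(f"suspicious Graph/OneDrive use: host={host} process={proc}")
```

The rule is a triage signal, not proof: process names can be spoofed or injected into, and `svc.exe` above escapes it only because its token grant (if any) fell outside the log. In practice the allowlist should be keyed on signed image path rather than file name, and a second, lower-severity rule should catch OneDrive access from any non-allowlisted process regardless of sequence.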
Description last updated: 2024-05-04T16:41:14.758Z