Group2

Threat Actor updated 3 months ago (2024-11-29T14:02:36.381Z)
Group2 is a tracked threat actor whose activity poses risks to both private- and public-sector organizations. Its methodology and the malware families it uses overlap strongly with the Karkoff, Saitama and IIS Group2 clusters, all of which have documented connections to APT34, a cyber-espionage group. On that basis Group2 is assessed to be one component of a larger set of related actors, likely state-sponsored given the APT34 association.

Group2's tactics, techniques and procedures (TTPs) have recently evolved, as shown by the appearance of CacheHttp.dll, an updated version of the IIS Group2 backdoor. The lineage from RGdoor through IIS Group2 to CacheHttp.dll indicates that the group is actively refining its tooling for espionage operations rather than reusing it unchanged.

The most notable change is the command-and-control channel. The earlier Group2 variant exchanged data in the HTTP body, whereas CacheHttp.dll carries it in the Cookie header. This matters for defenders because controls that inspect request bodies (body-aware WAF rules, DLP, body-size anomaly checks) never see the traffic, and by default IIS W3C logging does not record the cs(Cookie) field, so the channel leaves no trace in standard web logs. Practical checks: enable cs(Cookie) in the W3C log fields on internet-facing IIS servers and review the resulting values against the cookie names the application actually sets, and inventory the native modules registered in IIS (for example with appcmd list modules, or the WebAdministration cmdlet Get-WebGlobalModule) against a known-good baseline, since a backdoor in the IIS Group2 lineage is expected to be loaded as an IIS module. Group2's continued adaptation makes tracking its changing tactics a prerequisite for effective countermeasures.
Description last updated: 2024-09-12T00:17:36.293Z
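The following is an added detection example and not code from the source report or from any vendor tooling. The page states only that CacheHttp.dll moved its C2 channel from the HTTP body to the Cookie field and gives no cookie names or encoding, so the check is deliberately generic: it parses IIS W3C extended log lines (which must have cs(Cookie) enabled, an assumption) and flags cookies whose names are outside a site-specific baseline and whose values look like encoded payloads (long or high-entropy). The log lines, the expected-cookie set and the thresholds are constructed for illustration and should be tuned per site.

```python
"""Flag anomalous Cookie headers in IIS W3C extended logs.

Added example, not from the source page. Requires the cs(Cookie) field to be
enabled in the IIS W3C log configuration (assumption). The cookie names and
thresholds below are placeholders to be tuned per application.
"""
import math
from collections import Counter

# Assumption: cookie names the monitored application legitimately sets.
EXPECTED_COOKIES = {"ASP.NET_SessionId", ".ASPXAUTH", "ARRAffinity"}
ENTROPY_THRESHOLD = 4.0   # bits per character; base64/encrypted blobs exceed this
LENGTH_THRESHOLD = 48     # characters; unusually long for a non-session cookie

# Constructed sample log in W3C extended format. IIS writes "-" for an absent
# field and replaces spaces inside a field with "+", hence ";+" between cookies.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2024-09-11 08:00:01 10.0.0.5 GET /default.aspx - 198.51.100.7 Mozilla/5.0 ASP.NET_SessionId=abc123 200
2024-09-11 08:00:02 10.0.0.5 GET /images/logo.png - 198.51.100.7 Mozilla/5.0 - 200
2024-09-11 08:00:07 10.0.0.5 GET /default.aspx - 203.0.113.9 Mozilla/5.0 ASP.NET_SessionId=def456;+x=eyJpZCI6MSwiY21kIjoid2hvYW1pIn0=;+theme=dark 200
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, parts))


def parse_cookies(raw: str):
    """Split a logged cs(Cookie) value into (name, value) pairs.

    Only the "+" that IIS substitutes for the separator space is stripped; a
    literal "+" inside a base64 value is left alone (the two are ambiguous in
    the log, so the value itself is not rewritten).
    """
    if raw in ("-", ""):
        return []
    pairs = []
    for part in raw.split(";"):
        part = part.lstrip("+ ").strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def suspicious_cookies(text: str, expected=EXPECTED_COOKIES):
    """Return findings for cookies outside the baseline that look like payloads."""
    findings = []
    for rec in parse_w3c(text):
        for name, value in parse_cookies(rec.get("cs(Cookie)", "-")):
            if name in expected:
                continue
            ent = shannon_entropy(value)
            if len(value) >= LENGTH_THRESHOLD or ent >= ENTROPY_THRESHOLD:
                findings.append({
                    "time": f"{rec['date']} {rec['time']}",
                    "client": rec["c-ip"],
                    "uri": rec["cs-uri-stem"],
                    "name": name,
                    "length": len(value),
                    "entropy": round(ent, 2),
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_cookies(SAMPLE_LOG):
        print(f)
```

The low-entropy "theme=dark" cookie is outside the baseline but is not reported, while the base64-looking value on the second client is; in practice the hits should be joined with the IIS module inventory and with request timing, since a cookie-carried C2 channel produces otherwise ordinary-looking GET requests with successful status codes.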
Aliases: We are not currently tracking any aliases