Neanderthals

Threat Actor Profile Updated 24 days ago
Neanderthals, a threat actor group identified by ESET researchers, have been exploiting the Telekopye toolkit to execute various types of scams. The group primarily recruits members via advertisements on underground forums and uses Telegram channels for communication and transaction tracking. They employ deceptive tactics and social engineering to trick victims (referred to as "Mammoths") into sharing sensitive information. These scammers also use VPNs, proxies, and Tor to maintain anonymity while conducting their operations.

The Neanderthals are involved in several scam types facilitated by the Telekopye toolkit. In seller scams, they pose as sellers and deceive Mammoths into buying non-existent items. If the victims don't receive the goods, they are further targeted with refund phishing emails. The group is also engaged in real estate scams, creating bogus websites with apartment listings and luring Mammoths into paying reservation fees through phishing websites. They use web scrapers to sift through online marketplace listings to find ideal victims likely to fall for their schemes.

ESET researchers have dissected specific features offered by Telekopye and the different scam types it facilitates, shedding light on the geographical areas these Neanderthals target and how they select their victims. For instance, in the real estate scam scenario, Neanderthals contact legitimate apartment owners feigning interest, gather details, and then create their own listings at reduced prices on other websites. The dynamics within and between various Neanderthal groups, their techniques for finding and selecting victims, and their methods of teaching each other to effectively use Telekopye have been discussed in detail in an ESET podcast.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Eset
Scam
Phishing
Telegram
Associated Malware
ID | Type | Votes | Profile Description
Telekopye | has used | 3 | Telekopye is a sophisticated malware toolkit used by cybercriminals, particularly Russian hackers, to carry out broad phishing attacks. This malicious software, implemented as a Telegram bot, is designed to create fraudulent links, web pages, QR codes, and deliver convincing images via SMS messages.
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Neanderthals Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created at | Title
ESET | 6 months ago | Telekopye: Chamber of Neanderthals’ secrets
CERT-EU | 9 months ago | Telekopye: Hunting Mammoths using Telegram bot
CERT-EU | 6 months ago | Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale
CERT-EU | 6 months ago | Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
ESET | 5 months ago | ESET Research Podcast: Neanderthals, Mammoths and Telekopye
CERT-EU | 9 months ago | Scammers Target Online Markets with Telekopye Phishing Toolkit
CERT-EU | 9 months ago | Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
CERT-EU | 9 months ago | New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia
CERT-EU | 9 months ago | Industrial HMIs at risk of attacks exploiting Rockwell ThinManager vulnerabilities
CERT-EU | 9 months ago | Cyrus Labs purchased by Malwarebytes
CERT-EU | 9 months ago | Organizations in NATO countries claimed to be compromised by hacktivist operation