PHOREAL

Malware Profile Updated 3 months ago
PHOREAL is a malware family deployed as one of the signature payloads in APT32 operations, alongside WINDSHIELD, KOMPROGO, SOUNDBITE, and BEACON. Like other malware, it can reach a system through suspicious downloads, emails, or websites, and once installed it can steal personal information, disrupt operations, or hold data hostage for ransom.

The operations in which PHOREAL has appeared have targeted industries in countries around the world since at least 2014, in sectors ranging from network security and manufacturing to media, banking, and consumer products. APT32, which is also known for its interest in political influence and foreign governments, has been active since at least 2013. The group has targeted not only private-sector entities with ties to Vietnam but also foreign governments, Vietnamese dissidents, and journalists. In 2016, APT32's operations expanded to the United States' consumer products industry, where PHOREAL was deployed among other payloads. That deployment marked a significant escalation in APT32's cyber-espionage campaign and demonstrated the group's ability to target, and potentially compromise, a wide range of industries and sectors globally.

PHOREAL also shares tactical commonalities with a separate group dubbed REF4322, which primarily targets Vietnamese entities to deploy a post-exploitation implant referred to as PHOREAL (aka Rizzo). As reported by FireEye and Elastic Security Labs, this overlap points to an interconnected set of threats, all aimed at exploiting vulnerabilities in systems to gain unauthorized access or control. Understanding these commonalities helps defenders develop more effective strategies against such advanced persistent threats.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is hard, so the following are possible overlapping names and profiles that may also be worth reviewing.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Backdoor
Implant
Exploit
Cobalt Strike
Malware
exploitation
Associated Malware
ID | Type | Votes | Profile Description
WINDSHIELD | Unspecified | 1 | Windshield is a notorious malware, a harmful program designed to exploit and damage computers or devices. It is one of the signature malware payloads deployed by APT32 operations, alongside KOMPROGO, SOUNDBITE, and PHOREAL. This malicious software can infiltrate systems through suspicious downloads,
SOUNDBITE | Unspecified | 1 | Soundbite is a type of malware, a harmful software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data host
KOMPROGO | Unspecified | 1 | Komprogo is a type of malware, a harmful software program designed to exploit and damage computer systems or devices. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or e
Associated Threat Actors
ID | Type | Votes | Profile Description
APT32 | Unspecified | 1 | APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s
Ref2754 | Unspecified | 1 | REF2754 is a cybersecurity threat actor that has been linked with malicious activities targeting primarily Vietnamese entities. This group shares tactical similarities with another threat group referred to as REF4322, which is known for deploying a post-exploitation implant called PHOREAL (also know
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the PHOREAL malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies
MITRE | a year ago | Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations | Mandiant