Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware has been linked to other harmful programs such as FakeM MSN, BiFrost, Elirks, and PlugX; overlaps in PE resources and shared infrastructure suggest that the same developer may have been involved in creating these various samples. Poison Ivy has been used in attacks dating back to 2009, and traces of its use have been found in the network infrastructure of HenBox.
A modified variant of Poison Ivy that appears to be unique to the threat group GALLIUM has been observed. Poison Ivy has also been used by various Advanced Persistent Threat (APT) campaigns, including the "menuPass" campaign in 2016, which targeted Japanese academics and organizations. Other well-known malware, such as PlugX, ShadowPad, and Gh0st RAT, was also used in conjunction with Poison Ivy in these attacks.
The use of Poison Ivy extends to several other cyber threats. APT1 intruders occasionally use publicly available backdoors like Poison Ivy, but they predominantly rely on their own custom backdoors. Another threat group, IndigoZebra, used Poison Ivy in covert operations targeting former Soviet republics. The malware was also part of a cyber campaign likely intended to monitor Hong Kong media during periods of crisis, demonstrating its widespread use in global cyber espionage activities.
Description last updated: 2024-05-04T20:29:30.107Z