Ref2754

Threat Actor Profile Updated 2 months ago
REF2754 is a cybersecurity threat actor that has been linked with malicious activities targeting primarily Vietnamese entities. This group shares tactical similarities with another threat group referred to as REF4322, which is known for deploying a post-exploitation implant called PHOREAL (also known as Rizzo). The overlap in tactics suggests that these two groups may be coordinating their attacks or even operating under the same umbrella organization. The attacks orchestrated by REF2754 have also shown connections with APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus, all of which are recognized Vietnamese threat groups. This further supports the theory of collaboration or shared operations among these entities. The commonalities between these groups extend beyond just their targets, indicating possible shared resources, strategies, or even leadership. Given the overlapping methodologies and target selection, there is a growing suspicion within the cybersecurity community that both REF4322 and REF2754 represent campaigns planned and executed by a Vietnamese state-affiliated entity. If this is true, it could signal a significant escalation in state-sponsored cyber threats originating from Vietnam. Further investigation is required to confirm these connections and understand the full extent of the threat posed by these actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
- Cobalt Kitty
- Exploit
- Implant
Associated Malware
ID | Type | Votes | Profile Description
PHOREAL | Unspecified | 1 | Phoreal is a type of malware, or malicious software, that is designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware has
Associated Threat Actors
ID | Type | Votes | Profile Description
OceanLotus | Unspecified | 1 | OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Ref2754 Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies