Venom Proxy

Malware updated 23 days ago (2024-11-29T14:43:41.452Z)
Download STIX
Preview STIX
Venom Proxy is a malicious software (malware) that has been associated with Seedworm, a cyber espionage group, since mid-2022. It is a multi-hop proxy tool developed for penetration testers and is written in Go. This malware, often used as Seedworm's "tool of choice," can infiltrate systems via suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Seedworm tends to use a custom build of Venom Proxy in its activities, with Microsoft describing this association in an August 2022 blog post. The malware was part of a set of tools used by attackers in a series of intrusions that took place in November 2023. These tools included the SimpleHelp remote access tool, a new custom keylogger, and other publicly available and living-off-the-land tools. The SimpleHelp tool was used for continuous access to compromised devices and command execution, while the Venom Proxy software managed intranet-connected devices. A custom build of the Venom Proxy hacktool and the new custom keylogger were executed on the networks targeted by the attackers. Symantec's Threat Hunter Team, a group of security experts, reported these findings. They noted multiple incidents where SimpleHelp was used to connect to known Seedworm infrastructure in targeted telecommunications and media companies. In addition to SimpleHelp and Venom Proxy, the attackers also used AnyDesk and suspicious Windows Scripting Files (WSF), which have previously been associated with Seedworm activity. The team has been investigating these targeted attacks, enhancing protection in Symantec products, and providing analysis to help customers respond to these attacks.
Description last updated: 2024-05-04T19:41:16.091Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Simplehelp
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Seedworm Threat Actor is associated with Venom Proxy. Seedworm, also known as MuddyWater, TEMP.Zagros, Static Kitten, and several other monikers, is a threat actor believed to be linked with Iran's Ministry of Intelligence and Security (MOIS). This cyberespionage group has been active since 2017, targeting various sectors globally, including governmentUnspecified
2
Source Document References
Information about the Venom Proxy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more