Venom Proxy is malicious software (malware) that has been associated with Seedworm, a cyber espionage group, since mid-2022. It is a multi-hop proxy tool developed for penetration testers and is written in Go. This malware, often described as Seedworm's "tool of choice," can infiltrate systems via suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Seedworm tends to use a custom build of Venom Proxy in its activities; Microsoft described this association in an August 2022 blog post.
The malware was part of a set of tools used by attackers in a series of intrusions that took place in November 2023. These tools included the SimpleHelp remote access tool, a new custom keylogger, and other publicly available and living-off-the-land tools. The SimpleHelp tool was used for continuous access to compromised devices and command execution, while the Venom Proxy software managed intranet-connected devices. A custom build of the Venom Proxy hacktool and the new custom keylogger were executed on the networks targeted by the attackers.
Symantec's Threat Hunter Team, a group of security experts, reported these findings. They noted multiple incidents in which SimpleHelp was used to connect to known Seedworm infrastructure at targeted telecommunications and media companies. In addition to SimpleHelp and Venom Proxy, the attackers also used AnyDesk and suspicious Windows Script Files (WSF), which have previously been associated with Seedworm activity. The team has been investigating these targeted attacks, enhancing protection in Symantec products, and providing analysis to help customers respond to them.
Description last updated: 2024-05-04T19:41:16.091Z