
2023-12-25 By RedDrip Team | Incident Tracking

On December 18, Reuters reported that the hacker group Predatory Sparrow, which is linked to Israel and also known as Gonjeshke Darande and Indra, launched an attack on Iranian gas stations on Monday that disrupted roughly 70% of Iran's gas station services. In a statement on its Telegram channel, the group claimed that "this cyber attack was carried out in a controlled manner to avoid potential harm to emergency services" and declared it a "response to the aggressive actions of the Islamic Republic and its proxies in the region."
PREDATORY SPARROW IRAN

2023-12-25 By RedDrip Team | Incident Tracking

On December 18, Reuters reported that Predatory Sparrow (also known as Gonjeshke Darande and Indra), a hacker group linked to Israel, claimed to have attacked Iranian gas stations on Monday, disrupting service at roughly 70% of the country's gas stations. In a statement on Telegram the group said "this cyber attack was carried out in a controlled manner to avoid potential harm to emergency services" and declared the strike a "response to the aggressive actions of the Islamic Republic and its proxies in the region."
PREDATORY SPARROW IRAN

2023-12-20 By RedDrip Team | Incident Tracking

Recently, QiAnXin Threat Intelligence Center uncovered malicious LNK files targeting South Korea. When run, these LNK files drop a decoy file and a VBS script; one sample uses a decoy HWP document titled "Guidelines for Email Security Inspection." Based on the LNK file size and the characteristics of the executed code, our initial assessment pointed to APT37. Further analysis of the dropped VBS script's follow-on behavior and C2 communication, however, showed a closer association with the Konni group, indicating that Konni has recently adjusted its LNK-based attack techniques. Notably, Konni, APT37 and Kimsuky, three APT groups believed to be connected, share some similarities in the LNK files they use.
KONNI APT

2023-12-18 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered malicious LNK files targeting South Korea. When run, the LNK files drop a decoy file and a VBS script; the decoy HWP document used by one sample is a guidance manual on how to perform email security inspections. Based on the LNK file size and the characteristics of the executed code, we initially attributed the samples to APT37, but after further analysis of the dropped VBS script's follow-on behavior and its C2 communication we found that the malicious samples are more closely tied to the Konni group, which also indicates that Konni has recently begun adjusting its LNK-based attack techniques. It is also worth noting that Konni, APT37 and Kimsuky, three APT groups believed to be connected, share some similar characteristics in the LNK files they use.
KONNI APT
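
The two Konni entries above describe LNK files that drop a decoy document and a VBS script, with the LNK file size and the executed command among the attribution clues. The following script is an added example written for this page, not code from the report or from QiAnXin: it walks the Shell Link structures defined in MS-SHLLINK (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData) to find where a well-formed LNK ends, then flags bytes appended past the terminal block, an unusually large file, and script-host names in COMMAND_LINE_ARGUMENTS. The 32 KiB size threshold, the token list, the cp1252 fallback for non-Unicode strings, and the build_lnk helper that constructs the test samples are assumptions made for the demonstration, not values taken from the report.

```python
import struct

# MS-SHLLINK constants: ShellLinkHeader size, LinkCLSID and the LinkFlags bits used here.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Triage thresholds and tokens: assumptions for this example, not values from the report.
OVERSIZED_BYTES = 32 * 1024
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd.exe", "certutil", "findstr")


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structures in order and report where the spec says the file ends."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for name, bit in STRING_FIELDS:              # StringData: CountCharacters + characters
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * (2 if unicode else 1)
            raw = data[off:off + nbytes]
            # Non-Unicode strings use the system default code page; cp1252 is assumed here.
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
            off += nbytes
    while off + 4 <= len(data):                  # ExtraData blocks end with a BlockSize < 4
        size = struct.unpack_from("<I", data, off)[0]
        off += 4 if size < 4 else size
        if size < 4:
            break
    return {"flags": flags, "strings": strings, "structure_end": off,
            "trailing_bytes": max(0, len(data) - off)}


def assess_lnk(data: bytes) -> list:
    """Return heuristic findings for one LNK; an empty list means nothing stood out."""
    info = parse_lnk(data)
    findings = []
    if info["trailing_bytes"] > 0:               # payload carried after the terminal block
        findings.append("appended_data")
    if len(data) > OVERSIZED_BYTES:              # shortcuts are normally a few KiB
        findings.append("oversized")
    args = info["strings"].get("arguments", "").lower()
    if any(tok in args for tok in SCRIPT_HOSTS):
        findings.append("script_host_in_args")
    return findings


def build_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Constructed test sample: header, COMMAND_LINE_ARGUMENTS, terminal block, optional overlay."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    args = arguments.encode("utf-16-le")
    string_data = struct.pack("<H", len(args) // 2) + args
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + appended


if __name__ == "__main__":
    samples = {
        "browser shortcut": build_lnk("--profile-directory=Default"),
        "vbs dropper": build_lnk("/c wscript.exe //e:vbscript %TEMP%\\stage1.vbs",
                                 appended=b"\x90" * 40000),
    }
    for label, sample in samples.items():
        print(f"{label}: {len(sample)} bytes, findings={assess_lnk(sample)}")
```

Run it over a directory of .lnk files by reading each one into bytes and calling assess_lnk; files that raise ValueError are not Shell Links and can be set aside. Appended data is the strongest of the three signals, because a shortcut created by Explorer never has bytes after the terminal block.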

2023-12-15 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center has observed a recent targeted network attack on Kyivstar, the largest mobile network operator in Ukraine, which caused service interruptions for users across the country. A Russian hacker group has since claimed responsibility; the investigation is ongoing, and the attackers may be linked to the Sandworm APT group. We have compiled the details and impact of the attack from publicly available information.
SANDWORM APT KYIVSTAR

2023-12-15 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center noted that Kyivstar, the largest mobile network operator in Ukraine, recently suffered a targeted network attack that interrupted service and affected users in many parts of Ukraine. A Russian hacker group subsequently claimed responsibility for the attack; the relevant parties are currently investigating, and the group behind the attack may be linked to the Sandworm APT group. We have compiled the details of the incident and its impact from information currently available online.
SANDWORM APT KYIVSTAR

2023-12-12 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center discovered unusual behavior during routine endpoint operations: a process named WindowsPackageManagerServer, after a complex chain of operations, ultimately launched a Lumma Stealer build that evaded antivirus detection. We promptly investigated and traced it to a malicious installation package in the Microsoft Store, presented as a Russian-language version of 7-Zip. Our tests confirmed that the official 7-Zip installer is not listed in the Microsoft Store, yet the malicious package appears when users search for keywords related to "7z". Tracing its history showed that the package first appeared in January 2023 and went undetected for almost a year. We internally named this group UTG-Q-003 and have disclosed the incident details and IOCs to the open-source community so that other security vendors can analyze and investigate.
UTG-Q-003 7ZIP SUPPLY CHAIN POISONING

2023-12-12 By RedDrip Team | Incident Tracking

During routine endpoint operations, QiAnXin Threat Intelligence Center discovered anomalous behavior: a process named WindowsPackageManagerServer, after a complex series of operations, ultimately launched a Lumma Stealer build that evaded antivirus detection. We immediately investigated and found the corresponding malicious installation package in the Microsoft Store, presented as a Russian-language version of 7-Zip. Our testing showed that the official 7-Zip installer is not listed in the Microsoft Store, but the malicious package is shown when users search for keywords related to "7z". Tracing showed that the package first appeared in January 2023 and evaded detection for almost a full year. We internally named this group UTG-Q-003 and have released the incident details and IOCs to the open-source community for other vendors to analyze and investigate.
UTG-Q-003 SUPPLY CHAIN POISONING 7ZIP

2023-12-08 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a batch of fairly complex downloader samples. These samples load several layers of nested PE files and ultimately download and execute follow-on payloads from a C2 server. One of the C2 server IP addresses was recently disclosed in connection with a software supply chain attack in which the attackers delivered malware disguised as encryption-related npm packages. Combining that report with the downloaders' own characteristics confirms that these malicious downloaders belong to the npm package supply chain attack. Code features of the downloader and other related samples link them to historical Lazarus attack samples, and given Lazarus's habitual use of supply chain attacks, we assess that the attackers behind this npm package poisoning incident are likely associated with Lazarus.
LAZARUS APT NPM

2023-12-08 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a batch of fairly complex downloader samples. These samples load several layers of nested PE files and ultimately download and execute follow-on payloads from a C2 server. One of the C2 server IP addresses was disclosed not long ago as being used in a software supply chain attack in which the attackers delivered malware disguised as encryption-related npm packages. Combining that report with the information in the downloader samples themselves confirms that these downloaders are related to the npm package supply chain attack.
APT LAZARUS NPM
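
The two Lazarus downloader entries above describe samples built from several layers of nested PE files. As an added example written for this page, not code from the report or from QiAnXin, the following Python scans a blob for embedded PE images by validating each MZ header's e_lfanew against a PE signature and a known Machine value, then sizes each image from its section table so that an inner layer can be carved out for separate analysis. The make_stub_pe helper constructs the minimal, non-loadable PE stubs used as sample input; the Machine table, the 0x40 lower bound on e_lfanew and the layout of the constructed outer/inner blob are assumptions for the demonstration.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
# Machine values accepted as plausible Windows targets (assumed subset for the demo).
MACHINES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}


def find_embedded_pe(blob: bytes) -> list:
    """Return (offset, machine) for every 'MZ' whose e_lfanew points at a PE signature
    followed by a known Machine value; stray 'MZ' bytes in text or data are skipped."""
    hits = []
    pos = blob.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(blob):                      # full IMAGE_DOS_HEADER present
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if (0x40 <= e_lfanew and nt + 6 <= len(blob)
                    and blob[nt:nt + 4] == IMAGE_NT_SIGNATURE):
                machine = struct.unpack_from("<H", blob, nt + 4)[0]
                if machine in MACHINES:
                    hits.append((pos, MACHINES[machine]))
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def pe_extent(blob: bytes, offset: int) -> int:
    """Size in bytes of the PE at `offset`: the end of its section table or of the
    farthest section's raw data, whichever is larger. Any overlay is not included."""
    nt = offset + struct.unpack_from("<I", blob, offset + 0x3C)[0]
    n_sections = struct.unpack_from("<H", blob, nt + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", blob, nt + 20)[0]         # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = nt + 4 + FILE_HEADER_SIZE + opt_size
    end = table + SECTION_HEADER_SIZE * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each IMAGE_SECTION_HEADER;
        # PointerToRawData is relative to the start of this PE, not of the blob.
        raw_size, raw_ptr = struct.unpack_from("<II", blob, table + SECTION_HEADER_SIZE * i + 16)
        end = max(end, offset + raw_ptr + raw_size)
    return end - offset


def carve_embedded(blob: bytes) -> list:
    """(offset, machine, image_bytes) for each embedded PE, nested ones included."""
    return [(off, machine, blob[off:off + pe_extent(blob, off)])
            for off, machine in find_embedded_pe(blob)]


def make_stub_pe(machine: int, section_payload: bytes) -> bytes:
    """Constructed sample: DOS header, PE signature, file header, empty optional header,
    one section header and its raw data. Enough structure to parse, not a loadable binary."""
    e_lfanew = 0x40
    dos_header = IMAGE_DOS_SIGNATURE + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    headers_size = e_lfanew + 4 + FILE_HEADER_SIZE + SECTION_HEADER_SIZE
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          len(section_payload), headers_size, 0, 0, 0, 0, 0x60000020)
    return dos_header + IMAGE_NT_SIGNATURE + file_header + section + section_payload


def demo_nested_blob() -> bytes:
    """Constructed two-layer sample: an amd64 stub whose .text section carries an i386 stub."""
    inner = make_stub_pe(0x14C, b"INNER" * 10)
    return make_stub_pe(0x8664, b"\x00" * 16 + inner + b"\x00" * 8)


if __name__ == "__main__":
    for off, machine, image in carve_embedded(demo_nested_blob()):
        print(f"PE at 0x{off:x} ({machine}), {len(image)} bytes")
```

On a real downloader, feed the file bytes to carve_embedded and write each returned image to disk; running the same function on each carved image peels the next layer. Because pe_extent stops at the last section's raw data, an encrypted or compressed payload stored as an overlay must still be located from the outer image's own code.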
