Cyberespionage threat umbrella group TA410, which is composed of FlowingFrog, JollyFrog, and LookingFrog, has launched a new campaign leveraging a new version of the FlowCloud remote access trojan with audio recording, clipboard event monitoring, and camera device control capabilities, reports The Hacker News.
Entities across the U.S., Africa, and the Middle East have previously been attacked by TA410, which was first reported by Proofpoint in 2019. However, ESET researchers discovered that TA410 consists of subgroups that share intelligence but are otherwise somewhat independent of each other.
JollyFrog has been observed to leverage Korplug (also known as PlugX), QuasarRAT, and other off-the-shelf malware, while FlowingFrog uses the Royal Road RTF weaponizer to deliver the Tendyron downloader, which installs FlowCloud and a Gh0stRAT-based backdoor. The report also showed that the group gains initial access both through spear-phishing and by exploiting internet-exposed applications.
"This indicates to us that their victims are targeted specifically, with the attackers choosing which entry method has the best chance of infiltrating the target," said ESET malware researcher Alexandre Côté Cyr.