New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


WHO Targeted by Espionage Attempt Believed to be Linked to DarkHotel Threat Group

DarkHotel: The World Health Organization (WHO) has been dealing with a significant increase in cyber-attacks while also attempting to deal with the current COVID-19 pandemic. According to officials at the WHO, the number of cyber-attacks targeting the agency has doubled recently. One instance began on March 13th, in which attackers set up a malicious webpage designed to mimic the WHO’s internal mail system in an attempt to harvest credentials of WHO employees. An unnamed source has claimed that the threat group DarkHotel could be the perpetrators of the ongoing espionage campaign against the WHO. DarkHotel is believed to have been active in cyber-espionage campaigns dating as far back as 2007. The group gained their name for targeting high ranking government and corporate officials through attacks through the Wi-Fi at luxury hotel chains. The group is also known to utilize a number of zero-day exploits, including one through Internet Explorer, which was leveraged through malicious Office documents.

Analyst Notes

Analyst’s Note: This attack was first discovered by monitoring for new domain name registrations that look similar to the legitimate domain name of the World Health Organization ( Recognizing when new domain names are registered that look like a company’s domain name is an important part of a defense strategy, especially if the new domain is configured for email or a fake website is created using the domain. Binary Defense Counterintelligence services help clients monitor for new look-alike or “typo-squatting” domain registrations. Aside from direct attacks against the agency, attackers have also impersonated the WHO to add a sense of legitimacy to COVID-19 related email-based attack campaigns. The research being carried out by the WHO and numerous other agencies around the globe is a highly valuable commodity during this global pandemic. If an attacker were able to gain access to the research being conducted on stopping and curing COVID-19, that information would be invaluable to governments and pharmaceutical companies around the world. This would be doubly true if the attackers were to lock agencies like the WHO out of their systems after identifying such valuable information. Major national and international fears create opportunities for attackers to not only exploit companies, agencies, and organizations involved but also to target a fearful public who are desperate for information. More information on this incident can be found at