Dookhtegan/HelixKitten (APT34): A Telegram user going by the name Dookhtegan has posted the source code to tools belonging to HelixKitten, APT34. Six tools were posted which included Glimpse which is a PowerShell-based trojan (also known as BondUpdater), PoisonFrog, which is an older version of Glimpse/BondUpdater, HyperShell which is a web shell (also known as TwoFace), HighShell another web shell, Fox Panel which is a phishing tool kit, and Webmask which is used for DNS tunneling. The dump also contains what is believed to be data belonging to victims of attacks by HelixKitten. In total, there appears to be information from 66 victims from throughout the Middle East, Africa, Eastern Asia, and Europe. The victims range across multiple industries, including government, telecom, finance, technology, transportation, insurance, medical, energy, gaming, education, construction, aerospace, and media. Two of the biggest names found in the list of victims are Etihad Airways and Emirates National Oil. The dump also revealed IP addresses and domains for a number of the group’s servers. Following the Shadow Brokers breach of the NSA, a significant spike in the use of the tools contained in the breach was seen as other actors began using the tools for their own purposes.
Analyst Notes
It is likely that a similar change in activity will be seen in the coming months.
