Proofpoint observed new, targeted activity impacting French entities in the construction and government sectors. The threat actor used macro-enabled Microsoft Word documents to distribute a modified Chocolatey installer package (Chocolatey is an open-source package installer). The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, Command-and-Control (C2) connections, data theft, or delivery of additional payloads. Proofpoint refers to this backdoor as Serpent; the threat actor's ultimate objective is currently unknown. Later stages of the attack chain involve malicious Python scripts smuggled onto target systems, hidden via steganography in .jpg images hosted on a site that presents as a Jamaican credit union website.