Iran: Researchers from Recorded Future observed evidence of the Remote Access Trojan PupyRAT targeting the European energy sector. Although the researchers could not attribute the activity to a specific threat group, they noted that the Iran-backed group APT 33, also known as Elfin, has previously used PupyRAT to target critical infrastructure. It is assumed the threat actors are using these network intrusions for reconnaissance and to collect sensitive information about the targeted organizations and the industry as a whole. The group used publicly available tools to carry out its attacks, including PupyRAT, a tool also used for red-team exercises across the security industry. PupyRAT is an open-source project written in Python that runs on Windows, Linux, macOS, and Android. Because APT 33 has used the tool in the past, analysts have suggested that this could be the work of the Iranian threat actors. Recorded Future observed a PupyRAT command and control (C2) server communicating with a mail server belonging to a European energy sector organization. A single contact would not by itself imply a compromise, but the repeated communications between the C2 server and the mail server indicate that an intrusion is likely.
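The distinction drawn above, that one contact proves little while repeated communications with a known C2 address are a strong intrusion signal, can be turned into a simple detection check. The following is an added example, not Recorded Future's tooling or anything from the PupyRAT project; the log format and the IP addresses (TEST-NET ranges standing in for a real indicator feed) are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log lines (not real indicators).
# Format: "<ISO timestamp> <src_host> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2020-01-10T08:00:00 mail01 -> 203.0.113.7:443
2020-01-10T08:05:00 mail01 -> 203.0.113.7:443
2020-01-10T08:10:00 mail01 -> 203.0.113.7:443
2020-01-10T08:12:00 web01 -> 203.0.113.7:443
2020-01-10T09:00:00 mail01 -> 198.51.100.4:25
"""

# Placeholder C2 indicator; in practice this set is loaded from a threat-intel feed.
KNOWN_C2 = {"203.0.113.7"}


def parse_line(line):
    """Split one constructed log line into (timestamp, src_host, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port)


def find_repeated_c2_contacts(log_text, c2_ips, min_contacts=3):
    """Return {(src_host, c2_ip): [timestamps]} for internal hosts that contacted a
    known C2 address at least min_contacts times. A single hit is deliberately not
    reported, mirroring the reasoning that one contact does not imply compromise."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, ip, _port = parse_line(line)
        if ip in c2_ips:
            contacts[(src, ip)].append(ts)
    return {key: sorted(times) for key, times in contacts.items()
            if len(times) >= min_contacts}


if __name__ == "__main__":
    for (host, c2), times in find_repeated_c2_contacts(SAMPLE_LOG, KNOWN_C2).items():
        print(f"{host} contacted C2 {c2} {len(times)} times "
              f"between {times[0]} and {times[-1]}; investigate")
```

The mail server is flagged because it reached the C2 address three times; the single contact from the web server falls below the threshold and is left for analyst review rather than raised as an alert.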
By: Dan McNemar

It is not a new concept that criminals use the Darknet to