“Asylum Ambuscade”: A Group Behind Massive Cybercrime and Espionage Campaigns

Cybercrime Group ‘Asylum Ambuscade’ Linked to Thousands of Cybercrime and Espionage Campaigns

The cybersecurity firm ESET has linked the threat actor ‘Asylum Ambuscade,’ also known as TA445, to thousands of cybercrime and espionage campaigns over the past three years. Although the group has been active since at least 2020, it was initially detailed in March 2022, when it targeted European government personnel who were helping Ukrainian refugees. Asylum Ambuscade primarily targeted small and medium-sized businesses (SMBs), individuals, and cryptocurrency traders, with over 4,500 victims identified worldwide. With the majority of Asylum Ambuscade’s victims located in North America, compromised entities have also been identified in Asia, Africa, Europe, and South America.

Level of Compromise

Asylum Ambuscade uses similar compromise chains for both its cybercrime and espionage campaigns. The attack chain usually starts with ads leading to a malicious JavaScript file and multiple redirections, or with spear-phishing emails with malicious attachments leading to a malware downloader. In order to avoid detection, the group uses different variants of the SunSeed downloader, written in Lua, Tcl, and Visual Basic, and the Ahkbot second-stage downloader, written in AutoHotkey or Node.js (named Nodebot). Both SunSeed and Ahkbot are not available on underground forums. ESET believes all of Asylum Ambuscade’s identified cybercrime and espionage campaigns are operated by the same threat actor.

Scope of Operations

While Asylum Ambuscade primarily targeted SMBs and individuals located in North America and Europe, it has recently started to branch out and run cyberespionage campaigns against governments in Central Asia and Europe. Previously, the group compromised “government officials and employees of state-owned companies in Central Asia countries and Armenia,” ESET says. The cybersecurity firm also believes that Asylum Ambuscade is responsible for a 2020 campaign targeting US and Canadian bank users and for the recently detailed Screentime campaign, where screenloggers were used to collect information on high-value targets.

Advice and Editorial

Asylum Ambuscade’s operations highlight several essential cybersecurity lessons. First, businesses, government entities, and individuals worldwide should always remain vigilant and be aware of the latest cybersecurity threats. Second, it is vital for organizations to keep their cybersecurity defenses up to date and conduct regular security awareness training for employees. Third, individuals and businesses should use multi-factor authentication, which provides an additional layer of security and protection against phishing and other cyberattacks. Fourth, the use of secure and encrypted communication channels and platforms should be emphasized to prevent unauthorized access and data breaches. Finally, governments and law enforcement agencies must allocate adequate resources and collaborate more effectively across borders to investigate and prosecute cybercriminals.

As the digital age advances, cybercriminals will continue to develop and refine their tactics to exploit weaknesses and vulnerabilities in people, processes, and technology. Therefore, governments, businesses, and individuals must work together to promote cybersecurity awareness and resilience. With the right combination of defensive strategies, vigilance, and precautionary measures, the fight against cybercrime can be won.