The activities of this advanced persistent threat (APT), which SentinelOne tracks as WIP19, show overlaps with Operation Shadow Force, but it is unclear whether this is a new iteration of the campaign or the work of a different, more mature adversary using new malware and techniques.
Mainly targeting entities in the Middle East and Asia, WIP19 uses stolen code-signing certificates to sign several of its malicious components, so a valid signature alone should not be treated as evidence that a binary is benign. To date, the group has been observed using malware families such as ScreenCap, SQLMaggie, and a credential dumper.