Google Tracking 270 Government-backed Hacker Groups From Over 50 Countries

Google’s Threat Analysis Group (TAG) has tracked more than 270 government-backed cybercriminal associations in over 50 countries. From the beginning of 2021, they have noted that the attack rate of phishing campaigns is increasing and that’s why they have clients with about 50,000 alerts regarding phishing attempts or malware installations.

Soon after detecting such attacks, Google has offset a number of malicious campaigns that have been ejected by the Iranian group APT35. And not only this but this attack also include a social engineering campaign known as Operation SpoofedScholars.

For credential phishing attacks hackers used hacked websites

This is not the first time when APT35 is implementing any attack, however, in early 2021 APT35 have negotiated a website that has been affiliated with a UK university, and the main motive for negotiating with this website is to host a phishing kit.

The threat actors generally sent email messages that are linked to this website, and later it collects all essential credentials for platforms like:- 

  • Gmail
  • Hotmail
  • Yahoo

This type of method is generally being used by APT35, and they are relying upon these procedures since 2017, and are initiating attacks and targeting high-value accounts in the following sectors:-

  • Government organizations
  • Academia
  • Journalism
  • NGOs
  • Foreign policy
  • National security

Use of Spyware Apps

The APT35 hacking group tried to upload spyware in 2020 to the Google Play Store and screened it as VPN software so that nobody doubts it. 

After installing the application it will eventually start stealing all the sensitive data like:- 

  • Call logs
  • Text messages
  • Contacts
  • Location data from the user’s devices

But, luckily, the app was detected by the security experts of Google and soon they removed this malicious application from the Google Play Store.

APT35 is one of the strongest cybercriminal groups, and it is quite famous for its way of initiating an attack. The most important point regarding APT35 is that it has its imitation of conference officials to convey phishing attacks.

However, in this kind of attack, the victims need to navigate through at least one redirect before arriving on a phishing domain. And the most important point is that in this kind of attack link shorteners and click trackers are massively used, and sometimes it is also embedded within PDF files.

Phishing Domains

Here are the domains used by the attackers in their campaigns:-

  • nco2[.]live
  • summit-files[.]com
  • filetransfer[.]club
  • continuetogo[.]me
  • accessverification[.]online
  • customers-verification-identifier[.]site
  • service-activity-session[.]online
  • identifier-service-review[.]site
  • recovery-activity-identification[.]site
  • review-session-confirmation[.]site
  • recovery-service-activity[.]site
  • verify-service-activity[.]site
  • service-manager-notifications[.]info


Moreover, to keep users safe the security analysts have sent thousands of warnings every month as there is a huge rise in this type of attack. 

If any users get such a warning that does not imply that their account has been compromised, it simply states that you have been identified as a target.

The threat analysis will continue to send such warnings so that the victim gets alerted and try to keep themselves safe from this kind of phishing attack. 

While they have also claimed that they will continue to recognize such threat actors groups and will keep sharing all the appropriate information regarding them.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.