ESET researchers analyze LATAM threats under Operation King TUT, noting a shift to high‑value targets and evolving evasion methods. The study covers campaigns from 2019–2023, highlighting spearphishing, PowerShell/VBScript loaders, and RATs like njRAT and AsyncRAT across government and enterprise victims. #OperationKingTUT #KingTut #njRAT #AsyncRAT #Bandook #Remcos
Key points
- The LATAM threat landscape shows increasing sophistication and targeted campaigns against high‑value entities.
- Campaigns appear to involve multiple actors rather than a single threat group.
- Attackers have shifted from general public targets to businesses and governmental entities.
- Spearphishing emails masquerade as legitimate organizations, especially government or tax entities.
- Malicious components include downloaders and droppers, often built with PowerShell and VBScript.
- RATs are prevalent in the campaigns, notably njRAT and AsyncRAT; Bandook and Remcos appear in government-targeted operations.
- There is evidence of ongoing tool updates and evasion techniques to improve campaign success.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Attackers primarily use spearphishing emails to reach potential victims, often masquerading as recognized organizations within specific countries in the region, particularly government or tax entities. Quote: “primarily spearphishing emails to reach potential victims, often masquerading as recognized organizations within specific countries in the region, particularly government or tax entities.”
- [T1059.001] PowerShell – Malicious components like downloaders and droppers mostly created in PowerShell and VBS. Quote: “malicious components like downloaders and droppers, mostly created in PowerShell and VBS.”
- [T1059.005] Visual Basic – See PowerShell entry; components created using VBS. Quote: “mostly created in PowerShell and VBS.”
- [T1105] Ingress Tool Transfer – Use of downloaders/droppers to fetch additional payloads. Quote: “malicious components like downloaders and droppers.”
- [T1562] Impair Defenses – Attackers update tools with evasion techniques to increase campaign success. Quote: “introducing different evasion techniques to increase the success of their campaigns.”
- [T1071.001] Web Protocols – RATs provide remote access capabilities; campaigns involve njRAT/AsyncRAT. Quote: “RATs, particularly from the njRAT and AsyncRAT families.”
Indicators of Compromise
- [Other] IoCs – None explicitly listed in the article; aggregated IoCs are available on the GitHub repository referenced by the researchers.
Read more: https://www.welivesecurity.com/en/eset-research/operation-king-tut-universe-threats-latam/