A new cyber-espionage campaign, Operation IconCat, targets Israeli organizations by disguising malicious implants as trusted antivirus updates, leveraging brand reputation and social engineering. The campaign includes two waves: one destructive, one espionage-oriented, linked by similar tactics and tools. #SentinelOne #CheckPoint #OperationIconCat #UNG0801
Key points
- The campaign disguises malware as legitimate security updates from well-known security vendors.
- Attackers use Hebrew phishing emails mimicking internal communications to deceive targets.
- The first wave deploys PYTRIC, a destructive wiper malware, while the second deploys RUSTRIC for espionage.
- Both campaigns exploit antivirus icon spoofing and share a similar operational playbook.
- Threat actors are believed to originate from Western Asia, with digital certificates linked to the campaigns.