This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.

This report describes a malware operation against the Syrian Opposition. We name the operator Group5, and suspect they have not been previously-reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones with malware.

Appendices for the report “Keep Calm and (Don’t) Enable Macros”

In this research note, we analyze a malware campaign targeting Hong Kong democracy activists. Two new malware families are used in the campaign that we name UP007 and SLServer. Previous reports have shown overlap in the tactics, tools, and procedures used in this campaign in other operations targeting groups in Burma, Hong Kong, and the Tibetan community.

This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We describe how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing

This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes.

This report analyzes a campaign of targeted attacks against an NGO working on environmental issues in Southeast Asia. Our analysis reveals connections between these attacks, recent strategic web compromises against Burmese government websites, and previous campaigns targeting groups in the Tibetan community.

This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.

این گزارش به کمپین رو به رشد حملات فیشینگ علیه کاربران در گستره ایران و حداقل یک حمله به یک فعال غربی می‌پردازد. این حمله‌ها تلاش دارند تا امنیت مضاعفی که از طریق رمز عبور دو مرحله‌ای در گوگل فراهم شده است را دور بزنند و به شکل گسترده‌ای مبتنی بر تماس‌های تلفنی و تلاش برای ورود در زمان حقیقی از سوی مهاجم است. جالب اینجاست که این حمله‌ها عموما با یک تماس تلفنی از کشور انگلستان شروع می‌شده و هکرها به یکی از دو زبان فارسی و یا انگلیسی ارتباط برقرار می‌کرده‌اند.