Cybercrime group ‘Asylum Ambuscade’ adds espionage to its activities

A previously recognized group of cybercriminals is also running several espionage campaigns against governments in Central Asia and Europe, researchers said Thursday.

Cybersecurity company ESET is warning about Asylum Ambuscade, a cybercrime group that has operated since at least 2020, targeting businesses, banks and cryptocurrency firms in North America.

Lately the group has conducted espionage against government entities in Europe and Central Asia, ESET said. The report does not link the group with a specific country.

“It appears Asylum Ambuscade is branching out, running some recent cyberespionage campaigns on the side, against governments in Central Asia and Europe from time to time,” said ESET researcher Matthieu Faou. “It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of its activities.”

The group’s 2022 espionage campaigns targeted government officials in multiple European nations that border Ukraine. ESET researchers said the goal is to steal confidential information and credentials used to log into government webmail platforms.

The attacks typically start with a spearphishing email that has a malicious Excel spreadsheet or Word document. The hackers then use the AHKBOT malware to spy on the victim through their device.

The malware allows hackers to take screenshots, track keystrokes, steal passwords, download files and more.

In one instance, the group used an exploit of the popular Follina vulnerability affecting Microsoft products. The document was a Ukrainian-language alert about Russian hacking group Gamaredon.

But the espionage tactics are only one part of the group’s activities, according to ESET, which found more than 4,500 victims of Asylum Ambuscade around the world.

Most of the victims are based in North America, but ESET researchers said they found some in Asia, Africa, Europe and South America.

The researchers noted that while targeting of cryptocurrency traders made sense, it is unclear why they were targeting small and medium sized businesses. ESET theorized that the group sells its access to other criminal hackers who use it for their own campaigns like ransomware.

Proofpoint, Trend Micro and several other cybersecurity firms have previously spotlighted the group’s activities over the years, highlighting its campaigns to attack officials in Europe whose governments were involved in helping Ukrainian refugees shortly after Russia’s invasion of the country.