Today we share details about Operation Triangulation, a campaign targeting iOS devices of Kaspersky employees. It was an unprecedented investigation, and we've done a lot to study this campaign with great scrutiny. Report and IoCs here: @kucher1n @2igosha.

We have just discovered two malicious PyPi packages masquerading as HTTP libraries: ‘ultrarequests’ and ‘pyquest’. The description of these packages is taken from the ‘requests’ package. The malicious code is in the class ‘HTTPError’ (‘exceptions[.]py’ file) [1/3]

Beware of links from popular YouTube videos, as they may contain #malware. We found such a video (64K views, 180K subscribers) that has a link to a Tor Browser installer in the description. That installer comes with a previously unknown spyware that we dubbed #OnionPoison. [1/4]

Magic is here! We have discovered a previously unknown #APT that has been attacking organizations in the area affected by the conflict between Russia and Ukraine. Observed victims were compromised with previously unknown implants that we dubbed #PowerMagic and #CommonMagic. [1/4]

Ever wanted to take another look at #OperationTriangulation malware? Then check out VirusTotal - we have uploaded malicious modules used in this campaign.

Have you wanted to take your own look at the #iOSTriangulation spyware? Well, we uploaded the #TriangleDB implant to VirusTotal:

Today I earned a bachelor's degree with highest honors from the Faculty of Computational Mathematics and Cybernetics at Lomonosov Moscow State University!

Unmunging hex strings is what I've been doing recently. #IOSTriangulation

As for now, we continue our investigation to find additional information about discovered implants and the threat actor behind it. More details on Securelist: [4/4].

It's interesting that the server sends the second stage implant only if the victim's IP is from #China, so the campaign targets only Chinese-speaking users. Features of the spyware include collecting system information, stealing browser history and executing shell commands. [3/4]

The malicious Tor installation has been configured to be less private (it stores browsing history, login data, etc.), and its freebl3.dll library is infected with malware. When the browser is launched, this library contacts the C2 server to receive a second stage implant. [2/4]

For technical details and IoCs, please refer to our article @Securelist:

The final stage is a W4SP stealer that gathers cookies, Discord tokens, crypto wallets as well as files that may contain credentials. We have already reported these two packages to the PyPi security team. More details upcoming on [3/3]

This code downloads an obfuscated next stage script from the zerotwo-best-waifu[.]online website. The stage in turn downloads another obfuscated script, drops it on disk and configures persistence. [2/3]

Victims compromised with #PowerMagic have been additionally infected with the #CommonMagic modular framework. It uses OneDrive to download malicious modules and upload their execution results. We identified two modules: a screenshot taker and a USB file stealer. [3/4]

Correct link for the 4th sample:

Observed victims downloaded a malicious ZIP archive with a lure document and a malicious LNK file that deploys the PowerShell #PowerMagic backdoor. It uses cloud storages such as OneDrive or Dropbox to receive PowerShell commands and execute them. [2/4]

Check out our blogpost made by @2igosha and I about these 2 malicious PyPi packages:.

@_manastas Thanks! It was about malware in open source repositories such as PyPI and npm.

The magic is coming. .

Check out our latest research!.

The biggest and boldest conference is making a triumphant return… join us at #thesas2023 CFP is open:

@lorenzofb We thought the same thing: the campaign targets users who have VPN access and are trying to find on YouTube how to download Tor.

What will financial threats landscape look like in 2023? Join Kaspersky’s panel discussion to find out more on cybersecurity predictions:

@shmleverser Thank you! It’s a G-Shock GST-B400.

@noarfromspace Thanks! Correct link for the 4th sample: