Researchers at 360 Qihoo observed a wave of DDoS attacks launched by Russia-linked APT-C-53 (aka Gamaredon) and reported that the threat actors also released as open-source the code of a DDoS Trojan called LOIC. The instances of the malware spotted by the experts were compiled in early March, a few days after the Russian invasion of Ukraine began.
“We found that multiple C2 servers distributed an open-source DDoS Trojan program LOIC compiled by .net from March 4th to 5th, 2022.” reads the analysis published by 360 Qihoo.
While monitoring the activity of the APT group, experts observed threat actors conducting multiple attacks, including phishing campaigns and malware attacks. The experts were able to locate the C2 infrastructure used by the nation-state actors.
Below is the list of domains involved in the DDoS attacks:
decree.maizuko.** |
caciques.gloritapa.** |
delicate.maizuko.** |
jealousy.jump.artisola.** |
dense.gitrostan.** |
decision.lotorgas.** |
decency.maizuko.** |
junior.jacket.artisola.** |
defective88.maizuko.** |
deception.lotorgas.** |
destination.delight.coffiti.** |
cachinate.gloritapa.** |
January.josie.artisola.** |
defective19.maizuko.** |
deception.lotorgas.** |
destination.delight.coffiti.** |
The malicious code distributed by the APT group includes hardcoded IP addresses and ports for the targets.
“The distribution of the LOIC Trojan may be the prelude to a new round of DDoS attacks.” concludes the researchers that also shared Indicators of compromise for the attacks.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Gamaredon
[adrotate banner=”5″]
[adrotate banner=”13″]