Categories: Cyber CrimeSecurity

NightHunter extensive data theft campaign has been active since 2009

Experts from Cyphort Labs have discovered an extensive data theft campaign named Nighthunter that has been active since 2009 stealing victim’s credentials.

Security experts at Cyphort firm have recently uncovered a five-year-old attack campaign dubbed NightHunter arranged to steal user credentials for Dropbox, Facebook, and other web services. The malicious campaign is cross sector, every industry has been targeted without distinction, the experts haven’t noticed any targeted attack in the criminal operation.

“Campaign is amassing login credentials of users. At this point it does not seem likely that they are targeting specific organization or industries. We have seen threat activity across several verticals including energy, education, insurance and even charities. Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype.” is explained in a blog post published by Cyphort.

Users’ credentials for principal web services including social networks, cloud storage and email service providers are precious commodities on the underground, security experts are aware of numerous cyber attacks which are conducted to gather this information.
The motivation of the bad actors behind NightHunter campaign are not clear and also the nature of the attackers (e.g. cyber criminals or hacktivists), anyway credentials for principal web services could be used by attackers for numerous illegal activities, to arrange a spam campaign or to control a Botnet hiding settings in a DropBox folder.
The NightHunter campaign uses SMTP email for syphon data as explained in the blog post:
NightHunter uses SMTP (email) for data exfiltration instead of more common CnC mechanisms that use web protocols. This could be to simply “hide (and steal data) in the plain sight” as organizations beef up web anomaly detection for dealing with advanced attacks.”

The bad actors used several different keyloggers ( e.g. Predator Pain, Limitless, and Spyrex) to steal the victims credentials and send out them via SMTP, a tactic that allows the attackers to remain hidden for a long time.

“The NightHunter data theft campaign is believed to have been active since at least 2009, targeting energy firms, educational institutions, hospitals and charities and other enterprises.”

The researchers at Cyphort started the investigation on NightHunter when received a sample through a phishing email. The malware sample is a .net binary that steals victims’ credentials and sends them to a remote email server.

The attackers used phishing messaged with subject lines such as “Purchase Order” and “Inquiry”, the malicious mails are targeting credentials for Skype, Amazon, LinkedIn, Google, Yahoo, Hotmail, Rediff, and banks.

The experts examined many other samples also delivered with a similar mechanism, the actual number of  infected machines is at least 1,800 compromised PCs discovered by Cyphort, but it is likely that the majority of infected machine used by the attackers are either private or are not publicly accessible for this reason it is impossible for the company looking into the upload account.

“This attack is ongoing and we continue to monitor it,” “The attackers are very aggressive in their data-collection methodology, as well as the intervals of data exfiltration. Given the systematic nature of the actors behind this campaign, we are speculating that they are still in a ‘reconnaissance stage’ targeting credentials of high-level executives, but at this point it is impossible to speculate on their endgame with any degree of certainty.” said Cyphort co-founder Fengmin Gong.

Gong believes that bad actors who arranged the NightHunter campaign could improve their efficiency by using big-data techniques to mine the stolen credentials, allowing them to use stolen data also for targeted attacks.

NightHunter is considered one the most singular  campaigns discovered by the experts at Cyphort due to the complex data collection models it exhibits, the case is the evidence of the efficiency of phishing campaign.

Pierluigi Paganini

Security Affairs –  (NightHunter , phishing)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws…

2 hours ago

Mirai botnets exploit Wazuh RCE, Akamai warned

Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai…

5 hours ago

China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns

China-linked threat actor targeted over 70 global organizations, including governments and media, in cyber-espionage attacks…

9 hours ago

DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes,…

21 hours ago

OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops

OpenAI banned ChatGPT accounts tied to Russian and Chinese hackers using the tool for malware,…

1 day ago

New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

A new variant of the Mirai botnet exploits CVE-2024-3721 to target DVR systems, using a…

1 day ago