The APT group tracked as TA402 but widely known as Molerats has been observed using a new implant dubbed ‘NimbleMamba’. The implant is being used in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites.
Proofpoint discovered the campaign, and its analysts observed three variations of the infection chain, all targeting governments in Middle Eastern countries, foreign policy think tanks, and a state-owned airline.
The threat actors first used the new implant in November 2021 and continued using it through late January 2022.