Frequently Asked Questions

Cyberattack Trends & Threats

What were the main cyberattacks addressed by Cymulate in September 2022?

Cymulate's research team addressed a range of attacks in September 2022, including nation-state campaigns (such as Iran's APT42 and MuddyWater), North Korea's Lazarus group targeting energy providers, the Grandoreiro banking trojan, ChileLocker ransomware, Linux-targeted malware like Shikitega, the Prynt Stealer information stealer, and Vice Society attacks on academia. All these threats are included in Cymulate’s Immediate Threat module.

How do nation-state actors target organizations according to Cymulate's September 2022 wrap-up?

Nation-state actors, such as Iran's APT42 and MuddyWater, targeted personal and corporate email accounts, deployed mobile malware for surveillance, and exploited vulnerabilities like Log4j 2 in SysAid applications. North Korea's Lazarus group used remote access trojans to infiltrate energy providers and maintain long-term access for data exfiltration.

What tactics did the cyber-espionage group WOROK use in Asia?

WOROK used publicly available reconnaissance tools (Mimikatz, EarthWorm, ReGeorg, NBTscan) and custom implants (PNGLoad) to target high-profile companies and local governments in Asia, the Middle East, and Africa. Their attacks often began with weaponized email attachments exploiting CVE-2018-0798.

How did Grandoreiro banking trojan and ChileLocker ransomware operate?

Grandoreiro targeted organizations in Mexico and Spain via spear-phishing emails impersonating government officials, using techniques like binary padding and sandbox evasion. ChileLocker ransomware encrypted Windows and Linux VMware ESXi servers using NTRU encryption and demanded ransom in BTC, spreading through insecure RDP, email spam, and malicious downloads.

What is Shikitega malware and how does it target Linux systems?

Shikitega is a Linux-specific malware delivering a multistage infection chain. It downloads and executes Metasploit Meterpreter, exploits Linux vulnerabilities, sets persistence, downloads cryptominers, and abuses legitimate cloud services for command and control.

How does Prynt Stealer exfiltrate stolen credentials?

Prynt Stealer, derived from AsyncRAT and StormKitty, captures credentials from browsers, VPN/FTP clients, and messaging apps. It uses Telegram for exfiltration, with a backdoor channel sending stolen data to the malware developer’s private chat.

What attack methods does Vice Society use against academic institutions?

Vice Society uses intrusion, exfiltration, and extortion tactics, deploying ransomware variants like Hello Kitty/Five Hands and Zeppelin. They exploit compromised credentials, internet-facing applications, PrintNightmare vulnerabilities, scheduled tasks, DLL side-loading, and double extortion by threatening to release sensitive data unless ransom is paid.

How does Cymulate help organizations test their defenses against active malware attacks?

Cymulate enables organizations to run automated simulations of active malware attacks, uncover exposures, and harden resilience with actionable mitigation. The platform provides comprehensive security assessments and threat simulation tools.

What vulnerabilities are still commonly exploited according to Cymulate's research?

Older vulnerabilities, such as CVE-2018-0798 (remote code execution in Microsoft Equation Editor), remain commonly exploited because organizations do not deploy critical patches or upgrade software.

What is the Immediate Threat module in Cymulate?

The Immediate Threat module in Cymulate includes up-to-date attack simulations based on current threat intelligence, allowing organizations to test their defenses against the latest cyber threats.

How does Cymulate empower organizations to fortify their defenses?

Cymulate empowers organizations through continuous assessment and validation of their security posture, threat simulation, and actionable insights. The platform focuses on innovation and comprehensive security testing to help organizations stay ahead of cyber threats.

What tools and techniques are used by Vice Society actors?

Vice Society actors use tools like SystemBC, PowerShell Empire, Cobalt Strike, and "living off the land" techniques targeting Windows Management Instrumentation (WMI). They also exploit PrintNightmare vulnerabilities, scheduled tasks, DLL side-loading, and process injection for persistence and evasion.

How does Cymulate's Exposure Validation make advanced security testing fast and easy?

Cymulate Exposure Validation provides a unified platform for building custom attack chains, enabling fast and easy advanced security testing. Users can access all necessary tools in one place, streamlining the process of validating exposures.

What is the role of custom attack chains in Cymulate's platform?

Custom attack chains in Cymulate's platform allow users to simulate complex, multi-stage attacks tailored to their environment, helping identify vulnerabilities and improve resilience against real-world threats.

How does Cymulate support organizations in patch management?

Cymulate highlights the importance of patch management by simulating attacks that exploit unpatched vulnerabilities, helping organizations identify gaps and prioritize patching efforts to reduce risk.

What are the benefits of using Cymulate for exposure management?

Cymulate offers benefits such as continuous assessment, actionable insights, and the ability to simulate real-world threats, enabling organizations to proactively manage exposures and strengthen their security posture.

How does Cymulate help organizations stay ahead of cyber threats?

Cymulate equips organizations with tools and insights for continuous security validation, threat simulation, and exposure management, helping them anticipate and defend against evolving cyber threats.

Features & Capabilities

What features does Cymulate offer for security validation?

Cymulate offers continuous threat validation, attack path discovery, automated mitigation, detection engineering, complete kill chain coverage, and an extensive threat library with daily updates.

Does Cymulate provide full kill-chain attack simulations?

Yes, Cymulate provides full kill-chain attack simulations covering threats like ransomware, malware, APT groups, CVEs, and MITRE ATT&CK TTPs, offering comprehensive visibility into organizational threat exposure.

What integrations does Cymulate support?

Cymulate integrates with a wide range of technology partners, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, Cybereason, and more. For a complete list, visit our Partnerships and Integrations page.

How does Cymulate prioritize exposures?

Cymulate ranks vulnerabilities based on exploitability, business context, and threat intelligence, enabling focused remediation efforts and evidence-based prioritization.

How often is Cymulate's threat library updated?

Cymulate's threat library is updated daily, ensuring customers have access to the latest attack simulations and threat intelligence.

What is Cymulate's approach to automated mitigation?

Cymulate integrates with security controls to push threat updates for immediate prevention of missed threats, automating mitigation and improving operational efficiency.

How does Cymulate accelerate detection engineering?

Cymulate validates responses and builds custom detection rules for SIEM, EDR, and XDR, helping organizations improve mean time to detect and optimize their detection engineering processes.

Use Cases & Benefits

Who can benefit from Cymulate's platform?

Cymulate is designed for CISOs, security leaders, SecOps teams, Red Teams, and vulnerability management teams across industries such as finance, healthcare, retail, media, transportation, and manufacturing.

What business impact can customers expect from using Cymulate?

Customers report an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, 30% improvement in threat prevention, and a 52% reduction in critical exposures. See the Hertz Israel case study.

How does Cymulate address pain points for different security personas?

Cymulate provides tailored solutions for CISOs (metrics and investment justification), SecOps (automation and efficiency), Red Teams (offensive testing and threat intelligence), and vulnerability management teams (prioritization and remediation).

What problems does Cymulate solve for security teams?

Cymulate solves problems such as overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers.

How easy is Cymulate to implement and use?

Cymulate is agentless, requires minimal resources, and can be deployed quickly. Customers report ease of use, an intuitive UI, and immediate value. Support is available via email and chat, and educational resources are provided.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its user-friendly platform, intuitive interface, and actionable insights. Testimonials highlight ease of implementation and immediate value.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. The fee is non-refundable and must be paid regardless of usage. For a quote, schedule a demo.

Competition & Comparison

How does Cymulate compare to AttackIQ?

AttackIQ delivers automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate offers the industry's leading threat scenario library and AI-powered capabilities.

How does Cymulate compare to Mandiant Security Validation?

Mandiant is an original BAS platform but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks Cymulate's depth for full defense assessment. Cymulate offers comprehensive exposure validation, covering the full kill chain and providing cloud control validation.

How does Cymulate compare to Picus Security?

Picus is suitable for on-premise BAS needs but lacks Cymulate's complete exposure validation platform. Cymulate covers the full kill chain and includes cloud control validation.

How does Cymulate compare to SafeBreach?

SafeBreach offers breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate leads with AI-powered BAS, the largest attack library, and a full CTEM solution.

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams but lacks Cymulate's focus on actionable remediation and automated mitigation. Cymulate provides a complete exposure validation platform with daily threat updates, no-code workflows, and vendor-specific remediation guidance.

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, ensuring robust security practices and global compliance.

How does Cymulate ensure data protection and privacy?

Cymulate incorporates data protection by design, has a dedicated privacy and security team, and is GDPR compliant. Data is hosted in secure AWS data centers with encryption in transit and at rest.

What application security practices does Cymulate follow?

Cymulate follows a strict Secure Development Lifecycle (SDLC), including secure code training, continuous vulnerability scanning, software composition analysis, and annual third-party penetration tests.

How does Cymulate train its employees in security awareness?

All Cymulate employees receive ongoing security awareness training, are subject to phishing campaign tests, and must adhere to comprehensive security policies.

Educational Resources & Support

Where can I find Cymulate's blog and newsroom?

For insights on threats, research, and company news, visit our blog and our newsroom.

Where can I find resources like reports, blogs, and webinars from Cymulate?

Access a combination of insights, thought leadership, and product information in our Resource Hub, as well as our blog, newsroom, and events and webinars page.

Does Cymulate provide educational resources like a blog, glossary, or resource hub?

Yes, Cymulate offers a Resource Hub, blog, and glossary of cybersecurity terms. Visit Resource Hub, blog, and glossary.

What kind of topics are covered in the Cymulate blog?

The Cymulate blog covers cybersecurity topics such as Kerberos authentication relay, red/blue/purple team strategies, types of network attacks, cloud threat detection, vulnerability management, and supply chain attacks.

Does Cymulate's blog discuss common types of network attacks and how to prevent them?

Yes, the blog post '10 Types of Network Attacks: Common Threats and How to Prevent Them' details how network attacks have evolved and provides guidance on prevention.


September 2022 Cyberattacks Wrap-up

By: Cymulate

Last Updated: August 7, 2025


Below is a non-exhaustive summary of the main attacks addressed by the Cymulate research team during September 2022. All the attacks mentioned are included in Cymulate’s Immediate Threat module. 

Nation-state attacks 

September saw high activity from nation states, including Iran’s apparent APT42 surge in targeted attacks against the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics involved in research on Iran. These attacks were designed to deploy mobile malware capable of tracking victim locations, recording phone conversations, accessing videos and images, and extracting entire SMS inboxes.

A US-CERT alert warns that IRGC-affiliated actors are actively targeting a broad range of entities, including organizations across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations.
In addition, the Iran-based threat actor MuddyWater, AKA Mercury, presumed to be a subordinate element within the Iranian Ministry of Intelligence and Security, exploited unpatched Log4j 2 vulnerabilities in SysAid applications against a number of organizations located in Israel; the recent spike of attacks relies on these unpatched Log4j 2 flaws.

North Korea also seems to have increased its activity with a Lazarus-orchestrated campaign leveraging a new remote access trojan, MagicRAT, to target energy providers, including in the US, Canada, and Japan, by infiltrating organizations and attempting to maintain long-term access and exfiltrate data.

Asia in the Line of Fire 

The cyber-espionage group WOROK, which claims to be a cyberespionage collective and is currently not attributed to any specific nation-state, deployed multiple publicly available tools for reconnaissance, including Mimikatz, EarthWorm, ReGeorg, and NBTscan, and then deployed its custom implants: a first-stage loader, followed by a second-stage .NET loader (PNGLoad). WOROK targeted high-profile companies and local governments, mostly in Asia, though also in the Middle East and Africa.

Another threat actor, active since 2016, launched an attack against a telecommunications agency in South Asia. The attack used Chinoxy and PivNoxy and began with a simple email that initially appeared to be a standard malicious spam message. However, it carried a weaponized Word attachment built with the Royal Road malicious document tool and containing the CVE-2018-0798 exploit, which targets an Equation Editor vulnerability.

While a payload was unavailable at the time of the investigation, OSINT research points to the Poison Ivy RAT, which FortiGuard Labs has previously highlighted. 

Asian organizations, and potentially some in Mexico, are believed to be a reconnaissance target of a threat actor that we believe was also involved in Operation NightScout in 2021. 

CVE-2018-0798 is a Remote Code Execution (RCE) vulnerability in Microsoft's Equation Editor (EQNEDT32), for which Microsoft released a fix on January 9, 2018. 

The fact that attackers are still targeting this vulnerability highlights that not all organizations deploy critical patches or upgrade to the latest software. 

The truth is that older vulnerabilities are still commonly and successfully being exploited. 

Grandoreiro Banking Trojan and Chile Locker Ransomware 

A recent Grandoreiro campaign targeted organizations in the Spanish-speaking nations of Mexico and Spain across a variety of industry verticals, such as automotive and chemicals manufacturing.

The attack consists of threat actors impersonating government officials from the Attorney General's Office of Mexico City and from the Public Ministry in spear-phishing emails designed to lure victims to download and execute "Grandoreiro", a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America. 

Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot. 

ChileLocker Ransomware targeted a Mexican Bank:

This crypto-ransomware encrypts the data of Windows and Linux VMWare ESXi servers using the NTRU (NTRUEncrypt Public Key Cryptosystem) algorithm and then demands a ransom in BTC to get the files back. 

ChileLocker can be distributed through insecure RDP configurations, email spam and malicious attachments, fake downloads, botnets, exploits, malicious ads, web injections, fake updates, and repackaged or infected installers. It can access executable files, terminate processes, and spread over the local network.

It persists by adding an entry named SecurityUpdate under the Run registry key so that it executes at system startup.

Ongoing Linux Targeting 

Continuing this year’s meteoric rise in malware and ransomware targeting Linux, this month saw the appearance of Shikitega, a new Linux-specific malware that delivers a multistage infection chain in multiple layers. The first layer contains only a few hundred bytes, and each module is responsible for a specific task, ranging from downloading and executing Metasploit Meterpreter to exploiting Linux vulnerabilities, setting persistence on the infected machine, downloading and executing a cryptominer, or abusing legitimate cloud services to host some of its command and control servers.

Beware of Using Available Malware 

Derived from AsyncRAT and StormKitty and written in .NET, Prynt Stealer is an information stealer with the ability to capture credentials stored on a compromised system, including web browsers, VPN/FTP clients, and messaging and gaming applications. 

Prynt Stealer uses Telegram to exfiltrate data stolen from victims, and its author secretly added a backdoor Telegram channel: data gathered by other criminals using the malware is also sent to a private Telegram chat monitored by the builder's developers.

Academia Under Vice Society Attack 

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations.

Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. As of the time of writing, Vice Society actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but they may deploy other variants in the future. Their presumed favored attack method is to obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190], after spending time exploring the network, identifying opportunities to increase access, and exfiltrating data [TA0010]. They then use a double extortion tactic, threatening to publicly release sensitive data unless a victim pays a ransom. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike, to move laterally, as well as "living off the land" techniques targeting the legitimate Windows Management Instrumentation (WMI) service [T1047] and tainting shared content [T1080].

Other tactics used by Vice Society actors include:

  • exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges [T1068];
  • using scheduled tasks [T1053], creating undocumented autostart Registry keys [T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [T1574.002] to maintain persistence;
  • masquerading their malware and tools as legitimate files [T1036], using process injection [T1055], and likely using evasion techniques to defeat automated dynamic analysis [T1497] in order to evade detection;
  • running scripts to change the passwords of victims' network accounts to prevent the victim from remediating.
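Two of the persistence mechanisms described above are cheap to hunt for in endpoint telemetry: ChileLocker's Run-key entry named SecurityUpdate, and the autostart Registry keys and scheduled tasks used by Vice Society. The following is an added example (not Cymulate's or any vendor's code) of a small detector run over constructed, simplified Sysmon-style log lines; the field names, the sample events and the "user-writable path" heuristic are assumptions for the example.

```python
import re

# Autostart value under Run/RunOnce (MITRE T1547.001); captures the value name.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# Heuristic (assumption): legitimate boot-time launchers rarely live here.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Users\\Public|AppData)\\", re.IGNORECASE)
# Run value name ChileLocker is reported to use for its startup entry.
KNOWN_BAD_VALUE_NAMES = {"securityupdate"}
# Splits 'Key=value Key2=value two' records; values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample telemetry: EventID 13 = registry value set, EventID 1 = process create.
SAMPLE_LOG = r"""
EventID=13 Image=C:\Users\bob\AppData\Local\Temp\lockr.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate Details=C:\Users\bob\AppData\Local\Temp\lockr.exe
EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray Details=C:\Program Files\Vendor\tray.exe
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon
EventID=13 Image=C:\Windows\regedit.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)
""".strip()


def parse_event(line):
    """Turn one 'Key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def evaluate(event):
    """Return the reasons an event looks like malicious persistence (empty list = benign)."""
    reasons = []
    if event.get("EventID") == "13":
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if m:
            name, target = m.group("name"), event.get("Details", "")
            if name.lower() in KNOWN_BAD_VALUE_NAMES:
                reasons.append(f"Run value name '{name}' matches ChileLocker indicator")
            if USER_WRITABLE_RE.search(target):
                reasons.append(f"Run value '{name}' launches from user-writable path: {target}")
    elif event.get("EventID") == "1":
        cmd = event.get("CommandLine", "")
        if re.search(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b", cmd):
            action = re.search(r"(?i)\s/tr\s+(\S+)", cmd)
            if action and USER_WRITABLE_RE.search(action.group(1)):
                reasons.append(f"Scheduled task action in user-writable path: {action.group(1)}")
    return reasons


def scan(log_text):
    """Scan a log blob; return [(line_number, reason), ...] for suspicious events."""
    findings = []
    for num, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            for reason in evaluate(parse_event(line)):
                findings.append((num, reason))
    return findings


if __name__ == "__main__":
    for num, reason in scan(SAMPLE_LOG):
        print(f"line {num}: {reason}")
```

On the sample, lines 1 and 3 are flagged (the SecurityUpdate Run value and the schtasks action under C:\Users\Public), while the vendor tray entry and the Explorer setting on lines 2 and 4 are not.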

————– 

Think your defenses are ready for today’s threats? Put them to the test. Run an automated simulation of active malware attacks to uncover exposures and harden resilience with actionable mitigation.
