12 October 2022

Polonium hackers used at least seven different custom backdoors in attacks on Israeli orgs

Security researchers from ESET have published a report detailing cyber activities of an advanced persistent threat (APT) group called ‘Polonium,’ which has used at least seven different custom backdoors in their attacks since September 2021.

Polonium is believed to be a cyber-espionage group operating from Lebanon and coordinating with Iran's Ministry of Intelligence and Security (MOIS). The threat actor exclusively targets Israeli entities. The group has attacked more than a dozen organizations in various verticals such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.

The researchers say that the numerous versions of, and changes to, Polonium’s custom tools indicate a continuous, long-term effort to spy on its targets and collect confidential data. The group doesn’t seem to engage in any sabotage or ransomware actions, according to ESET.

The company said it observed seven custom backdoors used by the group in attacks against Israel, including five previously undocumented ones. These are: CreepyDrive, which abuses the OneDrive and Dropbox cloud services for command and control; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of the Dropbox and Mega file storage services respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from the attackers’ servers.

Currently, it’s unclear how the group gained a foothold in the targeted organizations, but ESET theorizes that Polonium could have used leaked Fortinet VPN account credentials for initial access.

In addition to the custom backdoors, the threat actor uses several other modules, including reverse shell modules and a module for creating a tunnel. The group also leverages custom and open-source keyloggers. The custom one monitors keystrokes and clipboard contents and supports both Hebrew and Arabic keyboards.

“Polonium is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega and OneDrive for C&C communications. Intelligence and public reports about Polonium are very scarce and limited, likely because the group’s attacks are highly targeted, and the initial compromise vector is not known,” the report concludes.
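The backdoor list above and the report’s closing remark both point to the same detection opportunity: legitimate cloud storage traffic normally comes from the vendor’s own client and is irregular, while a backdoor polling a Dropbox, Mega or OneDrive account for commands tends to come from an unexpected process at a steady interval. The following script is an added example written for this article, not code from ESET or from the Polonium toolset; the proxy log format, the domain list and the process allowlist are all assumptions constructed for the illustration.

```python
"""Flag beacon-like traffic to cloud storage APIs from unexpected processes.

Added example. The log format (ISO timestamp, host, process, destination
domain), the API domain list and the process allowlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud storage API endpoints for the three services named in the report.
# The concrete domain list is an assumption for this example.
CLOUD_API_DOMAINS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "g.api.mega.co.nz": "Mega",
}

# Processes expected to talk to each service (assumed allowlist; tune per site).
EXPECTED_PROCESSES = {
    "Dropbox": {"Dropbox.exe"},
    "OneDrive": {"OneDrive.exe"},
    "Mega": {"MEGAsync.exe"},
}

MIN_EVENTS = 4           # need a few samples before judging interval regularity
MAX_JITTER_RATIO = 0.15  # stdev/mean of request gaps below this looks like a beacon


def parse_line(line):
    """Parse one constructed log line 'ISO-timestamp host process domain'."""
    ts, host, proc, domain = line.split()
    return datetime.fromisoformat(ts), host, proc, domain


def analyze(lines):
    """Return findings as (host, process, service, reason) tuples."""
    sessions = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, proc, domain = parse_line(line)
        service = CLOUD_API_DOMAINS.get(domain)
        if service is None:
            continue  # not a cloud storage API endpoint we track
        sessions[(host, proc, service)].append(ts)

    findings = []
    for (host, proc, service), times in sessions.items():
        reasons = []
        if proc not in EXPECTED_PROCESSES[service]:
            reasons.append("unexpected process")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low relative jitter between requests is the beaconing signal.
        if len(times) >= MIN_EVENTS and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) < MAX_JITTER_RATIO:
                reasons.append("regular beacon interval (~%ds)" % round(mean(gaps)))
        if reasons:
            findings.append((host, proc, service, "; ".join(reasons)))
    return findings


# Constructed sample proxy log: one host polling Dropbox every ~5 minutes from
# an odd binary, one legitimate Dropbox client, one odd process hitting Mega.
SAMPLE_LOG = """
2022-10-12T09:00:00 ws-17 updater.exe api.dropboxapi.com
2022-10-12T09:05:01 ws-17 updater.exe api.dropboxapi.com
2022-10-12T09:10:00 ws-17 updater.exe api.dropboxapi.com
2022-10-12T09:15:02 ws-17 updater.exe api.dropboxapi.com
2022-10-12T09:00:10 ws-03 Dropbox.exe content.dropboxapi.com
2022-10-12T09:07:45 ws-03 Dropbox.exe content.dropboxapi.com
2022-10-12T09:31:12 ws-03 Dropbox.exe content.dropboxapi.com
2022-10-12T09:02:00 ws-22 svchost.exe g.api.mega.co.nz
2022-10-12T09:03:00 ws-22 svchost.exe g.api.mega.co.nz
2022-10-12T09:01:00 ws-09 chrome.exe www.example.com
"""

if __name__ == "__main__":
    for host, proc, service, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"{host} {proc} -> {service}: {reason}")
```

On the constructed sample this flags ws-17 (unexpected process plus a near-constant five-minute interval) and ws-22 (unexpected process only; too few requests to judge regularity), and leaves the legitimate Dropbox client on ws-03 alone. In practice the process allowlist and the jitter threshold need tuning per environment, and the process name should be taken from an EDR or firewall source that binds it to the flow rather than trusted from a user-controlled field.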
