A cyber espionage campaign attributed to the advanced persistent threat (APT) group known as GoldenJackal has been targeting air-gapped systems in governmental organizations in Europe, according to new research from ESET.
Spanning May 2022 to March 2024, the campaign relied on a custom-built, modular toolset designed to operate where the target network has no direct internet connectivity. GoldenJackal's previously documented arsenal includes several custom implants written in C#: JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and JackalScreenWatcher. Together they let the group monitor systems, steal data, spread to other machines over removable media, and remotely control infected hosts. ESET's research adds an older, separate set of tools for reaching air-gapped networks, first seen in 2019: GoldenHowl, a modular backdoor that runs on the internet-connected side of the gap, and GoldenRobo, a tool used to collect and exfiltrate files carried back from the isolated side.
GoldenJackal's earliest known attack on air-gapped systems dates to 2019, when it targeted a South Asian embassy in Belarus. That operation used three main components: GoldenDealer, which watches an internet-connected host for USB drive insertions and uses the drive to carry executables onto the air-gapped system; GoldenHowl, the modular backdoor; and GoldenRobo, which gathers the files collected on the isolated side and exfiltrates them once the drive returns to a connected host.
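The USB round trip described above is what a defender has to spot, and neither side of the gap sees anything unusual on its own: the connected host only writes a file to a stick, the isolated host only runs one. The following is an added illustration, not ESET's or GoldenJackal's code. It models the relay as a trail of file events and then correlates them across hosts by the removable volume's serial, the one identity that crosses the gap. The host names, file names, the hidden staging directory and the event schema are assumptions made for the model.

```python
"""
Added illustration (not ESET's or GoldenJackal's code): a model of the USB relay
that carries executables onto an air-gapped host and collected files back off it,
plus a cross-host correlation check that keys on the volume serial. The host
names, file names, the hidden staging directory and the event schema are
assumptions made for the model.
"""
import posixpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int      # order in which the event was recorded (a clock would do as well)
    host: str     # machine that observed the file operation
    volume: str   # removable-volume serial: the only identity that survives the air gap
    action: str   # "write", "exec" or "read"
    path: str     # path relative to the removable volume root


STAGE_DIR = ".stage"          # assumed name of the hidden staging directory
EXEC_EXT = (".exe", ".dll")   # assumed executable extensions of interest


def simulate_relay(connected="WS-INET-01", airgapped="WS-AG-07", volume="1A2B3C4D"):
    """Constructed event trail of one GoldenDealer-style round trip."""
    return [
        Event(1, connected, volume, "write", f"{STAGE_DIR}/update.exe"),    # staged on USB insertion
        Event(2, airgapped, volume, "exec",  f"{STAGE_DIR}/update.exe"),    # run on the isolated host
        Event(3, airgapped, volume, "write", f"{STAGE_DIR}/sysinfo.json"),  # collected data written back
        Event(4, airgapped, volume, "write", f"{STAGE_DIR}/docs.zip"),
        Event(5, connected, volume, "read",  f"{STAGE_DIR}/sysinfo.json"),  # picked up for exfiltration
        Event(6, connected, volume, "read",  f"{STAGE_DIR}/docs.zip"),
    ]


def benign_events():
    """Constructed control case: a user copies a report to a stick and opens it elsewhere."""
    return [
        Event(1, "WS-INET-01", "9F9F9F9F", "write", "report.docx"),
        Event(2, "WS-AG-07",   "9F9F9F9F", "read",  "report.docx"),
    ]


def find_usb_bridges(events):
    """Return {volume: (staging_host, airgapped_host)} for every volume whose event
    trail shows the relay: host A writes an executable, a different host B runs it and
    writes new files into the same directory, and host A later reads those files."""
    by_volume = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        by_volume[ev.volume].append(ev)

    bridges = {}
    for volume, evs in by_volume.items():
        for i, stage in enumerate(evs):
            if stage.action != "write" or not stage.path.lower().endswith(EXEC_EXT):
                continue
            run = next((e for e in evs[i + 1:]
                        if e.action == "exec" and e.path == stage.path and e.host != stage.host), None)
            if run is None:
                continue
            stage_dir = posixpath.dirname(stage.path)
            dropped = [e for e in evs
                       if e.seq > run.seq and e.host == run.host and e.action == "write"
                       and posixpath.dirname(e.path) == stage_dir]
            picked = [e for e in evs
                      if e.host == stage.host and e.action == "read"
                      and any(e.seq > d.seq and e.path == d.path for d in dropped)]
            if dropped and picked:
                bridges[volume] = (stage.host, run.host)
                break
    return bridges


if __name__ == "__main__":
    print(find_usb_bridges(simulate_relay() + benign_events()))
    # {'1A2B3C4D': ('WS-INET-01', 'WS-AG-07')}
```

In a real deployment the events would come from endpoint telemetry that records the removable volume's serial alongside file operations (file-create and process-start events joined with device-installation logs), and the air-gapped side's telemetry would have to be carried out for analysis by some sanctioned path. The point of the check is the join across hosts: an executable written on one machine, run on another, and followed by new files flowing back the other way on the same stick is the shape of the relay regardless of the file names the operators choose.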
“In the latest series of attacks against a government organization in Europe, GoldenJackal moved on from the original toolset to a new, highly modular one,” the researchers wrote. “This modular approach applied not only to the design of the malicious tools (as was the case with GoldenHowl), but also to their roles: they were used, among other things, to collect and process interesting information, to distribute files, configurations, and commands to other systems, and to exfiltrate files.”
While ESET did not attribute the attacks to a specific nation-state, one clue hints at the group's origins: GoldenHowl's C&C protocol is named "transport_http", an expression that also appears in tooling used by Russia-aligned APT groups such as Turla and MoustachedBouncer. A shared naming habit is weak evidence on its own, which is why ESET stops short of a firm attribution.