'Asylum Ambuscade' Cyberattackers Blend Financial Heists & Cyber Espionage

In a rare mix of motivations, the cyberattack group has been linked to both financial cybercrime and political spying efforts on governments.

rainbow-colored code with magnifying glass
Source: Tiny Ivan via Alamy Stock Photo

Researchers have linked a series of financially motivated attacks and a group of advanced persistent threat (APT)-like espionage activities to a single cybercrime entity — though the attack sets were previously believed to be the work of two different actors.

A cybercrime group that researchers have dubbed "Asylum Ambuscade" is straddling the line between the two motivations, according to ESET analysis this week. The group has been active since at least 2020 but wasn't publicly outed until Proofpoint detailed a March 2022 APT-presumed effort that targeted European government staff involved in helping Ukrainian refugees ahead of the Russian invasion. In that campaign, the cyberattackers used spear-phishing to steal confidential information and webmail credentials from official government webmail portals.

Meanwhile, there's been a constellation of financially motivated cybercrime attacks that ESET researchers have been following, targeting bank customers and cryptocurrency traders, active since January 2022. In that time, the firm has counted more than 4,500 victims worldwide of these linked campaigns, mostly in North America (but also in Asia, Africa, Europe, and South America).

Two Motivations, One Cybercrime Actor

ESET researchers uncovered that the crimeware compromise chain is very similar that of the cyber-espionage campaigns previously detailed, down to the use of custom malware variants named SunSeed and AHKBOT. The main difference is the compromise vector, which in the financial attacks involved "spray-and-pray"-style malicious Google Ads and redirection chains.

"The compromise chains are almost identical in all campaigns," according to ESET's analysis. "In particular, SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage; [and] we don’t believe that SunSeed and AHKBOT are [commodities used by multiple actors and] sold on the underground market."

Thus, the researchers determined that "Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side [and] it appears to be branching out … against governments in Central Asia and Europe from time to time."

It's unclear if the group is a hack-for-hire outfit, a state-sponsored actor, or merely self-driven opportunists. In any event, ESET researchers concluded, "It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of Asylum Ambuscade activities."

It may be unusual, but it should be noted that it's not the first time the two halves of the cybercrime world have blended. The North Korean APT Lazarus Group infamously carries out cryptojacking and other financial heists to help fund the regime in Pyongyang, while also acting as a virulent cyber-espionage actor.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights