Researchers have linked a series of financially motivated attacks and a group of advanced persistent threat (APT)-like espionage activities to a single cybercrime entity — though the attack sets were previously believed to be the work of two different actors.

A cybercrime group that researchers have dubbed "Asylum Ambuscade" is straddling the line between the two motivations, according to ESET analysis this week. The group has been active since at least 2020 but wasn't publicly outed until Proofpoint detailed a March 2022 APT-presumed effort that targeted European government staff involved in helping Ukrainian refugees ahead of the Russian invasion. In that campaign, the cyberattackers used spear-phishing to steal confidential information and webmail credentials from official government webmail portals.

Meanwhile, there's been a constellation of financially motivated cybercrime attacks that ESET researchers have been following, targeting bank customers and cryptocurrency traders, active since January 2022. In that time, the firm has counted more than 4,500 victims worldwide of these linked campaigns, mostly in North America (but also in Asia, Africa, Europe, and South America).

Two Motivations, One Cybercrime Actor

ESET researchers uncovered that the crimeware compromise chain is very similar that of the cyber-espionage campaigns previously detailed, down to the use of custom malware variants named SunSeed and AHKBOT. The main difference is the compromise vector, which in the financial attacks involved "spray-and-pray"-style malicious Google Ads and redirection chains.

"The compromise chains are almost identical in all campaigns," according to ESET's analysis. "In particular, SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage; [and] we don’t believe that SunSeed and AHKBOT are [commodities used by multiple actors and] sold on the underground market."

Thus, the researchers determined that "Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side [and] it appears to be branching out … against governments in Central Asia and Europe from time to time."

It's unclear if the group is a hack-for-hire outfit, a state-sponsored actor, or merely self-driven opportunists. In any event, ESET researchers concluded, "It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of Asylum Ambuscade activities."

It may be unusual, but it should be noted that it's not the first time the two halves of the cybercrime world have blended. The North Korean APT Lazarus Group infamously carries out cryptojacking and other financial heists to help fund the regime in Pyongyang, while also acting as a virulent cyber-espionage actor.