| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Narketing163 is a financially motivated threat actor named after one of their frequently used email addresses (narketing163@gmail.com). Active since at least July 2023, the actor conducts large-scale phishing campaigns distributing commodity infostealer and keylogger malware disguised as business correspondence such as price quotes, order forms, and payment notices. Targets span multiple countries including Russia, Belarus, Kazakhstan, Azerbaijan, Armenia, Turkey, the USA, Germany, the UK, India, and others, across sectors including e-commerce, retail, chemicals, construction, healthcare, insurance, and food. The actor delivers malware via spearphishing attachments (compressed archives) deploying RedLine Stealer, Agent Tesla, FormBook, and Snake Keylogger against Windows systems. Exfiltration is performed via actor-controlled Roundcube mail servers. Emails are sent in Russian, Azerbaijani, Turkish, and English, with rotating sender IPs and use of anonymization tools such as VPNs and proxies.
There are currently no families associated with this actor.
There are currently no references.