REF2924 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

REF2924 (Back to overview)

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.

Associated Families

There are currently no families associated with this actor.

References

2023-10-03 ⋅ Elastic ⋅ Andrew Pease, Cyril François, Daniel Stepanic, Salim Bitam, Seth Goodwin
Introducing the REF5961 intrusion set (RUDEBIRD, DOWNTOWN, and EAGERBEE)
EagerBee SManager REF2924 REF5961

2023-03-27 ⋅ Elastic ⋅ Remco Sprooten
REF2924: how to maintain persistence as an (advanced?) threat
Godzilla Webshell Behinder NAPLISTENER SiestaGraph REF2924

Credits: MISP Project