GoldenJackal explained

GoldenJackal is an advanced persistent threat active since 2019.^[1]

Targets

According to Kaspersky targets include the governments of Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.^[1] ^[2]

They have also targeted the European Union in 2022.^[3]

Methods

Some attacks have been seen to use the Follina vulnerability.^[1] This exploit uses malicious Microsoft Word documents that execute PowerShell commands via the Microsoft Support Diagnostic Tool.^[4]

Toolkit

In the attack on the European Union a new toolkit was noted by ESET.^[3] ^[2] This included code written in Go and Python.^[3] ^[2] This toolkit can steal documents from airgapped machines by some elements of the kit infecting machines via USB flash drive.^[3] ^[2] Infected machines that aren't connected to a network can hide stolen documents on a USB drive in a way that infected machines connected to a network can retrieve and send to attacker.^[3] ^[2]

Possible Russian connection

ESET noted that the command and control protocol used by the groups malware is typically used by Turla, which is connected the Federal Security Service of Russia, suggesting the group may be Russian speakers.^[5]

Notes and References

News: GoldenJackal state hackers silently attacking govts since 2019 . Toulas . Bill . 2023-05-23 . 2024-10-15 . Bleeping Computer.
News: European govt air-gapped systems breached using custom malware . Toulas . Bill . 2024-10-08 . 2024-10-16 . Bleeping Computer.
News: A Mysterious Hacking Group Has 2 New Tools to Steal Data From Air-Gapped Machines . Goodin . Dan . 2024-10-12 . https://archive.today/20241012100657/https://www.wired.com/story/goldenjackal-hacking-group-new-tools-air-gapped-machines/ . 12 Oct 2024 . 2024-10-15 . Wired.
News: New Microsoft Office zero-day used in attacks to execute PowerShell . Ilascu . Ionut . 2022-05-30 . Bleeping Computer.
News: Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware . Lyons . Jessica . 2024-10-09 . 2024-10-16 . The Register.