Researchers from Cisco Systems have been monitoring the activities of a threat actor whose operations are aimed at high profile, money-rich industries such as oil, jewelry, banking and television.
According to Cisco, the attacks launched by the group start with a spear phishing email that appears to be an invoice, a receipt or a purchase order. The malicious emails have a Microsoft Word document attached to them and look fairly standard, but the attachment is not currently blocked by most antivirus engines.
When the document is opened, an “On-Open” macro written in Visual Basic for Applications (VBA) is run, and a malicious file is downloaded and executed on the victim’s computer. In an attack aimed at a company that focuses on research and manufacturing, the executable contacted three domains: dl.dropboxusercontent.com, londonpaerl.co.uk and selombiznet.in.
dl.dropboxusercontent.com is a legitimate Dropbox domain which the attackers have used to host four different components of the exploit payload, while londonpaerl.co.uk and selombiznet.in have been utilized as command and control (C&C) servers, Cisco said.
Researchers have determined that londonpaerl.co.uk is a typosquat of londonpearl.co.uk, the official website of pearls and pearl jewelry supplier London Pearl. An analysis of the fake website, which claims to belong to an employment agency, has shown that the threat group has been operational since at least 2007.
Based on domain “whois” information, Cisco has managed to identify several other domains used by the attackers for their malicious activities, including londonpearl-uk.co, france24.in, hussainscan.com and mylovekemy.in. The londonpearl-uk.co domain was used in May in attacks aimed at a single organization involved in industrial manufacturing. At the time, Cisco blocked five backdoor components used in the attacks which took place on the same day, within a 90-minute timeframe.
“During the investigation, we identified several different campaigns believed to be associated with this threat actor involving many other pieces of malware. Many of the domains appear to be suspended presumably due to past malicious activity,” Craig Williams, technical leader for Cisco threat research, wrote in a blog post.
“In fact, during the investigation the threat actor changed the information on some of the domains several times. Luckily, if you monitor whois history you can still view all of this information, including the evasion attempt. While we were performing the investigation, items like addresses, email addresses, and such were changed, literally, in between browser refreshes.”
Cisco’s blog post doesn’t contain any information on the geographical distribution of victims, but the company’s representatives told SecurityWeek that they’re seeing a clear focus on Europe.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
