Retaliation Attack Leads to Discovery of Hellsing APT Group

Hellsing APT Strikes Back After Being Targeted by the Naikon Group

A small cyber espionage group might have remained under the radar, but their activities were exposed when they decided to retaliate against an attack launched by a different advanced persistent threat (APT) group.

Researchers at Kaspersky Lab were investigating Naikon, one of the most active threat groups in Asia, when they came across the activities of a different actor which they have dubbed “Hellsing.”

Naikon, a group known for its use of the RARSTONE backdoor, has targeted organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.

Just days after the Malaysia Airlines Flight 370 (MH370) disappeared last year, Naikon started targeting various government organizations in countries that had been involved in the search for the missing airplane. The attackers used spear-phishing emails containing documents designed to exploit Microsoft Word vulnerabilities in order to deliver a backdoor.

One of these emails was sent to an organization where the recipient questioned the legitimacy of the message. The target asked the sender (Naikon) to confirm that they had sent the email. Members of Naikon, who were apparently familiar with the targeted government agency’s internal structure, attempted to convince the recipient that the email was legitimate.

However, the target wasn’t convinced and didn’t open the malicious document, Kaspersky said. Furthermore, after a while, the targeted organization sent its own spear-phishing email, containing its own malware, to Naikon.

The group that decided to strike back has been dubbed “Hellsing” by Kaspersky Lab based on some debug information found by researchers in one of the malware samples. Hellsing, which has been active since at least 2012, has mainly targeted government organizations in Malaysia, Indonesia and the Philippines. Some targets have also been identified in the United States and India.

The APT actor has been using spear-phishing emails to deliver malware to victims’ computers. Based on command and control (C&C) server information gathered by Kaspersky, it’s possible that some of the victims are the Malaysian Ministry of Tourism and Culture, the Malaysian Maritime Enforcement Agency, and the Malaysian National Sports Council.

Researchers have determined that some of the infrastructure used by Hellsing overlaps with the infrastructure of other groups, such as PlayfullDragon (Gref), Cycldek (Goblin Panda), and Mirage (Vixen Panda).

Since APT attribution is a difficult task, Kaspersky has avoided pointing the finger at anyone. However, the company has noted that the name Hellsing, which appears to be the internal name used by the threat actor for one of its projects, could stem from a Japanese manga series.

Researchers have also determined that the malware samples used by the group have been compiled by someone in the GMT +8 or +9 time zones, assuming that they were compiled during regular working hours.
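The working-hours reasoning in that paragraph can be made concrete. The script below is an added example, not the article's or Kaspersky's own code: it takes a set of constructed compile timestamps, shifts them into each candidate UTC offset, and scores offsets by how many samples land inside an assumed 09:00–18:00 working day. The sample timestamps, the working-hours window and the candidate offset range are all assumptions.

```python
# Added example: infer the likely UTC offset of a malware author's working hours
# from PE compile timestamps, as the article describes. All timestamps below are
# constructed for illustration; they are not real Hellsing sample data.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed compile timestamps (UTC), as an analyst might collect from the
# PE header TimeDateStamp field of a set of related samples.
SAMPLE_TIMESTAMPS_UTC = [
    "2013-03-04T01:12:44", "2013-03-04T03:47:10", "2013-03-12T06:02:31",
    "2013-05-21T00:58:03", "2013-05-22T08:15:27", "2013-09-09T02:30:00",
    "2014-01-15T07:41:52", "2014-01-16T05:05:19", "2014-03-10T01:59:08",
    "2014-03-11T09:20:44", "2014-06-02T04:44:01", "2014-06-03T08:33:37",
]

WORK_START, WORK_END = 9, 18  # assumed local working hours: 09:00 to 17:59


def parse_utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def hour_histogram(timestamps, offset_hours: int) -> Counter:
    """Count compile events per local hour for one candidate UTC offset."""
    shift = timedelta(hours=offset_hours)
    return Counter((parse_utc(t) + shift).hour for t in timestamps)


def working_hours_fraction(timestamps, offset_hours: int) -> float:
    """Fraction of samples compiled inside the assumed working day at this offset."""
    hist = hour_histogram(timestamps, offset_hours)
    in_hours = sum(n for h, n in hist.items() if WORK_START <= h < WORK_END)
    return in_hours / max(1, len(timestamps))


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """(offset, fraction) pairs, best fit first; ties broken toward UTC."""
    scored = [(o, working_hours_fraction(timestamps, o)) for o in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


def best_offsets(timestamps, offsets=range(-12, 15)):
    """All offsets tied for the best fit. Neighbouring offsets usually tie, which
    is why such results are reported as a range like "GMT +8 or +9".
    Caveat: compile timestamps are trivially forgeable, so this is weak evidence
    that should only corroborate other attribution signals."""
    ranked = rank_offsets(timestamps, offsets)
    top = ranked[0][1]
    return [o for o, f in ranked if f == top]


if __name__ == "__main__":
    print("best-fitting UTC offsets:", best_offsets(SAMPLE_TIMESTAMPS_UTC))
```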

“The targeting of the Naikon group by Hellsing, in some sort of a vengeful vampire-hunting ‘Empire Strikes Back’ style, is fascinating,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis. “In the past, we’ve seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. However, considering the targeting and origin of the attack, it seems more likely that this is an example of a deliberate APT-on-APT attack.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
