Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Sophisticated Hacker-for-Hire Gang ‘Hidden Lynx’ Strikes Organizations Worldwide

A hacker-for hire crew known as the ‘Hidden Lynx’ has been tied to a series of sophisticated high-profile attacks targeting both businesses and governments around the world.

A hacker-for hire crew known as the ‘Hidden Lynx’ has been tied to a series of sophisticated high-profile attacks targeting both businesses and governments around the world.

Researchers at Symantec say the group, which numbers between 50 and 100, has been active since 2009 and has been involved not only in the infamous Operation Aurora, but also an attack on Bit9 in 2012 and an expansive campaign of watering hole attacks that affected thousands of machines earlier this year.

Known as the VOHO campaign, it combined both regional and industry-specific attacks and focused on organizations primarily operating in the United States.

“In a rapidly spreading two-phase attack, which started on June 25 and finished July 18, nearly 4,000 machines had downloaded a malicious payload,” according to a whitepaper Symantec released on the group. “These payloads were being delivered to unsuspecting victims from legitimate websites that were strategically compromised.”

Many of the victims being targeted were U.S. defense contractors protected by Bit9’s whitelisting software. To get around this obstacle, the attackers turned their attention to Bit9, ultimately breaching their file signing infrastructure and obtaining the ability to sign malware files in their bid to infect users.

“The attackers installed Backdoor.Hikit, a Trojan that provides extremely stealthy remote access to compromised systems,” according to the whitepaper. “This highly customized Trojan is typically installed onto servers in the victims’ DMZ, which was the case at Bit9. Credentials for another virtual machine were then stolen. These were used to access the virtual machine that contained one of Bit9’s digital code-signing certificates. The attackers used this code-signing infrastructure to sign thirty-two malicious files, some of which were then retrieved to be used in subsequent attacks on select organizations in the United States defense industrial base.”

Much of the tools and infrastructure linked to the attacks originate from network infrastructure based in China, Symantec reported. The frontline of the crew consists of a team that uses disposable tools along with basic techniques to attack different targets. This unit – dubbed Team Moudoor after the Trojan they use – also acts as intelligence collectors as well.

Advertisement. Scroll to continue reading.

A second team acts as an elite group used to crack the most valuable targets, and referred to as Team Naid by Symantec after the Trojan they use.

While researchers did not uncover any information about how much the group is being paid for its services, Symantec security researcher Vikram Thakur speculates it must be significant given the group’s uncommon size.  

“Hidden Lynx is unique because it is one of the most organized, sophisticated groups using cutting edge hacking techniques to access information from organizations in some of the most technically advanced countries in the world,” said Thakur.

Since 2011, six campaigns have been connected to the group. Roughly 53 percent of their victims were in the United States. The next biggest group – 15.53 percent – were located in Taiwan. Approximately 24 percent were in the finance industry, while 17 percent were in education. Just more than 15 percent were in the government sector.

“The group’s goal is to gain access to information within organizations in some of the wealthiest and most technologically advanced countries across the globe,” according to Symantec’s research paper. “It is unlikely that they can use this information for direct financial gain, and the diversity of the information and number of distinguishable campaigns would suggest that they are contracted by multiple clients. This leads us to believe that this is a professional organization that offers a “hackers for hire” service.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...