Security Experts:

Connect with us

Hi, what are you looking for?



SWEED Hackers Target Manufacturing, Logistics Organizations

A threat actor active since at least 2017 has been mainly targeting victims with information stealers and remote access Trojans (RATs), Cisco’s Talos security researchers explain.

A threat actor active since at least 2017 has been mainly targeting victims with information stealers and remote access Trojans (RATs), Cisco’s Talos security researchers explain.

Referred to as SWEED, the group has been observed using malware such as Formbook, Lokibot and Agent Tesla, consistently distributing those via spear-phishing emails with malicious attachments across its campaigns.

One of the earliest identified SWEED operations leveraged droppers inside ZIP archives to distribute a packed version of the Agent Tesla spyware. Steganography was used to decode a .NET executable that used the same technique to retrieve the final payload, Talos reveals.

In early 2018, the actor was using Java-based droppers to obtain information about the target system and facilitate the download of Agent Tesla.

In April last year, the actor started employing an exploit for the Office vulnerability tracked as CVE-2017-8759. A PowerPoint document (PPXS) containing code to trigger the remote code execution vulnerability in Microsoft .NET Framework was used.

In May 2018, SWEED switched to abusing another vulnerability in Office, namely CVE-2017-11882. The bug affects the Equation Editor, a decades-old tool present in the suite.

This year, the actor was observed leveraging malicious macros in Office documents to deliver malware. Spear-phishing emails and malicious attachments continue to be used as part of the infection process, with an obfuscated VBA macro used to execute a PowerShell script that performs some checks and then downloads an AutoIT-compiled script that performs more checks and delivers Agent Tesla.

Across several of its campaigns, SWEED also used various techniques to bypass User Account Control (UAC) on the infected systems. In a campaign launched this year, a registry key pointing to the malware is created at first, then a Windows process running as high integrity is executed to use the key and bypass UAC.

The threat actor appears to be using a limited command and control (C&C) infrastructure, with the same servers repurposed across many different attacks, over long periods of time. An RDP server believed to have been actively leveraged by SWEED is being used in a multi-user capacity, the researchers note.

DDNS domains leveraged to facilitate connectivity to the shared RDP server have been also identified, along with a domain used to exfiltrate sensitive information collected by Agent Tesla, all of which show similar patterns of operation.

Several other domains that appear associated with various malware families and distribution campaigns resolve to the same server, Talos reveals. SWEED has been also observed using typosquatting for the domains hosting Agent Tesla binaries.

The group does not appear to have a geographic focus when choosing targets, as it hits companies all over the world. However, the actor appears focused on manufacturing and logistics organizations.

The security researchers were also able to identify online accounts apparently associated with the SWEED actor and customers. Eventually, they found the Skype and LinkedIn accounts of a person in Nigeria who might be a key member of the group.

“Currently, SWEED is actively targeting small and medium-sized companies around the world. Based on the TTPs used by this group, SWEED should be considered a relatively amateur actor. They use well-known vulnerabilities, commodity stealers and RATs (Pony, Formbook, UnknownRAT, Agent Tesla, etc.) and appear to rely on kits readily available on hacking forums. We assess that SWEED also does not have effective operational security,” Talos concludes.

Related: LokiBot and NanoCore Malware Distributed in ISO Image Files

Related: New Agent Tesla Spyware Variant Discovered

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...