Wild Neutron

  • First known sample: 2011
  • Discovery: 2013
  • Number of targets: 1-100
  • Current status: Active
  • Type: Backdoor, Cyberespionage toolkit, Trojan
  • Targeted platforms: OS X, Windows
  • The way of propagation: Exploits, Watering hole attacks
  • Purpose/Functions: Data theft
  • Special features
    The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mindset and set of interests.
  • Targets: Financial institutions, Information technology, Investments, Manufacturing, Pharmaceutical, Private companies, Software companies, Specific individuals, Trade and commerce
  • Artefacts/Attribution
    The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Good bye” in Romanian) to mark the end of the C&C communication. In addition to that, Kaspersky Lab researchers have found another non-English string which is the Latin transcription of the Russian word “Успешно” ("uspeshno" -> "successfully").
  • Description
    A powerful threat actor active since 2011 targeting high-profile companies. It became well known after successfully infecting companies such as Facebook, Apple, Twitter and Microsoft by taking advantage of a Java zero-day exploit. This actor has also shown an interest in investment-related targets, suggesting it is conducting espionage for financial gain.