GoldenJackal Chronicles: Delving into Enigmas and Unanswered Questions
“GoldenJackal” is a relatively new APT group that we discovered in mid-2020 and publicly documented in 2023. Since 2019, this group has conducted several APT attacks targeting governmental and diplomatic entities in the Middle East and South Asia.
Over the past years, we have closely monitored the group and collected information about their Tactics, Techniques, and Procedures (TTPs). We’ve observed a consistent level of activity, which characterizes the group as a proficient and stealthy actor gradually expanding its operations. The hallmark of this group lies in its distinct set of .NET malware tools: JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher. These tools serve various purposes, including:
- Controlling victim machines
- Propagating across systems via removable drives
- Exfiltrating specific files from infected systems
- Stealing credentials
- Gathering information about local systems
- Collecting data on users’ web activities
- Capturing desktop screenshots
Based on their toolset and behavioral patterns, we believe the primary motivation of the actor is espionage. In this talk, I will cover the group's most relevant facets: an overview of its toolset, its targeting strategy, and how it moves laterally inside a targeted network. I will also highlight the unresolved aspects, to encourage fellow researchers to shed light on these areas and help improve the community's understanding of this threat.
Mr. Giampaolo Dedola
Giampaolo Dedola is a Lead Security Researcher at Kaspersky's GReAT (Global Research & Analysis Team), based in Italy. His research focuses on APT attacks: hunting for new threats, analyzing malware, investigating incidents, and profiling the actors behind them.
Over the years, he has investigated hundreds of APT campaigns, extending his knowledge of different groups regardless of their origin or targets.
Before joining Kaspersky in 2017, he held the positions of L3 SOC analyst, principal malware analyst, and forensic analyst.