ALUMINUM THORN
Objectives
Aliases
Tools
SUMMARY
First disclosed in April 2019 by LAB52 and again in June 2019 by Cisco Talos, this group has operated since at least August 2018. Because the activity combined code and techniques from security blogs and open source projects, such as FruityC2 and PowerShell Empire, Talos labelled it the Frankenstein campaign. The lure document themes and VirusTotal (VT) submission locations suggest the group may target entities or individuals in MENA countries, including Jordan and Egypt. Limited public documentation of this group's activities suggests small, focused operations or target sets that are outside the visibility or interests of the cybersecurity research community. In 2024, Secureworks observed this group conducting targeted phishing operations against government and defence entities in the Middle East.