Asylum Ambuscade Attack Detection: Hacking Collective Engaged in Multiple Cyber-Espionage and Financially-Motivated Cybercrime Campaigns

On February 24, 2022, a little more than a year ago, the russian federation started an offensive invasion of Ukraine by land, air, and sea. The war escalated in cyberspace as well. As a result, we are now witnessing the first-ever full-fledged cyber war in human history, with multiple offensive counterparts engaged in attacks against Ukraine and its allies.  

One of the hacking collectives revealed to be actively engaged in the confrontation is Asylum Ambuscade. Being a relatively new payer in the cybercrime arena, this hacker group mixes financially-motivated operations and cyber-espionage activity against governmental institutions.

In March 2022, security experts identified that Asylum Ambuscade stands behind a sophisticated attack against European government personnel aiding Ukrainian refugees. Also, a series of attacks against Central Asian officials have been tracked by researchers. Simultaneously, the group continuously engages in cybercriminal campaigns against the private sector to obtain financial gains.

Detecting Asylum Ambuscade Attacks 

Mixing different motivations in its campaigns, Asylum Ambuscade is now considered one of the most prolific hacking collectives in the cybercrime arena, with 4,500 victims identified worldwide since the beginning of 2022. To proactively detect the associated malicious activity and protect organizational infrastructure from Asylum Abuscade intrusions, cybersecurity professionals require a trusted source of curated detection content. SOC Prime´s Platform for collective cyber defense aggregates and extensive set of Sigma rules addressing threat actor´s TTPs. 

All detections are compatible with 25+ SIEM, EDR, and XDR solutions and mapped to MITRE ATT&CK framework v12 to help security professionals streamline the investigation and threat hunting operations.

Press the Explore Detections button below to immediately drill down to a Sigma rules bundle aimed at detecting Asylum Ambuscade attacks. All the rules are accompanied by extensive metadata, including ATT&CK and CTI references. To simplify the content search, SOC Prime supports filtering by tags “Asylum Ambuscade” and “SunSeed” based on the group’s monicker and the name of a custom malware planted by the attackers during the cyberespionage campaign targeting European officials helping Ukrainian refugees.

Explore Detections

Overview of Asylum Ambuscade’s Cybercrime and Espionage Campaigns

Being active since 2020, Asylum Ambuscade managed to fly under the radar until March 2022, when Proofpoint documented a state-sponsored cyber-espionage campaign targeting European public sector entities that. The discovery was based on the alert by CERT-UA tracking the group as UNC1151 (UAC-0051).

During this attack, threat actors supposedly compromised an email account of the Ukrainian armed service member to launch a phishing attack which resulted in SunSeed malware delivery. According to the experts, this malicious campaign aimed to extract sensitive information and dump email creds from official government resources. 

While cyber-espionage campaigns initially came to the limelight, Asylum Ambuscade has also been involved in a series of cybercriminal operations focused on gaining financial profits. ESET inquiry states that the hacking collective has targeted over 4,500 private organizations since Jan 2022, including cryptocurrency traders, small-to-medium enterprises (SMBs), financial institutions, and individuals. Notably, most of the victims were located in North America; however, researchers also observed attacks against Asian, African, and European targets.

White motivation to attack cryptocurrency traders seems obvious – stealing cryptocurrency – the motives to target SMBs remain a question. Security experts suspect that Asyllum Ambuscade cybercriminals might sell access to ransomware operators or use it to proceed with espionage activities. 

Asylum Ambuscasde’s cyber-espionage and cybercrime operations follow a similar attack kill chain. The attack starts from a malicious Google Ad leading to a JavaScript file through multiple redirections or a phishing email with a malicious attachment that drops malware downloader. Eventually, both routines end up with SunSeed or Ahkbot malware infection. To stay under the radar of cybersecurity researchers, Asylum Ambuscade hackers leverage different variants of the SunSeed downloader written in Lua, Tc, and Visual Basic. For Ahkbot infection, AutoHotkey or Node.js tool named NodeBot is used. 

Combining the TTPs typical for nation-state actors and cybercrime groups, Asylum Ambuscade poses a significant menace for public and private organizations worldwide. Rely on SOC Prime to be fully equipped with detection content against any exploitable CVE or any TTP used in the ongoing cyber attacks. Access the world’s fastest feed of security news, tailored threat intelligence, and the largest repository of curated 10,000+ Sigma rules continuously enriched with new detection ideas. Unlock the power of augmented intelligence and collective industry expertise to equip any security team member with an ultimate tool for advanced detection engineering. Identify blind spots and timely address them to ensure complete threat visibility based on the organization-specific logs without moving data to the cloud. Register to SOC Prime Platform now and empower your security team with the best tooling for a secure tomorrow.