SandStrike spyware spreads through VPN — Kaspersky

SandStrike, a previously unknown Android espionage campaign, has been spreading spyware to a Persian-speaking religious minority, the Baháʼí. According to cybersecurity solutions company Kaspersky, SandStrike distributes the spyware using a virtual private network (VPN) application.

The attackers use social media platforms to lure victims. When an unsuspecting internet user clicks on the link, he or she is directed to a Telegram channel where the SandStrike spyware is distributed through a seemingly harmless VPN app.

Kaspersky experts also discovered an advanced upgrade of the DeathNote cluster and, together with SentinelOne, investigated the never-before-seen malware Metatron. These and other discoveries are revealed in Kaspersky’s latest quarterly threat intelligence summary.


Lazarus, one of the well-known APT (Advanced Persistent Threat) groups, has been using the DeathNote cluster against victims in South Korea, according to Kaspersky’s findings.

“The actor possibly used a strategic web compromise, employing an infection chain similar to that which researchers have previously reported, attacking an endpoint security program,” Kaspersky said.

However, experts discovered that the malware and infection schemes have also been updated. The actor used malware that had not been seen before, with minimal functionality to execute commands from the C2 server. Using this implanted backdoor, the operator lay hidden in the victim’s environment for a month and collected system information.

According to Kaspersky, APT actors are not letting up. Kaspersky security experts found a previously undiscovered malware platform called Metatron. Initially, it targets telecommunications companies, internet service providers, and universities in Middle Eastern and African countries. Metatron is designed to bypass native security solutions while deploying malware platforms directly into memory.

In the third quarter of 2022, Kaspersky researchers detected numerous APT campaigns whose main targets are governmental institutions. Kaspersky’s recent investigations show that this year, from February onwards, HotCousin has attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America.

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats. Request access online.
  • Upskill your cybersecurity team to enable them to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • Use an enterprise-grade EDR solution such as Kaspersky EDR Expert. It is essential to be able to detect threats among a sea of scattered alerts, thanks to automatic merging of alerts into incidents, and to analyze and respond to an incident in the most effective way.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with social engineering techniques, such as phishing, introduce security awareness training and teach practical skills to your team, using tools such as the Kaspersky Automated Security Awareness Platform.