Pakistan Fintech Companies Among DeathStalker’s New Victims
A report from Kaspersky's Global Research and Analysis Team reveals that Pakistani fintech companies are under threat of cyber attack. The attacks on fintech companies in Pakistan have been linked to the DeathStalker hacker group, a known threat actor that has primarily targeted small and medium-sized enterprises, financial institutions, and government agencies. Since 2012, DeathStalker has focused on information gathering rather than financial gain. However, its latest operations could pose serious risks to sensitive data held by Pakistani fintech companies.
Fintech in Pakistan holds great potential, especially given the large unbanked population and growing digital adoption. However, it faces significant challenges. Limited access to funding is a primary issue, as fintech investment fell by 80% in 2023 amid a broader economic downturn. Additionally, regulatory complexities and the sharp depreciation of the Pakistani rupee make international transactions and investor confidence more challenging.
The group has been distributing DarkMe, a remote access Trojan (RAT) with spyware capabilities, via Telegram. The spyware infiltrates networks, steals data, and maintains prolonged access to targeted systems. The group often distributes this malware through Trojan-laden archives sent via Telegram channels. When opened by unsuspecting users, the archives initiate the deployment of DarkMe on the victim's device. The Trojan's capabilities enable it to access sensitive data and execute commands remotely. Once DarkMe is installed, it carries out several obfuscation steps, including file padding: by inflating the file size, it evades antivirus scanning and makes analysis more challenging for cybersecurity teams.
DeathStalker’s use of Telegram is strategic, leveraging the messaging platform’s wide reach and the trust it enjoys among users. According to Kaspersky’s Maher Yamout, these attackers often rely on the social familiarity of platforms like Telegram. In some past campaigns, Skype was used as well to make their attacks look less suspicious. Since many businesses and individuals are comfortable receiving files through these platforms, this tactic exploits trust to spread malware. The group’s adaptation to Telegram has made it easier to reach unsuspecting victims across geographical boundaries, enhancing their global reach.
DeathStalker has also shown a marked ability to employ deception tactics to conceal their involvement. They frequently use false flags, mimicking other advanced persistent threat (APT) groups in their attack signatures to mask their identity. This tactic makes it difficult for cybersecurity experts to attribute attacks definitively to DeathStalker. By misdirecting investigators, they attempt to avoid responsibility for their actions and remain undetected as long as possible.
Amid DeathStalker attacks, experts suggest that organizations in the fintech, trading, and legal sectors enhance their cybersecurity protocols. Yamout advises businesses to be particularly wary of unsolicited files or links received from suspicious sources through messaging platforms. Businesses are also advised to stay updated on cybersecurity threats, as the rapid evolution of cyber tactics requires constant vigilance.
The DeathStalker group’s choice to use Telegram as a distribution platform is notable and has sparked discussions in cybersecurity circles. Traditionally, email phishing has been one of the primary methods used to deliver malware to potential targets. DeathStalker can bypass some traditional security mechanisms by utilizing platforms that people perceive as safe, such as Telegram. Several organizations have filters and security measures in place for emails. However, fewer have similar protections for social messaging platforms, where users are more likely to trust the sender without suspicion.
The campaign deploys DarkMe, malware built to carry out a range of malicious activities with a low risk of detection. This Trojan provides access to stored information, installs additional malware, and executes commands remotely. Its capabilities are broad, but its most dangerous feature may be its self-hiding functions. Once DarkMe infiltrates a device, it carefully removes traces of its presence. By increasing its size and altering its behavior to resemble benign software, it can evade detection by security analyses.
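As an added illustration, not code from the article or from Kaspersky, the following Python heuristic flags files whose size is dominated by a uniform trailing pad, the size-inflation trick the text attributes to DarkMe both here and in the earlier description of its obfuscation steps. The thresholds, the function names and the constructed sample file are assumptions for illustration only.

```python
# Added example: detect size-inflating uniform padding appended to a file.
# Not DarkMe-specific parsing; a generic defender heuristic for padded samples.
import math
import random
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk; uniform padding scores ~0, packed or encrypted data ~8."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def trailing_run(data: bytes) -> tuple:
    """Length of the run of one repeated byte value at the end of the file, and that value."""
    if not data:
        return 0, -1
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return len(data) - len(stripped), last


def padding_report(data: bytes, min_pad_bytes: int = 1_000_000, min_ratio: float = 0.5) -> dict:
    """Flag a file whose size is dominated by a low-information tail.

    Thresholds are assumed values for illustration, not vendor-tuned limits:
    flag when the tail is at least min_pad_bytes long AND at least min_ratio of the file.
    """
    run_len, value = trailing_run(data)
    tail = data[len(data) - run_len:] if run_len else b""
    ratio = run_len / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_run": run_len,
        "pad_byte": value,
        "pad_ratio": round(ratio, 3),
        "tail_entropy": round(shannon_entropy(tail), 3),
        "flagged": run_len >= min_pad_bytes and ratio >= min_ratio,
    }


# Constructed sample: a 64 KiB pseudo-random "payload" followed by 2 MiB of zero padding.
_rng = random.Random(7)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
PADDED_SAMPLE = SAMPLE_PAYLOAD + b"\x00" * (2 * 1024 * 1024)

if __name__ == "__main__":
    print(padding_report(SAMPLE_PAYLOAD))
    print(padding_report(PADDED_SAMPLE))
```

A padded file with a high-entropy body and a near-zero-entropy tail is a candidate for stripping the tail and resubmitting the body to scanners that enforce size limits.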
Another distinctive characteristic of DeathStalker's operations is their selective targeting. Rather than casting a wide net, the group focuses on specific organizations within fintech and trading, where sensitive data such as transaction records, trade secrets, and client information can yield valuable intelligence. Their focus on information gathering, rather than financial theft, makes them unique among cybercriminals. By collecting information without direct financial theft, they have managed to evade detection in many cases, which lets them remain active for extended periods within compromised networks.
This intelligence-driven approach underscores the significance of adopting a defense-in-depth strategy for cybersecurity, especially for sectors that hold large volumes of sensitive data. Businesses and organizations must strengthen threat detection and create policies to manage external communication channels like Telegram. Because these malware deployment methods are hard to detect, organizations must use multi-layered security protocols to stay protected. Intrusion detection systems, behavioral analytics, and regular audits can help identify suspicious activity patterns that might otherwise go unnoticed.
The cybersecurity community has been tracking DeathStalker closely, observing a series of highly targeted campaigns that reveal a sophisticated understanding of the businesses they attack. By studying the group’s previous campaigns, researchers have identified common characteristics that could help future victims identify signs of an impending attack. One key observation is that DeathStalker’s campaigns often begin with spear-phishing, where attackers carefully select and study targets, crafting their messaging to suit each intended victim. In the case of Telegram-based attacks, they may pretend to be financial advisors, clients, or partners to increase the chance that their Trojan-laden files will be opened.
With the rise of remote work and digital communication, businesses must prepare to defend themselves against increasingly sophisticated cyber threats that exploit trusted communication platforms. DeathStalker’s success in leveraging familiar applications like Telegram indicates a shift in how attackers are adapting to changing digital habits. Experts recommend that businesses adopt zero-trust policies, whereby every user, device, and application must be verified before gaining access to sensitive data. This practice can significantly limit the extent of damage should a breach occur.
Moreover, cybersecurity experts suggest educating employees on recognizing potential threats. While technology solutions are crucial, human awareness remains a powerful line of defense. Organizations can mitigate risks by providing training sessions that outline the types of phishing attempts and malware deployments that attackers use, including those seen in DeathStalker’s campaigns. Since social engineering plays a large role in these attacks, educating employees about the potential dangers associated with opening unsolicited files or clicking on unverified links can help prevent initial infections.
The threat posed by DeathStalker to fintech companies in Pakistan serves as a warning to fintech, trading, and other sensitive sectors that maintaining cybersecurity is an evolving challenge. Given the group’s track record and its current tactics, experts believe that DeathStalker will continue to innovate, potentially incorporating new social platforms and novel obfuscation techniques. Continuous monitoring, adopting robust cybersecurity frameworks, and implementing employee training programs are crucial steps for organizations aiming to protect their operations and clients from cyber threats.