UNVEILING THE CRYPTOMIMIC

2020-09-30 NTTSecurity

https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf

Attachments

VB2020-Takai-etal.pdf (4 MB)

NTT Security analyzes CryptoMimic, also known as Dangerous Password, an APT actor active since around 2018 against banks, finance-related organizations, and especially cryptocurrency companies worldwide. The observed intrusion chain used tailored emails or LinkedIn messages with shortened links that delivered ZIP archives containing decoy documents and LNK files, then invoked mshta to run remote VBScript. The campaign staged Cabbage RAT components that profiled the victim environment, sent system and task data to C2, and only continued when the operator judged the target attractive. The report emphasizes CryptoMimic’s short-lived URLs, cloud-service redirects, and careful anti-analysis behavior, while noting that the actor’s country-level attribution remained unknown.

Indicators of Compromise

Type    Value                                    First Seen   Last Seen
HASH    777f03eda81f380b0da33d96968dcf9…         2020-09-30   2020-09-30
DOMAIN  mail.gdrvup.xyz                          2020-09-30   2020-09-30
DOMAIN  office.onedriveglobal.com                2020-08-18   2020-09-30
DOMAIN  onedrive.onedriveglobal.com              2020-08-18   2020-09-30