Asylum Ambuscade Cyberattackers Blend Financial Heists & Cyber Espionage

Published: 23/11/2024   Category: security




In a rare mix of motivations, the cyberattack group has been linked to both financial cybercrime and political spying efforts on governments.



Researchers have linked a series of financially motivated attacks and a group of advanced persistent threat (APT)-like espionage activities to a single cybercrime entity — though the attack sets were previously believed to be the work of two different actors.
A cybercrime group that researchers have dubbed Asylum Ambuscade is straddling the line between the two motivations, according to ESET analysis published this week. The group has been active since at least 2020 but wasn't publicly outed until Proofpoint detailed a March 2022 effort, presumed at the time to be APT activity, that targeted European government staff involved in helping Ukrainian refugees ahead of the Russian invasion. In that campaign, the cyberattackers used spear-phishing to steal confidential information and webmail credentials from official government webmail portals.
Meanwhile, there's been a constellation of financially motivated cybercrime attacks that ESET researchers have been following, targeting bank customers and cryptocurrency traders, active since January 2022. In that time, the firm has counted more than 4,500 victims worldwide of these linked campaigns, mostly in North America (but also in Asia, Africa, Europe, and South America).
ESET researchers uncovered that the crimeware compromise chain is very similar to that of the cyber-espionage campaigns previously detailed, down to the use of custom malware variants named SunSeed and AHKBOT. The main difference is the compromise vector, which in the financial attacks involved spray-and-pray-style malicious Google Ads and redirection chains rather than targeted spear-phishing.
"The compromise chains are almost identical in all campaigns," according to ESET's analysis. "In particular, SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage; [and] we don't believe that SunSeed and AHKBOT are [commodities used by multiple actors and] sold on the underground market."
Thus, the researchers determined that Asylum Ambuscade "is a cybercrime group that is doing some cyberespionage on the side [and] it appears to be branching out … against governments in Central Asia and Europe from time to time."
It's unclear if the group is a hack-for-hire outfit, a state-sponsored actor, or merely self-driven opportunists. In any event, ESET researchers concluded, "It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations, and as such we believe that researchers should keep close track of Asylum Ambuscade activities."
It may be unusual, but it should be noted that it's not the first time the two halves of the cybercrime world have blended. The North Korean APT Lazarus Group infamously carries out cryptojacking and other financial heists to help fund the regime in Pyongyang, while also acting as a virulent cyber-espionage actor.
