Novel Spy Group Targets Telecoms in Precision-Targeted Cyberattacks

Published: 23/11/2024   Category: security




The primary victims so far have been employees of telcos in the Middle East, who were hit with custom backdoors via the cloud, in a likely precursor to a broader attack.



A previously unknown threat actor is targeting telecommunications companies in the Middle East in what appears to be a cyber-espionage campaign similar to many that have hit telecom organizations in multiple countries in recent years.
Researchers from SentinelOne who spotted the new campaign said they're tracking it as WIP26, a designation the company uses for activity it has not been able to attribute to any specific cyberattack group.
In a report this week, they noted that they had observed WIP26 using public cloud infrastructure to deliver malware and store exfiltrated data, as well as for command-and-control (C2) purposes. The security vendor assessed that the threat actor is using the tactic — like many others do these days — to evade detection and make its activity harder to spot on compromised networks.
"The WIP26 activity is a relevant example of threat actors continuously innovating their TTPs [tactics, techniques and procedures] in an attempt to stay stealthy and circumvent defenses," the company said.
The attacks that SentinelOne observed usually began with WhatsApp messages directed at specific individuals within target telecom companies in the Middle East. The messages contained a link to an archive file in Dropbox that purported to contain documents on poverty-related topics pertinent to the region. But in reality, it also included a malware loader. 
Users tricked into clicking on the link ended up having two backdoors installed on their devices. SentinelOne found one of them, tracked as CMD365, using a Microsoft 365 Mail client as its C2, and the second backdoor, dubbed CMDEmber, using a Google Firebase instance for the same purpose.
The security vendor described WIP26 as using the backdoors to conduct reconnaissance, elevate privileges, deploy additional malware — and to steal the user's private browser data, information on high-value systems on the victim's network, and other data. SentinelOne assessed that much of the data that both backdoors have been collecting from victim systems and networks suggests the attacker is preparing for a future attack.
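The cloud-hosted C2 described above (a Microsoft 365 mail service and a Google Firebase instance polled by the backdoors) is hard to spot by destination alone, because the destinations are legitimate services that browsers and sync clients contact all day. What follows is an added example, not code from the article or from SentinelOne's report: a small Python hunt over constructed endpoint telemetry that flags processes outside an assumed allowlist contacting such services, and scores whether those contacts show the regular cadence of a polling backdoor. The service domains, the process allowlist, the log format and the sample lines are all assumptions made for the example.

```python
"""
Hunt for cloud-service C2 beacons in endpoint network telemetry.

Heuristic: a process that is not a known client of a cloud service, yet
contacts that service on a steady cadence, is worth triage, because a
backdoor that uses a cloud service for C2 still has to poll it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud services of the kind the article says were abused. The domain
# suffixes are assumptions for this example, not indicators from the report.
CLOUD_SERVICES = {
    "firebaseio.com": "google_firebase",
    "dropbox.com": "dropbox",
    "outlook.office365.com": "microsoft_365_mail",
    "graph.microsoft.com": "microsoft_365_mail",
}

# Processes expected to talk to those services on a corporate endpoint
# (assumed allowlist; tune it to the environment being monitored).
EXPECTED_CLIENTS = {
    "google_firebase": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "dropbox": {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "microsoft_365_mail": {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
}

# Constructed telemetry, one event per line: "timestamp host process destination"
SAMPLE_TELEMETRY = """\
2024-11-20T09:00:00 WS-017 outlook.exe outlook.office365.com
2024-11-20T09:00:05 WS-017 chrome.exe www.dropbox.com
2024-11-20T09:01:00 WS-017 svchost.exe example-project.firebaseio.com
2024-11-20T09:02:00 WS-017 svchost.exe example-project.firebaseio.com
2024-11-20T09:03:00 WS-017 svchost.exe example-project.firebaseio.com
2024-11-20T09:04:00 WS-017 svchost.exe example-project.firebaseio.com
2024-11-20T09:05:01 WS-017 svchost.exe example-project.firebaseio.com
2024-11-20T09:10:00 WS-022 chrome.exe example-app.firebaseio.com
2024-11-20T09:11:30 WS-022 cmd.exe graph.microsoft.com
2024-11-20T09:47:10 WS-022 cmd.exe graph.microsoft.com
"""


def classify_domain(domain):
    """Map a destination host name to a cloud-service label, or None."""
    for suffix, service in CLOUD_SERVICES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return service
    return None


def parse_telemetry(text):
    """Parse the assumed four-column log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, proc.lower(), domain.lower()))
    return events


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of the inter-contact intervals.

    Returns None when there are too few events to judge cadence.
    Values near zero mean the process is polling on a fixed timer.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def hunt(text, regular_threshold=0.2):
    """Return findings for unexpected processes contacting cloud services,
    regular beacons first, then by number of contacts."""
    groups = defaultdict(list)
    for ts, host, proc, domain in parse_telemetry(text):
        service = classify_domain(domain)
        if service is None or proc in EXPECTED_CLIENTS.get(service, set()):
            continue  # not a cloud service, or an expected client of it
        groups[(host, proc, domain, service)].append(ts)

    findings = []
    for (host, proc, domain, service), stamps in groups.items():
        cv = beacon_score(stamps)
        findings.append({
            "host": host, "process": proc, "domain": domain, "service": service,
            "contacts": len(stamps),
            "regular_beacon": cv is not None and cv < regular_threshold,
        })
    findings.sort(key=lambda f: (not f["regular_beacon"], -f["contacts"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_TELEMETRY):
        print(finding)
```

On the constructed sample the script surfaces `svchost.exe` on WS-017 polling a Firebase host every minute as a regular beacon, and `cmd.exe` on WS-022 reaching the Microsoft Graph endpoint as an unexpected client with too few contacts to judge cadence; the browser and Outlook traffic to the same services is ignored. In production the allowlist is the part that needs care: too broad and a backdoor injected into a browser process slips through, too narrow and the hunt drowns in sync-client noise.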
"The initial intrusion vector we observed involved precision targeting," SentinelOne said. "Further, the targeting of telecommunication providers in the Middle East suggests the motive behind this activity is espionage-related."
WIP26 is one of many threat actors that have targeted telecom companies over the past few years. Some of the more recent examples — like a series of attacks on Australian telecom companies such as Optus, Telstra, and Dialog — were financially motivated. Security experts have pointed to those attacks as a sign of increased interest in telecom companies among cybercriminals looking to steal customer data, or to hijack mobile devices via so-called SIM swapping schemes.
More often, though, cyberespionage and surveillance have been the primary motivations for attacks on telecommunications providers. Security vendors have reported several campaigns in which advanced persistent threat groups from countries like China, Turkey, and Iran have broken into a communication provider's network so they could spy on individuals and groups of interest to their respective governments.
One example is Operation Soft Cell, where a China-based group broke into the networks of major telecommunications companies around the world to steal call data records so they could track specific individuals. In another campaign, a threat actor tracked as LightBasin stole International Mobile Subscriber Identity (IMSI) data and metadata from the networks of 13 major carriers. As part of the campaign, the threat actor installed malware on the carrier networks that allowed it to intercept calls, text messages, and call records of targeted individuals.
