Game over — hackers are using a spoofed version of Minesweeper to snare victims
Russian hackers are targeting Western firms with Minesweeper nostalgia
Russian hackers are targeting financial institutions in Europe and the United States with a nostalgia-laden gaming lure.
Two security agencies in Ukraine, CSIRT-NBU and CERT-UA, have warned of a new phishing campaign conducted by a threat actor they track as “UAC-0188”. This group is also known as “FRwL”, which is most likely an abbreviation of “From Russia with Love”, a 1963 James Bond film.
The group is sending phishing emails from “support@patient-docs-mail.com,” pretending to be a medical center. The emails come with the subject line “Personal Web Archive of Medical Documents,” and carry a 33 MB attachment, a .SCR file hosted on Dropbox containing code from a Python clone of the famous Minesweeper Windows game. However, the clone also downloads additional scripts from a remote source which, after a few more steps, end up installing SuperOps RMM.
Abusing SuperOps RMM
SuperOps RMM, short for Remote Monitoring and Management, is a software platform designed to assist managed service providers (MSPs) and IT professionals in managing and monitoring client IT infrastructure remotely. It integrates various tools and functionalities to streamline IT operations, enhance security, and improve efficiency.
The tool is legitimate, but often abused, similar to what happened to Cobalt Strike. SuperOps RMM grants the attackers remote access to the compromised systems, which they can then use to deploy more serious malware or infostealers, grabbing login credentials, sensitive data, banking information, and more.
IT admins should monitor their network activity for the presence of SuperOps RMM, and if they don’t usually use the software (or know it should not be installed at all), should treat the activity as a sign of compromise.
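One way to turn the indicators above into a routine check, as an added example that is not part of the article or of any vendor tooling: the mail-record and software-inventory formats, the RMM allowlist and the product-name matching are assumptions; the sender, subject and .SCR attachment come from the article.

```python
"""Added example (not from the article): flag the phishing indicators and any
RMM tool outside an allowlist in constructed log data."""
import re

# Indicators taken from the article.
PHISH_SENDER = "support@patient-docs-mail.com"
PHISH_SUBJECT = "Personal Web Archive of Medical Documents"
SCR_NAME = re.compile(r"\.scr$", re.IGNORECASE)

# Assumption: the remote-management tools the organisation actually deploys.
# An RMM seen on a host that is not on this list is treated as a sign of
# compromise, as the article advises. The entry is a constructed placeholder.
APPROVED_RMM = {"Approved-RMM-Example"}


def score_email(msg):
    """Return the reasons a mail-gateway record matches the campaign."""
    reasons = []
    if msg.get("from", "").lower() == PHISH_SENDER:
        reasons.append("sender matches campaign")
    if msg.get("subject", "") == PHISH_SUBJECT:
        reasons.append("subject matches campaign")
    for name in msg.get("attachments", []):
        if SCR_NAME.search(name):
            reasons.append(f"screensaver executable attached: {name}")
    return reasons


def unexpected_rmm(inventory):
    """Return (host, product) pairs where an RMM outside the allowlist is installed.
    Assumption: the product's display name contains 'SuperOps' or 'RMM'."""
    hits = []
    for host, products in inventory.items():
        for product in products:
            lowered = product.lower()
            if ("superops" in lowered or "rmm" in lowered) and product not in APPROVED_RMM:
                hits.append((host, product))
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_MAIL = [
    {"from": "support@patient-docs-mail.com",
     "subject": "Personal Web Archive of Medical Documents",
     "attachments": ["archive.scr"]},
    {"from": "alice@example.org", "subject": "Invoice", "attachments": ["invoice.pdf"]},
]
SAMPLE_INVENTORY = {"WS-01": ["SuperOps RMM Agent", "Office Suite"],  # constructed
                    "WS-02": ["Office Suite"]}

if __name__ == "__main__":
    for m in SAMPLE_MAIL:
        print(m["from"], score_email(m))
    print(unexpected_rmm(SAMPLE_INVENTORY))
```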
There was no word on who the usual targets are, or how many organizations the group managed to compromise.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.