Security researchers at Proofpoint have discovered that threat actors have repurposed a nearly 15-year-old attack tool called Hupigon to launch a new campaign targeting both faculty and students at colleges and universities across the US.
Hupigon is a remote access trojan (RAT) that has been around since at least 2006 and it is often associated with state-sponsored APT threat actors.
The new campaign uses a “hot or not” dating format where users must choose between one of two pictures by clicking on the link under the picture.
However, when a recipient of the malicious email clicks either link, an executable containing Hupigon begins to download. Running the downloaded file installs the RAT on their system which gives the attackers control of their PC.
This new campaign has already delivered over 150,000 malicious messages to over 60 different industries with 45 percent focused on education, colleges and universities. Between April 14 and 15 of this year, message volumes reached approximately 80,000 messages, coinciding with an observed rotation in payload.
Hupigon has many features and capabilities and the RAT allows attackers to access an infected machine, log keystrokes, steal passwords and monitor a user’s webcam which could be used later to launch sextortion attacks.
Proofpoint associates Hupigon with historic APT campaigns based on the language of the builder, open source breach reporting and multiple reports of similar APT actor behavior between 2010 and 2012.
Users can avoid falling victim to this latest campaign by monitoring their inboxes closely and not clicking on any links in emails from unknown senders.