"For the last few months, Kaspersky’s Global Research and Analysis Team (GReAT) has been actively tracking new command and control (C2) servers associated with the piece of malware used in this attack, which is commonly referred to as WellMess. WellMess was initially documented by JPCERT in July 2018, but has been sporadically active since then. Beginning in March 2020, we noticed an increase in C2 servers, indicating a potential new wave of activity. We have, so far, not observed any infrastructure overlap, code overlap in the malware, or other tactics, techniques, and procedures unique to a specific threat actor, suggesting WellMess is wholly unique.

"We have documented attacks using this malware on various companies and government institutions in the Middle East and North Africa, as well as a case in Europe related to an IT company. On July 22, as part of Kaspersky’s series of expert talks, GReAT will be giving an in-depth presentation on the WellMess malware. For those who wish to attend, they can register here: https://kas.pr/y8iz."