article featured image


A cybercrime group going by the name of Bluebottle has been linked to a set of attacks aimed at the financial sector in Francophone countries located in Africa, in the timeline between July and September 2022.

Symantec, a division of Broadcom Software, published a report claiming the activity shares overlaps with a threat cluster under the name OPERA1ER, which has carried out dozens of attacks aimed at banks, financial services, and telecom companies in Africa, Asia, and Latin America between 2018 and 2022.

The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign.


There are similarities in the toolset that appear to support the researcher`s claims, such as attack infrastructure, absence of custom-made malware, and targeting of French-speaking nations in Africa. Bluebottle breached three undisclosed financial institutions in three African nations, but it’s unclear whether the attacks were monetized.

This financially motivated threat actor, also known as DESKTOP-GROUP, has committed a string of heists totaling $11 million over the past four years, causing $30 million in damages.

However, recent attacks illustrate the group’s evolving tactics, including employing an off-the-shelf malware named GuLoader in the early stages of the infection chain as well as weaponizing kernel drivers to disable security defenses.

Symantec said it couldn’t trace the initial intrusion vector, although it detected job-themed files on the victim networks, indicating that hiring related phishing lures were likely put to use to trick the targets into opening malicious email attachments.

Additionally, in mid-May 2022, an attacker delivered information stealer malware in the form of a ZIP file containing a screen saver (.SCR) executable. Many other threat actors have been observed using optical disc images (.ISO) as a means of distributing malware.

If the Bluebottle and OPERA1ER actors are indeed one and the same, this would mean that they swapped out their infection techniques between May and July 2022.


Spear-phishing attachments trigger the deployment of GuLoader, which is then used to drop additional payloads, such as Netwire, Quasar RAT, and Cobalt Strike Beacon. Lateral movement is facilitated by tools such as PsExec and SharpHound.

Last month, Mandiant, SentinelOne, and Sophos found that multiple hacking crews have exploited a signed helper driver to terminate security software for similar purposes. The fact that several cybercriminal groups have used the same driver supports the theory that these threat actors are using a code signing service to pass attestation.

As The Hacker News points out, the attacks could spread to other Francophone nations around the world, since the threat actors are suspected to be French speaking.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *