Omar Avilez
Podcast Appearances
And one day we got a tool to analyze all the DNS queries that the organization made. So we implemented that technology across all government organizations so we could have full visibility of what was happening in the government.
So we discovered a C2 server that was, you know, utilized by Conti.
So that's when everybody started sending us emails and emails and emails. We analyzed hundreds of emails. Literally hundreds of emails. So the weird thing about these emails is that they were written in perfect Spanish, like they were not English, but perfect Spanish, like perfect Spanish.
At that time, it was June 2022, we had over five to six hundred emails, different emails, and all of them were different. So we didn't have one single email that was the same. But all of them, you know, shared one thing. All of them were about banking transactions or money or payments, something related to money. And also all of them had a backdoor that the attackers were using, which was a backdoor known as Bandook.
And they compromised the company. So it was an important target.
What they did is that they used a user that was having a conversation with the system administrator. So the system administrator was waiting for that user to send him an attachment. So instead of the legitimate attachment, the system administrator received the backdoor.
And we found out, you know, something that was very terrifying for us. Over 30 government organizations were compromised by that campaign, like really big organizations.
Let me tell you, you know, it was not just government organizations, but also critical infrastructure organizations.
Yeah, it was a very complicated moment. We didn't know what to do.