Intelligence on Malware, Threat Actors, and Campaigns in Motion
Introduction
Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on the UNC5518 campaign utilizing fake browser updates to distribute FAKETREFF, a JavaScript downloader.
Description
UNC5518 is a financially motivated cluster of activity that has distributed FAKETREFF, a JavaScript downloader that masquerades as a browser update. In at least some cases, UNC5518 appears to partner with clients or affiliates who use access obtained by the group to deploy additional malware. In 2024, several UNC5518 FAKETREFF campaigns were observed that led to QUICKBIND, NETSUPPORT, BANANACOOKIE, CLEANBOOST, CORNFLAKE, DARKGATE, and VOLTMARKER.
Overview
Campaign Type:
Fake Browser Update
Motivation(s):
Financial Gain
Source Region:
Unknown
Confirmed Targeted Industries:
Civil Society & Non-Profits, Chemicals & Materials, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, and Transportation.
Associated Threat Actors:
Landupdate808, Storm0300
Associated Malware:
AMADEV, CORNFLAKE, CORNFLAKE.V2, FAKETREFF, NUMOZYLUNCH, RAZORBRAKE, VOLTMARKER, VOLTRIGGER.
Targeted Countries:
Australia, Canada, Denmark, France, United Arab Emirates, United Kingdom, United States.
Associated Tools:
7ZIP, NETSUPPORT.
Find the full list of IOCs here:
Security Recommendations
CcHUB recommends that organizations:
Defenses Against Fake Browser Updates
- User Awareness: Train staff that genuine updates arrive only through the browser's or operating system's own update mechanism, never through a prompt on a website.
- Centralized Patch Management: Automate browser updates via IT, not end-users.
- Browser Hardening: Enforce auto-updates, block drive-by downloads, restrict plugins.
- Endpoint & Network Security: Use EDR/XDR, DNS/web filtering, and application allowlisting.
- Email & Web Gateways: Block malicious links/attachments; sandbox suspicious downloads.
- Access Control: Remove local admin rights; enforce least privilege.
- Incident Response: Have a playbook for browser-based malware campaigns.
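The endpoint, network and incident-response recommendations above can be backed by simple log heuristics. The following is an added example written for this dispatch, not code from CcHUB or from the Google report: it flags (a) web-proxy records where a script or archive named like a browser update is fetched from a host outside a vendor allowlist, which is how a downloader such as FAKETREFF is typically delivered, and (b) process-creation records where a Windows script host runs a script from a user-writable folder, which is what a JavaScript downloader looks like when it executes. The log formats, the vendor allowlist and all sample records are constructed assumptions; tune them to your own telemetry.

```python
"""Heuristic detection for fake-browser-update lures that deliver a JavaScript
downloader. Added example, not part of the Darkstream Dispatch report; the log
formats, vendor allowlist and sample lines below are constructed assumptions."""
import re
from urllib.parse import urlparse

# Hosts from which legitimate browser updates are expected (assumed allowlist;
# replace with whatever your patch-management channel actually uses).
VENDOR_UPDATE_DOMAINS = {
    "dl.google.com",
    "download.mozilla.org",
    "msedge.b.tlu.dl.delivery.mp.microsoft.com",
}

# A filename that reads like a browser update but is a script or an archive.
LURE_NAME = re.compile(r"(chrome|firefox|edge|browser|update)", re.IGNORECASE)
SCRIPT_OR_ARCHIVE = re.compile(r"\.(js|jse|wsf|hta|vbs|zip|7z)$", re.IGNORECASE)

# Windows script hosts that execute a dropped .js, and folders a browser can write to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)


def suspicious_download(proxy_line):
    """Return the URL when a proxy record shows a script/archive named like a
    browser update fetched from a host that is not on the vendor allowlist."""
    # Assumed proxy format: "<timestamp> <client_ip> <method> <url> <status>"
    parts = proxy_line.split()
    if len(parts) < 5:
        return None
    url = parts[3]
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    if parsed.hostname in VENDOR_UPDATE_DOMAINS:
        return None
    if LURE_NAME.search(filename) and SCRIPT_OR_ARCHIVE.search(filename):
        return url
    return None


def suspicious_process(proc_line):
    """Return the command line when a process-creation record shows a script
    host launching a script from a user-writable folder."""
    # Assumed process format: "<timestamp>|<user>|<image_path>|<command_line>"
    parts = proc_line.split("|", 3)
    if len(parts) < 4:
        return None
    image, cmdline = parts[2], parts[3]
    image_name = image.lower().rsplit("\\", 1)[-1]
    if image_name in SCRIPT_HOSTS and USER_WRITABLE.search(cmdline):
        return cmdline
    return None


def scan(proxy_lines, proc_lines):
    """Run both heuristics and return a list of (source, evidence) findings."""
    findings = []
    for line in proxy_lines:
        hit = suspicious_download(line)
        if hit:
            findings.append(("proxy", hit))
    for line in proc_lines:
        hit = suspicious_process(line)
        if hit:
            findings.append(("process", hit))
    return findings


# Constructed sample records; the hostnames and paths are placeholders, not IOCs.
SAMPLE_PROXY = [
    "2024-06-03T10:01:02Z 10.0.0.5 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200",
    "2024-06-03T10:04:17Z 10.0.0.5 GET https://cdn.example-lure.invalid/ChromeUpdate.js 200",
    "2024-06-03T10:05:40Z 10.0.0.7 GET https://news.example.invalid/index.html 200",
]
SAMPLE_PROC = [
    "2024-06-03T10:04:20Z|CORP\\alice|C:\\Windows\\System32\\wscript.exe|"
    "\"C:\\Users\\alice\\Downloads\\ChromeUpdate.js\"",
    "2024-06-03T10:06:00Z|CORP\\alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "chrome.exe --type=renderer",
]

if __name__ == "__main__":
    for source, evidence in scan(SAMPLE_PROXY, SAMPLE_PROC):
        print(f"[{source}] {evidence}")
```

Run against the constructed samples, the script reports one proxy finding (the `.js` file named like a Chrome update served from a non-vendor host) and one process finding (wscript.exe running that file from the Downloads folder); the genuine vendor download and the ordinary page load produce nothing. Two independent signals like these are a useful starting point for the browser-malware playbook the last recommendation calls for, because either one on its own generates benign noise in most environments.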
To read more about the UNC5518 Fake Browser Campaign, kindly read the Google article here.
If you suspect a security breach, reach out to us via our helpdesk (help@cchub.africa).