Get the latest insights into threat actor activity straight from the frontlines fueled by data from Kroll’s incident response intelligence and elite analyst.

On February 19, software firm ConnectWise notified clients of two vulnerabilities (CVE-2024-1708 and CVE-2024-1709) impacting on-premise versions of their remote management tool, ScreenConnect. Within days, the vulnerability was under heavy exploitation from several groups, including the Advanced Persistent Threat (APT) group known as Kimsuky.

In this exclusive briefing, Kroll’s Head of Threat Intelligence in EMEA, George Glass, will address how Kimusky weaponized the ScreenConnect vulnerability using new malware strain TODDLERSHARK.

Threat intelligence fueled by frontline incident response intel and elite analysts can provide a rich insight into threat actor activity. Security leaders need access to this frontline incident intelligence to understand if they are likely to be in a similar situation but also take immediate action on their defenses. During the briefing, George will highlight how the malware was deployed as part of an attempted compromise, then detected and stopped by the Kroll Responder team.

Key Takeaways

• The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript-based BABYSHARK malware that we've called TODDLERSHARK.
• How the malware was used in post-compromise activity.
• BABYSHARK has been associated, by several sources, with a threat actor that Kroll tracks as KTA082 (Kimsuky).
• The malware utilized legitimate Microsoft binary and alternate data streams and exhibited elements of polymorphic behavior.