Kaspersky catches hacker-for-hire group using ‘PowerPepper’ malware

The market is driven by cash-flush organizations that don’t want a malicious campaign traced back to them.
This is not one of the photos used in the so-called PowerPepper malware campaign. But the campaign does actually use photos of peppers. (Getty Images)

The hack-for-hire business is thriving.

Following the revelation in November that a new mercenary group had targeted organizations in South Asia, researchers on Thursday outlined how another suspected hack-for-hire shop has used malicious code to try to breach organizations in Europe and the Americas. It’s the latest innovation in a bustling market for buying access to government and corporate networks in a range of industries.

The new code, uncovered by analysts at security firm Kaspersky, can be used to remotely take over victim devices, and it interacts with the attackers via a communications-concealing protocol. The group responsible for the malware, known theatrically as DeathStalker, has been around for at least eight years but has only drawn public scrutiny in recent months, according to Kaspersky. And researchers have more digging to do.

“PowerPepper,” as the new malware is known, “is already the fourth malware strain affiliated with the actor, and we have discovered a potential fifth strain,” said Kaspersky’s Pierre Delcher. The hacking tool is called PowerPepper because the malicious code is delivered via an image of what appears to be a picture of a fern or peppers, a technique known as steganography. The hacking group used one-off social network accounts and VPN services to cover their tracks, Delcher said.


The DeathStalker mercenaries have previously tried to breach law and consultancy firms, Delcher said. But the researchers seem to know much more about the group’s malware than who is behind it. They did not say where the hackers are based or who has enlisted their services.

“We could not precisely identify most of the targets we discovered for PowerPepper,” Delcher said in an email. “Some decoy contents that have been leveraged during infections show a possible targeting of industrial organizations in Mexico and Turkey, and organizations in the UK.”

The latest maneuverings of DeathStalker follow a report in November from BlackBerry on another hack-for-hire group, dubbed CostaRicto, that was using custom malware to try to break into organizations in Bangladesh, India and several other countries.

Whether the intrusion attempts in this case have been successful remains unclear. But the attackers are giving themselves a chance for success by sending spearphishing emails with themes as varied as carbon emission regulations, the coronavirus and travel, depending on the target’s interest.

The hack-for-hire market is driven by cash-flush organizations that don’t want a malicious campaign traced back to them. The hacking mercenaries’ clients are hard to identify, but the targets often suggest government involvement. Another hack-for-hire group known as Bahamut has targeted Pakistani military officials, Sikh separatists in India and Indian business executives, according to a Reuters investigation.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts