Researchers studying cybersecurity have uncovered an assault operation that targets several Israeli organizations using frameworks like Donut and Sliver that are open to the public.

Leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware,” according to a report released by HarfangLab last week, indicating that the campaign is thought to be highly targeted.

The behavior is being monitored by the French business using the moniker “Supposed Grasshopper.” It is a pointer to a server in the control of the attacker (“auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin”), which is connected to via a first-stage downloader.

This is a basic Nim downloader whose job is to download the second-stage malware from the staging server. It is distributed via a virtual hard disk (VHD) file that may be distributed as part of a drive-by download strategy through bespoke WordPress websites.

The shellcode generating framework Donut, which is the second-stage payload that was extracted from the server, is used to launch Sliver, an open-source competitor to Cobalt Strike.

“The operators also put some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads,” according to the investigators. “Overall, this campaign feels like it could realistically be the work of a small team.”


The campaign’s ultimate objective is still unknown, although HarfangLab hypothesized that it may possibly be connected to a lawful penetration testing operation. This option presents further concerns about openness and the necessity of pretending to be Israeli government entities.

The revelation coincides with the release of information by the threat research team at SonicWall Capture Labs on an infection chain that uses Excel documents that have been booby-trapped to release the Orcinius trojan.

“This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated,” the business stated. “It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys.”