Cybercriminals Utilize Open-Source Tools to Target Financial Institutions in Africa
Jun 26, 2025
Threat Intelligence / Ransomware
Cybersecurity experts are highlighting a wave of cyberattacks aimed at financial institutions across Africa, dating back to at least July 2023. These attacks leverage a combination of open-source and publicly available tools to sustain access. Researchers from Palo Alto Networks’ Unit 42 are monitoring this activity under the label CL-CRI-1014, where “CL” stands for “cluster” and “CRI” signifies “criminal motivation.” The primary objective appears to be gaining initial access to systems, which is then sold to other criminal actors in underground forums, effectively turning the threat actor into an initial access broker (IAB). “The threat actor mimics signatures from legitimate applications to create forged file signatures, camouflaging their toolset and concealing malicious activities,” noted researchers Tom Fakterman and Guy Levi. “Threat actors frequently spoof legitimate products for illicit purposes.” The attacks are marked by the use of tools such as PoshC2 and others.
Threat Intelligence / Ransomware
Cyber Criminals Utilize Open-Source Tools to Target African Financial Institutions June 26, 2025 Threat Intelligence / Ransomware Recent investigations have revealed a troubling trend of cyber attacks aimed at financial institutions across Africa, with reports indicating that this wave of attacks began as early as July 2023. Cybersecurity experts at…
Cybercriminals Utilize Open-Source Tools to Target Financial Institutions in Africa
Jun 26, 2025
Threat Intelligence / Ransomware
Cybersecurity experts are highlighting a wave of cyberattacks aimed at financial institutions across Africa, dating back to at least July 2023. These attacks leverage a combination of open-source and publicly available tools to sustain access. Researchers from Palo Alto Networks’ Unit 42 are monitoring this activity under the label CL-CRI-1014, where “CL” stands for “cluster” and “CRI” signifies “criminal motivation.” The primary objective appears to be gaining initial access to systems, which is then sold to other criminal actors in underground forums, effectively turning the threat actor into an initial access broker (IAB). “The threat actor mimics signatures from legitimate applications to create forged file signatures, camouflaging their toolset and concealing malicious activities,” noted researchers Tom Fakterman and Guy Levi. “Threat actors frequently spoof legitimate products for illicit purposes.” The attacks are marked by the use of tools such as PoshC2 and others.
