Phlox Tempest

Also known as: DEV-0796, Phlox Tempest, ClickPirate, Chrome Loader, Choziosi loader

Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign that targets users through YouTube comments and malicious ads. The group uses ChromeLoader to infect victims’ computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim’s device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.

๐ŸŒ Country Israel

Activities and Tactics

Country of Origin: 🇮🇱 Israel

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT
  • Chrome Remote Desktop

Attribution and Evidence

Country of Origin: Israel

Additional attribution information pending cataloguing.

References

References pending cataloguing.