APT TA423 Weaponizes Australian News Sites to Drop ScanBox Keylogger
A newly identified watering-hole operation linked to APT group TA423 is compromising popular Australian news websites. The attackers have injected malicious JavaScript that serves the ScanBox keylogger to visitors from energy-sector and government organizations in the South China Sea region. When a target loads the compromised page, the script silently harvests keystrokes, form data, and session cookies, then exfiltrates the information to command-and-control servers.
The intrusion gives the threat actors direct access to credentials and potentially privileged accounts, facilitating further intrusion into critical infrastructure and government networks. Defenders should prioritize monitoring outbound traffic for ScanBox signatures, implement strict content security policies on web gateways, and regularly scan external-facing sites for unauthorized script injections. Early detection and blocklisting of the malicious payload can prevent credential theft and limit the group’s ability to move laterally within targeted environments.
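One way to implement the last recommendation above, as an added example that is not from the article: a periodic check of your own site's HTML for script tags that fall outside a known baseline of script hosts and inline-script hashes. The hostnames and sample page are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())

def find_unexpected_scripts(html, allowed_hosts, allowed_inline_sha256):
    """Return (external script URLs on non-allowlisted hosts, SHA-256 digests of
    inline scripts missing from the baseline). Relative src paths are treated
    as same-origin and are not flagged here."""
    p = ScriptCollector()
    p.feed(html)
    bad_ext = [u for u in p.external
               if urlparse(u).hostname and urlparse(u).hostname not in allowed_hosts]
    bad_inline = [h for h in (hashlib.sha256(b.encode()).hexdigest() for b in p.inline)
                  if h not in allowed_inline_sha256]
    return bad_ext, bad_inline

# Constructed sample page (hostnames are hypothetical): one allowlisted CDN
# script, one baselined inline snippet, and one script from an unknown host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>window.siteId = 42;</script>
<script src="https://static.unknown-host.test/loader.js"></script>
</head><body></body></html>"""
ALLOWED_HOSTS = {"cdn.example-news.test"}
ALLOWED_INLINE = {hashlib.sha256(b"window.siteId = 42;").hexdigest()}

if __name__ == "__main__":
    ext, inl = find_unexpected_scripts(SAMPLE_HTML, ALLOWED_HOSTS, ALLOWED_INLINE)
    print("unexpected external scripts:", ext)  # the unknown-host loader.js
    print("unexpected inline scripts:", inl)    # []
```

In production the HTML would be fetched from each public page on a schedule and any non-empty result raised as an alert, with the baseline updated only through the normal deployment process.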
Categories: Threat Intelligence, Malware & Ransomware