Contactez-nous Suivez-nous sur Twitter En francais English Language

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



WIP26 espionage – Threat actors abuse cloud infrastructure in targeted telco attacks

February 2023 by SentinelLabs

In collaboration with QGroup GmbH, SentinelLabs is monitoring a threat activity tracked as WIP26. The threat actor behind WIP26 has been targeting telecommunication providers in the Middle East, and characterised by the abuse of public Cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and command & control (C2) purposes.

The WIP26 activity is initiated by precision targeting of employees through WhatsApp messages that contain Dropbox links to a malware loader. Tricking employees into downloading and executing the loader ultimately leads to the deployment of backdoors that leverage Microsoft 365 Mail and Google Firebase instances as C2 servers. Referred to CMD365 and CMDEmber respectively, the main functionality of these backdoors is to execute attacker-provided system commands using the Windows command interpreter.

The use of public Cloud infrastructure for C2 purposes is an attempt to make malicious C2 network traffic look legitimate and therefore make detection harder for defenders. The backdoors SentinelLabs team observed masquerade as utility software, such as a PDF editor or browser, and as software that conducts update operations. The masquerading attempt involves the use of filenames, application icons, and digital signatures that indicate existing software vendors.

SentinelLabs’ research provides details on the WIP26 threat activity and further context around the use of CMD365 and CMDEmber.

Executive Summary

• A new threat cluster tracked as WIP26 has been targeting telecommunication providers in the Middle East.
• It is likely that WIP26 is espionage-related.
• WIP26 relies heavily on public Cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate.
• WIP26 involves the use of backdoors, dubbed CMD365 and CMDEmber, which abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.
• WIP26 also involves the use of Microsoft Azure and Dropbox instances as data exfiltration and malware hosting sites.


The WIP26 activity is a relevant example of threat actors continuously innovating their tactics, techniques and procedures (TTPs) in an attempt to stay stealthy and circumvent defences. The use of public Cloud infrastructure for malware hosting, data exfiltration, and C2 purposes aims at making malicious traffic look legitimate. This gives attackers the opportunity to conduct their activities unnoticed. It is hoped that this research helps to emphasise WIP26 tactics in the continuous effort to identify threat groups engaged in targeting critical industries such as telecommunications.

See previous articles


See next articles

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55

All new podcasts