2025-06-25

Unit 42, the research team at Palo Alto Networks, has identified a new malicious campaign targeting many financial organizations across Africa.

The attackers, tracked as CL-CRI-1014, have been actively targeting the African financial sector since at least 2023. The Unit 42 researchers assessed that they act as initial access brokers (IABs), gaining initial access to their targets and then selling it to others on the dark web.

To deploy their attacks, the hackers typically leverage a set of open-source tools, including PoshC2 (an attack framework) and Chisel (a tunneling utility), as well as publicly available software such as Microsoft’s PsExec and Classroom Spy (a remote administration tool). Classroom Spy replaced MeshAgent, which was used in CL-CRI-1014’s previous campaigns.

With these tools, they also create tunnels for network communication and perform remote administration of compromised hosts.

The Unit 42 findings were shared in a report published on June 24.

Attack Chain Explained

Here is a breakdown of the typical attack chain performed in CL-CRI-1014’s latest campaign as observed by the Unit 42 researchers: