Palo Alto Networks Unit 42 has uncovered a sophisticated threat campaign, CL-CRI-1014, that’s been quietly targeting financial institutions across Africa since mid-2023. What’s striking about this campaign is not just the tooling, but the strategy.
Instead of using custom malware, the attackers rely on publicly available and open-source tools — commonly used by IT admins and red team members. They then go a step further: forging digital file signatures to make malicious payloads look like legitimate software from trusted vendors.
This allows them to:
- Bypass basic endpoint defenses
- Maintain long-term access without triggering alerts
- Blend in with legitimate traffic and processes
This is yet another sign that attackers are moving away from complex malware and toward abusing what’s already in the environment. And with trust in file signatures being exploited, traditional security signals are no longer enough.
Lessons Learned:
- Trust can be weaponized – even signed and open-source tools can be abused.
- Initial access isn’t always loud – attackers may dwell silently before selling access.
- Detection must go deeper – beyond file signatures, focus on behavior and persistence.
- Open-source ≠ risk-free – validate and monitor every tool in your environment.
- Assume visibility gaps exist – prioritize collecting security data from devices and network traffic.