Thursday 15 October 11:00 - 11:30, Green room
Maher Yamout & Fatih Şensoy (Kaspersky)
The Griffith intrusion set represents a persistent threat to the fintech and iGaming sectors, encompassing both the established VB6-based DarkMe malware family and a newly emerged C++-based implant, dubbed GriffithRAT. This presentation demonstrates a tabletop analysis of how threat intelligence can be used to cluster seemingly disparate malware families into a unified intrusion set. We have been investigating this activity since late 2024, observing consistent intrusion techniques – including initial access via Telegram and Skype – and victim profiles.
We will present a comparative analysis of DarkMe and GriffithRAT, detailing their respective TTPs, infrastructure, and code characteristics. This will include a side-by-side comparison of key features, such as persistence mechanisms, data exfiltration techniques, and remote access capabilities. We will demonstrate how, despite differences in implementation (VB6 vs. C++), the overlapping TTPs and consistent targeting establish a clear link, justifying the classification of both as part of the Griffith intrusion set. Our analysis of GriffithRAT will cover its inner workings, including its modules – a custom-developed remote-desktop controller, keylogger, file-grabber, and persistence components – as well as its signed delivery and execution methods. During our analysis, we have also observed potential bots attempting to influence VirusTotal results with manipulated comments. Our research indicates that Griffith is a cyber-mercenary type of actor whose campaigns target victims who use specific trading platforms. This presentation will provide attendees with a practical understanding of threat attribution methodologies, actionable indicators of compromise for both DarkMe and GriffithRAT, and a comprehensive view of a persistent threat actor's evolving tactics.
Maher Yamout
Maher is a lead security researcher in the Global Research & Analysis Team (a.k.a. GReAT) at Kaspersky. With an extensive background in threat intelligence, cybersecurity, digital forensics, and incident response, Maher supports clients in analysing cyber risks and identifying advanced persistent threats targeting the Middle East, Turkey and Africa. Prior to joining Kaspersky, he served as a cybersecurity specialist in the public sector as well as a specialist senior manager at Deloitte Middle East. He led and participated in numerous security assessments for a multitude of clients in the UK, Middle East, and the GCC region. Among the security assessments he managed were red teaming, penetration testing, industrial control system security, mobile and web application security testing, and physical security testing. He has also contributed to various incident response efforts including phishing attacks, ransomware incidents, cyber espionage, APTs, POS malware, online banking theft, fraud, and insider threats.

Fatih Şensoy
Fatih Şensoy is a senior security researcher within Kaspersky's distinguished Global Research and Analysis Team (a.k.a. GReAT), where he leverages his expertise in reverse engineering and proactive threat hunting to uncover sophisticated cyber threats. He researches the inner workings of implants to enrich detection mechanisms, provide a broader perspective on campaigns, overcome reverse engineering challenges, and track prolific actors over long periods of time. With a keen focus on tracking and unmasking advanced threat actors, Fatih provides critical insights into the methodologies employed by modern cyber adversaries that target various critical sectors.