Africa’s financial sector has become a commodity on the dark web — and the line of buyers isn’t getting any shorter.
A group of hackers has been running a large-scale cyberattack campaign against Africa’s financial industry for nearly a year. Experts from the Unit 42 team at Palo Alto Networks have been monitoring this activity under the label CL-CRI-1014, which stands for Criminally Motivated Cluster. This designation highlights the commercial intent behind the attacks.
The main goal of the attackers is to gain initial access to corporate infrastructure and then resell that access to other cybercriminal groups via underground forums. Essentially, this group acts as an Initial Access Broker (IAB) — a role that poses serious threats to organizations rich in financial and personal data.
To carry out the attacks, the hackers use a toolkit that closely resembles legitimate software, making it hard to detect. Their arsenal includes:
- PoshC2 – for remote control and command execution
- Chisel – for traffic tunneling and bypassing network restrictions
- Classroom Spy – for covert remote desktop monitoring
A particularly dangerous tactic involves spoofing digital file signatures by copying them from legitimate applications. This helps disguise malicious programs as trusted software. Attackers also mimic icons from popular applications like Microsoft Teams, Palo Alto Cortex, and Broadcom VMware Tools, making the malware visually indistinguishable from standard programs.
Once inside a network, the attackers establish persistence using a three-pronged strategy:
- Creating a system service
- Placing a malicious shortcut in the Windows startup folder
- Adding a scheduled task named “Palo Alto Cortex Services”
These measures ensure the malware survives even after a system reboot.
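The three persistence locations listed above, plus the copied-signature trick, can be hunted together from a single host. The script below is an added example written for this article, not code from the Unit 42 report or from any of the named tools. It enumerates services, startup-folder shortcuts and scheduled tasks, resolves the binary behind each one, and verifies its Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet. A signature block lifted from a legitimate application does not cover the malicious file's contents, so verification returns `HashMismatch` rather than `Valid`; that status, together with the task name the article reports, is what the script flags. The output object layout and the `$SuspiciousTaskNames` list are this example's own choices.

```powershell
# Added hunting example (not from the Unit 42 report): enumerate the three
# persistence locations named in the article and verify each referenced
# binary's Authenticode signature. A signature copied from another program
# fails verification with status HashMismatch because the signed hash no
# longer matches the file content.

# Task name as reported in the article; extend with local findings.
$SuspiciousTaskNames = @('Palo Alto Cortex Services')

function Resolve-BinaryPath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\bar.exe" -arg   or   %SystemRoot%\svc.exe /k
    # Unquoted paths containing spaces are a known limitation.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $path = $null
    if     ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')     { $path = $Matches[1] }
    if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
    return $null
}

function Test-BinarySignature {
    # Returns Status, Signer and a Flag that is $true when the signature
    # state is one a defender should look at.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileNotFound'; Signer = $null; Flag = $true }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $status = [string]$sig.Status
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # HashMismatch: a signature is present but was computed over a different
    # file, which is exactly what a transplanted signature looks like.
    $flag = $status -in @('HashMismatch', 'NotSigned', 'NotTrusted')
    [pscustomobject]@{ Status = $status; Signer = $signer; Flag = $flag }
}

$findings = @()

# 1. Services: the binary is embedded in PathName
Get-CimInstance Win32_Service | ForEach-Object {
    $bin   = Resolve-BinaryPath $_.PathName
    $check = Test-BinarySignature $bin
    $findings += [pscustomobject]@{
        Source = 'Service'; Name = $_.Name; Binary = $bin
        SigStatus = $check.Status; Signer = $check.Signer; Suspicious = $check.Flag
    }
}

# 2. Startup folders (current user and all users): follow each .lnk target
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $check  = Test-BinarySignature $target
        $findings += [pscustomobject]@{
            Source = 'StartupShortcut'; Name = $_.Name; Binary = $target
            SigStatus = $check.Status; Signer = $check.Signer; Suspicious = $check.Flag
        }
    }
}

# 3. Scheduled tasks: flag the reported name and check every exec action
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ([string]::IsNullOrEmpty($action.Execute)) { continue }   # COM handler actions
        $bin   = Resolve-BinaryPath $action.Execute
        $check = Test-BinarySignature $bin
        $findings += [pscustomobject]@{
            Source = 'ScheduledTask'; Name = $task.TaskName; Binary = $bin
            SigStatus = $check.Status; Signer = $check.Signer
            Suspicious = ($check.Flag -or ($task.TaskName -in $SuspiciousTaskNames))
        }
    }
}

$findings | Where-Object Suspicious | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on Windows 8 / Server 2012 or later (the `Get-ScheduledTask` cmdlet comes from the ScheduledTasks module). `FileNotFound` rows usually mean a stale registration, but a service or task whose binary has already been deleted is also what a cleaned-up intrusion looks like, so they are kept in the output rather than discarded. The signer subject is printed so that an icon and name borrowed from Microsoft Teams or VMware Tools can be compared against who actually signed the file.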
In some cases, the hackers have stolen user credentials to deploy proxy servers on compromised machines, allowing them to hide communication with their command-and-control infrastructure. Notably, some versions of PoshC2 were specifically modified for the target environments.
Attacks involving PoshC2 in Africa’s financial sector are not new. Back in September 2022, Check Point detailed a campaign called DangerousSavanna, where phishing emails were used to spread Metasploit, PoshC2, DWservice, and AsyncRAT. Victims included banks and insurance companies in Ivory Coast, Morocco, Cameroon, Senegal, and Togo.
These incidents highlight how thin the line between legitimate and malicious software becomes in well-planned cyberattacks. When attackers use familiar tools, forge official signatures, and disguise malware with trusted icons, traditional defenses can easily be bypassed.
For organizations, the takeaway is clear: you can’t rely on appearance or superficial security indicators. True protection requires constant vigilance, deep inspection, and an understanding that threats may come dressed in familiar interfaces — especially in critical sectors like finance, where the cost of failure isn’t just money, but also trust.
