Narketing163
Intelligence Profile
Narketing163 is a financially motivated threat actor named after one of their frequently used email addresses ([email protected]). Active since at least July 2023, the actor conducts large-scale phishing campaigns distributing commodity infostealer and keylogger malware disguised as business correspondence such as price quotes, order forms, and payment notices. Targets span multiple countries including Russia, Belarus, Kazakhstan, Azerbaijan, Armenia, Turkey, the USA, Germany, the UK, India, and others, across sectors including e-commerce, retail, chemicals, construction, healthcare, insurance, and food. The actor delivers malware via spearphishing attachments (compressed archives) deploying RedLine Stealer, Agent Tesla, FormBook, and Snake Keylogger against Windows systems. Exfiltration is performed via actor-controlled Roundcube mail servers. Emails are sent in Russian, Azerbaijani, Turkish, and English, with rotating sender IPs and use of anonymization tools such as VPNs and proxies.
Threat Analysis
Narketing163 is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.
Financially motivated threat actors like Narketing163 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
With high sophistication, Narketing163 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.