This week’s activities in cyber gangland. Trends in ransomware. Rackspace works to remediate a ransomware incident.
By the CyberWire staff

At a glance.
This week's activities in cyber gangland.
Trends in ransomware.
Rackspace works to remediate a ransomware incident.
Blind spots in air-gapped networks.
Updates on hybrid war activity.
Third-party incidents in New Zealand and Belgium.
Data breach at Amnesty International Canada linked to China.

This week's activities in cyber gangland.

Mobile security firm Zimperium has discovered an Android threat, the Schoolyard Bully Trojan. The Trojan has been active since 2018 and primarily targets Vietnamese readers. It can steal credentials from victims' Facebook accounts, including email, phone number, password, ID, and name. For more on Schoolyard Bully, see CyberWire Pro.

Bitdefender has published a report describing a Chinese cyberespionage operation targeting telecom providers in the Middle East. The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server. After gaining access, the threat actor deployed multiple tools to establish persistence, move laterally, and escalate privileges. These included the Irafau and Quarian backdoors and the Pinkman Agent. Bitdefender suspects BackdoorDiplomacy, a China-linked APT discovered last year by researchers at ESET. ESET noted that the group primarily targets Ministries of Foreign Affairs in the Middle East and Africa and, less frequently, telecommunication companies. Bitdefender attributes this campaign to BackdoorDiplomacy based on the domains used for command-and-control. For more on BackdoorDiplomacy, see CyberWire Pro.

Secureworks Counter Threat Unit researchers investigated the Drokbk malware, found to be operated by a subgroup of Iran's government-sponsored COBALT MIRAGE threat group, known as Cluster B. The malware uses GitHub as a dead drop resolver to locate its command and control (C2) infrastructure. Using GitHub lets these threat actors fly under the radar more easily. "The use of GitHub as a virtual dead drop helps the malware blend in," says Secureworks' Principal Researcher and thematic lead for research focused on Iran, Rafe Pilling, in a media release. "All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions." This technique is also interesting because it is unusual for Iranian malware and represents a departure from past
Iranian practice. For more on Cobalt Mirage's recent campaign, see CyberWire Pro.

Researchers at Google's Threat Analysis Group report that North Korean threat actor APT37