{"id":50381,"date":"2023-02-02T00:00:00","date_gmt":"2023-02-02T00:00:00","guid":{"rendered":"urn:uuid:eba13948-838b-acec-7517-d4e0e3cac72d"},"modified":"2023-02-02T00:00:00","modified_gmt":"2023-02-02T00:00:00","slug":"what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/","title":{"rendered":"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/water-dybbuk-641-cover.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.739266687559\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div 
class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"253660635\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2660550458716\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.981651376147\"> <\/p>\n<p class=\"article-details__display-tag\">Cyber Crime<\/p>\n<p class=\"article-details__description\">We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar.<\/p>\n<p class=\"article-details__author-by\">By: Stephen Hilt, Lord Alfred Remorin <time class=\"article-details__date\">February 02, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"46.5\">\n<div readability=\"38\">\n<p>BEC, or Business Email Compromise, is a significant problem for businesses around the world. According to the Federal Bureau of Investigation (FBI), BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. This amount accounts for a large share of the US$6.9 billion that Americans lost to the combination of ransomware, BEC, and financial scams, based on the FBI report. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail Transfer Protocol (SMTP) services like SendGrid to send emails designed to bypass the filters of email service providers and the security services that protect email. By using these genuine services (but with stolen accounts), scammers can lend legitimacy to their emails. 
These schemes, when combined with cybercrime toolkits and open-source tools, often lead to BEC campaigns that are highly effective and successful for the scammers.<\/p>\n<p>In September 2022, Trend Micro researchers observed a new potential BEC campaign that was targeting large companies around the world, which we believe has been running since April 2022. By carefully selecting their target victims and leveraging open-source tools, the group behind this campaign stayed under the radar for quite some time.<\/p>\n<p>This attack leveraged an HTML file (containing obfuscated JavaScript) that was attached to an email. Based on our analysis, we determined this to be a targeted attack because of some of the features that were enabled in the JavaScript (JS) and in the PHP code deployed by the attackers on the server side.<\/p>\n<p>Like other typical BEC schemes, the initial stage always involves a spear phishing attack on an individual target. The threat actors behind this campaign used a malicious JavaScript attachment (detected by Trend Micro as Trojan.JS.DYBBUK.SMG) that redirects users to a fraudulent Microsoft phishing page. The screenshot below in Figure 1 shows an actual malicious spam email used in this attack.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"936eb3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-1.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-1.jpg\" alt=\"Figure 1. Email with an attachment containing a malicious JavaScript redirection\"> <\/a><figcaption>Figure 1. 
Email with an attachment containing a malicious JavaScript redirection<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>Once the email attachment is opened, the target\u2019s computer will reach out to the command-and-control (C&amp;C) server hosting a BadaxxBot toolkit that acts as a redirector to the final phishing page. The redirector C&amp;C server can also filter incoming traffic and redirect victims by checking the IP address and user-agent of their target. If the criteria do not match the target victim\u2019s, users are either redirected to a normal website (in this case a Google Search result for \u201ccovid\u201d) or shown a 404 page. However, this functionality can also be skipped by the threat actors, who can just redirect any visitors to the final phishing page.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a22b03\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-2.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-2.jpg\" alt=\"Figure 2. Water Dybbuk\u2019s communication to its phishing page\"> <\/a><figcaption>Figure 2. Water Dybbuk\u2019s communication to its phishing page<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The malware attachment is an HTML file that contains malicious obfuscated JavaScript code. The file includes a hardcoded email address of the target. This can be used in multiple ways, such as validating the target and pre-filling the email address in the login form of the phishing site. 
Details of how the attack works are explained in a separate section.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"9b650b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-3.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-3.jpg\" alt=\"Figure 3. Embedded JavaScript code with target\u2019s email address\"> <\/a><figcaption>Figure 3. Embedded JavaScript code with target\u2019s email address<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The final phishing page uses the open-source framework Evilginx2 to phish login credentials and session cookies. Microsoft\u2019s research team reported in July that this toolkit was used by a group that targeted more than 10,000 organizations in a BEC campaign. However, we didn\u2019t find any links between the Water Dybbuk group and the group in that earlier report. 
Both the BadaxxBot and Evilginx2 toolkits that were used by the threat actors in this campaign will be explained in more detail in the analysis section.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b44b14\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-4.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-4.jpg\" alt=\"Figure 4. Microsoft phishing page using the Evilginx2 toolkit\"> <\/a><figcaption>Figure 4. Microsoft phishing page using the Evilginx2 toolkit<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42\">\n<div readability=\"29\">\n<p>After a successful phishing attempt, the threat actors will log in to their target\u2019s email account, which will then be used for BEC schemes like CEO fraud, bogus invoice schemes, account compromise, etc.<\/p>\n<p><span class=\"body-subhead-title\">Technical Analysis<\/span><\/p>\n<p>We initially came across this attack in November 2022, primarily because of the very low detection counts for its malicious attachment, and second, because we had access to a machine that was a target of this campaign. Looking back at other similar malware samples that were shared with the public, the tactics, techniques, and procedures (TTPs) used in these attacks have been running under the radar since April 2022, based on the earliest shared malware sample.<\/p>\n<p>For several months, Water Dybbuk had been successful in its malicious spam campaign by evading AV detections because of its obfuscated JavaScript malware. 
We identified that the threat actors behind this campaign use an open-source JavaScript obfuscator tool hosted at https:\/\/obfuscator.io\/. Several options can also be enabled to prevent scripts from being debugged and make them tougher to reverse-engineer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"348331\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-5.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-5.jpg\" alt=\"Figure 5. The obfuscated JavaScript from Water Dybbuk\"> <\/a><figcaption>Figure 5. The obfuscated JavaScript from Water Dybbuk<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><span class=\"body-subhead-title\">How the attack works<\/span><\/p>\n<p>The HTML file attached to the malicious spam email contains obfuscated JavaScript code that runs once the file is opened in a browser. The execution flow of this malware is simple and straightforward. First, it checks whether additional information needs to be validated before the redirect phishing URL is returned to the target victim. The information to be validated includes the IP address and the browser\u2019s user-agent string, which are used for filtering on the server side. Earlier versions of this malware use https:\/\/api.ipify.org\/ to retrieve the IP address. 
If IP address checking is not enabled, it will continue requesting a redirect URL for the phishing page.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"49f4ee\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-6b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-6b.jpg\" alt=\"Figure 6. Manually deobfuscated code from Water Dybbuk\"> <\/a><figcaption>Figure 6. Manually deobfuscated code from Water Dybbuk<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The HTTP request for the redirect URL also includes the target\u2019s email address. This enables the phishing attempt to look legitimate since the email address is already provided in the login screen. If there are any errors or if IP validation did not pass the server-side criteria, a default URL redirection (typically to a non-malicious URL) is performed to prevent any suspicion.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c6ba25\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-7b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-7b.jpg\" alt=\"Figure 7. URL redirection to Google.com the \u201cCOVID\u201d search term \"> <\/a><figcaption>Figure 7. 
URL redirection to Google.com with the \u201cCOVID\u201d search term<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The webpage at the first redirect URL contains heavily obfuscated JavaScript produced with an obfuscator similar to the one used in the first stage. Embedded within the JavaScript code is another obfuscated webpage that is decoded and loaded in the browser.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c1990d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-8.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-8.jpg\" alt=\"Figure 8. The obfuscated second stage from Water Dybbuk\"> <\/a><figcaption>Figure 8. The obfuscated second stage from Water Dybbuk<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The decoded HTML page contains another redirection routine to the actual phishing page. The hardcoded URL of the final phishing page is clearly readable after deobfuscation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"1de074\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-9b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-9b.jpg\" alt=\"Figure 9. 
Deobfuscated version of the second stage. \"> <\/a><figcaption>Figure 9. Deobfuscated version of the second stage<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><span class=\"body-subhead-title\">Redirector C&amp;C: BadaxxBot<\/span><\/p>\n<p>On one of the C&amp;C servers used by Water Dybbuk to redirect victims, we noticed that the threat actors were using a compromised server belonging to a government site. The files for the phishing toolkit are still hosted on the compromised server, and one of the files hosted on the server revealed the name of the toolkit used in this campaign \u2014 BadaxxBot.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3331e3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-10.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-10.jpg\" alt=\"Figure 10. The readme text file of the phishing toolkit\"> <\/a><figcaption>Figure 10. The readme text file of the phishing toolkit<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49\">\n<div readability=\"43\">\n<p>The BadaxxBot toolkit is advertised in a Telegram channel by the user @baddaxbot, who is responsible for selling the malware. We observed that the same @baddaxbot user was also selling compromised accounts on another Telegram channel. 
As the tool can be bought and leveraged by other attack groups, it would not be surprising to see this malware used in other BEC campaigns. For example, it was also observed as part of a campaign targeting banks in the Philippines, based on configuration files shared on VirusTotal.<\/p>\n<p>The redirection ends on a C&amp;C server hosting an Evilginx2 phishing toolkit configured to phish credentials and session cookies from Microsoft Office 365 accounts.<\/p>\n<p>Evilginx2 is a man-in-the-middle attack framework used to intercept and manipulate web traffic. It is designed for use in phishing attacks and can be used to bypass two-factor authentication. It works by setting up a malicious web server that acts as a proxy between the victim and the legitimate website. The framework can be used to steal credentials and intercept the session cookies of commonly targeted platforms such as Microsoft Office 365, Microsoft Outlook, Facebook, and LinkedIn, among others.<\/p>\n<p>Evilginx2 and the obfuscator are open source, which, along with the off-the-shelf malware toolkit BadaxxBot, means that they can also be used by any other cybercrime group. This combination of tools and the choice of server on which to deploy the redirector C&amp;C makes Water Dybbuk unique and worth monitoring for security teams. Based on the indicators of compromise (IOCs) and TTPs we discovered, we can track the continuous progression of this BEC group and how they change some parameters to avoid detection.<\/p>\n<p><span class=\"body-subhead-title\">Targets<\/span><\/p>\n<p>From the malware samples we found, we extracted the target email addresses and found that their profile fits perfectly with the usual target victims of BEC schemes, which are the executives and the finance department of a company. 
While sifting through our data sources to try and determine the impact of these attacks, we found that the potential target companies had an average annual revenue of approximately US$3.6 billion, with the largest having a revenue of US$70 billion. This shows that while the targets might be spread across the world, the attackers took the time to ensure that the victims were well worth their payouts.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a69bca\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-11a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-11a.jpg\" alt=\"Figure 11. The revenue of the observed targets of this campaign \"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2ab798\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-11b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-11b.jpg\" alt=\"Figure 11. The revenue of the observed targets of this campaign \"> <\/a><figcaption>Figure 11. 
The revenue of the observed targets of this campaign <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>While the targets of this campaign were spread across the globe, the majority were located within the United States.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"f437bf\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-12a.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-12a.jpg\" alt=\"Figure 12. Target breakdown by country (top) and target breakdown by country excluding the US (bottom)\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"be553d\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-12b.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-12b.jpg\" alt=\"Figure 12. Target breakdown by country (top) and target breakdown by country excluding the US (bottom)\"> <\/a><figcaption>Figure 12. 
Target breakdown by country (top) and target breakdown by country excluding the US (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"c24947\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-13.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/water-dybbuk-13.jpg\" alt=\"Figure 13. Geographical locations of the targets\"> <\/a><figcaption>Figure 13. Geographical locations of the targets<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"50.420659858602\">\n<div readability=\"45.927729772192\">\n<p>We had access to a system that was a target of this attack, which provided us with a unique angle that is rarely available to researchers (unless they were also targets). This gave us some interesting insights into this scheme, which aided us in finding more infrastructure as well as new and historical campaigns from this threat actor.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Water Dybbuk is a BEC campaign that targets large companies using commodity malware support tools like BadaxxBot and Evilginx2. Even though the group uses phishing toolkits that are readily available, it still managed to avoid AV detections via open-source obfuscator tools. The email addresses of the targets are hard-coded into the malware, which adds legitimacy to the phishing attempt upon redirection and also reveals the targeted nature of this campaign. 
This indicates that the threat actors behind Water Dybbuk can filter specific victims by verifying their email addresses and IP addresses on the C&amp;C server.<\/p>\n<p>While BEC attempts involve social engineering to engage with victims and ultimately wire funds, it is important to note that phishing attempts are also typically used to gain access to email accounts that will then be used to scam victims who are contacts of the compromised account. Most of these attacks are not very technical and do not involve much work.<\/p>\n<p>The effort the attacker needs to put into this scam is low in comparison to other types of attacks that companies face. However, the potential profits are very high, so we expect that these types of attacks will continue to happen. In the 2021 IC3 report, BEC attacks were listed as the most costly form of cybercrime. Therefore, it is important for defenders to always check incoming email attachments for obfuscated JavaScript, and to monitor outbound network traffic for suspicious behavior. This can help prevent BEC campaigns such as this one and can even serve as a first line of defense before any human interaction occurs.<\/p>\n<p>A common way of falling victim to BEC scams is through phishing attacks. It is important for security and IT teams to continuously remind employees how to spot such emails. 
Constant phishing exercises using tools such as Phishing Insight that are conducted for employees can help minimize the effectiveness of these attacks, and turn what is traditionally the weakest link for this business model (the human element) into an organization\u2019s greatest defensive strength.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/iocs-what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-criminal-open-source-toolkits.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/what-socs-need-to-know-about-water-dybbuk.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50382,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9508,9509],"class_list":["post-50381","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-endpoints","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-02T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/water-dybbuk-641-cover.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source 
Toolkits\",\"datePublished\":\"2023-02-02T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\"},\"wordCount\":2052,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\",\"name\":\"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg\",\"datePublished\":\"2023-02-02T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber 
Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg\",\"width\":785,\"height\":754},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence 
Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/","og_locale":"en_US","og_type":"article","og_title":"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-02T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/water-dybbuk-641-cover.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits","datePublished":"2023-02-02T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/"},"wordCount":2052,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Endpoints","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/","url":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/","name":"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg","datePublished":"2023-02-02T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits.jpg","width":785,"height":754},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/what-socs-need-to-know-about-water-dybbuk-a-bec-actor-using-open-source-toolkits\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal 
\u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50381"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50381\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50382"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}