Cybersecurity researchers from Palo Alto Networks’ Unit 42 have uncovered an extensive and methodical attack campaign targeting financial institutions across Africa, attributing the activity to a threat cluster tracked as CL-CRI-1014. This actor, believed to operate as an Initial Access Broker (IAB), specializes in breaching networks and selling access on dark web markets to the highest bidder.
“We assess that the threat actor may be gaining initial access to these financial institutions and then selling it to others on the dark web,” the report states.
The CL-CRI-1014 campaign makes extensive use of open-source and publicly available tools, repurposing legitimate software for malicious goals. The attacker’s toolkit includes:
- PoshC2 – an open-source post-exploitation framework
- Chisel – a tunneling tool for evading firewalls
- Classroom Spy – a legitimate monitoring app retooled for cyberespionage
“The threat actor copied signatures from legitimate applications to forge file signatures, to disguise their tool set and mask their malicious activities,” the report warns.
By mimicking software from Microsoft, Cortex, and VMware—including their file icons and signatures—the attackers were able to blend into enterprise environments with ease.

In earlier attacks, CL-CRI-1014 relied on MeshAgent, but recent incidents show a shift toward Classroom Spy, a remote monitoring utility designed for schools. This pivot allows the attacker to silently deploy powerful surveillance capabilities in infected banking environments.
“Recent attacks by this threat actor have shown a slight shift in tooling, replacing MeshAgent with a remote administration tool named Classroom Spy,” the report states.
Once installed via PowerShell scripts, the tool grants attackers full visibility and control over the compromised machines, including screen monitoring, keystroke logging, camera access, and file transfer—under the guise of educational software.
PoshC2 is central to CL-CRI-1014’s operation. This PowerShell- and C#-based framework facilitates payload execution, lateral movement, and stealthy communication with command-and-control (C2) infrastructure.
The group employed clever anti-analysis mechanisms, such as a custom Nim-based packer that only activates payloads on Active Directory-joined machines—a clear effort to avoid detection in sandbox environments.
“The packer… does not execute the PoshC2 implant unless the host machine is part of an Active Directory domain.”
They also established persistence via scheduled tasks disguised as “Palo Alto Cortex Services,” and created services or startup links to re-execute implants after reboot.
To evade firewalls and move data covertly, the attackers used Chisel—a tunneling tool that converts the infected machine into a SOCKS proxy. This allowed them to exfiltrate data and establish covert access paths while hiding behind internal IPs and stolen credentials.
“Chisel’s client connects to an attacker-operated Chisel server… forwarding network communication from the server to other remote machines.”
Beyond tools and tactics, CL-CRI-1014’s sophistication lies in stealth and deception. The attackers:
- Masked their malware with forged digital signatures
- Renamed binaries to match enterprise tools (e.g., vmtoolsd.exe)
- Used hard-coded usernames, passwords, and IPs tailored to each target
“The threat actor used this method for most of the tools they deployed… attempting to impersonate a legitimate organization.”
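The impersonation patterns described above (binaries renamed to look like enterprise tools and carrying copied signatures, persistence items named after "Palo Alto Cortex Services", and a tunnelling client holding outbound connections) all leave a footprint that a defender can check for. The following PowerShell triage script is an added example written for this article; it is not code from the Unit 42 report or from any of the tools it names. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks and NetTCPIP modules, and the expected-signer strings, the watched name fragments and the search roots are assumptions chosen for illustration. A copied Authenticode signature does not verify against the renamed file, so `Get-AuthenticodeSignature` reports `HashMismatch` rather than `Valid`, which is the central check here.

```powershell
# Added defensive triage example (not from the Unit 42 report). Three checks:
#  1. executables named like enterprise tools whose signature fails or whose
#     signer is not the expected vendor,
#  2. scheduled tasks and services whose names mention Cortex / Palo Alto but
#     whose image is unsigned or signed by someone else,
#  3. established non-private outbound connections owned by unsigned processes.
# All name fragments and signer substrings below are illustrative assumptions.

$ExpectedSigner = @{
    'vmtoolsd'  = 'VMware'              # assumed substring of the legitimate signer subject
    'vmware'    = 'VMware'
    'cortex'    = 'Palo Alto Networks'
    'microsoft' = 'Microsoft'
}

# Returns 'ok', 'missing', 'invalid:<Status>' or 'wrong-signer:<Subject>'.
function Test-BinarySigner {
    param([string]$Path, [string]$ExpectedSubstring)
    if (-not (Test-Path -LiteralPath $Path)) {
        $resolved = (Get-Command $Path -ErrorAction SilentlyContinue).Source
        if (-not $resolved) { return 'missing' }
        $Path = $resolved
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "invalid:$($sig.Status)" }
    if ($ExpectedSubstring -and $sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSubstring)) {
        return "wrong-signer:$($sig.SignerCertificate.Subject)"
    }
    return 'ok'
}

# Strip quotes and arguments from a service/task command line to get the image path.
function Get-ImagePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Find-ImpersonatingBinaries {
    param([string[]]$Roots = @($env:ProgramData, $env:TEMP, $env:PUBLIC, $env:ProgramFiles))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.Name.ToLower()
            $key = $ExpectedSigner.Keys | Where-Object { $name -like "*$_*" } | Select-Object -First 1
            if ($key) {
                $verdict = Test-BinarySigner -Path $_.FullName -ExpectedSubstring $ExpectedSigner[$key]
                if ($verdict -ne 'ok') { [pscustomobject]@{ Check = 'binary'; Item = $_.FullName; Verdict = $verdict } }
            }
        }
    }
}

function Find-SuspiciousPersistence {
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -match 'cortex|palo alto' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $a.Execute))
            $verdict = Test-BinarySigner -Path $exe -ExpectedSubstring 'Palo Alto Networks'
            if ($verdict -ne 'ok') { [pscustomobject]@{ Check = 'task'; Item = "$($_.TaskPath)$($_.TaskName) -> $exe"; Verdict = $verdict } }
        }
    }
    Get-CimInstance Win32_Service | Where-Object { "$($_.Name) $($_.DisplayName)" -match 'cortex|palo alto' } | ForEach-Object {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $_.PathName))
        $verdict = Test-BinarySigner -Path $exe -ExpectedSubstring 'Palo Alto Networks'
        if ($verdict -ne 'ok') { [pscustomobject]@{ Check = 'service'; Item = "$($_.Name) -> $exe"; Verdict = $verdict } }
    }
}

function Find-UnsignedOutboundOwners {
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($p -and $p.Path) {
                $verdict = Test-BinarySigner -Path $p.Path
                if ($verdict -ne 'ok') {
                    [pscustomobject]@{ Check = 'network'; Item = "$($p.ProcessName)[$($p.Id)] -> $($_.RemoteAddress):$($_.RemotePort)"; Verdict = $verdict }
                }
            }
        }
}

$findings = @(Find-ImpersonatingBinaries) + @(Find-SuspiciousPersistence) + @(Find-UnsignedOutboundOwners)
$findings | Format-Table -AutoSize
```

Run it in an elevated session so that every process path and service image is readable. A verdict of `invalid:HashMismatch` on a file named like a vendor binary is the strongest signal, since it is exactly what a signature copied from another executable produces; `missing` on a task action means the image could not be found on disk or on the path and deserves a manual look. The network check deliberately skips private ranges to keep output short, so a tunnel pivoting through an internal host would need the filter relaxed.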