The Slingshot APT is a sophisticated cyber-espionage platform that was identified in an incident involving a suspected keylogger. The platform is capable of interacting with a virtual file system, which is a sign of advanced APT actors. The initial loader replaces the victim's legitimate Windows library 'scesrv.dll' with a malicious one of exactly the same size. The Slingshot loader interacts with several other modules, including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others. The infection vector for Slingshot remains unknown for most victims, but the attackers were able to get access to Mikrotik routers and place a component downloaded by Winbox Loader, a management suite for Mikrotik routers, which infected the administrator of the router. The cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018). The paper observed almost one hundred Slingshot victims in the following countries: Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates.
