Harvester
APT Group
Information theft and espionage
44 zero-day CVEs
ETDA ✓
Also Known As
No alias recorded
Target Countries 10
Afghanistan
Bangladesh
Hong Kong
India
Sri Lanka
Pakistan
Somalia
Ukraine
United States
U.S. Virgin Islands
Sectors Targeted
Other Information Services - 519
Insurance Carriers and Related Activities - 524
Finance and Insurance - 52
National Security and International Affairs - 928110
Telecommunications - 517
Utilities - 22
Government
Public Administration - 92
National Security and International Affairs - 928
Computer Systems Design Services - 541512
Health Care and Social Assistance - 62
Telecommunications
Computer Systems Design and Related Services - 5415
Information - 51
IT
Details
Origin
Unknown
Last Updated
30 Dec 2025
MITRE ATT&CK 59
T1003 - OS Credential Dumping
T1005
T1016
T1020
T1021
T1027 - Obfuscated Files or Information
T1033
T1036 - Masquerading
T1039
T1041 - Exfiltration Over C2 Channel
T1053
T1056.001 - Keylogging
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.005 - Visual Basic
T1059.007 - JavaScript
T1068
T1071 - Application Layer Protocol
T1071.001
T1071.003 - Mail Protocols
T1074 - Data Staged
T1078
T1083 - File and Directory Discovery
T1090 - Proxy
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110 - Brute Force
T1110.001
T1115 - Clipboard Data
T1127 - Trusted Developer Utilities Proxy Execution
T1134 - Access Token Manipulation
T1135 - Network Share Discovery
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1199
T1213
T1218 - Signed Binary Proxy Execution
T1219 - Remote Access Software
T1486 - Data Encrypted for Impact
T1495 - Firmware Corruption
T1499.004
T1525 - Implant Internal Image
T1526 - Cloud Service Discovery
T1530 - Data from Cloud Storage Object
T1547 - Boot or Logon Autostart Execution
T1555 - Credentials from Password Stores
T1566 - Phishing
T1566.001
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration to Cloud Storage
T1570
T1585 - Establish Accounts
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1608.002 - Upload Tool
Related Zero-Days 44
CVE-2017-0199
CVE-2018-0802
CVE-2018-4878
CVE-2019-0708
CVE-2020-0796
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
CVE-2021-40444
CVE-2021-40539
CVE-2021-42321
CVE-2021-44228
CVE-2022-0609
CVE-2022-22965
CVE-2022-26134
CVE-2022-30190
CVE-2022-41040
CVE-2022-41082
CVE-2022-41128
CVE-2022-42475
CVE-2023-20198
CVE-2023-23397
CVE-2023-28252
CVE-2023-34048
CVE-2023-38831
CVE-2023-46805
CVE-2024-1086
CVE-2024-12356
CVE-2024-21887
CVE-2024-21893
CVE-2024-24919
CVE-2024-3400
CVE-2024-38193
CVE-2024-38657
CVE-2024-39717
CVE-2024-43047
CVE-2024-47575
CVE-2024-4947
CVE-2024-50302
CVE-2024-50623
CVE-2024-53104
CVE-2024-53197
CVE-2024-8190
CVE-2024-8963