Security Arsenal is tracking an active campaign dubbed "Sniper Dz," targeting users across the Middle East and North Africa (MENA). According to intelligence disclosed by Group-IB, this threat actor is leveraging a sophisticated social engineering vector that impersonates politicians, public figures, and trusted organizations on Facebook.
The campaign utilizes high-urgency lures—promising free mobile internet packages, financial compensation, and government subsidy programs—to trick users into interaction. The technical delivery mechanism involves fraudulent browser alerts and likely credential harvesting interfaces. For defenders, the urgency is clear: this is not a theoretical threat but an active operation designed to bypass skepticism through trust abuse and regional incentive manipulation.
Technical Analysis
Threat Actor: Sniper Dz Target Geography: Middle East and North Africa (MENA) Primary Vector: Social Engineering via Facebook (Impersonation) and Malicious Browser Alerts.
The Attack Chain
- Initial Access (Social): The attackers create or compromise Facebook accounts mimicking trusted entities (government officials, telecom providers). This establishes a baseline of trust necessary to bypass user skepticism.
- The Lure: Posts promote "too good to be true" offers, specifically tailored to the region's socio-economic context (e.g., free data, subsidies).
- Execution (Browser Interaction): Users clicking these offers are redirected to malicious landing pages. The news summary indicates the use of "browser alerts." In this context, this typically refers to:
- Fake Tech Support/System Alerts: JavaScript-driven popups mimicking OS-level warnings to lock the user's attention.
- Push Notification Spam: Abuse of the browser notification API to persist on the endpoint.
- Shortcut Modification: A common technique in these scams involves modifying browser shortcut targets to force-load the phishing site upon every browser launch.
- Objective: Credential harvesting (Facebook/Email credentials) and financial fraud. While no specific CVE is exploited, the attack abuses user trust and browser UI features.
Exploitation Status
- Status: Confirmed Active Exploitation (Source: Group-IB via The Hacker News).
- CVE: None associated. This is a human-centric technical threat.
Detection & Response
The following detection logic focuses on the post-exploitation behaviors typical of these scams: browsers spawning shells (to download payloads or perform post-phishing actions) and the modification of browser shortcuts to force malicious redirections.
SIGMA Rules
---
title: Sniper Dz - Browser Spawning PowerShell
id: 8a4c2d91-1f3e-4b5c-9a6d-7e8f9a0b1c2d
status: experimental
description: Detects web browsers spawning PowerShell, a common behavior in phishing campaigns and credential theft to download follow-on payloads or steal tokens.
references:
- https://group-ib.com/
author: Security Arsenal
date: 2026/06/15
tags:
- attack.execution
- attack.t1059.001
- attack.initial_access
- attack.t1566.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
- '\brave.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate system administration via web portals
level: high
---
title: Sniper Dz - Browser Spawning Command Prompt
id: 9b5d3e02-2g4f-5c6d-0b7e-8f9a1b2c3d4e
status: experimental
description: Detects web browsers spawning cmd.exe, often used in scam campaigns to execute hidden scripts or modify system settings.
references:
- https://group-ib.com/
author: Security Arsenal
date: 2026/06/15
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
Image|endswith:
- '\cmd.exe'
condition: selection
falsepositives:
- Legitimate developer tools or web-based terminal emulators
level: medium
KQL (Microsoft Sentinel / Defender)
This hunt queries for process creation events where a browser process spawns a shell, indicating potential malicious script execution following a user interaction with a phishing link.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe')
| where FileName in ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for browser processes (Chrome/Edge) that are running with suspicious command-line arguments, such as specific URLs or data URIs, which are often indicative of "Browser Alert" scams forcing the user to a specific page.
-- Hunt for browser processes with suspicious command line arguments
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()\WHERE Name =~ '(chrome|msedge|firefox)'
AND CommandLine =~ '(http|https)'
AND CommandLine !~ '--type=' -- Filter out background helper processes
Remediation Script (PowerShell)
Many browser-based scams achieve persistence by modifying the Target path of browser shortcuts on the desktop or taskbar to include a URL argument that forces the user to the malicious site. This script audits and cleans standard browser shortcuts.
# Remediation Script: Clean Browser Shortcuts
# Run as Administrator
$ErrorActionPreference = "SilentlyContinue"
$Browsers = @("chrome.exe", "msedge.exe", "firefox.exe")
$UserDesktop = [Environment]::GetFolderPath("Desktop")
$PublicDesktop = [Environment]::GetFolderPath("CommonDesktopDirectory")
Write-Host "[*] Starting remediation of potentially malicious browser shortcuts..."
function Repair-Shortcut {
param ($Path)
$Shell = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut($Path)
# Check if shortcut targets a browser
$TargetName = Split-Path $Shortcut.TargetPath -Leaf
if ($TargetName -in $Browsers) {
# Check for arguments (URLs or scripts)
if ($Shortcut.Arguments -ne "") {
Write-Host "[!] Suspicious shortcut found: $Path"
Write-Host " - Target: $($Shortcut.TargetPath)"
Write-Host " - Current Arguments: $($Shortcut.Arguments)"
# Remediation: Clear arguments
$Shortcut.Arguments = ""
$Shortcut.Save()
Write-Host " [+] Action Taken: Arguments cleared."
}
}
}
# Scan User and Public Desktops
if (Test-Path $UserDesktop) { Get-ChildItem $UserDesktop -Filter "*.lnk" | ForEach-Object { Repair-Shortcut $_.FullName } }
if (Test-Path $PublicDesktop) { Get-ChildItem $PublicDesktop -Filter "*.lnk" | ForEach-Object { Repair-Shortcut $_.FullName } }
Write-Host "[*] Remediation complete."
Remediation
- User Awareness & Reporting: Immediately alert your user base—specifically those in MENA regions—about this campaign. Advise them to verify Facebook profiles by checking for verified badges (where applicable) and cross-referencing official government sources before engaging with "subsidy" offers.
- Browser Shortcut Audit: Deploy the PowerShell script above across endpoints via your RMM or SCCM to remove persistence mechanisms established by the "Browser Alert" component of the scam.
- Social Media Hygiene: Enforce the principle of least privilege on social media accounts used for business. Enable Login Alerts and Two-Factor Authentication (2FA) to prevent account takeovers that could be used to propagate these scams internally.
- Web Filtering: If IOCs (Indicators of Compromise) for the phishing domains become available from your threat intelligence provider (e.g., Group-IB), block them immediately at the proxy/DNS level.
- Endpoint Detection: Ensure EDR policies are tuned to flag "Browser spawning Shell" events as high priority, as this is the technical pivot point from social engineering to system compromise.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.