cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Proofpoint ID's 'Balikbayan Foxes', a new cyber criminal threat actor

Proofpoint threat researchers have identified a new, highly active cyber criminal threat actor TA2722, and have colloquially named the cyber threat group as the 'Balikbayan Foxes'.

user icon Nastasha Tupas
Fri, 29 Oct 2021
Proofpoint ID's 'Balikbayan Foxes', a new cyber criminal threat actor
expand image

The cyber criminal group impersonates Philippine health, labour and customs organisations as well as other entities based in the Philippines. A series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration (POEA) and the Bureau of Customs.

Other related campaigns masqueraded as the Manila embassy for the Kingdom of Saudi Arabia (KSA) and DHL Philippines. The messages were intended for a variety of industries in North America, Europe and Southeast Asia, with the top sectors including shipping, logistics, manufacturing, business services, pharmaceutical, energy and finance.

Proofpoint has assessed this actor is targeting organisations directly or indirectly engaged with the Philippine government based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities.


For example, the shipping, transportation and logistics companies would frequently engage with customs officials at ports of call. Additionally, the manufacturing and energy companies support and maintain large supply chain operations, likely requiring correspondence with both labour and customs organisations.

All the campaigns distributed either Remcos or NanoCore remote access trojans. Remcos and NanoCore are typically used for information gathering, data theft operations, monitoring and control of compromised computers. While the malware’s associated infrastructure changed over time, the sender emails were reused for a long period of time.

In 2020, the Philippine government entities issued multiple alerts warning users of the activity related to lures using themes such as COVID-19 infection information in the Philippines and the POEA labour information.

[Related: Cyber attack shuts down Iranian petrol stations, threat actors unknown]

Nastasha Tupas

Nastasha Tupas

Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.