African Financial Institutions Targeted: “CL-CRI-1014” IAB Uses Open-Source Tools & Forged Signatures for Covert Access
For nearly a year, a hacker collective has been orchestrating a large-scale campaign targeting the financial sector across Africa. Experts from Unit 42 at Palo Alto Networks have sounded the alarm, tracking this operation under the designation CL-CRI-1014. According to the company, the abbreviation denotes a “criminally motivated cluster,” highlighting the attackers’ clear commercial intent.
The primary objective of the threat actors is to gain initial access to organizational infrastructure, which they subsequently resell to other criminal groups via underground forums. In this capacity, the group operates as a typical initial access broker—posing a significant threat to institutions that store vast amounts of financial and personal data.
To execute their intrusions, the hackers employ a well-established arsenal that is often indistinguishable from legitimate software. Their toolkit includes PoshC2 for command-and-control operations, Chisel for traffic tunneling and evading network restrictions, and Classroom Spy for remote monitoring of compromised systems.
Particular attention has been drawn to the group’s methods of obfuscation. They forge the digital signatures on their files to imitate those of well-known, legitimate applications; this camouflages the malicious code and complicates detection for any control that trusts a signer’s name without validating the certificate chain. Additionally, they adopt the icons of widely used software such as Microsoft Teams, Palo Alto Cortex, and Broadcom VMware Tools, allowing the malware to blend in visually with benign programs.
Once inside the network, the attackers establish persistence through three distinct mechanisms: creating a system service, placing a malicious shortcut in the Windows startup folder, and adding a scheduled task labeled “Palo Alto Cortex Services.” This ensures the continued presence of the malware, even after system reboots.
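The two paragraphs above describe the detection problem in a nutshell: persistence entries that borrow a trusted vendor’s name and icon but are not actually backed by that vendor’s valid signature. The following script is an added example (not Unit 42’s tooling or anything from the report) that runs that check over a constructed inventory of services, startup shortcuts and scheduled tasks, of the kind an EDR export or a `Get-ScheduledTask`/`Get-Service` dump would produce; the vendor keywords, expected signer names and file paths are assumptions chosen for illustration.

```python
# Vendors the campaign impersonates (names from the report) mapped to the
# signer subject we expect on their binaries. Assumed values for illustration.
VENDOR_SIGNERS = {
    "palo alto": "Palo Alto Networks",
    "cortex": "Palo Alto Networks",
    "teams": "Microsoft Corporation",
    "vmware": "VMware, Inc.",  # Broadcom-era signer may differ; assumption
}

# Constructed sample inventory. 'signature' holds the result an Authenticode
# verification would return (valid / invalid / unsigned); paths are made up.
SAMPLE_INVENTORY = [
    {"kind": "task", "name": "Palo Alto Cortex Services",
     "path": r"C:\Users\Public\cortex.exe", "signer": "Palo Alto Networks",
     "signature": "invalid"},
    {"kind": "service", "name": "Cortex XDR Agent",
     "path": r"C:\Program Files\Palo Alto Networks\agent.exe",
     "signer": "Palo Alto Networks", "signature": "valid"},
    {"kind": "startup", "name": "Teams.lnk",
     "path": r"C:\Users\bob\AppData\Roaming\Teams\update.exe",
     "signer": "Contoso Ltd", "signature": "valid"},
    {"kind": "task", "name": "Backup Nightly",
     "path": r"C:\Tools\backup.exe", "signer": None, "signature": "unsigned"},
]


def claimed_vendor(name):
    """Return the signer an entry's name implies, or None if no vendor is claimed."""
    lowered = name.lower()
    for keyword, signer in VENDOR_SIGNERS.items():
        if keyword in lowered:
            return signer
    return None


def find_impersonation(inventory):
    """Return (name, reason) for entries whose vendor branding is not backed
    by a valid signature from that vendor. Unbranded entries are ignored."""
    findings = []
    for entry in inventory:
        expected = claimed_vendor(entry["name"])
        if expected is None:
            continue  # No vendor claim, so nothing to contradict here.
        if entry["signature"] != "valid":
            findings.append((entry["name"], f"signature {entry['signature']}"))
        elif entry["signer"] != expected:
            findings.append((entry["name"],
                             f"signed by {entry['signer']}, expected {expected}"))
    return findings
```

Calling `find_impersonation(SAMPLE_INVENTORY)` flags the “Palo Alto Cortex Services” task (invalid signature) and the Teams shortcut (valid but from the wrong signer), while the genuinely signed agent and the unbranded backup task pass.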
In several cases, user credentials were exfiltrated and leveraged to deploy proxy servers, effectively concealing communication between infected endpoints and command-and-control infrastructure. Some variants of PoshC2, researchers report, were specifically tailored to the targeted environments.
Notably, attacks involving PoshC2 have previously been observed within Africa’s financial landscape. In September 2022, Check Point detailed the DangerousSavanna campaign, which relied on spear-phishing to distribute Metasploit, PoshC2, DWservice, and AsyncRAT. The victims included banks and insurance firms in Côte d’Ivoire, Morocco, Cameroon, Senegal, and Togo.
Such incidents starkly illustrate how the boundaries between legitimate software and criminal misuse can blur in the face of sophisticated threats. When attackers appropriate familiar tools, replicate authentic signatures, and disguise malware with commonplace icons, conventional defenses often prove insufficient.
For organizations, this underscores a fundamental truth: security cannot rely solely on superficial indicators or formal credentials. Genuine protection demands relentless vigilance, in-depth inspection, and an unwavering readiness to confront threats that may be hidden behind the most familiar user interface—especially in critical sectors like finance, where the cost of a misstep transcends money and touches trust itself.