Malicious Autodesk plugin at root of cyber-espionage campaign

Hackers-for-hire appear to be making a buck in real estate sector cyber-espionage via Autodesk.

A company involved in billion-dollar real estate deals in New York, London, Australia, and Oman has recently become the target of a cyber-espionage campaign from a set of well-resourced hackers, according to new Bitdefender research published Wednesday.

The hackers waged the campaign against the target, an international architectural and video production entity, in a likely effort to collect financial information or negotiation details of competing contracts for a customer, Bitdefender assessed. They infiltrated the victim firm by imitating a plugin for a popular 3D computer graphics software package, Autodesk 3ds Max, and then deploying a malicious file against the target.

The perpetrators are likely hackers-for-hire who split their time between running nation-state cyber-operations and conducting corporate espionage on behalf of private sector entities, according to Bitdefender’s analysis. Which foreign government Bitdefender suspects employs the hackers wasn’t immediately clear, but Russia, China, Iran, and North Korea alike frequently rely on contractor talent or front companies to run their cyber-operations, according to the FBI and security researchers.

“The commoditization of [nation-state] APT-level hackers-for-hire could potentially entice rival luxury real estate investors involved in multi-billion-dollar contracts to seek these services to spy on their competition by infiltrating their contractors,” the researchers, who don’t identify the hackers’ suspected clientele, write in a blog on the research. “Industrial espionage is nothing new and, since the real estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects and could justify turning to mercenary APT groups for gaining a negotiation advantage.”

Some clues about the hackers’ identities may be found in their infrastructure, according to Bitdefender — the command-and-control infrastructure for the campaign is located in South Korea, according to the researchers’ findings.

The hack

After the attackers deploy their malicious file against their target, they download another script, which is capable of collecting information, including computer name and username. The attackers can also download another malicious file that can capture screenshots, passwords, and browsing history, Bitdefender researchers found. The campaign also attempts to conceal its tracks in several ways, including by modifying file creation timestamps, the researchers said.
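The paragraph above notes that the campaign tampers with file creation timestamps to hide when its files arrived. The following is an added example, not code from the article or from Bitdefender, showing how a defender can apply three common forensic heuristics for timestamp tampering to file metadata: a creation time with zero sub-second precision while the modification time has one, a creation time earlier than the directory that contains the file, and a creation time in the future relative to the collection time. The file paths, directory and timestamps are constructed for illustration and do not come from the campaign.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class FileMeta:
    """Constructed metadata record for one file (not real campaign data)."""
    path: str
    created: datetime         # filesystem creation (birth) time
    modified: datetime        # last-modification time
    parent_created: datetime  # creation time of the containing directory


def timestamp_anomalies(meta: FileMeta, now: datetime) -> list:
    """Return human-readable reasons why this file's timestamps look tampered with."""
    reasons = []
    # Many timestamp-rewriting tools write whole seconds, leaving a zero
    # sub-second field that an ordinary write would not produce.
    if meta.created.microsecond == 0 and meta.modified.microsecond != 0:
        reasons.append("creation time has zero sub-second precision but modification time does not")
    # A file cannot be created before the directory it lives in existed.
    if meta.created < meta.parent_created:
        reasons.append("creation time predates the parent directory")
    # A creation time after the collection time is never legitimate.
    if meta.created > now:
        reasons.append("creation time is in the future")
    return reasons


def scan(files: list, now: datetime) -> dict:
    """Map each suspicious path to its list of anomaly reasons; clean files are omitted."""
    findings = {}
    for meta in files:
        reasons = timestamp_anomalies(meta, now)
        if reasons:
            findings[meta.path] = reasons
    return findings


UTC = timezone.utc
# Constructed sample: a plugin directory created in 2019 and three files in it.
PLUGIN_DIR_CREATED = datetime(2019, 1, 1, 8, 0, 0, tzinfo=UTC)
COLLECTION_TIME = datetime(2020, 8, 26, 12, 0, 0, tzinfo=UTC)

SAMPLE_FILES = [
    # Ordinary file: consistent timestamps, sub-second precision present.
    FileMeta("plugins/legit_plugin.ms",
             datetime(2020, 6, 1, 10, 15, 23, 123456, tzinfo=UTC),
             datetime(2020, 6, 1, 10, 15, 23, 123456, tzinfo=UTC),
             PLUGIN_DIR_CREATED),
    # Backdated file: whole-second creation time, earlier than the directory itself.
    FileMeta("plugins/suspicious_plugin.ms",
             datetime(2016, 3, 4, 0, 0, 0, 0, tzinfo=UTC),
             datetime(2020, 8, 20, 9, 0, 0, 500000, tzinfo=UTC),
             PLUGIN_DIR_CREATED),
    # Clumsy tampering: creation time set after the collection time.
    FileMeta("plugins/future_file.ms",
             datetime(2031, 1, 1, 0, 0, 0, 777000, tzinfo=UTC),
             datetime(2020, 8, 20, 9, 0, 0, 500000, tzinfo=UTC),
             PLUGIN_DIR_CREATED),
]


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES, COLLECTION_TIME).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On a live system the `FileMeta` records would be filled from the filesystem (for example `os.stat` results on Windows expose `st_ctime` as the creation time), and the heuristics are signals for triage rather than proof: copying a file or restoring it from backup can also produce odd creation times, so a flagged file should be checked against the other evidence the article mentions, such as unexpected downloads and data-collection scripts.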

It was unclear if the attackers successfully stole any information.

Autodesk previously issued a warning about the exploit, which could run malicious code against targets, and the company has already provided instructions about how to remove the malware.

Bitdefender did not reveal the name of the victim company targeted in this recent activity, but it’s likely not the only one. The hackers have likely used this attack vector against other targets, according to Bitdefender’s telemetry, including entities in the U.S., South Korea, Japan, and South Africa.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.