Cloud Threat Landscape
Microsoft Smartscreen Vulnerability Exploited by Water Hydra

Type: Campaign
Actors: Water Hydra
Pub. date: February 13, 2024
Initial access: 1-day vulnerability, End-user compromise, 0-day vulnerability
Impact: Data exfiltration
Observed techniques: Phishing, Vulnerability exploitation
Observed tools: DarkMe
Targeted technologies: Windows SmartScreen
References: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
Status: Finalized
Last edited: Aug 6, 2024 3:56 PM

The Water Hydra group (also known as DarkCasino), whose activity was first detected in 2021, is known for cyberattacks targeting the financial industry worldwide, including banks, cryptocurrency platforms, and gambling sites. Initially conflated with the Evilnum APT group, Water Hydra was recognized as a distinct entity by November 2023 after a series of attacks, notably one that exploited a WinRAR vulnerability (CVE-2023-38831) to target stock traders.

CVE-2024-21412 allows attackers to bypass security protections in Windows through specially crafted .url files. According to researchers, Water Hydra has exploited CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect systems with malware known as DarkMe. The campaign involves spearphishing on various forums and stock-trading Telegram channels, using compromised websites to distribute malicious links. These links lead victims to download a .url file disguised as an image; when opened, the file bypasses SmartScreen due to CVE-2024-21412 and executes malicious code without the user's knowledge.

Last Updated: April 3, 2025