_OperationLayover | TA2541 in SNIP3 campaign

OperationLayover also called TA2541 is a group that uses SNIP3 loader to attack targets related to the transport, aviation, and travel sectors around the world. A group that first appeared in 2013. Using Malware-as-a-service and Cryper-as-a-service Malware campaign models to attack their opponents, using these models have orchestrated and constantly updated executions. The group is originate from Nigeria, as a large number of VPNs have been seen being used from this country to launch attacks. Their main motivation is information theft and espionage by performing various exfiltration methods.


This group carries out its attacks using rudimentary techniques without an excessive level, but quite effectively. An example of this is the use of the Snip3 campaign in which the entry point is usually a mail with a document attached and later it combined different scripts to launch different Remote Admin Tools (RATs) which will be injected into .NET related software, where after the information theft the information will be exfiltrated

Once the attack is carried out, the actor will seek to exfiltrate sensitive information from the attacked company in order to use it against them

Visor de PDF

Here are the slides from RootedCON where I presented everything I extracted from this group that was found in different incidents, as well as the malwares used during the whole campaign (Sry is in Spanish):

Visor de PDF