Tag: lateral movement

78 Attack Reports | 0 Vulnerabilities

Attack reports

Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack

A ClickFix social engineering attack on an unmonitored endpoint led to a multi-stage intrusion affecting over 11 hosts. The infection chain began with a malicious HTA payload that silently installed an MSI package containing Potemkin, a custom loader with a deterministic DGA. Potemkin delivered RMM…
credential theft
lateral movement
dga
clickfix
chisel
etherrat
blockchain c2
2026-06-16
hidden desktop
potemkin
rmmproject
Published: June 16, 2026
Downloadable IOCs: 14

Targets Education Sector with Oracle PeopleSoft Exploit

Between May 27 and June 9, 2026, UNC6240 (ShinyHunters) conducted an active compromise and extortion campaign targeting Oracle PeopleSoft application infrastructure. The threat actor exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management co…
lateral movement
meshcentral
higher education
shinyhunters
zero-day exploitation
data extortion
2026-06-11
CVE-2026-35273
oracle peoplesoft
unc6240
Published: June 11, 2026
Linked vulnerabilities : CVE-2026-35273 (CVSS 9.8)
Downloadable IOCs: 7

Ransomware Analysis: Go Binary and Fast Encryption

The Gentlemen is a Ransomware-as-a-Service operation, tracked as Storm-2697, that emerged in mid-2025 after splitting from Qilin ransomware following a payment dispute. Operating as a highly structured syndicate with at least 9 core operators, the group has compromised over 1,570 organizations acro…
cobalt strike
anydesk
lateral movement
ransomware-as-a-service
systembc
double extortion
CVE-2024-55591
2026-06-10
breachforums partnership
gentlemen
go binary
larva-368
storm-2697
xchacha20 encryption
Published: June 10, 2026
Linked vulnerabilities : CVE-2024-55591 (CVSS 9.8)
Downloadable IOCs: 2

Multi-Stage Malware Execution Chain Analysis

A sophisticated multi-stage malware execution chain was discovered during proactive threat hunting activities using endpoint telemetry and dynamic analysis. The attack sequence demonstrates advanced techniques including script masquerading, defense evasion mechanisms, staged payload extraction, and…
lateral movement
data exfiltration
c2 communication
multi-stage attack
defense evasion
2026-04-29
payload extraction
script masquerading
Published: April 29, 2026
Downloadable IOCs: 5

VECT: Ransomware by design, Wiper by accident

Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves o…
lateral movement
wiper
chacha20
esxi
raas
multi-platform
teampcp
2026-04-28
encryption flaw
vect
Published: April 28, 2026
Downloadable IOCs: 7

The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. Durin…
cobalt strike
anydesk
ransomware-as-a-service
mimikatz
systembc
lateral-movement
psexec
cobalt-strike
the gentlemen
2026-04-20
domain-compromise
esxi-encryption
group-policy-deployment
Published: April 20, 2026
Downloadable IOCs: 27

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command…
credential harvesting
lateral movement
edr
coolclient
mgbot
process injection
toneshell
command-and-control
vbcloud
vbshower
adaptixc2
powershower
cloudatlas
2026-04-17
network detection
post-exploitation framework
Published: April 17, 2026
Downloadable IOCs: 0

An Overview of The Gentlemen's TTPs

This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense…
exploit
ransomware
credential-theft
medusa
CVE-2024-37085
qilin
CVE-2023-27532
data-exfiltration
lateral-movement
babuk
vasa locker
babyk
raas
CVE-2024-55591
CVE-2025-32463
fortios
lockbit 5.0
defense-evasion
the gentlemen
2026-03-20
Published: March 20, 2026
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-55591 (CVSS 9.8), CVE-2023-27532, CVE-2025-32463 (CVSS 9.3)
Downloadable IOCs: 4

Beast Ransomware Toolkit: A Proactive Threat Intelligence Report

This analysis delves into the Beast ransomware, a Ransomware-as-a-Service (RaaS) that emerged in June 2024 as a successor to Monster ransomware. The investigation focuses on a Beast ransomware server detected in March 2026, revealing the operators' toolkit and attack methodology. The toolkit includ…
ransomware
exfiltration
encryption
reconnaissance
lateral-movement
raas
monster
2026-03-20
beast
toolkit
Published: March 20, 2026
Downloadable IOCs: 7

Casting a Wider Net: Scaling Threat

LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation pla…
social engineering
ransomware
side-loading
lateral movement
in-memory execution
clickfix
psexec
s3 bucket
deno
2026-03-18
Published: March 18, 2026
Downloadable IOCs: 5

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, an…
ransomware
lockbit
lateral movement
cloudflare
byovd
sharepoint
tunneling
tightvnc
velociraptor
2026-03-16
yuze
Published: March 16, 2026
Downloadable IOCs: 10

Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise

SentinelOne's DFIR team has responded to multiple incidents involving compromised FortiGate NGFW appliances used to establish footholds in targeted environments. Attackers exploited vulnerabilities or weak credentials to access FortiGate devices, extract configuration files containing service accou…
credential theft
lateral movement
fortigate
rmm tools
CVE-2025-59718
CVE-2025-59719
CVE-2026-24858
2026-03-11
ngfw
Published: March 11, 2026
Linked vulnerabilities : CVE-2025-59718 (CVSS 9.8), CVE-2025-59719 (CVSS 9.8), CVE-2026-24858 (CVSS 9.8)
Downloadable IOCs: 2

Fake Tech Support Delivers Havoc Command & Control

A sophisticated cyber attack campaign combines social engineering and advanced malware techniques. Attackers pose as IT support to gain initial access, then deploy a modified version of the Havoc C2 framework. The malware uses DLL sideloading, indirect syscalls, and custom loaders to evade detectio…
social engineering
dll sideloading
lateral movement
havoc
evasion techniques
havoc demon
remote monitoring tools
havoc c2
2026-03-05
syscalls
Published: March 5, 2026
Downloadable IOCs: 11

Signed malware impersonating workplace apps deploys RMM backdoors

Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like Scre…
screenconnect
phishing
rmm
persistence
lateral movement
mesh agent
digital signatures
2026-03-04
tactical rmm
workplace impersonation
Published: March 4, 2026
Downloadable IOCs: 20

Nefilim Ransomware

Nefilim ransomware emerged in March 2020, evolving from Nemty's code. It targets vulnerabilities in Citrix gateway devices and uses exposed Remote Desktop Protocol for initial access. The malware exfiltrates sensitive data before encryption and threatens to publish it if ransom isn't paid. Nefilim …
ransomware
encryption
credential theft
lateral movement
rdp
data exfiltration
CVE-2019-19781
nefilim
2026-02-24
aes-128
citrix
CVE-2019-11634
nemty
netwalker
Published: February 24, 2026
Downloadable IOCs: 14

Apache ActiveMQ Exploit Leads to LockBit Ransomware

A threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server, gaining initial access and later returning after being evicted. The attacker used Metasploit for post-exploitation activities, including privilege escalation, credential access, and lateral movement. Upon regaining access…
ransomware
lockbit
credential theft
lateral movement
rdp
metasploit
CVE-2023-46604
apache activemq
2026-02-23
Published: February 23, 2026
Downloadable IOCs: 3

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account cr…
data theft
lateral movement
webshell
sparkrat
remote code execution
vshell
CVE-2026-1731
2026-02-20
beyondtrust
Published: February 20, 2026
Linked vulnerabilities : CVE-2026-1731 (CVSS 9.9)
Downloadable IOCs: 14

Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

UNC6201, a suspected PRC-nexus threat group, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. The group uses this flaw for lateral movement, persistent access, and deployment of malware including SLAYSTYLE, BRICKSTORM, and a new…
zero-day
persistence
lateral movement
brickstorm
c2
vmware
CVE-2026-22769
2026-02-18
dell recoverpoint
grimbolt
slaystyle
Published: February 18, 2026
Linked vulnerabilities : CVE-2026-22769 (CVSS 10.0)
Downloadable IOCs: 9

AI-assisted cloud intrusion achieves admin access in 8 minutes

An AWS environment was targeted in a sophisticated attack, with the threat actor gaining administrative privileges in under 10 minutes. The operation showed signs of leveraging large language models for automation and decision-making. Initial access was obtained through credentials found in public …
lateral movement
cloud security
privilege escalation
aws
2026-02-04
ai-assisted attack
gpu abuse
lambda injection
llmjacking
Published: February 4, 2026
Downloadable IOCs: 4

Interlock Ransomware: New Techniques, Same Old Tricks

The Interlock ransomware group continues to target organizations worldwide, particularly in the UK and US education sector. Unlike other ransomware groups, Interlock operates independently, developing and using their own malware. This article details a recent intrusion, highlighting the group's abi…
ransomware
zero-day
persistence
lateral movement
data exfiltration
2026-01-30
education sector
hotta killer
interlockrat
mintloader
nodesnakerat
Published: January 30, 2026
Linked vulnerabilities : CVE-2025-61155
Downloadable IOCs: 8

Targets critical infrastructure sectors in North America

UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesti…
apt
zero-day
credential harvesting
lateral movement
earthworm
impacket
sharphound
rubeus
critical infrastructure
china-nexus
active directory
CVE-2025-53690
dwagent
2026-01-16
certipy
goexec
gotokentheft
Published: January 16, 2026
Linked vulnerabilities : CVE-2025-53690
Downloadable IOCs: 29

How NTLM is being abused in 2025 cyberattacks

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451…
apt
windows
credential theft
lateral movement
exploits
CVE-2023-38831
authentication
phantomcore
remcos rat
CVE-2024-43451
ntlm
vulnerabilities
CVE-2025-24054
CVE-2025-24071
CVE-2025-33073
2025-11-26
warzone
avemaria
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-43451 (CVSS 6.5), CVE-2025-24054 (CVSS 6.5), CVE-2025-24071 (CVSS 7.5), CVE-2023-38831, CVE-2025-33073 (CVSS 8.8)
Downloadable IOCs: 3

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL,…
espionage
phishing
defense
lateral movement
privilege escalation
aerospace
custom malware
minibike
2025-11-18
dcsyncer.slick
third-party compromise
sightgrab
trusttrap
lightrail
deeproot
crashpad
twostroke
pollblend
ghostline
Published: November 18, 2025
Downloadable IOCs: 16

Cat's Got Your Files: Lynx Ransomware

A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed An…
ransomware
lateral movement
rdp
backup deletion
data exfiltration
lynx ransomware
credential abuse
2025-11-17
network reconnaissance
Published: November 17, 2025
Downloadable IOCs: 7

Gootloader Returns: What Goodies Did They Bring?

Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses…
obfuscation
ransomware
seo poisoning
blackcat
alphv
javascript
gootloader
lateral movement
noberus
rhysida
2025-11-06
vanilla tempest
quantum locker
wordpress exploitation
zeppelin
supper socks5 backdoor
Published: November 6, 2025
Downloadable IOCs: 136

Evasion and Persistence via Hidden Hyper-V Virtual Machines

This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. The attackers exploited Hyper-V virtualization on compromised Windows 10 machines to create hidden remote operating environments. They deployed a m…
evasion
powershell
persistence
lateral movement
proxy
reverse shell
virtualization
2025-11-05
hyper-v
kerberos
alpine linux
curlcat
curlyshell
Published: November 5, 2025
Downloadable IOCs: 4

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence …
cobalt strike
javascript
latrodectus
data-exfiltration
lateral-movement
brute ratel c4
backconnect
credential-harvesting
cobalt-strike
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 0

Warlock operation joins busy ransomware landscape

GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM ope…
ransomware
credential theft
lateral movement
CVE-2024-51324
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
warlock
dedicated leak site
2025-09-17
edr bypass
sharepoint exploitation
warlock group
Published: September 17, 2025
Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

The Gentlemen ransomware group has emerged as a sophisticated threat actor targeting multiple industries across 17 countries, with a focus on the Asia-Pacific region. Their campaign demonstrates advanced capabilities, including the use of custom tools to bypass enterprise endpoint protections, expl…
ransomware
lateral movement
data exfiltration
defense evasion
custom tools
driver abuse
2025-09-09
the gentlemen ransomware
group policy manipulation
enterprise targeting
Published: September 9, 2025
Downloadable IOCs: 0

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various too…
ransomware
lateral movement
data exfiltration
sectoprat
systembc
grixba
2025-09-08
multi-group affiliation
betruger
multi-group operation
Published: September 8, 2025
Downloadable IOCs: 0

ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

A critical ViewState deserialization vulnerability (CVE-2025-53690) was discovered in Sitecore products, affecting deployments using an exposed sample machine key. The attacker exploited this to achieve remote code execution, progressing from initial compromise to privilege escalation. Key events i…
viewstate
lateral movement
reconnaissance
privilege escalation
earthworm
remote code execution
sharphound
deserialization
2025-09-04
CVE-2025-53690
sitecore
dwagent
weepsteel
Published: September 4, 2025
Downloadable IOCs: 0

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

SOC files: an APT41 attack on government IT services in Africa

Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and R…
cobalt strike
government
dll sideloading
africa
credential harvesting
lateral movement
mimikatz
data exfiltration
web shell
sharepoint
targeted attack
2025-07-21
checkout
pillager
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

A New Threat Actor Targeting Geopolitical Hotbeds

Bitdefender Labs has uncovered a new threat actor group named Curly COMrades, operating since mid-2024 to support Russian interests. The group targets critical organizations in countries experiencing geopolitical shifts, focusing on judicial and government bodies in Georgia and an energy distributi…
backdoor
russia
credential theft
lateral movement
geopolitical
moldova
resocks
2025-08-12
georgia
clsid hijacking
mucoragent
proxy tools
Published: August 12, 2025
Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …
obfuscation
rat
phishing
social engineering
powershell
lateral movement
c2 communication
2025-08-11
israeli targets
powershell rat
Published: August 11, 2025
Downloadable IOCs: 0

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…
ransomware
seo poisoning
credential theft
lateral movement
data exfiltration
akira
bumblebee
2025-08-07
rustdesk
it management tools
adaptixc2
Published: August 7, 2025
Downloadable IOCs: 0

Bumblebee Malware SEO Poisoning Campaign Leads to Akira Ransomware Deployment

A coordinated threat campaign has been identified leveraging SEO poisoning to distribute Bumblebee malware via trojanized installers of IT management tools. The campaign targets users searching for legitimate software like ManageEngine OpManager. Upon execution, Bumblebee establishes initial access…
seo poisoning
lateral movement
data exfiltration
akira
credential dumping
bumblebee
initial access
akira ransomware
trojanized installers
2025-08-05
Published: August 5, 2025
Downloadable IOCs: 19

Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential…
ransomware
zero-day
credential theft
lateral movement
vpn
mfa bypass
akira
sonicwall
2025-08-04
Published: August 4, 2025
Downloadable IOCs: 12

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…
ransomware
credential theft
lateral movement
rdp
ransomhub
mimikatz
data exfiltration
password spray
living-off-the-land
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 9

Cybercriminals Abuse Open-Source Tools To Target Africa's Financial Sector

A series of attacks targeting financial organizations across Africa has been observed since July 2023. The threat actor, tracked as CL-CRI-1014, uses open-source and publicly available tools like PoshC2, Chisel, and Classroom Spy to establish attack frameworks, create tunnels for network communicat…
lateral movement
poshc2
financial sector
chisel
2025-06-26
Published: June 26, 2025
Downloadable IOCs: 32

Fog Ransomware: Unusual Toolset Used in Recent Attack

A financial institution in Asia was targeted by Fog ransomware in May 2025, using an atypical toolset including legitimate employee monitoring software and open-source pentesting tools. The attackers deployed Syteca, GC2, Adaptix, and Stowaway, which are uncommon in ransomware attacks. They remaine…
espionage
data theft
persistence
lateral movement
CVE-2024-40711
fog ransomware
fog
asia
2025-06-12
unusual toolset
employee monitoring software
financial institution
pentesting tools
2025-06-17
Published: June 17, 2025
Linked vulnerabilities : CVE-2024-40711 (CVSS 9.8)
Downloadable IOCs: 0

TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

TheWizards, a China-aligned threat actor, employs Spellbinder, a lateral movement tool that enables adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows the group to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The at…
china
lateral movement
adversary-in-the-middle
2025-04-30
software update hijacking
wizardnet
spellbinder
slaac spoofing
2025-05-09
darknights
Published: May 9, 2025
Downloadable IOCs: 8

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strik…
ransomware
malvertising
cobalt strike
dll sideloading
lateral movement
nitrogen
2025-05-02
nitrogenloader
Published: May 2, 2025
Downloadable IOCs: 2

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory
Published: April 28, 2025
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472
Downloadable IOCs: 1

Fake Zoom Ends in BlackSuit Ransomware

A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for later…
ransomware
cobalt strike
exfiltration
lateral movement
proxy
blacksuit
sectoprat
brute ratel
2025-03-31
d3f@ckloader
qdoor
Published: March 31, 2025
Downloadable IOCs: 0

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMe…
espionage
evasion
persistence
lateral movement
china chopper
china-nexus
telecom
2025-03-25
web shells
tunneling
inmemory web shell
Published: March 25, 2025
Downloadable IOCs: 1

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…
ransomware
lockbit
lateral movement
data exfiltration
fortinet
firewall
CVE-2024-55591
CVE-2025-24472
2025-03-14
superblack
wipeblack
Published: March 14, 2025
Downloadable IOCs: 23

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

A sophisticated breach was identified where threat actors exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management client to infiltrate a network. The attack involved post-compromise tactics including network discovery, administrator account creation, and persistence establishment…
backdoor
exploit
rmm
sliver
lateral movement
akira
cloudflared
2025-02-07
simplehelp
Published: February 7, 2025
Downloadable IOCs: 6

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec…
ransomware
lockbit
cobalt strike
rclone
exfiltration
lateral movement
systembc
ghostsocks
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 21

RansomHub Affiliate leverages Python-based backdoor

A threat actor utilized a Python-based backdoor to maintain access to compromised endpoints, later deploying RansomHub encryptors across the impacted network. The malware, an updated version of a previously documented backdoor, features obfuscation, deployment via RDP, and unique indicators of comp…
obfuscation
ransomware
socgholish
lateral movement
ransomhub
python backdoor
c2 infrastructure
socks5
2025-01-16
reverse proxy
Published: January 16, 2025
Downloadable IOCs: 6

Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

A recent campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces has been observed. The threat actors gained unauthorized access to the firewalls' administrative controls, created new accounts, established SSL VPN connections, and made various configuration changes…
zero-day
lateral movement
fortigate
vulnerability scanning
fortinet
2025-01-11
ssl vpn
firewall
jsconsole
Published: January 11, 2025
Downloadable IOCs: 0

Attackers exploiting a FortiClient EMS vulnerability in the wild

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like…
screenconnect
sql injection
forticlient ems
anydesk
credential theft
remote access
lateral movement
mimikatz
CVE-2023-48788
2024-12-19
Published: December 19, 2024
Downloadable IOCs: 0

U.S. Organization in China Targeted by Attackers

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, laterally moved across systems, compromised Exchange servers to harvest emails, and deployed exfiltrati…
apt
espionage
exfiltration
lateral movement
credential access
2024-12-06
textinputhost.dat
Published: December 6, 2024
Downloadable IOCs: 13

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Know Thy Enemy: A Novel November Case on Persistent Remote Access

In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent to mimic a virtu…
remote access
persistent
lateral movement
meshagent
2024-11-26
psexec
rdp brute force
Published: November 26, 2024
Downloadable IOCs: 6

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Dissecting A Multi-Stage PowerShell Campaign Using Chisel

A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope pro…
powershell
persistence
lateral movement
lnk file
multi-stage
command-and-control
2024-11-12
chisel
Published: November 12, 2024
Downloadable IOCs: 17

QSC: new modular framework in CloudComputating campaigns

Kaspersky researchers discovered QSC, a multi-plugin malware framework used by the CloudComputating group in cyber espionage campaigns. QSC consists of a Loader, Core module, Network module, File Manager module, and Command Shell module, allowing attackers to load specific plugins on demand. The fr…
lateral movement
2024-11-08
quarian backdoor
qsc framework
goclient backdoor
Published: November 8, 2024
Downloadable IOCs: 0

Investigating a SharePoint Compromise: IR Tales from the Field

An incident response investigation uncovered an attacker who exploited a SharePoint vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and compromising the entire domain. Key tactics included installing Horoung …
credential harvesting
lateral movement
mimikatz
impacket
CVE-2024-38094
2024-11-05
domain compromise
sharepoint
fast reverse proxy (frp)
Published: November 5, 2024
Downloadable IOCs: 8

Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis

This analysis examines two cybersecurity incidents: a web shell attack and a VPN compromise. The web shell attack involved uploading malicious files to a server, executing commands, creating a local admin account, and attempting to establish persistence. The VPN compromise led to lateral movement, …
anydesk
persistence
CVE-2020-1472
lateral movement
privilege escalation
web shell
defense evasion
2024-10-24
iis
mxdr
vpn compromise
Published: October 24, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 1

Unmasking Prometei: A Deep Dive Into MXDR Findings

This analysis examines the Prometei botnet's infiltration of a customer's system through a targeted brute force attack. Leveraging Trend Vision One, the investigation traced the botnet's detailed installation routine and stealthy tactics. Prometei, a modular malware family used for cryptocurrency m…
botnet
credential theft
lateral movement
dga
web shell
tor
cryptocurrency mining
2024-10-23
prometei
CVE-2021-27065
CVE-2021-26858
CVE-2019-0708
Published: October 23, 2024
Downloadable IOCs: 0

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …
ransomware
russia
lockbit
hacktivism
credential harvesting
lateral movement
babuk
lockbit 3.0
2024-10-18
xenallpasswordpro
cobint
Published: October 18, 2024
Downloadable IOCs: 1

Threat actor believed to be spreading new MedusaLocker variant since 2022

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly know…
iab
ransomware
credential theft
lateral movement
financially motivated
2024-10-04
babylockerkz
medusalocker
Published: October 4, 2024
Downloadable IOCs: 11

Threat Brief: Understanding Akira Ransomware

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and op…
ransomware
lateral movement
conti
akira
raas
2024-10-04
double extortion
defense evasion
CVE-2023-20269
chacha encryption
CVE-2019-6693
credential dumping
CVE-2021-21972
CVE-2022-40684
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-20269, CVE-2021-21972, CVE-2019-6693, CVE-2022-40684
Downloadable IOCs: 3

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…
ransomware
blackcat
alphv
cobalt strike
sliver
credential harvesting
lateral movement
noberus
data exfiltration
2024-10-01
nitrogen
Published: October 1, 2024
Downloadable IOCs: 45

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
linux
backdoor
cryptocurrency
mallox
lateral movement
tsunami
2024-09-13
weblogic
hadooken
Published: September 13, 2024
Downloadable IOCs: 4

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

BlackSuit Ransomware

The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside…
ransomware
cobalt strike
discovery
lateral movement
credential access
cobaltstrike
blacksuit
systembc
2024-08-27
sharphound
get-datainfo.ps1
rubeus
Published: August 27, 2024
Downloadable IOCs: 16

CheckMesh: Hidden Threats in Your FW

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the atta…
credential theft
lateral movement
2024-08-05
meshagent
encrypted communication
advanced persistent threat
firewall compromise
Published: August 5, 2024
Downloadable IOCs: 9

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
backdoor
espionage
exfiltration
persistence
lateral movement
2024-08-02
bitsloth
Published: August 2, 2024
Downloadable IOCs: 8

Lost in the Fog: A New Ransomware Threat

Arctic Wolf Labs began monitoring the deployment of a new ransomware variant called Fog in early May 2024. The ransomware attacks targeted organizations in the education and recreation sectors within the United States. Evidence suggests threat actors gained initial access through compromised VPN cr…
ransomware
encryption
lateral movement
credential
2024-06-07
backup deletion
foggyweb
Published: June 7, 2024
Linked vulnerabilities : CVE-2024-4358 (CVSS 9.8), CVE-2024-1800
Downloadable IOCs: 5

Operation Crimson Palace: A Technical Deep Dive

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
malware
cobalt strike
cyberespionage
lateral movement
intrusion
2024-06-06
impersoni-fake-ator
powheartbeat
credential access
pocoproxy
rudebird
phantomnet
ccoredoor
eagerbee
nupakage
Published: June 6, 2024
Downloadable IOCs: 138

Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion

This report details a sophisticated cyber intrusion targeting MITRE's research network (NERVE) through the exploitation of Ivanti Connect Secure zero-day vulnerabilities. The threat actor, suspected to be UNC5221, initiated the attack by gaining unauthorized access and subsequently deploying variou…
persistence
CVE-2024-21887
CVE-2023-46805
2024-05-24
threat
lateral movement
wirefire
giftedvisitor
bushwalk
intrusion
cyberattack
beeflush
rootrot
brickstorm
Published: May 24, 2024
Downloadable IOCs: 4
Click here to see more Attack Reports