Tag: lockbit

34 Attack Reports | 0 Vulnerabilities

Attack reports

GOLD SALEM tradecraft for deploying Warlock ransomware

This analysis examines the evolving tactics of the GOLD SALEM cybercrime group in deploying Warlock ransomware over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like Velociraptor, VMTools AV killer, and Cloudflared for …
ransomware
lockbit
cybercrime
warlock
velociraptor
2025-12-11
Published: December 11, 2025
Downloadable IOCs: 13

Dragons in Thunder

This report details the activities of two hacker groups, QuietCrabs and Thor, targeting Russian companies. QuietCrabs exploited RCE vulnerabilities in Microsoft SharePoint and Ivanti Endpoint Manager Mobile, using KrustyLoader and Sliver malware. Thor employed more common tools and techniques, atta…
lockbit
ivanti
sliver
babuk
sharepoint
krustyloader
CVE-2025-4427
CVE-2025-4428
russian targets
CVE-2025-53770
2025-11-28
rce vulnerabilities
thor
cyberspionage
Published: November 28, 2025
Linked vulnerabilities : CVE-2021-27065, CVE-2025-4428, CVE-2025-4427, CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 67

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…
phishing
ransomware
lockbit
credential theft
cloud abuse
lockbit 5.0
2025-10-29
tykit
clickup
google careers
figma
Published: October 29, 2025
Downloadable IOCs: 10

Warlock Ransomware: Old Actor, New Tricks?

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C frame…
espionage
ransomware
lockbit
warlock
2025-10-23
anylock
Published: October 23, 2025
Downloadable IOCs: 0

Velociraptor leveraged in ransomware attacks

A ransomware attack involving the use of Velociraptor, an open-source digital forensics tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version …
ransomware
windows
privilege-escalation
lockbit
data-exfiltration
babuk
vmware
warlock
2025-10-09
CVE-2025-6264
velociraptor
open-source-tools
Published: October 9, 2025
Linked vulnerabilities : CVE-2025-6264
Downloadable IOCs: 5

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enablin…
ransomware
lockbit
socgholish
malware-as-a-service
initial access broker
raspberry robin
mintsloader
fake updates
2025-08-08
dridex
wastedlocker
netsupportrat
traffic distribution system
domain shadowing
hades
Published: August 8, 2025
Downloadable IOCs: 33

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks

Unit 42 has identified significant overlaps between Microsoft's reported ToolShell activity and a threat cluster they track as CL-CRI-1040. This cluster utilizes a tool set called Project AK47, which includes a multi-protocol backdoor, custom ransomware, and loaders. The activity is linked to the e…
backdoor
ransomware
lockbit
lockbit 3.0
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
warlock
2025-08-06
warlock client
ak47 ransomware
x2anylock
project ak47
ak47c2
Published: August 6, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 27

Exploring Storm-2603's Previous Ransomware Operations

A focused analysis of Storm-2603, a threat actor linked to recent ToolShell exploitations alongside other Chinese APT groups, reveals their use of a custom malware C2 framework called 'ak47c2'. This framework includes HTTP and DNS-based clients. The group likely targeted organizations in Latin Amer…
ransomware
windows
lockbit
lockbit black
microsoft
april
virustotal
sharepoint
psexec
iocs
toolshell
2025-08-01
storm2603
io control
dllhijacking
warlock
Published: August 1, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 25

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious …
ransomware
evasion
lockbit
persistence
encryption
dll sideloading
2025-08-01
masquerading
Published: August 1, 2025
Downloadable IOCs: 11

May 2025 Security Issues in Korean & Global Financial Sector

This comprehensive analysis covers cyber threats targeting financial companies in Korea and globally. It examines malware and phishing cases, top 10 malware strains, and statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data …
ransomware
lockbit
data breach
identity theft
play
dark web
2025-06-13
customer data
brokerage
arkana
safepay
Published: June 13, 2025
Downloadable IOCs: 0

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

Unfiltered look into LockBit’s operations

A breach of LockBit's dark web affiliate panels exposed a rare glimpse into their operations. The leaked data included Bitcoin addresses, admin credentials, and a chat log revealing negotiation tactics and ransom demands. Ransom amounts varied widely, with some victims confused about the demands. T…
ransomware
lockbit
data breach
initial access brokers
dark web
2025-05-15
affiliate panels
negotiation tactics
Published: May 15, 2025
Downloadable IOCs: 3

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…
ransomware
lockbit
lateral movement
data exfiltration
fortinet
firewall
CVE-2024-55591
CVE-2025-24472
2025-03-14
superblack
wipeblack
Published: March 14, 2025
Downloadable IOCs: 23

Head Mare and Twelve: Joint attacks on Russian entities

Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contrac…
ransomware
lockbit
hacktivism
CVE-2021-26855
CVE-2023-38831
babuk
lockbit 3.0
cobint
infrastructure sharing
2025-03-13
phantomjitter
Published: March 13, 2025
Downloadable IOCs: 0

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Phorpiex - Downloader Delivering Ransomware

The report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the automated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code sale in 2021, and direct deployment of LockBit without network expansion. The analy…
phishing
ransomware
lockbit
botnet
phorpiex
downloader
gandcrab
2025-01-29
twizt
Published: January 29, 2025
Downloadable IOCs: 14

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec…
ransomware
lockbit
cobalt strike
rclone
exfiltration
lateral movement
systembc
ghostsocks
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 21

Hacktivists attack Russian organizations using rare RATs

The Cyber Anarchy Squad (C.A.S) is a hacktivist group targeting Russian and Belarusian organizations since 2022. They exploit vulnerabilities in public services and use free tools to inflict maximum damage. The group employs rare remote access Trojans like Revenge RAT and Spark RAT, alongside commo…
ransomware
russia
belarus
lockbit
meterpreter
telegram
babuk
spark rat
hacktivist
2024-12-18
revenge rat
data destruction
Published: December 18, 2024
Downloadable IOCs: 0

Intensifies Attacks On Russia With PhantomCore

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earl…
backdoor
apt
ransomware
russia
lockbit
CVE-2023-38831
babuk
phantomcore
2024-12-11
hacktivist
boost.beast
Published: December 11, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 31

The State of Cloud Ransomware in 2024

Cloud ransomware attacks are evolving, primarily targeting storage services like Amazon S3 and Azure Blob Storage. Attackers exploit misconfigurations or use stolen credentials to access and encrypt data. Cloud service providers have implemented security measures, such as AWS's 7-day key deletion w…
lockbit
bianlian
cloud security
data exfiltration
rhysida
2024-11-14
CVE-2023-34362
cspm
cloud ransomware
pandora
s3 buckets
ransomes
web application attacks
identity management
kms
Published: November 14, 2024
Downloadable IOCs: 0

Inside the Open Directory of the “You Dun” Threat Group

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation targeting organizations in South Korea, China, Thailand, Taiwan, and Iran using tools like WebLogicScan, Vulmap, and Xray. The Viper C2 framework and …
ransomware
lockbit
cobalt strike
2024-10-28
weblogic exploitation
viper c2
chinese threat actor
Published: October 28, 2024
Downloadable IOCs: 3

Analyzing the familiar tools used by the Crypt Ghouls hacktivists

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often …
ransomware
russia
lockbit
hacktivism
credential harvesting
lateral movement
babuk
lockbit 3.0
2024-10-18
xenallpasswordpro
cobint
Published: October 18, 2024
Downloadable IOCs: 1

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
rootkit
powershell
lockbit
attack
service
malicious
web shell
2024-10-15
threat actor
zero-day vulnerability
csa appliance
cve20248190
zero
life
Published: October 15, 2024
Downloadable IOCs: 17

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

The United States has experienced a significant increase in cyber attacks from June to October 2024, with over 800 organizations affected by ransomware across various sectors. Play, RansomHub, Lockbit, Qilin, and Meow have emerged as the most active ransomware groups. Notable incidents include the …
espionage
ransomware
lockbit
hacktivism
ransomhub
qilin
data breach
2024-10-10
rhysida
critical infrastructure
united states
Published: October 10, 2024
Downloadable IOCs: 0

Analysis of the BlackJack group: techniques, tools, and similarities with Twelve

The report examines the BlackJack hacktivist group targeting Russian organizations, focusing on their tools, techniques, and connections to the Twelve group. BlackJack employs freely available software like the Shamoon wiper and LockBit ransomware. Significant overlaps with Twelve include similar m…
ransomware
lockbit
2024-09-25
shamoon
twelve
Published: September 25, 2024
Downloadable IOCs: 1

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like …
phishing
ransomware
russia
belarus
lockbit
CVE-2023-38831
2024-09-02
babuk
vasa locker
phantomdl
phantomcore
babyk
hacktivists
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 52

DeathGrip RaaS | Small-Time Threat Actors Aim High With LockBit & Yashma Builders

This analysis examines the emergence of DeathGrip, a Ransomware-as-a-Service (RaaS) operation that provides threat actors with easy access to sophisticated ransomware builders like LockBit 3.0 and Yashma/Chaos. The accessibility of these tools enables even those with minimal technical skills to lau…
ransomware
lockbit
2024-08-09
yashma
chaos
Published: August 9, 2024
Downloadable IOCs: 1

Threat Actor Masquerades as Hacktivist Group Rebelling Against AI

SentinelLabs identified a cybercriminal group, NullBulge, targeting AI- and gaming-focused entities. The group injects malware into public code repositories and gaming mods, leading victims to import malicious libraries. NullBulge uses tools like Async RAT and Xworm before delivering customized Loc…
xworm
lockbit
hacktivism
2024-07-16
async rat
Published: July 16, 2024
Downloadable IOCs: 9

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 27

Decrypted: DoNex Ransomware and its Predecessors

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…
ransomware
lockbit
darkrace
donex
encryption
2024-07-10
chacha20
rebranding
muse
cryptography
Published: July 10, 2024
Downloadable IOCs: 8

TargetCompany’s Linux Variant Targets ESXi Environments

Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
ransomware
lockbit
execution
2024-06-06
vmware esxi
targetcompany
cloud security
vampire
Published: June 6, 2024
Downloadable IOCs: 3

Ikaruz Red Team | Hacktivist Group Leverages Ransomware for Attention Not Profit

SentinelOne is the world's leading provider of self-defence and cybersecurity, with a platform powered by artificial intelligence and the power of the Singularity XDR, which aims to protect and respond to cyber attacks at scale.
lockbit
2024-05-21
bianlian
ikaruz red
turk hack
ikaruz
anka red
medusa
Published: May 21, 2024
Downloadable IOCs: 1

Security Brief: Millions of Messages Distribute LockBit Black Ransomware

In late April 2024, Proofpoint observed high-volume email campaigns facilitated by the Phorpiex botnet, distributing millions of messages with attachments leading to LockBit Black ransomware infections. The messages appeared to originate from 'Jenny Green' and contained ZIP attachments with executa…
ransomware
lockbit
botnet
2024-05-08
malspam
phorpiex
lockbit black
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 16
Click here to see more Attack Reports