Search Results for “@0xtornado”

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

editor September 30, 2024

Key Takeaways Contact us today for pricing or a demo! Table of Contents: Case Summary Analysts Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command … Read More

adfind cobaltstrike icedid macro nokoyawa ransomware xls

IcedID Macro Ends in Nokoyawa Ransomware

editor May 22, 2023

Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More

autohotkey keylogger

Collect, Exfiltrate, Sleep, Repeat

editor February 6, 2023

In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command … Read More

adfind bumblebee cobaltstrike Meterpreter

BumbleBee Zeros in on Meterpreter

editor November 14, 2022

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, … Read More

adfind bumblebee cobaltstrike Kerberoast ShareFinder

BumbleBee Roasts Its Way to Domain Admin

editor August 8, 2022

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More

adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

editor April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

editor April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

adfind cobaltstrike Qbot

Qbot and Zerologon Lead To Full Domain Compromise

editor February 21, 2022

In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot … Read More

cobaltstrike

Cobalt Strike, a Defender’s Guide – Part 2

editor January 24, 2022

Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we will focus on the network traffic it produced, and provide … Read More

exploit Fast Reverse Proxy PHOSPHORUS Plink ProxyShell ransomware

Exchange Exploit Leads to Domain Wide Ransomware

editor November 15, 2021

In late September 2021, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case … Read More

adfind cobaltstrike icedid mountlocker xinglocker

IcedID to XingLocker Ransomware in 24 hours

editor October 18, 2021

Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early … Read More

Analysts

Current Analysts: @kostastsale – Reports @RoxpinTeddy – Reports @iiamaleks – Reports @pigerlin – Reports @tas_kmanager – Reports @samaritan_o – Reports @MetallicHack – Reports @yatinwad – Reports @_pete_0 – Reports @v3t0_ – … Read More