Search Results for “BazarLoader”

BazarLoader and the Conti Leaks

editor October 4, 2021

Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while … Read More

bazar cobaltstrike conti

BazarLoader to Conti Ransomware in 32 Hours

editor September 13, 2021

Intro Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown … Read More

cobaltstrike gootloader lazagne psexec

SEO Poisoning – A Gootloader Story

editor May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

editor April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

editor April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

APT35 exploit Fast Reverse Proxy ProxyShell

APT35 Automates Initial Access Using ProxyShell

editor March 21, 2022

In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks … Read More

Uncategorized

2021 Year In Review

editor March 7, 2022

As we come to the end of the first quarter of 2022, we want to take some time to look back over our cases from 2021, in aggregate, and look … Read More

adfind cobaltstrike Qbot

Qbot and Zerologon Lead To Full Domain Compromise

editor February 21, 2022

In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot … Read More

Qbot

Qbot Likes to Move It, Move It

editor February 7, 2022

Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following … Read More

cobaltstrike

Cobalt Strike, a Defender’s Guide – Part 2

editor January 24, 2022

Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this report, we will focus on the network traffic it produced, and provide … Read More