Skip to content
  • Analysts
  • Contact Us
  • Services
  • Subscribe

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Analysts
  • Contact Us
  • Services
  • Subscribe
Wednesday, February 08, 2023

Category: adfind

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
adfind cobaltstrike ransomware

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

November 28, 2022

In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of … Read More

BumbleBee Zeros in on Meterpreter
adfind bumblebee cobaltstrike Meterpreter

BumbleBee Zeros in on Meterpreter

November 14, 2022

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, … Read More

Follina Exploit Leads to Domain Compromise
adfind cobaltstrike Qbot

Follina Exploit Leads to Domain Compromise

October 31, 2022

In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also known … Read More

BumbleBee: Round Two
adfind bumblebee cobaltstrike Meterpreter

BumbleBee: Round Two

September 26, 2022

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More

Dead or Alive? An Emotet Story
adfind cobaltstrike emotet Exfiltrate Data Kerberoast ShareFinder

Dead or Alive? An Emotet Story

September 12, 2022

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More

BumbleBee Roasts Its Way to Domain Admin
adfind bumblebee cobaltstrike Kerberoast ShareFinder

BumbleBee Roasts Its Way to Domain Admin

August 8, 2022

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More

Quantum Ransomware
adfind cobaltstrike icedid psexec quantum ransomware

Quantum Ransomware

April 25, 2022

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for … Read More

Stolen Images Campaign Ends in Conti Ransomware
adfind cobaltstrike conti exploit icedid ransomware

Stolen Images Campaign Ends in Conti Ransomware

April 4, 2022

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered … Read More

Qbot and Zerologon Lead To Full Domain Compromise
adfind cobaltstrike Qbot

Qbot and Zerologon Lead To Full Domain Compromise

February 21, 2022

In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot … Read More

Diavol Ransomware
adfind bazar cobaltstrike diavol ransomware

Diavol Ransomware

December 13, 2021

In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of … Read More

CONTInuing the Bazar Ransomware Story
adfind bazar cobaltstrike conti ransomware

CONTInuing the Bazar Ransomware Story

November 29, 2021

In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti … Read More

IcedID to XingLocker Ransomware in 24 hours
adfind cobaltstrike icedid mountlocker xinglocker

IcedID to XingLocker Ransomware in 24 hours

October 18, 2021

Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early … Read More

BazarLoader and the Conti Leaks
adfind bazar cobaltstrike

BazarLoader and the Conti Leaks

October 4, 2021

Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while … Read More

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
adfind BazarCall cobaltstrike conti ransomware trickbot

BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

August 1, 2021

Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which … Read More

IcedID and Cobalt Strike vs Antivirus
adfind cobaltstrike icedid

IcedID and Cobalt Strike vs Antivirus

July 19, 2021

Intro Although IcedID was originally discovered back in 2017, it did not gain in popularity until the latter half of 2020.  We have now analyzed a couple ransomware cases in … Read More

From Word to Lateral Movement in 1 Hour
adfind cobaltstrike icedid

From Word to Lateral Movement in 1 Hour

June 20, 2021

Introduction  In May 2021, we observed a threat actor conducting an intrusion utilizing the IcedID payloads for initial access. They later performed a number of techniques from host discovery to … Read More

Sodinokibi (aka REvil) Ransomware
adfind cobaltstrike icedid ransomware revil Sodinokibi

Sodinokibi (aka REvil) Ransomware

March 29, 2021

Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More

Bazar, No Ryuk?
adfind bazar cobaltstrike ryuk

Bazar, No Ryuk?

January 31, 2021

Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More

Trickbot Still Alive and Well
adfind cobaltstrike trickbot

Trickbot Still Alive and Well

January 11, 2021

In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating … Read More

Ryuk Speed Run, 2 Hours to Ransom
adfind bazar cobaltstrike ransomware ryuk

Ryuk Speed Run, 2 Hours to Ransom

November 5, 2020

Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More

bazarcobalt strikekegtapransomwareryuk
Ryuk in 5 Hours
adfind bazar cobaltstrike ransomware rdp ryuk yara

Ryuk in 5 Hours

October 18, 2020

Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More

adfindbazarcobalt strikekegtapmalspamryuk

Posts navigation

1 2 Next
Tweets by TheDFIRReport

Copyright 2023 | The DFIR Report | All Rights Reserved