BlackLock actively recruits key players, known as traffers, to support the early stages of ransomware attacks. These individuals drive malicious traffic, steer victims to harmful content, and help establish initial access for campaigns.

The attack lifecycle involved initial access gained through a firewall vulnerability, followed by enumeration of network shares and lateral movement using Impacket and pass-the-hash attacks.

CAMO, short for Commercial Applications, Malicious Operations, showcases how cybercriminals are increasingly utilizing legitimate IT tools to evade security measures and conduct stealthy attacks.

In 2024, loaders were involved in nearly 40% of critical security incidents, with popular ones being SocGholish, GootLoader, and Raspberry Robin, aiming to deliver malware like ransomware, according to Reliaquest.

A comprehensive analysis of data theft incidents investigated by ReliaQuest from September 2023 to July 2024 revealed that Rclone, WinSCP, and cURL are among the most prevalent exfiltration tools used by threat actors.

ReliaQuest observed new execution techniques in a campaign from the JavaScript framework “ClearFake,” tricking users into copying, pasting, and manually executing malicious PowerShell code.

Russia-linked APT groups pose a significant threat to OT environments, as demonstrated by their recent attacks targeting critical infrastructure in Ukraine and its allies, with the potential for further disruption and long-term espionage operations.

QakBot, SocGholish, and Raspberry Robin are the most prevalent malware loaders causing havoc for security teams, with QakBot being the most versatile and persistent threat.

The attacker’s actions had the whiff of a Black Basta affiliate, with Qbot activity widely reported as being a cornerstone of Black Basta intrusions. Black Basta is a splinter group that emerged after the “Conti” ransomware syndicate was quelled.

Exotic Lily is an initial access broker who specializes in gathering credentials from high-value targets through employee impersonation, deep open-source intelligence (OSINT), and by creating convincing malicious documents.