SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware | Trend Micro (US)
Malware

Trend Research analyzed SocGholish's MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.

By Adam O'Connor, Ian Kenefick, Jack Walsh, Lucas Silva, Laura Medina
March 14, 2025
Summary

Trend Research has been closely monitoring the activities of the SocGholish (also known as FakeUpdates) malware-as-a-service (MaaS) framework, first observed in 2018. This particular intrusion set is tracked by Trend Micro under the name Water Scylla, whose activities lead to RansomHub ransomware deployment.

SocGholish is characterized by its highly obfuscated JavaScript loader, which employs a range of evasion techniques that enable it to effectively bypass traditional signature-based detection methods.

The primary method of propagation for SocGholish involves the compromise of legitimate websites. Threat actors inject malicious scripts into these sites to hijack user traffic. When users visit these compromised sites, they are redirected to deceptive webpages that masquerade as legitimate browser update notifications. Through social engineering tactics, users are convinced to download a malicious ZIP file. This file contains a JavaScript file, which is the SocGholish loader.

This blog entry focuses on a cluster that deploys backdoor components to enable initial access for RansomHub ransomware-as-a-service (RaaS) affiliates. RansomHub is a top ransomware player in terms of the number of organizations impacted by data breaches (just behind Akira in second place and CL0P in first), and SocGholish is a key enabler of these attacks.

SocGholish's key role in enabling initial access for ransomware warrants the attention of defenders to thwart attacks. The primary objective of SocGholish is to drop second-stage payloads, which include backdoor components. These backdoors provide threat actors with persistent access to infected systems, facilitating further exploitation and payload deployment.

SocGholish's loader is highly versatile and capable of executing arbitrary tasks as directed by its operators. It can:

- Execute arbitrary commands. This allows threat actors to perform a wide range of malicious activities on the compromised system.

Since the start of the year, SocGholish detections have been highest in the US, followed by Japan, then Taiwan. Government entities top the list of most affected organizations, with those in the banking and consulting industries coming in second and third, respectively. The persistent and evasive nature of SocGholish highlights its critical role in the initial stages of ransomware attacks. This underscores the need for heightened awareness and robust cybersecurity measures to identify and mitigate such threats effectively.
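The execution chain summarized above (a .js loader extracted from a downloaded ZIP, run by Windows Script Host, which then executes arbitrary commands and returns their output to the C&C server) is what an endpoint detection should key on. The following is an added example, not code from the post or from Trend Micro: it scores process-creation events on the traits of that chain. The event fields, the scoring weights, the path patterns and every sample process (including the file and host names) are constructed for the example.

```python
"""
Added example (not from the Trend Micro post): a detection pass over
process-creation telemetry for the execution chain the post describes.
A user opens the .js loader from a downloaded ZIP, Windows Script Host
(wscript.exe) runs it, and the loader then launches command interpreters
whose output is redirected to a temporary file before being sent to C&C.

Event fields, scoring weights and all sample processes are constructed for
this example; they are not telemetry from the post.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Locations where a file extracted from a downloaded ZIP typically ends up
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
JS_ARGUMENT = re.compile(r"\.js\b", re.I)
# Output redirected into a ...\Temp\ file, as the loader does with task results
TEMP_REDIRECT = re.compile(r">\s*\S*\\temp\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_script_hosts(events, min_score=3):
    """Score every script-host process on the traits of the SocGholish chain
    and return those at or above min_score (highest score first)."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for e in events:
        if _basename(e.image) not in SCRIPT_HOSTS:
            continue
        reasons = []
        if JS_ARGUMENT.search(e.cmdline):
            reasons.append("script host given a .js file (T1059.007)")
        if USER_WRITABLE.search(e.cmdline):
            reasons.append("script loaded from a user-writable path")
        parent = by_pid.get(e.ppid)
        if parent is not None and _basename(parent.image) == "explorer.exe":
            reasons.append("launched interactively from explorer.exe (T1204.002)")
        kids = [c for c in children.get(e.pid, [])
                if _basename(c.image) in INTERPRETERS]
        if kids:
            reasons.append(f"spawned {len(kids)} command interpreter(s)")
        if any(TEMP_REDIRECT.search(c.cmdline) for c in kids):
            reasons.append("interpreter output redirected to a %TEMP% file")
        if len(reasons) >= min_score:
            alerts.append({"pid": e.pid, "cmdline": e.cmdline,
                           "score": len(reasons), "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed sample: a benign logon script run by the Group Policy client,
# and the chain described in the post (explorer -> wscript -> cmd/powershell).
SAMPLE_EVENTS = [
    ProcEvent(700, 600, r"C:\Windows\System32\gpscript.exe", "gpscript.exe /Logon"),
    ProcEvent(1100, 700, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //B \\corp.example\netlogon\drives.vbs"),
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Update\Chrome_Update.js"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c whoami /all > C:\Users\jdoe\AppData\Local\Temp\rad3F2A.tmp"),
    ProcEvent(1301, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -c "Get-Process | Out-File C:\Users\jdoe\AppData\Local\Temp\rad3F2B.tmp"'),
    ProcEvent(1400, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
]


def sample_alerts():
    return find_suspicious_script_hosts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["pid"], a["score"], "; ".join(a["reasons"]))
```

Each trait on its own is common in a corporate environment (logon scripts run under wscript.exe all day), which is why the check accumulates reasons and alerts only above a threshold; the benign Group Policy script in the sample scores zero while the interactive .js from Downloads with interpreter children scores five.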
Initial access and execution

The primary mechanism for SocGholish distribution involves several components:

Threat actor-operated Keitaro TDS instances

Water Scylla collaborates with threat actors who operate rogue Keitaro Traffic Direction System (TDS) servers (Figure 4) for the purpose of delivering FakeUpdate pages with the SocGholish payload.

Trend Micro telemetry from 2025 alone has identified thousands of compromised websites injected with scripts pointing to these malicious TDS domains, which may lead to SocGholish infections depending on the geolocation of the visitor. Figure 5 below highlights the scale of these compromises, which hijack users and facilitate malware delivery.

Among the most frequently used TDS domains, blackshelter[.]org has at least 1,297 compromised websites redirecting to it, followed by rednosehorse[.]com with 932 and newgoodfoodmarket[.]com with 550.

Initial execution

When the user opens the JavaScript file (Figure 7; T1204.002 User Execution: Malicious File), Windows Scripting Host (wscript.exe; T1059.007 Command and Scripting Interpreter: JavaScript) executes the loader, which proceeds to collect several pieces of information about the endpoint, as shown in Table 1. This information is sent to the C&C server to profile the environment (Figure 6).

Table 1. Information collected by the SocGholish loader during environment profiling

Command and control, defense evasion

Our investigation identified dozens of tasks sent by the C&C server to be executed by the loader. They range from reconnaissance commands to the deployment of backdoor components to data exfiltration.

Task execution is supported by helper functions. Such functions include:

Task execution

While SocGholish is running, it beacons to the C&C server. Tasks are subsequently sent to SocGholish, which are then executed by the loader. Each time a task is executed, the resulting output is piped to a temporary file and sent back to the C&C server.

The malicious tasks are executed in this order:

Discovery tasks

Command and control: backdoor deployment tasks

The following tasks were executed to deploy a Python-based backdoor in the compromised environment to gain persistent access and relay connections from the attacker-controlled server to machines inside the compromised environment. We attribute this activity to RansomHub affiliates, where it is used by threat actors for command and control, data exfiltration, and ransomware deployment.

The tasks (Figure 14) are as follows:

The file pypa.py is a Python proxy client obfuscated with pyobfuscate (Figure 15).

It contains a hardcoded IP address and port for the RansomHub-associated C&C server (T1095 Non-Application Layer Protocol; Figure 16). This is a change from previous versions of this malicious script, which accepted the IP address and port as command line arguments.

The purpose of the backdoor is to create a connection to the hardcoded C&C server and listen for commands from the attackers. Commands are connection commands, with supported targets in the format of an IP address or a domain.

The start_transferring function shown in Figure 17 unpacks the connection commands sent from the attacker server and creates connections to the target inside the compromised environment, effectively allowing threat actors to connect to any host, internal or on the internet, that has a route from the compromised host.

Credential access and exfiltration tasks

In order to gather as much sensitive browser data as possible, the threat actors search for both default and additional browser profiles, and the contents of browser stores are exfiltrated. Notably, app-bound encryption keys are extracted from browsers in a likely effort to access encrypted-at-rest credentials located in browser stores. The impact of these tasks is the theft of sensitive credentials, leading to a potential broader compromise of business and personal accounts.

The following tasks (Figures 18-21) were observed carrying out this behavior:

Additionally, it was observed that the attacker utilized the certutil utility to extract the registry hives (SAM, SECURITY, SYSTEM) from a Volume Shadow Copy, saving the content to the %PROGRAMDATA% folder in files named s1.txt and so on, where the number represents the identifier for the specific hive dumped (Figures 22-24; T1003.002 OS Credential Dumping: Security Account Manager, S0160 certutil, T1006 Direct Volume Access).

SSH reverse shell with port forwarding deployment

Multiple tasks were executed to deploy a reverse shell that's likely related to RansomHub, for the purpose of command and control (T1572 Protocol Tunneling) and data exfiltration (T1041 Exfiltration Over C2 Channel) (Figure 25).

The tasks are as follows:

The timing of these commands (Figures 26-30), along with the duplication of task execution and the execution of a command with a syntax error, suggests that this phase involved manual hands-on-keyboard interaction.

The attacker also utilized the SMB protocol (T1021.002 Application Layer Protocol: SMB/Windows Admin Shares) to connect to multiple hosts in the network using compromised credentials (T1078 Valid Accounts). Subsequently, a BAT file was transferred into the %PROGRAMDATA% folder of the remote hosts. Additionally, a scheduled task was created to execute the BAT file every two hours on the remote hosts (Figure 31). However, the task and the file were deleted a few seconds later, after being forcibly executed by the adversary.

Although the file is unavailable, the telemetry available on the host indicates that the batch file appears to be attempting to extract encrypted keys from Local State files associated with the Microsoft Edge and Google Chrome browsers and save the results in the %PROGRAMDATA% folder as a log file.

The attacker manually searched for image files saved on the host and targeted files with names that potentially indicated they contained credentials related to cloud management services.

SocGholish infrastructure

Our most recent tracking of SocGholish C&C infrastructure shows 18 active C&C servers whose domains are rotated at least once per week, with some fluctuations in the frequency of domain rotation (Figure 32). Fresh domains may lead to a higher infection success rate.

SocGholish operators use compromised domains for C&C infrastructure, where a new subdomain is specifically created by the threat actors for use with SocGholish. This technique, known as domain shadowing, is desirable from a threat actor perspective because it enables them to leverage the reputation of more mature domains, which are less likely to be blocked by automated detection systems.

RansomHub infrastructure

As the objective of this cluster is to enable initial access for RansomHub, our intelligence teams have continuously tracked the malicious infrastructure as it is deployed for use in the post-SocGholish infection phase (Figure 33). We identified 22 IP addresses across a diverse range of Autonomous Systems (ASNs), predominantly located in the US, with just two located in the Netherlands and Germany, respectively.

Security recommendations

Security and incident response teams must urgently address SocGholish infections as critical events and invoke incident response procedures to rapidly mitigate the impact of its malicious activity, such as backdoor deployment, unauthorized access to sensitive data, lateral movement, data exfiltration, and ransomware-driven data destruction. Defenders should also apply the following best practices:

For their part, website administrators and owners should be aware that vulnerable content management systems (CMS) and their plugin systems are frequently targeted by threat actors. This is because they enable cybercriminals to abuse websites to hijack visitor traffic, as is the case with SocGholish, and distribute malware.

Compromised websites can have a significant impact on a business's operations if their websites are being tagged as malicious by security solutions and web browser block lists. Website administrators can mitigate this by:

Proactive security with Trend Vision One

Trend Vision One is an enterprise cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise's attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.

As we noted earlier, Trend Vision One customers can reduce their potential attack surface by ensuring that Behavior Monitoring and Predictive Machine Learning are enabled in Endpoint and Server Policies.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.

Trend Vision One Intelligence Reports App (IOC Sweeping)

Trend Vision One Threat Insights App

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.

Searching for the initial dropper:

tags:(XSAE.F11697 OR XSAE.F11689 OR XSAE.F8637 OR XSAE.F8636 OR XSAE.F7176)

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Conclusion

SocGholish is a prevalent and evasive threat. The use of heavy obfuscation in the loader poses a challenge for static file detection technologies. The fileless execution of commands may pose a challenge for certain detection technologies.

The sheer volume of compromised websites leading to SocGholish, coupled with the use of a commercial TDS for sandbox and crawler evasion and the use of anti-sandbox routines, may pose a challenge for certain automated detection solutions like sandboxes, which may enable SocGholish to run in environments, leading to highly impactful attacks.

Its collaboration with prevalent and dangerous RaaS operations like RansomHub means that SocGholish poses a significant threat to enterprises. However, there are several detection opportunities, from suspect execution with suspicious process chains that perform discovery, lateral movement, credential access, and data exfiltration, to outbound connections to low-reputation infrastructure and anomalous internal connections from compromised hosts.

Indicators of compromise (IOCs)

Download the list of IOCs here.

Adam O'Connor, Threat Analyst
Ian Kenefick, Senior Adversary Hunter
Jack Walsh, Adversary Hunter
Lucas Silva, Incident Response Analyst
Laura Medina, Incident Response Analyst
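The SocGholish infrastructure section describes domain shadowing (a fresh subdomain created under a compromised, long-established domain so the C&C name inherits the parent's reputation), and the conclusion lists outbound connections to low-reputation infrastructure as a detection opportunity. The following is an added example, not code from the post or from Trend Micro, of a heuristic that surfaces that pattern in DNS resolution logs: a subdomain that appeared only recently, under an apex the organization has resolved for months, that points at an address the apex itself never used. The log format, the apex heuristic, the thresholds, the domain names and the IP addresses are all constructed for the example (the names are not real infrastructure; the addresses are from the RFC 5737 documentation ranges).

```python
"""
Added example (not from the Trend Micro post): a heuristic for spotting
domain shadowing in DNS resolution logs.  The post describes operators
creating fresh subdomains under compromised, long-established domains so
that the C&C name inherits the parent's reputation.  The tell-tale pattern
this code looks for: a subdomain that (1) appeared only recently, (2) sits
under an apex the organization has resolved for months, and (3) resolves to
an address the apex itself never used.

Log format, field names, thresholds, domain names and IP addresses are all
constructed for this example; the *.example-news.com names are not real
infrastructure and the addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import date, datetime


def registrable_domain(fqdn):
    """Return the apex for a name.  Assumption: two-label apex (foo.com);
    a real deployment should use the Public Suffix List so that names such
    as foo.co.uk are handled correctly."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowed_subdomains(records, today, min_apex_age_days=180,
                             max_sub_age_days=14):
    """records: iterable of dicts with keys ts (datetime), client (str),
    fqdn (str), ip (str).  Returns one alert dict per suspicious subdomain."""
    first_seen = {}
    ips = defaultdict(set)
    clients = defaultdict(set)
    for r in records:
        fqdn = r["fqdn"].lower().strip(".")
        seen = r["ts"].date()
        first_seen[fqdn] = min(first_seen.get(fqdn, seen), seen)
        ips[fqdn].add(r["ip"])
        clients[fqdn].add(r["client"])

    # The apex is "established" from the earliest sighting of any name under it
    apex_first = {}
    for fqdn, seen in first_seen.items():
        apex = registrable_domain(fqdn)
        apex_first[apex] = min(apex_first.get(apex, seen), seen)

    alerts = []
    for fqdn, seen in sorted(first_seen.items()):
        apex = registrable_domain(fqdn)
        if fqdn == apex:
            continue
        apex_age = (today - apex_first[apex]).days
        sub_age = (today - seen).days
        if apex_age < min_apex_age_days or sub_age > max_sub_age_days:
            continue  # brand-new apex (a different problem) or long-known subdomain
        apex_ips = ips.get(apex, set())
        if apex_ips and ips[fqdn] <= apex_ips:
            continue  # new name, but hosted where the legitimate site lives
        alerts.append({
            "fqdn": fqdn,
            "apex": apex,
            "first_seen": seen.isoformat(),
            "apex_first_seen": apex_first[apex].isoformat(),
            "ips": sorted(ips[fqdn]),
            "clients": len(clients[fqdn]),
        })
    return alerts


def _rec(ts, client, fqdn, ip):
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "fqdn": fqdn, "ip": ip}


# Constructed resolver log: months of normal traffic to a site, then one
# host starting to resolve a never-before-seen subdomain of it.
SAMPLE_RECORDS = [
    _rec("2024-06-01T08:00:00", "10.0.0.5", "example-news.com", "203.0.113.10"),
    _rec("2024-06-01T08:00:01", "10.0.0.5", "www.example-news.com", "203.0.113.10"),
    _rec("2025-03-01T09:15:00", "10.0.0.8", "mail.example-news.com", "203.0.113.10"),
    _rec("2025-03-10T14:02:11", "10.0.0.21", "cdn-update.example-news.com", "198.51.100.7"),
    _rec("2025-03-12T14:02:13", "10.0.0.21", "cdn-update.example-news.com", "198.51.100.7"),
    _rec("2025-03-11T10:00:00", "10.0.0.9", "static.newsite-example.net", "192.0.2.44"),
]


def sample_alerts():
    return find_shadowed_subdomains(SAMPLE_RECORDS, today=date(2025, 3, 14))


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```

The same pass deliberately ignores two look-alikes: a brand-new apex (newsite-example.net in the sample) is a newly registered domain rather than a shadowed one and belongs to a different detection, and a new subdomain that resolves to the parent's own hosting (mail.example-news.com) is the normal way legitimate sites grow. Because the post notes that C&C domains rotate at least weekly, the 14-day window for the subdomain's first sighting is the part worth tuning; a low client count on the flagged name is the "anomalous connection from a compromised host" signal the conclusion mentions.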