How a noisy ransomware intrusion exposed a long-term espionage foothold (Help Net Security)

Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but it can come with an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.

In a recently published report, threat researchers at Positive Technologies have detailed the findings of their investigation into two incidents at Russian companies, which they have tied to two different groups: QuietCrabs and Thor.

Both groups exploited publicly known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and Ivanti's solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to achieve initial access.

[Figure: QuietCrabs attack flow. Source: Positive Technologies]

QuietCrabs leveraged an ASPX web shell, the KrustyLoader loader malware, and the Sliver command-and-control implant. Thor, on the other hand, uses well-known and widely used tools.

In this case, though, Thor's presence was detected early enough to foil the deployment of ransomware.

"QuietCrabs and the presumed Thor group operated in almost the same time period. The gap between their malicious activities was only a few days," the threat researchers noted, though they didn't mention when the attacks actually happened.

"It is also important that the investigation began at the point where Thor activity was first registered. In other words, QuietCrabs could have remained inside the infrastructure for much longer if not for Thor. According to Mandiant's investigations, QuietCrabs' average dwell time in victim infrastructure is 393 days."

The researchers are almost entirely certain that one of the intrusions was by QuietCrabs, as KrustyLoader is unique malware that's associated with that group. "Some vendors describe KrustyLoader exclusively as Linux malware. In our case, however, all incident artifacts were Windows samples," they shared.

The other, noisier activity has been attributed to Thor based on indicators of compromise that matched a previous attack report by another Russian cybersecurity company.

[Figure: Thor attack flow. Source: Positive Technologies]

In July 2025, after reports of CVE-2025-53770 (aka "ToolShell") having been exploited as a zero-day by Chinese threat actors Linen Typhoon and Violet Typhoon against organizations worldwide, Microsoft confirmed that a financially motivated, China-based threat actor, Storm-2603, has also been using the vulnerability to achieve access and deploy Warlock ransomware.

"We cannot confidently state that QuietCrabs is collaborating with Thor. In this case, the overlap is most likely coincidental, as both QuietCrabs and Thor conduct broad scans of organizations for subsequent compromise," the PT researchers opined.

While they say that QuietCrabs has been targeting organizations in the US, UK, Germany, South Korea, Russia, Taiwan, the Philippines, Iran, the Czech Republic and a number of other countries, Thor's victims appear to be mostly Russian organizations.

"We were able to identify around 110 Russian companies as potential victims. The affected organizations varied greatly, both in economic sector and in the potential profit they offered the attackers," they concluded.