{
	"id": "f6fb1522-464b-4cd2-80e7-c5c64faca6b9",
	"created_at": "2026-04-10T03:21:13.099931Z",
	"updated_at": "2026-04-10T13:13:10.523286Z",
	"deleted_at": null,
	"sha1_hash": "2714442444754db767799b8702e99df7327c5556",
	"title": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 18876264,
	"plain_text": "Another Confluence Bites the Dust: Falling to ELPACO-team\r\nRansomware\r\nBy editor\r\nPublished: 2025-05-19 · Archived: 2026-04-10 02:16:27 UTC\r\nKey Takeaways\r\nThe threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution.\r\nUsing this access, the threat actor executed a consistent sequence of commands (installing AnyDesk,\r\nadding admin users, and enabling RDP) multiple times, suggesting the use of automation scripts or a\r\nplaybook.\r\nTools like Mimikatz, ProcessHacker, and Impacket Secretsdump were used to harvest credentials.\r\nThe intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant,\r\napproximately 62 hours after the initial Confluence exploitation.\r\nWhile ransomware was deployed and some event logs were deleted, no significant exfiltration of data was\r\nobserved during the intrusion.\r\nThis case was featured in our December 2024 DFIR Labs CTF and is available as a lab today here. 
It was\r\noriginally published as a Threat Brief to customers in October 2024.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: 20+ private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver,\r\netc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor\r\nInsights reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions.\r\nInteractive labs are available with different difficulty levels and can be accessed on-demand,\r\naccommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nTable of Contents:\r\nCase Summary\r\nAnalysts\r\nhttps://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators\r\nPage 1 of 49\n\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nIn late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection\r\nvulnerability, first from IP address 45.227.254[.]124, which just ran whoami and exited. Shortly thereafter, a\r\ndifferent IP address used the same exploit, running curl to deploy a Metasploit payload (Meterpreter) and establish\r\na C2 channel to 91.191.209[.]46. 
The same IP address that delivered the initial Confluence exploit (used to run\r\nwhoami) was later used to establish a direct AnyDesk connection.\r\nOn the second day of the intrusion, the threat actor initiated multiple AnyDesk sessions, each lasting only a few\r\nseconds to just under two minutes. No commands were executed, and no meaningful activity occurred during\r\nthese brief connections. It remains unclear whether these short sessions were the result of technical issues with\r\ntheir AnyDesk server or a deliberate tactic.\r\nOn the fourth day, the threat actor started by focusing on privilege escalation. The threat actor first performed\r\nseveral unsuccessful attempts using various named pipe impersonation and token duplication techniques, they\r\nthen successfully escalated to SYSTEM using the RPCSS variant of named pipe impersonation. This allowed the\r\ncreation of a local administrator account (“noname”) and the re-installation of AnyDesk as a service (delivered via\r\nthe Metasploit C2) for persistent remote access.\r\nHaving established an alternative means of access running as system, which then became their primary vector for\r\nthe remainder of the intrusion, the threat actor pivoted to widespread discovery. This involved scanning the\r\nnetwork and enumerating SMB shares using SoftPerfect’s NetScan to identify potential targets for lateral\r\nmovement. After identifying the domain controllers the threat actor executed an unsuccessful series of attempts to\r\nexploit Zerologon (CVE-2020-1472) against them.\r\nThe threat actor then dropped tools focused on credential access, including Mimikatz, ProcessHacker, and\r\nImpacket’s Secretsdump. 
Minutes after utilizing these tools, the threat actor managed to compromise a domain\r\nadministrator account, granting them widespread access and control within the target environment. That domain\r\nadmin account was likely compromised through LSASS dumping, as evidenced by later use of NTLM hashes\r\nduring lateral movement. The threat actor was also observed attempting to exploit PrintNightmare (CVE-2021-34527) using rpcdump.exe; this failed due to not meeting requirements, which we detail in this report.\r\nLeveraging the compromised domain administrator credentials, the threat actor initiated lateral movement within\r\nthe network, utilizing Impacket wmiexec and RDP to access additional systems. The threat actor also created a\r\nnew SMB share on the initially compromised Confluence server to facilitate the next steps of the intrusion. This\r\nshare contained a number of tools used for lateral movement and subsequent ransomware deployment.\r\nThe final stage of the intrusion involved the deployment of ransomware. Approximately 62 hours after the initial\r\ncompromise of the Confluence server, the threat actor deployed ELPACO-team.exe, identified as a variant of\r\nMimic ransomware, onto multiple servers, including backup and file servers by RDPing into them and executing\r\nthe exe locally after copying it over SMB. 
While some data transfer was observed via the AnyDesk traffic, there\r\nwas no evidence of collection or widespread data exfiltration prior to ransomware deployment.\r\nAnalysts\r\nAnalysis and reporting completed by pcsc0ut, IrishDeath, and Tornado\r\nInitial Access\r\nThe intrusion began in June 2024 when a threat actor exploited CVE-2023-22527 against an unpatched Atlassian\r\nConfluence server that accepted incoming connection requests from the internet. The network traffic triggered a\r\nSuricata alert from the Emerging Threats open ruleset which was released in January 2024:\r\nET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2 (sid 2050543)\r\nLogs from the server indicated that many other attempts to exploit this vulnerability against this server had been\r\nmade over months from many other IP addresses. The most common command that was run was “whoami”. One\r\nsuch exploitation to run “whoami” occurred 20 minutes before this intrusion started, and came from IP address\r\n45.227.254[.]124, evidenced in the network traffic capture below, and the Sysmon event logs from the Confluence\r\nserver at the same time showing whoami.exe starting from parent process tomcat9.exe.\r\nFigure: PCAP of network traffic showing Confluence exploitation of CVE-2023-22527\r\nFigure: Sysmon logs of whoami.exe process starting with a parent process of tomcat9.exe\r\nApproximately 20 minutes after the initial successful whoami command execution from 45.227.254[.]124, the\r\nintrusion commenced from a new IP address, 91.191.209[.]46, utilizing a slightly modified version of the exploit.\r\nIt’s plausible that the exploitation script used in the second instance, which downloaded and executed the\r\nMetasploit payload, could have been 
derived from or inspired by a publicly available proof-of-concept as seen in\r\nthis GitHub Repository. The intruder exploited the vulnerability a second time to run the command:\r\nFigure: PCAP showing exploit to run curl and start the downloaded payload\r\nThe close timing of these events, coupled with the subsequent use of the original IP (45.227.254[.]124) as the\r\nintruder’s self-hosted AnyDesk server, strongly suggests these were not coincidental.\r\nFigure: Sysmon log showing child process of tomcat9.exe that started the intrusion\r\nThe download of the executable HAHLGiDDb.exe triggered several Suricata alerts, providing initial possible\r\nidentification of the payload as either a Cobalt Strike Stager or Metasploit:\r\nETPRO MALWARE Cobalt Strike Stager Payload\r\nET HUNTING PE EXE Download over raw TCP\r\nETPRO HUNTING Suspicious Offset PE EXE or DLL Download on Non-Standard Ports\r\nET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)\r\nThe file HAHLGiDDb.exe was saved to a path which is a suspicious location for executable files to be saved to or\r\nexecuted from:\r\nC:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\\r\nFigure: Malicious exe file saved to NetworkService temp folder\r\nThe portable executable file HAHLGiDDb.exe was unusual in that it only imported two Windows API functions:\r\nVirtualAlloc and ExitProcess, and contained only the main entry point function and one other function.\r\nReverse engineering the binary using a debugger confirmed that it resolves the Windows library functions it\r\nrequires dynamically at runtime, using hashes for obfuscation, and it closely matches the behavior and code\r\npatterns of a Metasploit shellcode loader as described in this blog by Nviso. 
This sample is different from that in\r\nthe Nviso blog in that this sample is 64-bit code that downloads and attempts to inject a Meterpreter DLL into\r\nother processes, and the Nviso blog describes a 32-bit version that spawns a remote cmd shell.\r\nFigure: Disassembled instructions from HAHLGiDDb.exe show patterns of Metasploit loader\r\nExecution\r\nThe Metasploit loader, HAHLGiDDb.exe, connected to the same IP address that exploited the Confluence\r\nvulnerability to deliver the payload, 91.191.209[.]46 on TCP port 12385 to download the next stage payload. The\r\npayload, a Portable Executable (PE) file, was not encrypted and was easy to identify in network traffic.\r\nFigure: Downloading 2nd stage PE file (starting bytes 4d5a) from 91.191.209.46 port 12385\r\nThe PE file that was downloaded over port 12385 was a 64-bit Windows DLL format that had zero exported\r\nfunctions other than DllMain, which is the function that runs whenever a process loads the DLL. It is somewhat\r\nunusual for a legitimate DLL to have no exported functions, because the main point of a software library is to\r\nprovide functions that the programs calling them can use.\r\nThe Metasploit loader saved the next stage payload as a DLL named nbjlop.dll in the same folder that the\r\nMetasploit loader ran from.\r\nFigure: Sysmon File Create log showing nbjlop.dll created by Metasploit loader\r\nThe Metasploit loader created a named pipe with the same name as the DLL file without the extension, \\\\nbjlop\r\nFigure: Sysmon Event ID 17: pipe creation event\r\nThroughout the intrusion, several new Metasploit loaders were delivered via the Confluence exploit and executed\r\nat different times. 
In every instance, the same pattern was observed: a randomly-named DLL file was dropped to\r\ndisk followed by a pipe event at close to the same time using a pipe name that was the same as the DLL filename,\r\nwithout the .dll extension. The events are shown in the table below.\r\nDLL File Path (Sysmon Event ID 11) Pipe Name (Event ID 17)\r\nC:\\Windows\\SERVIC~1\\NETWOR~1\\AppData\\Local\\Temp\\nbjlop.dll \\\\nbjlop\r\nC:\\Windows\\SERVIC~1\\NETWOR~1\\AppData\\Local\\Temp\\npixmw.dll \\\\npixmw\r\nC:\\Windows\\SERVIC~1\\NETWOR~1\\AppData\\Local\\Temp\\cjlodi.dll \\\\cjlodi\r\nC:\\Windows\\SERVIC~1\\NETWOR~1\\AppData\\Local\\Temp\\wucnic.dll \\\\wucnic\r\nUsing Sigma, it is not possible to express a detection query that matches parts of strings between two types of\r\nevents. However, many threat detection query languages include a JOIN query type and string manipulation\r\nfunctions. Consider crafting a threat hunting query to match DLL file creation events with pipe creation events\r\nafter removing the extension from the DLL filename and removing the backslashes from the pipe name. In the\r\ninvestigation of this case, such a query yielded clean results including only the Metasploit activity, even though\r\nthere were many DLL file creation events and many pipe creation events.\r\nApproximately three minutes after the Metasploit loader process started, it downloaded AnyDesk.exe and saved it\r\nto the Atlassian Confluence program directory.\r\nFigure: Sysmon Event ID 11: AnyDesk.exe file created by Metasploit loader\r\nJust over four minutes after the initial Metasploit payload was delivered, the threat actor again exploited\r\nConfluence to deliver another Metasploit loader and Meterpreter, following the same pattern as above, with the\r\nMetasploit EXE and DLL filenames randomized. 
The loader name this time was RfHBBgXXYF.exe, and it was\r\ndownloaded to the same user profile temp folder as before.\r\nFigure: curl command executed via Confluence exploit to deliver and execute Metasploit loader\r\nOne difference between the first Metasploit process and the second is that on the second attempt, the Metasploit\r\nloader created a cmd.exe process with no command line arguments, then proceeded to access that process and was\r\ngranted access 0x1fffff, which means PROCESS_ALL_ACCESS. The Metasploit loader then created the batch\r\nfile u1.bat in the Atlassian\\Confluence folder in Program Files. The purpose of u1.bat is described in the\r\nPersistence section below.\r\nFigure: Metasploit loader starting cmd.exe and creating u1.bat\r\nFigure: PROCESS_ALL_ACCESS granted when Metasploit loader accessed cmd.exe\r\nLess than eight minutes after the second Metasploit loader process was created, Confluence was exploited a third\r\ntime and another Metasploit loader was delivered from the same IP address as the first two, this time with the\r\nrandomized filename ZqYeqEZtohD.exe.\r\nFigure: Three commands from Confluence exploits delivering three Metasploit loaders\r\nPersistence\r\nNew User Accounts Created\r\nLess than one second after the Metasploit loader accessed the lsass process, a batch file named u1.bat was created\r\nin the Confluence folder C:\\Program Files\\Atlassian\\Confluence\\u1.bat. This file creation time was retrieved from\r\na live memory snapshot of the infected system. 
The purpose of the u1.bat file was to create a new user account\r\nnamed “noname” with the password “Slepoy_123”, then use WMIC to find an administrators group, use net.exe\r\n(which calls net1.exe) to add the user to the admin group, then use WMIC to set the user’s password to never\r\nexpire.\r\nFigure: Contents of the u1.bat file used to create a new user account and make it a local admin\r\nSysmon recorded the execution of the commands in this batch file. The local group name that matched SID ‘S-1-5-32-544’ was the default local “Administrators” group.\r\nThe Security event log recorded the user creation, enabling, modification, and password set events for user\r\n“noname” in event IDs 4720, 4722, 4738, and 4724. Although it wasn’t observed during this intrusion, event ID\r\n4741, which records the creation of computer accounts, is also essential, as threat actors can interactively use a\r\ncomputer account to log on and execute commands in the same manner that a user account can be utilized.\r\nAnyDesk Service\r\nWithin minutes of the new user account creation, the threat actor was observed dropping an AnyDesk binary into\r\nthe Confluence installation directory (C:\\Program Files\\Atlassian\\Confluence) from the HAHLGiDDb.exe\r\nprocess. Interestingly, the second Metasploit loader process also downloaded and saved AnyDesk.exe to the same\r\nfolder a few minutes later. 
This suggests that these actions were part of an automation script.\r\nThis initial AnyDesk binary was then executed via the command line, also spawned from the HAHLGiDDb.exe\r\nprocess, to install AnyDesk on the system as a service in the ProgramData directory:\r\nSysmon logs captured the creation of the newly installed AnyDesk service\r\nInstallation triggered several Sysmon ‘FileCreate’ events as well when dropping new configuration files in the\r\n‘C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\‘ directory\r\nFiles Created:\r\nuser.conf\r\nad.trace\r\nsystem.conf\r\nservice.conf\r\nAfter the installation was completed, several more commands were run to finish the setup, including a command\r\nline to start the service immediately:\r\nCommandLine: anydesk.exe --start-service\r\nThe AnyDesk documentation shows how command line arguments can be used to set up unattended access.\r\nThe threat actor used an argument to set the unattended access password for AnyDesk, as well as an echo command to provide the\r\npassword “P@ssword1” to the AnyDesk password prompt:\r\nFigure: AnyDesk Command line to set unattended access password\r\nFigure: Command line echo to send password “P@ssword1” to AnyDesk unattended password prompt.\r\nFinally, as part of the observed tradecraft, the threat actor ran a command to get the AnyDesk ID of the newly\r\ninstalled system (to be able to reconnect later):\r\nANYDESK.EXE --GET-ID\r\nThis sequence of events to set the AnyDesk unattended password occurred three times during the intrusion. 
The\r\nfirst two occurrences were just two minutes apart on day one, and the last time was on day three. The same\r\npassword was set each time.\r\nSpider.dll\r\nOn the third day of the intrusion, the threat actor, using an AnyDesk session, transferred a folder named\r\n“Attacker” from their host to the Desktop folder of a user on the Confluence server. A subfolder named “share”\r\ninside the “Attacker” folder contained two DLL files named “spider.dll” and “spider_32.dll”. Many other files\r\nwere also in this folder.\r\nThe process that created the DLLs was explorer.exe. Reverse-engineering this DLL revealed its purpose. It\r\ncontains a hard-coded username “Crackenn” and a hard-coded password “*aaa111Cracke” which are passed to the\r\nNetUserAdd Windows API function to add a local user account, then it adds the newly-created user account to the\r\nAdministrators local group and the Remote Desktop Users local group. This username, password, and\r\nfunctionality match a report published by SentinelOne about an intrusion that led to BlackBasta ransomware.\r\nFigure: DllMain function of spider.dll\r\nNote that no evidence was found in the security logs indicating that a user named “Crackenn” was created,\r\nauthenticated, or used to run any programs during this incident, nor was there any evidence of spider.dll being\r\nexecuted using rundll32 or regsvr32.\r\nPrivilege Escalation\r\nInitial Exploit\r\nUpon initial access, the threat actor had already obtained NETWORK SERVICE level access, as the exploited Confluence\r\nweb server (Tomcat) was running under this more limited privilege:\r\nMetasploit ‘getsystem’\r\nIt appears in this case, the threat actor either attempted to getsystem using all 
methods, or at the very least\r\nattempted several methods that were observed in the logs.\r\nWith this initial limited privilege, the threat actor attempted two methods to escalate access. The first of these\r\nobserved in the logs was the ‘ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2’ method, or Named Pipe\r\nImpersonation (DLL Dropper Variant). This elevation method was observed (as documented in the execution\r\nsection) with the creation of a DLL/Named Pipe under the same name:\r\nDLL Dropped: nbjlop.dll\r\nNamed Pipe: \\nbjlop\r\nSource code confirms that this module will use the ‘cpServiceName’ field to create the DLL and the Named Pipe\r\nfields:\r\nThis did not work, as the requirement for this to succeed is that the initial shell must already be running with\r\nAdministrator rights.\r\nThe second method observed in the logs was the Token Duplication method. According to the documentation, this method\r\nonly requires the SeDebugPrivilege privilege (which the NETWORK SERVICE account does have), and iterates\r\nthrough all services to find one running under SYSTEM, then attempts to use reflective DLL Injection to run the\r\nelevator.dll in the memory of that service. We can see this activity in the logs with several Sysmon process\r\naccess events, which stop at the first service accessed running under SYSTEM (lsass.exe):\r\nThis also appears to have failed, despite having the correct permissions. According to Rapid7’s documentation,\r\nthis method only currently works on x86 systems.\r\nThe final method observed, which worked, was the Named Pipe Impersonation (RPCSS Variant); this was\r\nobserved with the creation of a second named pipe:\r\nFrom Rapid7’s documentation:\r\nThis technique will open a named pipe on the target, connects to and then impersonates itself. 
Due to how LSASS\r\nfunctions if the Meterpreter process is running as NT AUTHORITY\\NETWORK SERVICE, this can yield the\r\nnecessary privileges to open the RPCSS process which itself contains handles to NT AUTHORITY\\SYSTEM\r\ntokens. Using the access to the RPCSS process, one of these tokens is selected and duplicated.\r\nShortly after the creation of this named pipe, the Metasploit payload (HAHLGiDDb.exe) was observed creating\r\ntwo cmd.exe sub-processes running under the SYSTEM privilege, indicating successful escalation was obtained.\r\nOn day three of the intrusion, the threat actor used AnyDesk to drop Mimikatz and run it, as described later in the\r\nCredential Access section. Within 15 minutes of execution of Mimikatz, the threat actor was able to create a new\r\ninteractive AnyDesk session running under an existing domain administrator level account, potentially\r\nobtained from the Mimikatz output, providing the final escalation required.\r\nZerologon\r\nThe threat actor made an unsuccessful attempt to escalate privileges by exploiting the Zerologon vulnerability\r\n(CVE-2020-1472). They utilized a tool named zero.exe, directing it against several domain controllers. The\r\nobjective was to leverage the critical flaw in the Netlogon Remote Protocol to gain domain administrator\r\nprivileges. The executed commands aimed to verify successful exploitation by running the whoami command in\r\nan elevated context. Despite these efforts against the domain controllers, the Zerologon exploitation attempt was\r\nunsuccessful.\r\nzero.exe [TARGET_DC_NETBIOS_NAME] [TARGET_DC_MACHINE_ACCOUNT$] administrator -c \"whoami\"\r\nSuricata alerts fired during these attempts. 
If an exploit succeeds, a total of three ET EXPLOIT rules\r\nfire; in each instance only the first two of the three were recorded, confirming failed exploit attempts.\r\nDefense Evasion\r\nThe Metasploit loader process then accessed several other processes that were already running, including\r\ntomcat9.exe, conhost.exe, mysqld.exe, java.exe, and finally svchost.exe, as evidenced by Sysmon event ID 10\r\nlogs. The granted access for each event was 0x1f3fff, which indicates that full access was granted to the process.\r\nThat access flag is used by many Sigma rules as an indication of suspicious process access preceding injection.\r\nFigure: Sysmon log: Metasploit loader accessing a svchost.exe process with full access 0x1f3fff\r\nNear the end of the intrusion, the threat actor executed Defender Control, an executable they had previously\r\ndownloaded to the Confluence server as “DC.exe”.\r\nThis tool was used to stop Windows Defender Antivirus Service by setting the registry value to 1 at the following\r\nkey:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware\r\nFollowing their initial activities, the threat actor took steps to ensure Remote Desktop Protocol (RDP) access to\r\nthe compromised system. They began by querying the registry to identify the configured RDP port:\r\nreg query \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber\r\nSubsequently, they modified a key registry value to explicitly enable RDP connections by setting\r\nfDenyTSConnections to 0:\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /\r\nTo guarantee network connectivity, the actor then adjusted Windows Firewall settings using netsh advfirewall\r\ncommands. 
This involved enabling the predefined “Remote Desktop” group of rules and adding a new specific\r\ninbound rule named “allow RDP” for TCP port 3389:\r\nnetsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes\r\nnetsh advfirewall firewall add rule name=\"allow RDP\" dir=in protocol=TCP localport=3389 action=allow\r\nThese actions collectively aimed to establish reliable and unimpeded RDP access for the threat actor.\r\nCredential Access\r\nJust 30 seconds after the first Metasploit loader process started running, it created a remote thread in the Local\r\nSecurity Authority Subsystem (lsass.exe) process, detected in Sysmon event ID 8.\r\nFigure: Sysmon Event ID 8: Remote Thread created in lsass.exe\r\nSeveral Sigma rules detected this activity:\r\nPotential Shellcode Injection - proc_access_win_susp_potential_shellcode_injection.yml\r\nPotentially Suspicious GrantedAccess Flags On LSASS - proc_access_win_lsass_susp_access_flag.yml\r\nLSASS Access From Program In Potentially Suspicious Folder - proc_access_win_lsass_susp_source_proces\r\nAccess to Domain User Credentials\r\nOnce system privilege was obtained, AnyDesk was installed to obtain remote command and control. Upon\r\nconnecting to an AnyDesk session on day three of the intrusion, the threat actor was able to obtain interactive\r\naccess to a logged-on domain user account. 
Access to this user’s profile was used to drop additional tools into the\r\nDesktop folder and start the enumeration activity.\r\nThe threat actor used the AnyDesk session to drop mimikatz.exe (both 32-bit and 64-bit versions) and its\r\nassociated drivers and library files on the Confluence server, as the SYSTEM user:\r\nmimikatz.exe\r\nmimidrv.sys\r\nmimilove.exe\r\nmimilib.dll\r\nFigure: Sysmon FileCreate events showing Mimikatz files being created on the beachhead server\r\nAlong with these files, a simple batch script named !start.cmd which detects the OS architecture and runs the\r\nappropriate version of Mimikatz with command line arguments was also dropped.\r\nFigure: Contents of !start.cmd batch script\r\nJust 30 seconds after dropping these files, the threat actor used the batch script to execute the 64-bit version with\r\nthe following command line arguments:\r\n.\\mimikatz\\x64\\mimikatz.exe \"privilege::debug\" \"log .\\!logs\\Result.txt\" \"sekurlsa::logonPasswords\"\r\nThe mimikatz.exe process accessed the Local Security Authority Subsystem Service (lsass.exe) to access\r\ncredentials, and was granted access.\r\nFigure: Process Access event ID 10 showing mimikatz.exe accessing lsass.exe\r\nThe granted access value 0x1010 translates to:\r\nPROCESS_QUERY_LIMITED_INFORMATION (0x1000)\r\nPROCESS_VM_READ (0x0010)\r\nAbout 20 seconds after the 64-bit version of mimikatz.exe ran, the 32-bit version executed from the same folder,\r\nbecause the !start.cmd batch file runs both 64-bit and 32-bit versions when a 64-bit OS is detected. 
Then, about 24\r\nminutes later, the 64-bit version of mimikatz.exe was run again from a different user account (a local\r\nadministrator), followed by the 32-bit version 20 seconds later.\r\nIn all four executions of mimikatz, a Sysmon ProcessAccess event ID 10 was generated targeting lsass.exe with\r\nthe granted access flags 0x1010.\r\nEach time after running mimikatz, the threat actor used notepad.exe one or more times to view the contents of the\r\n“!logs\\Result.txt” file containing the credential hashes dumped by mimikatz.\r\nFigure: Notepad was used to view the Mimikatz output file after each execution\r\nFurther activity potentially related to credential access involved ProcessHacker, which was installed and run on a\r\nbackup server 12 minutes after Mimikatz execution, and again on a file server 15 minutes thereafter. Sysmon logs\r\n(event ID 10) showed ProcessHacker.exe accessing lsass.exe as SYSTEM and being granted 0x1010 access on\r\nboth occasions. Although this level of access is typical for tools attempting to dump credentials from LSASS, we\r\ndid not observe corresponding file creation events to confirm an LSASS dump via ProcessHacker.\r\nShortly after running Mimikatz, the threat actor ran a program named secretsdump.exe on the compromised\r\nConfluence server, providing NTLM hashes as authentication for user accounts. 
Most likely, the NTLM hashes\r\ncame from the output of Mimikatz.\r\nC:\\Windows\\system32\\cmd.exe secretsdump.exe -hashes :[HASH REDACTED] [USERNAME REDACTED]@[IP ADDRESS\r\nIn a timespan of less than two minutes, the threat actor ran secretsdump.exe eight times, using combinations of\r\ntwo different usernames, two different IP addresses, and two different hashes.\r\nAnalysis of the secretsdump.exe file revealed it was a Python 2.7 script built into a Windows Portable Executable\r\nusing PyInstaller. Using pyinstxtractor and uncompyle6, the embedded Python script secretsdump[.]py was\r\nextracted, and found to be the secretsdump.py script from the Impacket suite of tools.\r\nFigure: Python script extracted from secretsdump.exe and decompiled\r\nAccording to the comments in the latest secretsdump[.]py file on GitHub, the purpose of the script is to dump\r\nhashes from a remote machine without executing an agent on the remote machine:\r\n# Description:\r\n# Performs various techniques to dump hashes from the\r\n# remote machine without executing any agent there.\r\n# For SAM and LSA Secrets (including cached creds)\r\n# we try to read as much as we can from the registry\r\n# and then we save the hives in the target system\r\n# (%SYSTEMROOT%\\\\Temp dir) and read the rest of the\r\n# data from there.\r\n# For NTDS.dit we either:\r\n# a. Get the domain users list and get its hashes\r\n# and Kerberos keys using [MS-DRDS] DRSGetNCChanges()\r\n# call, replicating just the attributes we need.\r\n# b. Extract NTDS.dit via vssadmin executed with the\r\n# smbexec approach.\r\n# It's copied on the temp dir and parsed remotely.\r\n#\r\n# The script initiates the services required for its working\r\n# if they are not available (e.g. Remote Registry, even if it is\r\n# disabled). 
After the work is done, things are restored to the\r\n# original state.\r\nThe command-line arguments handled by the version of secretsdump[.]py that was embedded in the\r\nsecretsdump.exe file are shown in the screenshot below. Even if the executable file had not so obviously been\r\nnamed secretsdump.exe, threat hunting or writing detections for the unique command-line arguments used by\r\ncommon post-exploitation tools can be a powerful technique to detect malicious activity. The Impacket suite of tools\r\nhas been observed in many intrusions. Red Canary published a useful blog on detection of Impacket\r\ntools.\r\nAnother artifact produced by secretsdump.exe was a file whose name starts with “sessionresume_” followed by\r\nrandom characters, with no file extension:\r\nThis artifact filename pattern is found in the Impacket secretsdump[.]py source code, which shows that the\r\nfilename will always start with “sessionresume_” and end in 8 random ASCII letters:\r\nDiscovery\r\nSeveral discovery methods were observed in use throughout the attack chain to assist the threat actor in\r\nenumerating information about the environment. Many of the discovery commands were issued as a direct result\r\nof the initial Confluence exploit, originating from the Tomcat process itself. These commands included running\r\nwhoami, as well as directory listings of the host running the Confluence application:\r\nFigure: Web server sub-processes spawned from exploitation.\r\nAccount Discovery Using DIR, WHOAMI, and NET\r\nOn the second day of the intrusion, Confluence was exploited multiple times over a roughly twenty-minute period\r\nfrom the IP address 109.160.16[.]68. 
No link was found from this IP to the other activity detailed so far in the report,\r\nleading us to assess that this was likely a separate threat actor. The initial exploit attempts from this IP appeared\r\ndesigned to run the whoami command, likely to ascertain the Tomcat web server’s privileges. Interestingly, a\r\ntypographical error was noted (“cmd.exe /c whaomi”), hinting at the possibility of manual input, though the direct\r\nattribution of this specific activity to the primary threat actor is uncertain. This was followed by several commands\r\nused to perform directory listings under the ‘c:\\Users\\’ path to identify valid account names:\r\nFigure: PCAP of Confluence Exploit using DIR command to list user directories\r\nFigure: Full listing of commands issued during a twenty-minute span of Discovery commands, including the\r\n“whaomi” typo\r\nDuring this process, the threat actor also used the net.exe command to list members of the local ‘Administrators’\r\ngroup, presumably to determine whether any of the discovered users would be directly listed.\r\nThere were two other exploits of Confluence to run “whoami” also on day two, from these two IP addresses:\r\n185.228.19[.]244 and 185.220.101[.]185. Because there were no follow-up commands from either of these IP\r\naddresses beyond the initial “whoami”, it is not possible to tell whether this activity was discovery related to the\r\nsame threat actor or random vulnerability scanning.\r\nNetScan\r\nOn the third day of the intrusion, the threat actor dropped netscan in a user’s Desktop folder on the beachhead\r\nwhile connected to an interactive session via AnyDesk. 
Shortly after the file was created, the threat actor\r\ninitiated a scan of the local subnet, scanning ports:\r\n88/tcp (kerberos)\r\n137/tcp (nbns)\r\n445/tcp (smb)\r\n3389/tcp (rdp)\r\n6160/tcp (veeam agent)\r\nAdditionally, during this scan, netscan was configured to check SMB access (read/write) on any network shares\r\ndiscovered. This generated Security event ID 5145 (network share object access check), with the tell-tale netscan file ‘delete[.]me’ being created,\r\nand tripped a DFIR Report Sigma rule ‘NetScan Share Enumeration Write Access Check’:\r\nThis process was repeated later in the same day by the threat actor once a ‘Domain Admin’ level account was\r\nacquired, using a similar pattern (netscan being dropped to the desktop, same scanning profile and same targets).\r\nRPCDUMP (PrintNightmare Vulnerability Discovery)\r\nOn the third day of the intrusion, the threat actor attempted to enumerate RPC endpoints available on two IP\r\naddresses, both associated with Domain Controller systems, using a tool named rpcdump.exe, which is a\r\ncomponent of the Impacket suite designed to map DCE/RPC endpoints, compiled for Windows. 
In this particular\r\ncase, rpcdump.exe was automated with a batch script that filtered its output for specific strings (as indicated by the\r\nfindstr /C:”MS-RPRN” /C:”MS-PAR” command) to show whether either of the two RPC interfaces was available on\r\nthe target systems:\r\nMS-RPRN – The Print System Remote Protocol\r\nMS-PAR – The Print System Asynchronous Remote Protocol\r\nFigure: CheckVuln.bat Script Contents\r\nBecause the systems targeted with this script were observed to be Domain Controllers, and both interfaces are exposed by the Print Spooler service, the threat actor was likely\r\nlooking for systems vulnerable to the PrintNightmare (CVE-2021-34527) vulnerability; the SharpPrintNightmare binaries listed in the Indicators section support this reading.\r\nFigure: Process Tree Created when CheckVuln.bat was run\r\nAn analysis of the DCE/RPC Lookup response from the DC indicated that neither of these endpoints seemed to be\r\nactive among the 473 returned entries.\r\nFigure: DCE/RPC Endpoint Mapper Lookup Response from Domain Controller\r\nLateral Movement\r\nThe threat actor heavily used wmiexec to run commands remotely on a domain controller from the Confluence\r\nserver initially exploited. All the commands on the domain controller were child processes of wmiprvse.exe.\r\nWMIEXEC\r\nShortly after executing mimikatz and testing the credentials with secretsdump.exe, the threat actor dropped a\r\nsecondary tool (wmiexec.exe) from the Explorer process (via the AnyDesk copy/paste session capability, which\r\nsupports both files and text); this is confirmed in the ad.trace file located in the user directory\r\n(c:\\users\\%USERNAME%\\AppData\\Roaming\\AnyDesk\\ad.trace). 
For each tool/file transfer event initiated via the\r\ncopy/paste functionality in AnyDesk, there is a set of corresponding log entries indicating that a file transfer was\r\ninitiated from the threat actor’s machine to the victim machine:\r\nThis corresponds with a Sysmon FileCreate event (event ID 11) for the creation of the wmiexec.exe tool:\r\nInitially, the threat actor issued two commands to test the hashes obtained earlier, using a Pass-the-Hash technique against\r\ntwo domain controllers:\r\nAfter the threat actor obtained access to an account with domain administrator rights, the wmiexec.exe command\r\nwas slightly altered to create an interactive command prompt on the remote domain controller:\r\nC:\\Windows\\system32\\cmd.exe wmiexec.exe :NTLM_HASH domain_admind@dc_ip\r\nOn the domain controller, this interactive command prompt was used to issue several commands, which included\r\nlisting the current user (whoami) and eventually adding a new user (NONAME) to the domain (and to several\r\nprivileged groups):\r\nC:\\WINDOWS\\SYSTEM32\\NET1 USER NONAME SLEPOY_123 /DOMAIN /ADD\r\nC:\\WINDOWS\\SYSTEM32\\NET1 GROUP \"DOMAIN ADMINS\" NONAME /DOMAIN /ADD\r\nC:\\WINDOWS\\SYSTEM32\\NET1 GROUP \"ENTERPRISE ADMINS\" NONAME /DOMAIN /ADD\r\nThese wmiexec commands were observed on the remote side (domain controller) as a type of redirection\r\ncommand to the local admin share. 
For example, when running the ‘whoami’ command, the command was\r\nredirected to a local file created in the ADMIN$ share:\r\nThere was a corresponding FileCreate event in the Sysmon logs, which matched the redirect file name that was\r\ncreated (the file name was the epoch timestamp for when the command was issued):\r\nOn the remote target side (domain controller), several existing SIGMA rules detected this activity:\r\nproc_creation_win_wmiprvse_spawning_process.yml\r\nproc_creation_win_cmd_redirect.yml\r\nproc_creation_win_hktl_impacket_lateral_movement.yml\r\nproc_creation_win_susp_redirect_local_admin_share.yml\r\nCreate Share/Enable SMBv2\r\nFrom the beachhead, the threat actor uploaded a tool set that included several exploits as well as batch scripts to\r\nautomate running these tools:\r\nIn order to make these tools accessible to other targets on the network, one of these batch scripts automated setting\r\nup an SMB share on the beachhead. 
This script created a local share (named ‘share’), set permissions to\r\nenable/ensure access, and rebooted the machine:\r\nWindows Security Event ID 5142 (a network share object was added) can be used to identify the creation of new network shares; note that it is only recorded when the Object Access / File Share audit subcategory is enabled:\r\nShortly after the execution of the batch script, the threat actor was observed restarting the system to ensure all the\r\nchanges took effect:\r\nAdditionally, several SIGMA rules tripped when the batch script was run that can be useful in detecting this\r\nactivity:\r\nproc_creation_win_net_share_unmount.yml (deletion of existing share)\r\nproc_creation_win_susp_file_permission_modifications.yml (permission changes made while creating the share)\r\nproc_creation_win_net_start_service.yml (Starting LanManServer and LanManWorkstation)\r\nRemote Desktop Protocol\r\nAfter the threat actor obtained a domain account with administrative privilege, they were observed using RDP to\r\nmove laterally to a file server as well as a backup server.\r\nOf note, in at least one instance, the threat actor used the discovery mapping conducted from the Netscan\r\ndiscovery tool to launch the RDP session. 
This is a GUI feature offered in Netscan that allows the user to choose\r\noptions on a discovered host and launch any number of pre-configured commands:\r\nThis can be observed on the beachhead side in process creation events (Security Event Log event ID 4688 or\r\nSysmon event ID 1) when netscan.exe is observed spawning mstsc.exe as a sub-process, as happened when the threat\r\nactor clicked the “Remote Desktop” option and launched an RDP session with the backup server:\r\nSIGMA rule to detect mstsc.exe being spawned by netscan.exe\r\nCommand and Control\r\nMetasploit and Meterpreter\r\nMetasploit was used to exploit the Confluence server and deliver a Meterpreter executable payload via curl, which\r\nwas then immediately executed. This was repeated three times during the intrusion. Each time, the executable\r\npayload was downloaded from IP address 91.191.209[.]46, and the Meterpreter payload connected back to the same IP\r\naddress on port 12385. This IP address appears on many threat feeds, including Open Threat Exchange, associated\r\nwith vulnerability scanning and RDP scanning.\r\nThe client (Meterpreter running on the victim) started many of its connections to the server by sending a\r\nconsistent pattern of 27 bytes, exactly the same each time, then one byte that was different, then 4 bytes that were\r\nconsistent each time the client sent a packet to the server. This is illustrated in the screenshot below. 
The consistent\r\nbytes are outlined in a red box and the byte that was different each time is outlined in a blue box.\r\nFigure: Screenshot from Wireshark showing client communication (in red shading) and server replies (in blue\r\nshading) between the victim Confluence host and the Metasploit server 91.191.209[.]46 on port 12385\r\nThe network communication with the Metasploit server triggered the following Suricata signature from the\r\nEmerging Threats ruleset (sid 2025644):\r\nET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)\r\nThe Command and Control traffic to the Metasploit server used raw TCP sockets, not HTTP or other common\r\nprotocols. The connections did not last very long, only about 13 minutes between Confluence exploitation and\r\nclosing the Metasploit C2 connection; the threat actor appeared to favor using Metasploit just to run an initial\r\nset of commands and to deliver AnyDesk, then continued most of the intrusion activity over AnyDesk.\r\nAnyDesk\r\nAnyDesk software can be used with either Cloud servers or “On-Prem” (self-hosted) servers. The threat actor\r\nhosted their own On-Prem AnyDesk server at IP address 45.227.254[.]124 (port 443), which was the same IP\r\naddress that exploited the Confluence vulnerability to run “whoami” 20 minutes before the Metasploit payload\r\nwas delivered using the same vulnerability.\r\nFigure: AnyDesk Certificate Exchange with Threat Actor’s AnyDesk server 45.227.254[.]124\r\nNeither Censys nor Shodan had any history of scan data for this IP address. Neither VirusTotal nor AlienVault\r\nOpen Threat Exchange had any reporting of threat activity associated with this IP. 
However, scan results from\r\nfofa.info showed that less than one month after the intrusion activity, this host was presenting a self-signed\r\ncertificate on port 3389 with certificate serial number 104770999709883145161872575332968665437 and\r\ncommon name “D-422”.\r\nDuring the intrusion, the threat actor utilized AnyDesk’s Direct Connection feature to establish a connection to a\r\nserver under the threat actor’s control at IP address 45.227.254[.]124, bypassing AnyDesk’s relay servers. This direct\r\nconnection method suggests an attempt to evade detection by network security tools that might otherwise monitor\r\ntraffic routed through AnyDesk’s central infrastructure; it also means that detections keyed on AnyDesk’s own relay and cloud domains would not fire, so host artifacts such as ad.trace and the AnyDesk process itself become the more reliable indicators. Connecting directly to an external server under their\r\ncontrol allows the threat actor to exfiltrate data or control the compromised system more discreetly.\r\nExfiltration\r\nIn an unusual turn for a ransomware incident, there was no extensive file exfiltration before the ransomware was\r\ndeployed to encrypt files. While some individual files might have been taken through AnyDesk, there were no\r\nlarge archives created, nor was there a significant data transfer to external IP addresses, as indicated by netflow\r\nrecords. A total of just under 70 MB was exchanged in both directions between the threat actor’s AnyDesk server\r\nand the compromised network, including all remote desktop screen images, as well as the ransomware and other\r\ntools sent to the affected systems.\r\nImpact\r\nOn the third day of the intrusion, about 62 hours after the initial exploit of the Confluence server, the threat actor\r\nused an AnyDesk session to drop a file named ELPACO-team.exe on the Confluence server, but did not\r\nimmediately execute it. 
Less than one minute later, the threat actor used RDP to connect from the Confluence\r\nserver to a backup server, using the “noname” user account that they had previously created using the “u1.bat”\r\nscript. Using the RDP session, they copied the ELPACO-team.exe file to the backup server in the folder\r\nD:\\Admin\\, then executed it on the backup server.\r\nDuring sandbox execution, we found that the ransomware binary executes with a graphical user interface as\r\ndepicted in the screenshots below:\r\nFigure: ELPACO-team ransomware GUI interface 1\r\nFigure: ELPACO-team ransomware GUI interface 2\r\nThe ELPACO-team.exe file was a self-extracting 7-Zip SFX archive, which expanded the following files, all in the\r\npath “C:\\Users\\noname\\AppData\\Local\\Temp\\5\\7ZipSfx.000\\”. The 7za.exe file was created and executed first; the\r\n7za.exe process then created the rest of the files.\r\n7za.exe\r\nEverything.exe\r\nEverything32.dll\r\nDC.exe\r\nELPACO-team.exe\r\nENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe\r\ngui35.exe\r\ngui40.exe\r\nxdel.exe\r\nThis pattern of file creation is consistent with a ransomware analysis blog published by Cyfirma in November\r\n2024. 
The blog describes ELPACO-team ransomware as a variant of Mimic ransomware.\r\nThe ELPACO-team.exe file in the 7ZipSfx.000 folder was executed, and it created a new folder:\r\nC:\\Users\\noname\\AppData\\Local\\F6A3737E-E3B0-8956-8261-0121C68105F3\\\r\nThen, it copied all the files listed above to the new folder, while also creating new files in that folder:\r\nsvhostss.exe\r\nEverything.ini\r\nEverything2.ini\r\nEverything32.dll\r\nEverything64.dll\r\nglobal_options.ini\r\nThe svhostss.exe file hash matched the hash of the ELPACO-team.exe file that 7za.exe had extracted and that was copied into\r\nC:\\Users\\noname\\AppData\\Local\\F6A3737E-E3B0-8956-8261-0121C68105F3\\, showing that it was\r\njust a renamed copy of the same file. A second version of the ransomware binary was also observed with a\r\ndifferent hash.\r\nFilename SHA256\r\nsvhostss.exe 0b83f2667abff814bb724808c404396e6ad417591165f1762a8e99ec108d4996\r\nELPACO-team.exe 0b83f2667abff814bb724808c404396e6ad417591165f1762a8e99ec108d4996\r\nELPACO-team.exe a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b\r\nThe Everything64.dll file was extracted using the password “7595128543001923103”.\r\nAfter extracting the files, the “svhostss.exe” file was executed as a child process of ELPACO-team.exe.\r\nThe svhostss.exe process then executed itself as a child process several more times, about 45 seconds later, with\r\ncommand line arguments “-e u1”, “-e u2” and “-e watch -pid 5544 -!”.\r\nPersistence was established by setting the value of the registry Windows Run key:\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svhostss”\r\nto the path of the svhostss.exe file:\r\n“C:\\Users\\noname\\AppData\\Local\\F6A3737E-E3B0-8956-8261-0121C68105F3\\svhostss.exe”\r\nThe ransomware process created two files in the C:\\temp\\ folder on every 
system it ran on, one called\r\n“MIMIC_LOG.txt” and the other named “session.tmp”.\r\nThe svhostss.exe ransomware process accessed other processes over 12000 times in less than 10 minutes. Most of\r\nthe process access events targeted lsass.exe (granted access 0x40) and svchost.exe (granted access 0x40 and\r\n0x121411).\r\nGranted access 0x40 is PROCESS_DUP_HANDLE, the right a caller needs on a process handle to use that process as the source in the DuplicateHandle\r\nWindows API.\r\nGranted access 0x121411 is the combination of:\r\nPROCESS_TERMINATE (0x0001)\r\nPROCESS_VM_READ (0x0010)\r\nPROCESS_QUERY_INFORMATION (0x0400)\r\nPROCESS_QUERY_LIMITED_INFORMATION (0x1000)\r\nREAD_CONTROL (0x20000)\r\nSYNCHRONIZE (0x100000)\r\nNeither mask is the 0x1010 seen with Mimikatz and ProcessHacker, so an LSASS-access detection keyed only on 0x1010 would not have flagged the ransomware process.\r\nAnalysis of command-line activity reveals the threat actor’s use of specific PowerShell cmdlets for discovering\r\nand interacting with virtual machines. They initiated powershell.exe with the -ExecutionPolicy Bypass flag to\r\nexecute sequences such as Get-VM for VM enumeration, followed by Get-VHD to identify associated virtual disk\r\nfiles. The pipeline further extended to Get-DiskImage -ImagePath $_.Path and Dismount-DiskImage, suggesting a\r\nprocess of locating mounted VHD images and dismounting them, which would release the underlying files for encryption. 
Commands to halt virtual machine operations (Get-VM |\r\nStop-VM) were also noted.\r\nFigure: Virtual machine discovery commands\r\nEncrypted files were given the .ELPACO-team extension.\r\nFollowing execution on the backup server, the threat actor was observed opening and presumably checking the\r\nransom note, C:\\Decryption_INFO.txt, using Notepad.\r\n\"%WINDIR%\\system32\\NOTEPAD.EXE\" C:\\Decryption_INFO.txt\r\nThe threat actor then repeated this process on a key file server, including preliminary steps such as disabling\r\nsecurity tools with DefenderControl and installing Process Hacker before running the ELPACO-team.exe payload.\r\nWhile these two servers were the primary targets for ransomware execution and file encryption, further impact\r\nwas observed through limited SMB share scanning, which also affected a domain controller. 
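The Sysmon Event ID 10 observations in this report (Mimikatz and ProcessHacker opening lsass.exe with GrantedAccess 0x1010 in the Credential Access section, and the svhostss.exe ransomware process opening lsass.exe with 0x40 and svchost.exe with 0x121411 thousands of times in a few minutes, described above) are the kind of data a responder wants to decode and triage in bulk rather than by hand. The Python script below is an added example written for this page; it is not code from The DFIR Report or from any of the tools discussed. It decodes a GrantedAccess mask into the PROCESS_* and standard rights it contains, flags non-allowlisted processes that opened lsass.exe with memory-read or handle-duplication rights (so a 0x40 open is caught as well as a 0x1010 one), and finds processes that generated bursts of access events. The allowlist, the account names and the sample events are constructed for illustration and do not come from the case data; paths and user names in the sample are written with forward slashes to keep it simple, and the basename helper accepts either separator.

```python
import datetime as dt

# Sysmon Event ID 10 reports GrantedAccess as a Windows process access mask:
# process-specific rights in the low 16 bits, standard rights above them.
PROCESS_RIGHTS = {
    0x0001: 'PROCESS_TERMINATE',
    0x0002: 'PROCESS_CREATE_THREAD',
    0x0008: 'PROCESS_VM_OPERATION',
    0x0010: 'PROCESS_VM_READ',
    0x0020: 'PROCESS_VM_WRITE',
    0x0040: 'PROCESS_DUP_HANDLE',
    0x0080: 'PROCESS_CREATE_PROCESS',
    0x0200: 'PROCESS_SET_INFORMATION',
    0x0400: 'PROCESS_QUERY_INFORMATION',
    0x0800: 'PROCESS_SUSPEND_RESUME',
    0x1000: 'PROCESS_QUERY_LIMITED_INFORMATION',
    0x10000: 'DELETE',
    0x20000: 'READ_CONTROL',
    0x100000: 'SYNCHRONIZE',
}
CREDENTIAL_READ_BITS = 0x0010 | 0x0040  # PROCESS_VM_READ | PROCESS_DUP_HANDLE
# Hypothetical allowlist of images that legitimately open lsass.exe; derive
# your own from a baseline of the hosts you monitor.
LSASS_SOURCE_ALLOWLIST = {'csrss.exe', 'wininit.exe', 'services.exe', 'msmpeng.exe'}

def decode_access(mask):
    '''Names of the rights in a GrantedAccess mask, lowest bit first.'''
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask
    for bit in PROCESS_RIGHTS:
        leftover &= ~bit
    if leftover:  # bits that are not in the table above
        names.append('UNKNOWN_0x%x' % leftover)
    return names

def basename(image):
    '''Last path component, lower-cased; chr(92) is the backslash.'''
    return image.replace(chr(92), '/').rsplit('/', 1)[-1].lower()

def lsass_access_alerts(events, allowlist=LSASS_SOURCE_ALLOWLIST):
    '''(source image, user, decoded rights) for every non-allowlisted open of
    lsass.exe that carries memory-read or handle-duplication rights.'''
    alerts = []
    for ev in events:
        if basename(ev['TargetImage']) != 'lsass.exe':
            continue
        src = basename(ev['SourceImage'])
        if src in allowlist or not ev['GrantedAccess'] & CREDENTIAL_READ_BITS:
            continue
        alerts.append((src, ev['SourceUser'], decode_access(ev['GrantedAccess'])))
    return alerts

def burst_sources(events, window_seconds=600, threshold=100):
    '''Source image -> peak number of process-access events it produced inside
    any sliding window of window_seconds, for sources that exceed threshold.'''
    by_source = {}
    for ev in events:
        by_source.setdefault(basename(ev['SourceImage']), []).append(ev['UtcTime'])
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def sample_events():
    '''Constructed Event ID 10 records shaped like this case; not real case data.'''
    t0 = dt.datetime(2024, 6, 27, 12, 0, 0)
    lsass = 'C:/Windows/System32/lsass.exe'
    ransomware = 'C:/Users/noname/AppData/Local/F6A3737E-E3B0-8956-8261-0121C68105F3/svhostss.exe'
    events = [
        {'UtcTime': t0, 'SourceImage': 'C:/Users/admin/Desktop/x64/mimikatz.exe',  # Mimikatz
         'SourceUser': 'LAB/admin', 'TargetImage': lsass, 'GrantedAccess': 0x1010},
        {'UtcTime': t0 + dt.timedelta(minutes=12), 'SourceUser': 'NT AUTHORITY/SYSTEM',
         'SourceImage': 'C:/Program Files/Process Hacker 2/ProcessHacker.exe',  # as SYSTEM
         'TargetImage': lsass, 'GrantedAccess': 0x1010},
        {'UtcTime': t0 + dt.timedelta(minutes=13), 'SourceUser': 'NT AUTHORITY/SYSTEM',  # OS noise
         'SourceImage': 'C:/Windows/System32/csrss.exe', 'TargetImage': lsass, 'GrantedAccess': 0x1FFFFF},
        {'UtcTime': t0 + dt.timedelta(minutes=20), 'SourceImage': ransomware, 'SourceUser': 'LAB/noname',
         'TargetImage': 'C:/Windows/System32/svchost.exe', 'GrantedAccess': 0x121411},
    ]
    for i in range(300):  # PROCESS_DUP_HANDLE opens against LSASS, one per second for five minutes
        events.append({'UtcTime': t0 + dt.timedelta(minutes=20, seconds=i), 'SourceImage': ransomware,
                       'SourceUser': 'LAB/noname', 'TargetImage': lsass, 'GrantedAccess': 0x40})
    return events

if __name__ == '__main__':
    for mask in (0x1010, 0x40, 0x121411):
        print(hex(mask), ' | '.join(decode_access(mask)))
    for src, user, rights in lsass_access_alerts(sample_events()):
        print('lsass.exe opened by', src, 'as', user, ':', ' | '.join(rights))
    print('burst sources:', burst_sources(sample_events()))
```

Run it directly to print the decoded masks and the alerts for the sample data; in practice, feed it your parsed Sysmon Event ID 10 records using the same field names (UtcTime, SourceImage, SourceUser, TargetImage, GrantedAccess). The allowlist and the burst threshold have to be tuned against a baseline of the hosts in question, since security agents and some legitimate system components open lsass.exe with the same rights; the value of the burst check is that it does not depend on the mask at all, which is what distinguished svhostss.exe here.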
To cover their tracks,\r\nthe threat actor performed some file deletions on the beachhead host before ceasing their activity.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nNetwork\r\n45.227.254.124\r\n91.191.209.46\r\nFile (each entry lists the filename followed by its MD5, SHA1 and SHA256 hashes)\r\nelpaco-team.exe\r\nbe8f00c11010e4e6078d383026833c07\r\n32f9259285bb3425b67633d73bc74b93859f40a7\r\na710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b\r\nlogs_delete.cmd\r\n35893c46af1af2089498b062379c039f\r\n238424b26da6e53738aa28a46ba007a195ad608c\r\n36d3b20e9380aaaac9151280b4ac3e047a0871efbb158f04344946ff67176a48\r\nrunassystem.exe\r\n3f7d6e5a541aad1a52beb823f1576f6a\r\n69519da0edeb9ad6ed739982a05b638d3fee20fb\r\n085ad59bb8d32981ea590a7884da55d4b0a3f5e89a9632530c0c8ef2f379e471\r\ndefendercontrol.exe\r\n0a50081a6cd37aea0945c91de91c5d97\r\n755309c6d9fa4cd13b6c867cde01cc1e0d415d00\r\n6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b\r\ndefendercontrol.ini\r\nc9bc430ea5bd0289cf3a6acdb69efac4\r\n79d3fbde198ffa575904998b92285e3815a860c2\r\n6e5a6629b5ec2eea276fe93553d31f3d23885b214db0a4c2c9201f65180d767f\r\nfast.ex_\r\n127fe6658efb06e77b674fdb9db7d6d5\r\n4790bde7c2d233c07165caaab0f5b7d69a60c950\r\nd5746d9f3284dadf60180f7f7332a08895c609520e0c2327918f259d182cbaf6\r\nns 
v.2.exe\r\n597de376b1f80c06d501415dd973dcec\r\n629c9649ced38fd815124221b80c9d9c59a85e74\r\nf47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446\r\nprocesshacker-2.39-setup.exe\r\n54daad58cce5003bee58b28a4f465f49\r\n162b08b0b11827cc024e6b2eed5887ec86339baa\r\n28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063\r\n!start.cmd\r\n92fd70f19771360bd820091025107382\r\ndda90a452cc1540657606e5d40d304b1e58da751\r\n6b93e585479a3c5b9a8edbe2b11a8371cb028e8b196acb1c16a425e8d8530cd7\r\nhahlgiddb.exe\r\n77ef2cad0de20482a6bb6cfcdc5d94d1\r\nf46fa1fbab35f0d697ea896e81c4504de0487e57\r\nabbe5619e1d7a08f807b57d0949a7f97108a546a415778f25ed35f31ee2cd2f5\r\nsecretsdump.exe\r\n96ec8798bba011d5be952e0e6398795d\r\naf7c73c47c62d70c546b62c8e1cc707841ec10e3\r\nc3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37\r\nu1.bat\r\n9a875116622272a7f0fb32ce6cc12040\r\n02c264691764f3c7ab9492dcb443e52b0ee66229\r\n15348e1401fe18b83e30a7e7f6b4de40b9981a0e133c22958324a89c188f2c49\r\nwmiexec.exe\r\n47e001253af2003985f15282cdc90a1c\r\n6ee6664df9bfb47d97090492b6cde68bf056a42a\r\n14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8\r\nypnppsft.exe\r\ne703ffdf065094f30b8b9c107a64736b\r\n7314f85595ab4496abe02c48b476f57cb6b96804\r\n9b1df0db16b3b73fe3549856fb4a74414faecffabee0d001865e05b93dda14ec\r\ncheckvuln.bat\r\n1b1e95ea1d26da394688f4c8883721d1\r\n9e22f5e394ffd8df94b1601fe73f2ae14df731ba\r\n2c656109db6d2059c41a50e623ceb5e656ff764c44b1e1dbf41131f0206f8238\r\ncreate share runasadministrator2.bat / step1-runasadmin.bat / 
create-share-runasadmin.bat\r\n96fc8c743f6ba38a69bf866b7fa9e4d1\r\n5bef86615c8bd715c794505127a6d5245bba9206\r\n51f2d5fba3d02cba1c99cf2dfd9968b98d0047f501b54b9531e7ad2719706e47\r\nlpe-exploit-runasuser.bat\r\n3e872ca0ac6261b85dd9524a8f3a83db\r\nb8551ef02737bc7801d2077d7d8aca168eb79b0d\r\nc7440e621d1c5e90ca4963a4b3b52d27bac05a44248ca88dd51510489d1171bb\r\nrce-exploit-runasuser.bat\r\n09ba9214257381231934a0115d7af8be\r\n89e3247d2940d78ab13f060761f0c79afa806f39\r\n22436fe549d791caa3007b567d28d51c8c75869519019c40564af4de53490fa2\r\nstep2-runasuser.bat\r\n6fbf6350c52d2f2e6f61530d05148562\r\n1217a97009eb86249e6c8010d3024f050f62c40d\r\n3e92ca5b4069eba89d9fcfd7885924282fdf6ca26d0ff8d0502973d9c9bc1fef\r\nrpcdump.exe\r\n91625f7f5d590534949ebe08cc728380\r\nbf1b0ab5a2c49bde5b5dbe828df3e69af5d724c2\r\n3c300726a6cdd8a39230f0775ea726c2d42838ac7ff53bfdd7c58d28df4182d5\r\nsharpprintnightmare.exe\r\n96a1e516cef1ff4791d8785886d56cce\r\n241f9d2495b0b437813d8cf31fe4e4de8be203ec\r\n9875d1947b8d18974c938721c273d9322fc9af36be96e0ec696daac2929bb802\r\nsharpprintnightmare_nf3.exe\r\nee8d08b380bf3d3fe9961a0ab428549f\r\n8900b1ef864eb390bf99b801d78a0b8dbd5d90b6\r\nff547a7803cd989f9f09a22323ec3f7079266b9a20a07f2c6f353547318ff172\r\nspn.exe\r\n44c031e3c922e711f7e3784f6d90b10f\r\n5f13d476e9fabdf2ac6f805a98d62f3027c473c2\r\n9e18fcc595d4e158ac7aa9250e45145445b31018b35d6ed91239da2b931b5c37\r\nspn_nf3.exe\r\n53e2e8ce119e2561bb6065b1a42f1085\r\nd01f72d0a4609be76a83ac76a760485d29be854b\r\ne5f985b5a1f4f351616516553295e1224a02219825c35e3c64b55ecdc8a0d699\r\nspider.dll\r\n30a6cd2673ef5b2cb18f142780a5b4a3\r\n1e0ec6994400413c7899cd5c59bdbd6397dea7b5\r\n90cdcf54bbaeb9c5c4afc9b74b48b13e293746ee8858c033fc9d365fd4074018\r\nspider_32.dll\r\nf635d1c916a7c56678f08d1d998e7ce4\r\n35ff55bcf493e1b936dc6e978a981ee2a75543a1\r\n4f4864a1d5f19a3c5552d80483526f3413497835549dce8c61fef116b666fa09\r\nnetscan.exe\r\ne7aa5608c81ba4fcd8d166501b90fc06\r\n5c714fda5b78726541301672a44eaf886728f88c\r\n5748bfb17e662fb6d197886a69df47f1071052c3381eb1c609a2bc5dba8c2992\r\nnetscan.exe\r\na75de4c4fd88d94642ad30310c641252\r\nf7e11585ee968ad256be5a2e4c43a73c07034759\r\n6492e765829974c4a636bff0e305261b18eea92fcb1df6fff69890366efc972d\r\nDetections\r\nNetwork (Suricata / Emerging Threats signature IDs)\r\nSID 2026033: ET WEB_SPECIFIC_APPS Apache Struts java.lang inbound OGNL injection remote code executio\r\nSID 2025644: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)\r\nSID 2027762: ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\nSID 2025701: ET POLICY SMB2 NT Create AndX Request For an Executable File\r\nSID 2025705: ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File\r\nSID 2027204: ET HUNTING Possible Powershell .ps1 Script Use Over SMB\r\nSID 2025699: ET POLICY SMB Executable File Transfer\r\nSID 2050543: ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2\r\nSID 2851878: ETPRO MALWARE Cobalt Strike Stager Payload\r\nSID 2035480: ET HUNTING PE EXE Download over raw TCP\r\nSID 2844488: ETPRO HUNTING Suspicious Offset PE EXE or DLL Download on Non-Standard Ports\r\nSID 2030870: ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challe\r\nSID 2035258: ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client 
Challe\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\n5cb299fc-5fb1-4d07-b989-0644c68b6043 : Suspicious File Download From IP Via Curl.EXE\r\n1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db : CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Ch\r\n0eb46774-f1ab-4a74-8238-1155855f2263 : Disable Windows Defender Functionalities Via Registry Keys\r\n6e2a900a-ced9-4e4a-a9c2-13e706f9518a : HackTool - Potential Remote Credential Dumping Activity Via C\r\n10c14723-61c7-4c75-92ca-9af245723ad2 : HackTool - Potential Impacket Lateral Movement Activity\r\n962fe167-e48d-4fd6-9974-11e5b9a5d6d1 : LSASS Access From Non System Account\r\n06d71506-7beb-4f22-8888-e2e5e2ca7fd8 : Mimikatz Use\r\n4627c6ae-6899-46e2-aa0c-6ebcb1becd19 : HackTool - Impacket Tools Execution\r\n8202070f-edeb-4d31-a010-a26c72ac5600 : Suspicious Process By Web Server Process\r\nca387a8e-1c84-4da3-9993-028b45342d30 : PUA - SoftPerfect Netscan Execution\r\nDFIR Public Rules Repo:\r\n03f4ca17-de95-428d-a75a-4ee78b047256 : HackTool - Impacket File Indicators\r\nDFIR Private Rules:\r\n62095f03-ba2a-45d7-bce9-204dcb574c0c : Detect Suspicious Curl Download and Execution\r\nd8bbf664-f1f0-4eed-adec-118d7d116e2b : Potential Impacket Usage via Command Line\r\nYara\r\nRules from https://yarahq.github.io/ and 
https://github.com/elastic/protections-artifacts/\r\nBINARYALERT_Hacktool_Windows_Mimikatz_Files\r\nDITEKSHEN_INDICATOR_KB_CERT_C2Cbbd946Bc3Fdb944D522931D61D51A\r\nDITEKSHEN_INDICATOR_TOOL_EXP_Sharpprintnightmare\r\nDITEKSHEN_INDICATOR_TOOL_PET_Defendercontrol\r\nELASTIC_Windows_Ransomware_Phobos_11Ea7Be5\r\nELASTIC_Windows_Trojan_Metasploit_91Bc5D7D\r\nELASTIC_Windows_Trojan_Metasploit_A91A6571\r\nImpacket_Keyword\r\nImpacket_Lateral_Movement\r\nImpacket_Tools_Generic_1\r\nImpacket_Tools_rpcdump\r\nImpacket_Tools_secretsdump\r\nImpacket_Tools_wmiexec\r\nMimikatz_Memory_Rule_1\r\nSEKOIA_Ransomware_Win_Eking_Rich_Header\r\nSIGNATURE_BASE_Impacket_Keyword\r\nSIGNATURE_BASE_Impacket_Lateral_Movement\r\nSIGNATURE_BASE_Impacket_Tools_Generic_1\r\nSIGNATURE_BASE_Impacket_Tools_Rpcdump\r\nSIGNATURE_BASE_Impacket_Tools_Secretsdump\r\nSIGNATURE_BASE_Impacket_Tools_Wmiexec\r\nSIGNATURE_BASE_Mimikatz_Memory_Rule_1\r\nSIGNATURE_BASE_Wiltedtulip_Tools_Clrlg\r\nWiltedTulip_Tools_clrlg\r\nMITRE ATT\u0026CK\r\nApplication Layer Protocol - T1071\r\nCreate Account - T1136\r\nCreate Process with Token - T1134.002\r\nData Encrypted for Impact - T1486\r\nDisable or Modify System Firewall - T1562.004\r\nDisable or Modify Tools - T1562.001\r\nExploitation for Privilege Escalation - T1068\r\nExploit Public-Facing Application - T1190\r\nIngress Tool Transfer - T1105\r\nLocal Account - T1136.001\r\nLSASS Memory - T1003.001\r\nModify Registry - T1112\r\nNTDS - T1003.003\r\nPowerShell - T1059.001\r\nProcess Discovery - T1057\r\nQuery Registry - T1012\r\nRemote Access Software - T1219\r\nRemote Desktop Protocol - T1021.001\r\nRemote System Discovery - T1018\r\nSystem Network Configuration Discovery - T1016\r\nWindows Command 
Shell - T1059.003\r\nWindows Management Instrumentation - T1047\r\nWindows Service - T1543.003\r\nInternal case #TB30043 #PR35928\r\nSource: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators"
	],
	"report_names": [
		"#indicators"
	],
	"threat_actors": [],
	"ts_created_at": 1775791273,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2714442444754db767799b8702e99df7327c5556.pdf",
		"text": "https://archive.orkl.eu/2714442444754db767799b8702e99df7327c5556.txt",
		"img": "https://archive.orkl.eu/2714442444754db767799b8702e99df7327c5556.jpg"
	}
}