{
	"id": "9c0d8c2c-165f-4cea-9ccb-e74b153476f9",
	"created_at": "2026-04-06T00:22:12.885739Z",
	"updated_at": "2026-04-10T03:27:04.752863Z",
	"deleted_at": null,
	"sha1_hash": "4333a002a7f59baa2ded9c48d89b35d98be52c3c",
	"title": "Conti Group Leaked!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1917453,
	"plain_text": "Conti Group Leaked!\r\nBy CyberArk Labs\r\nPublished: 2022-03-02 · Archived: 2026-04-06 00:04:31 UTC\r\nThe conflict in Ukraine has driven significant attention from the cybersecurity community, due in large part to the cyber attacks conducted against Ukrainian infrastructure — including evidence of destructive malware such as WhisperGate and HermeticWiper.\r\nWe’ve also seen certain ransomware groups gain increased media attention, such as the Conti ransomware group, which is currently in the spotlight because of leaked information about the inner workings of the group, including its common tactics, techniques and procedures (TTPs). As cybersecurity researchers, we believe the insight gained from these leaks is incredibly important to the cybersecurity community at large. Ongoing awareness of and visibility into the leaked tools, together with continued vigilance, is critical during this time, as reinforced by agencies like the Cybersecurity and Infrastructure Security Agency (CISA), which recently issued a joint cybersecurity bulletin with the FBI.\r\nWhat’s in the Leaked Files and Why it Matters\r\nIn the next section we elaborate on the leaked content and why it’s important. The primary source is this site: vx-underground.org\r\nhttps://www.cyberark.com/resources/threat-research-blog/conti-group-leaked\r\nPage 1 of 11\n\nFigure 1\r\nConti Chat Logs 2020.7z\r\nThis folder contained chats from June of 2020 until November of the same year. It seems one user in particular frequently spams all the other users. For example:\r\nFigure 2\r\nThis is also useful for investigation, since it may show all of the usernames in one place, allowing us to enumerate the members of the Conti group.\r\nConti Internal Software Leak.7z\r\nThis folder contains 12 git repositories of software allegedly internal to Conti.\r\nUpon quick inspection of these repositories, most of the code appears to be open-source software used by the Conti group. For instance, yii2 or Kohana is used as part of (what seems to be) the admin panel. The code is mostly written in PHP and is managed by Composer, with the exception of one repository containing a tool written in Go. Logs and databases are not present in the dump, so no actual data is available aside from a peek into how the backend of the operation may have looked at a certain point. Some of the tools are related to older versions, but there’s no indication of whether the dump is from a long time ago or whether Conti simply used older versions.\r\nA few of the config files contained in those repositories have local database usernames and passwords listed (e.g., admin-master-deb4694b0e9110ffcf84a42f70874a6e152c0b32\\\\application\\\\config\\\\database.php):\r\n.../* developer_1 */ 'vb' =\u003e [ 'default' =\u003e [ 'type' =\u003e 'PostgreSQL',\r\nThere are a few public IP addresses present in some of the torrc config files, iptables script files or tinc script files.\r\nConti Pony Leak 2016.7z\r\nPony Leak 2016 contains a collection of credentials and certificates from multiple sources. It looks like a collection stolen by the Pony credential-stealing malware. It includes email accounts and passwords from multiple organizations and mail services such as gmail.com, mail.ru and yahoo.com, usernames and passwords for FTP, RDP and SSH services, and credentials for various websites.\r\nConti Rocket Chat Leaks.7z\r\n“Conti Rocket Chat Leaks” contains a chat history of Conti members in which they discuss targets and tips for performing attacks via Cobalt Strike.\r\nTechniques from the chat:\r\nActive Directory Enumeration\r\nSQL Databases Enumeration via sqlcmd.\r\nHow to gain access to Shadow Protect SPX (StorageCraft) backups.\r\nHow to create NTDS dumps vs vssadmin\r\nHow to open New RDP Port 1350\r\nList of Tools:\r\nCobalt Strike\r\nMetasploit\r\nPowerView\r\nShareFinder\r\nAnyDesk\r\nMimikatz\r\nConti Screenshots December 2021.7z\r\nIn some of the leaked screenshots, we can see the Conti group’s Cobalt Strike panel in a Kali Linux distribution.\r\nFigure 3\r\nThe other screenshots contained another view of the Cobalt Strike panel and some related to CONTI.Recovery chats.\r\nConti Toolkit Leak.7z\r\nThe Conti Toolkit Leak zip contains two main folders.\r\nThe first is called TeamTNTTools, which unsurprisingly contains tools used by the APT group TeamTNT. Specifically, it contains 2 zip files with the NGROK and SugarLogic tools. Both tools use shell/bash scripts to target various operating systems as well as AWS and Kubernetes.\r\nThe other folder’s name is in Russian and loosely translates to “Manual for Hard Workers and Software.” This appears to be an updated version of the content that was leaked by a disgruntled Conti affiliate onto the XSS forum in August of 2021 and contains Conti’s training manual for their partners.\r\nConti Trickbot Forum Leak.7z\r\nOne of the leaked files is a dump of forum chats from the Trickbot forums, including correspondence in the forum from 2019 until 2021.\r\nWhile most of the correspondence contains instructions for operators about how to move laterally across networks and how to use certain tools used by the Trickbot gang, we did find some interesting bits.\r\nFrom the different correspondence and toolset dumps we can learn a lot about the Trickbot and Conti gangs’ TTPs. For instance, in one of the messages a member shares his web shell of choice, “the lightest and most durable webshell I use.”\r\nFigure 4\r\nWe also found some evidence from early July 2021 that the group used exploits such as ZeroLogon.\r\nFigure 5\r\nThey also used techniques such as Kerberoasting to carry out their attacks.\r\nFigure 6\r\nIn a different post, the group shares some code to dump MSSQL credentials.\r\nFigure 7\r\nIn a different post from February 2021, a user in the forum shares his code for a PowerShell script to install a backdoor on a victim’s machine, including installing Tor and SSH, setting up a firewall rule, and creating a new user account on the victim’s machine called “oldadministrator.”\r\nFigure 8\r\nFigure 9\r\nIn another post, they share techniques to stop “everything” (shortened here for brevity) so that all applications and databases are closed before encrypting/locking a server.\r\nFigure 10\r\nConti Trickbot Leaks.7z\r\nThere were further leaks of two Trickbot server-side components written in Erlang, supposedly by “Sergey Loguntsov” (https://github.com/loguntsov), aka Begemot. The two components are trickbot-command-dispatcher-backend and trickbot-data-collector-backend, dubbed lero and dero.\r\nConti Source Code Leak\r\nAdditionally, the Conti Locker source code was leaked, first as a password-protected zip file, but later it was leaked again — this time without any password. The zip contents include the Conti Locker v2 source code as well as the source code for the decryptor.\r\nTraining Material Leak\r\nAn older leak, which also contained some older training materials of the Conti group, consisted of 12 archive files on different topics, such as:\r\nCracking\r\nMetasploit\r\nNetwork Pentesting\r\nCobalt Strike\r\nPowerShell for Pentesters\r\nWindows Red Teaming\r\nWMI Attacks (and Defenses)\r\nSQL Server\r\nActive Directory\r\nReverse Engineering\r\nFigure 11\r\nSome of the archives contain videos of online courses in Russian.\r\nFigure 12\r\nSummary\r\nTo improve defenders’ ability to protect against the next wave of targeted attacks and destructive malware, information sharing and deeper analysis of and insight into the use of particular TTPs are critical. In many ways, we believe what we are seeing today could potentially be the tip of the iceberg, which is why we can’t let up on our efforts to support ongoing awareness and heightened cybersecurity vigilance.\r\nFurther Reading\r\nConti taking over TrickBot operation\r\nhttps://www.scmagazine.com/brief/ransomware/trickbot-operation-usurped-by-conti-ransomware\r\nBleeping Computer article about the original Conti leak\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/\r\nTwitter account leaking Conti information\r\nhttps://twitter.com/ContiLeaks\r\nSource: https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked"
	],
	"report_names": [
		"conti-group-leaked"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4333a002a7f59baa2ded9c48d89b35d98be52c3c.pdf",
		"text": "https://archive.orkl.eu/4333a002a7f59baa2ded9c48d89b35d98be52c3c.txt",
		"img": "https://archive.orkl.eu/4333a002a7f59baa2ded9c48d89b35d98be52c3c.jpg"
	}
}