{
	"id": "f067760a-c848-424b-8113-9685cc42e90b",
	"created_at": "2026-04-06T00:09:46.109965Z",
	"updated_at": "2026-04-10T13:11:39.948963Z",
	"deleted_at": null,
	"sha1_hash": "43883202a9ff81119560a046c5e4ec6396093c9b",
	"title": "ProxyShell, QBot, and Conti ransomware combined in a series of cyber attacks - Truesec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61096,
	"plain_text": "ProxyShell, QBot, and Conti ransomware combined in a series of cyber attacks - Truesec\r\nBy siteadmin\r\nPublished: 2021-11-15 · Archived: 2026-04-05 19:04:08 UTC\r\nA Truesec investigation\r\nWe are investigating a series of cyber attacks that result in encryption with the Conti ransomware. This post describes some of the indicators that can be used to detect these attacks.\r\nAttack Overview\r\nFirst, unpatched Exchange servers are exploited using ProxyShell. Compromised servers are then used to spread phishing emails delivering Datoploader (aka Squirrelwaffle) and the QBot trojan. The threat actor here is likely an access broker specializing in selling access to other cybercriminals.\r\nAttack Overview – Stage 1 – ProxyShell Exploit\r\nAccess to infected computers is then handed over to a different group, which proceeds to launch Cobalt Strike beacons managed from separate infrastructure. This threat actor is likely an affiliate of the Conti gang (or “pentester”, as they call it) whose job it is to escalate in the internal network.\r\nAttack Overview – Stage 2 – Access Handover\r\nIn the final stage the Conti gang takes over, deletes backups, and ultimately deploys the Conti ransomware.\r\nAttack Overview – Stage 3 – Conti Ransomware\r\nProxyShell and Mass Phishing\r\nProxyShell is nothing new, but there are still systems that have not been patched in the past few months.\r\nWe have identified multiple cases of Exchange servers compromised with ProxyShell (chaining CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in September and October.\r\nStarting from early November, the compromised Exchange servers have been used to launch phishing attacks.\r\nAlthough the content of the phishing emails looks very suspicious, this attack hijacks existing email threads and also adjusts the language based on the language appearing in the email thread. This makes it more likely for a victim to follow the instructions.\r\nhttps://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks\r\nPage 1 of 5\r\nAn example in English is shown below.\r\nExample of a phishing email in English\r\nThe following example is in Swedish, as the hijacked conversation was in Swedish.\r\nExample of a phishing email in Swedish\r\nThe links in the emails vary a lot and cannot be used to consistently identify phishing emails as part of this campaign.\r\nHowever, we have identified that the following MessageClass property seems to be consistently used in all phishing emails.\r\nMessageClass property in phishing email messages\r\nWe can therefore search for MessageClass:IPM.Blabla in the Exchange Message Tracking logs on the Exchange server to find likely phishing emails being sent.\r\nExchange Message Tracking logs\r\nDatoploader and QBot Infections\r\nThe links in the email direct the victims to websites serving malicious .ZIP files.\r\nThe .ZIP files contain macro-enabled Excel (.XLS) files, as shown below.\r\nMacro enabled Excel file\r\nAs in any other classic phishing attack, when opened, the XLS files present an image to the user, with instructions to enable macro execution.\r\nThe XLS macros are obfuscated by building each of the actual command characters from the content of various cells in the document.\r\nObfuscated macro\r\nWhen executed, the macros create the directory “C:\\Datop”, download three files to this directory, and run them using regsvr32.exe.\r\nDeobfuscated macro\r\nExecution using regsvr32.exe\r\nPersistence\r\nSo far we have identified two ways that the malware made itself persistent: an autorun registry key launching regsvr32.exe to execute a DLL, and a scheduled task launching PowerShell which in turn starts regsvr32.exe in the same way.\r\nPersistence – Registry Autorun Key\r\nPersistence – Scheduled Task\r\nCobalt Strike\r\nWithin minutes (sometimes hours) of the Datoploader / QBot infection, the threat actor launched Cobalt Strike.\r\nThis seems to be a plugin built into QBot.\r\nQBot debug messages\r\nEnumeration and Lateral Movement\r\nShortly after the Cobalt Strike execution, the threat actor starts manually interacting with the compromised network, first by enumerating and escalating within Active Directory, and later by deploying Cobalt Strike on additionally compromised servers. 
Escalation to domain admin is quickly achieved.\r\nAs an additional backdoor into some of the compromised systems, the threat actor creates a local account named ‘Crackenn’.\r\nThe threat actor uses the following command to enumerate workstations in the domain:\r\n$so = New-Object System.DirectoryServices.DirectorySearcher; $so.filter = \"(\u0026(samAccountType=80530636\r\nAdditionally, the following command is used to retrieve all computers within the domain:\r\nimport-module activedirectory; Get-ADComputer -Filter * -Properties * | Sort OperatingSystem | Select\r\nOnce high privileges are obtained, the threat actor uses both Cobalt Strike beacons and Remote Desktop (RDP) connections to identify sensitive business data to exfiltrate.\r\nThe last stage of the attack is the deployment of the Conti ransomware.\r\nWhat To Do if You Received the Phishing Emails\r\nIf users in your organization have received emails like the ones described in this article, ensure that a thorough analysis is performed on the accounts and computers of the individuals receiving the emails.\r\nAt the very least, check the indicators of compromise below. Consider, however, that files and domains used in these campaigns constantly change. A consistent indicator so far has been the presence of the directory “C:\\Datop” on computers infected with Datoploader from the phishing attack.\r\nKeep in mind that if you find indicators of compromise, it is not sufficient to clean/reinstall the system. It is likely that the compromised system was used to spread to additional computers in the network.\r\n
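The following PowerShell script is an added example written for this page; it is not part of the Truesec post. It performs the minimum sweep described above on one Windows host: it checks for the C:\\Datop directory, for Run keys and scheduled tasks that launch regsvr32.exe (decoding a PowerShell -EncodedCommand argument first, since the scheduled task starts PowerShell rather than regsvr32.exe directly), for the local account Crackenn, for live TCP connections to the listed Cobalt Strike servers and, when pointed at the folder, for the MessageClass:IPM.Blabla string in the Exchange Message Tracking logs. The script file name, the default tracking log location under the Exchange install path, the substring heuristics and the fact that only HKLM and the current user's HKCU hive are examined are assumptions of this example.

```powershell
<#
Added example (not from the Truesec post): minimum sweep of one host for the
indicators described in this article. Run in an elevated PowerShell session.
On an Exchange server pass the message tracking log folder, for example
(hypothetical script name, assumed default Exchange 2013+ log location):
  .\\Find-DatopIndicators.ps1 -TrackingLogPath ($env:ExchangeInstallPath + 'TransportRoles\\Logs\\MessageTracking')
#>
param(
    [string]$TrackingLogPath = ''
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Indicator, [string]$Detail)
    $script:findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

function Expand-EncodedCommand {
    # If PowerShell was started with -EncodedCommand (or -e/-ec/-enc), return the
    # decoded UTF-16LE script so a regsvr32 call hidden inside it can be matched;
    # otherwise return the arguments unchanged.
    param([string]$Arguments)
    if ($Arguments -match '(?i)-e(?:c|nc|ncodedcommand)?\\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { }
    }
    return $Arguments
}

# 1. Datoploader drop directory, the most consistent indicator so far.
if (Test-Path 'C:\\Datop') {
    $names = (Get-ChildItem 'C:\\Datop' -Force | Select-Object -ExpandProperty Name) -join ', '
    Add-Finding 'C:\\Datop directory present' ('contents: ' + $names)
}

# 2. Autorun registry keys whose value launches regsvr32.exe.
#    Assumption: only HKLM and the current user's HKCU are checked; other users'
#    hives under HKEY_USERS must be loaded and checked separately.
$runKeys = 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
           'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run',
           'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($value -match 'regsvr32') {
            Add-Finding 'Run key launching regsvr32.exe' ('{0}\\{1} = {2}' -f $keyPath, $name, $value)
        }
    }
}

# 3. Scheduled tasks that start PowerShell which in turn starts regsvr32.exe.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no command line
        $cmd = $action.Execute + ' ' + (Expand-EncodedCommand ([string]$action.Arguments))
        if ($cmd -match 'powershell' -and $cmd -match 'regsvr32') {
            Add-Finding 'Scheduled task: PowerShell launching regsvr32.exe' ('{0}{1}: {2}' -f $task.TaskPath, $task.TaskName, $cmd)
        }
    }
}

# 4. Backdoor local account created by the threat actor.
$acct = Get-LocalUser -Name 'Crackenn' -ErrorAction SilentlyContinue
if ($acct) {
    Add-Finding 'Local account Crackenn present' ('enabled: ' + $acct.Enabled)
}

# 5. Live TCP connections to the Cobalt Strike servers listed in the IoCs.
$cobaltStrikeServers = '51.89.227.111', '89.238.185.9', '185.253.96.124', '45.141.84.223'
foreach ($conn in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    if ($cobaltStrikeServers -contains $conn.RemoteAddress) {
        Add-Finding 'Connection to known Cobalt Strike server' ('{0}:{1} from PID {2}' -f $conn.RemoteAddress, $conn.RemotePort, $conn.OwningProcess)
    }
}

# 6. Exchange Message Tracking logs: the MessageClass used by the phishing emails.
if ($TrackingLogPath -and (Test-Path $TrackingLogPath)) {
    $hits = Get-ChildItem -Path $TrackingLogPath -Filter '*.LOG' -Recurse |
        Select-String -SimpleMatch 'MessageClass:IPM.Blabla'
    foreach ($hit in $hits) {
        Add-Finding 'Phishing MessageClass in tracking log' ('{0} line {1}' -f $hit.Filename, $hit.LineNumber)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A single hit from any of these checks is enough to treat the host as compromised; because the files and domains change constantly, an empty result only means the known indicators were not found, not that the host is clean.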
Perform a thorough investigation or ask for help if you don’t have in-house incident response capabilities.\r\nIndicators of Compromise\r\nMessageClass in phishing email messages\r\nMessageClass:IPM.Blabla\r\nDirectory for Datoploader\r\nC:\\Datop\r\nZIP files delivering Datoploader\r\nbda187d62d5e48c3dee06ee11397e2456457d0b3c766dc6b453abb32f1d49196 (minimaaliquid-2738715.zip)\r\nb2b4f9f38cee7243679afce0348ac7217abb73285fe69b15950c114964c9f131 (omnisvelit-2738715 (1).zip)\r\na1b79c1dff2c7e1175611f6d1d45f05a2cee74e3d2ee45b913f73e30f8a9a66e (omnisvelit-2738715.zip)\r\ncb59bf0e135fc620aeddd8334b537150b7057f06375fe2f86ca91e722f7006f3 (uteligendi-2387259 (1).zip)\r\nd4dd05bd12e85fca9bfd823e093b16ec8eac9fb65db9e61015788f7fe688f920 (uteligendi-2387259.zip)\r\n6a20d87b61401bc7985aed6d951efee66388a9d522e0e15aed6f5d846953dbf9 (content-1824738050.xls)\r\n95847fc69ddc4736d817430ffb49f8c41eb8bc5a03fa40e7081748f28f95f1c2 (content-1848283165.xls)\r\nb298f3497cf739a73350e8007220083f9e37a13e12390c5624b0075ea880e9db (content-1845165288.xls)\r\n236338b58b929694a29321802754e6e5a37fffd88798b7ef5d768bc5adcde93b (content-1861748987.xls)\r\n705a292bb67b7a344d32937ca8cf86a1a10f9b25689fdf2df1401ffb4bdfd40d (content-1860852480.xls)\r\nURLs in macros\r\nhxxps[:]//decinformatica[.]com/AsqpQT6a2fl/t.html\r\nhxxps[:]//novamiron[.]com.ar/SpV029NncEoH/t.html\r\nhxxps[:]//mooca.imprimeja[.]com.br/uqJeyCxO9/t.html\r\nhxxps[:]//taketuitions.com/dTEOdMByori/j.html\r\nhxxps[:]//constructorachg.cl/eFSLb6eV/j.html\r\nhxxps[:]//oel.tg/MSOFjh0EXRR8/j.html\r\nAccount created by threat actor\r\nCrackenn\r\nCobalt Strike servers\r\n51.89.227.111\r\n89.238.185.9\r\n185.253.96.124\r\n45.141.84.223\r\nFiles used during escalation\r\nccccOUT.csv (Output of AD enum)\r\nadfind.ps1 (Script to import activedirectory module and run Get-ADComputer with -Properties *)\r\n84CE00208FE4E2B46B26E4C9E058DF5341E90DA1FB1C0DBCBF207DB87F3DD991 (adfind.ps1)\r\nhv22.ps1 (PowerShell function that scans the environment for forests and returns a list of Hyper-V hosts within all domains of those forests)\r\nB37DFF29C62659E90034740F2BCA514F09C8EC3E507B8E0807933EE427875ACA (hv22.ps1)\r\nppp.ps1 (Script to perform scanning activities)\r\npc.csv (Referenced in ppp.ps1)\r\na1.txt (Referenced in ppp.ps1)\r\nSource: https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks"
	],
	"report_names": [
		"proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43883202a9ff81119560a046c5e4ec6396093c9b.pdf",
		"text": "https://archive.orkl.eu/43883202a9ff81119560a046c5e4ec6396093c9b.txt",
		"img": "https://archive.orkl.eu/43883202a9ff81119560a046c5e4ec6396093c9b.jpg"
	}
}