{
	"id": "8d05008a-100e-4a0e-83fe-ad408b058c53",
	"created_at": "2026-04-06T00:20:06.626036Z",
	"updated_at": "2026-04-10T03:21:47.512521Z",
	"deleted_at": null,
	"sha1_hash": "467eda985eca04a56723eeeb863ba19784948497",
	"title": "Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 356339,
	"plain_text": "Hunting Mice In Tunnels II - Fake CAPTCHAs and Ransomware\r\nArchived: 2026-04-05 17:45:26 UTC\r\nExecutive Summary\r\nLate last year, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor\r\nwithin a client's environment. We previously published our initial analysis that included some of the activity and tools used\r\nby the threat actor. In this article, we detail additional findings based on our continued study of telemetry and artifacts\r\nrelated to this breach.\r\nThe two outstanding issues were essentially the start and end of the breach. We had found and analyzed the downloader,\r\nsome of this threat actor’s tactics, techniques, and procedures (TTPs), and their follow-up tools. However, a full\r\nunderstanding of an incident requires knowing how the threat actors got in (commonly referred to as the “initial access\r\nvector”) and what they were ultimately trying to accomplish (exfiltrate data, deploy ransomware, sell access, etc.).\r\nOur findings determined that initial access was part of the large wave of “fake captcha” scams that we released an advisory\r\nfor. Beazley Security learned that law enforcement informed the targeted organization about a threat actor’s activity log\r\nfound on a seized server linked to a new ransomware group. This article will provide more details on our investigation, and\r\nwe also hope to convey the value of our collaborative, inter-team efforts. 
Information from one angle of the investigation\r\noften provided clues and guidance for other teams investigating different leads in the case and vice versa.\r\nBeazley Security Labs would like to thank Ralph Bailey, Kelsey O'Connell, and Troy Walters from Beazley Security MDR\r\nfor their investigative efforts used to describe the timeline of events in this blog post, along with their support in pulling\r\nsuspicious binaries dropped as part of this attack.\r\nInitial Access: Fake CAPTCHA Scam\r\nThe previous article already discusses a number of the TTPs observed during the breach. In this article, we focus more on\r\nthe initial access vector and the malware implant used to perform the most invasive actions. A condensed version of the kill\r\nchain focusing on these elements is presented below:\r\nKill Chain\r\nFigure 1: Threat Campaign Kill Chain\r\nInitial Access – Captcha Spam\r\nOur MXDR team did an excellent job laying out the timeline and process tree of events. They traced everything back to a\r\nPowerShell script, which downloaded a file named active.exe and saved it as asdin2oe.exe:\r\nC:\\windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe -WindowStyle Hidden -Command \"$b=[Text.Encoding]::Utf8.GetString([Convert]:\r\nIn the process tree, we saw a parent process of “explorer.exe”, not a traditionally suspicious parent process. When we see\r\nmalicious PowerShell processes, defenders normally expect them to come from typical, malicious sources such as:\r\nhttps://labs.beazley.security/articles/hunting-mice-in-tunnels-ii-fake-captchas-and-ransomware\r\nPage 1 of 8\n\nMalicious executables\r\nExploited and/or compromised processes\r\nCompromised logins\r\nThe parent process for this script was simply explorer.exe, indicating that the user themselves ran it. 
At this point, a member\r\nof our team remembered a previously reported spam campaign involving a captcha lure that tried to convince victims to\r\ncopy and paste PowerShell scripts directly into the Windows system Run window. A good article on the attack was\r\npublished by Cybernews.\r\nWe reached out to the client and confirmed that the target user had indeed seen and followed through on a spam captcha\r\nmessage, similar to one from the Cybernews article. This solved the initial access mystery. Additionally, for months after\r\nthis particular incident, many more examples of this captcha method were observed and reported by our DFIR team and\r\nmore generally across the industry, prompting us to release an advisory.\r\nStage Two Malware Payload: Supper Implant\r\nThe other loose end to tie up was gaining a more complete understanding of the malware that attempted the bulk of\r\nthe threat actors’ pivoting and credential theft activities.\r\nOnce the threat actors had initial access, they downloaded a whole suite of executables and files to the computer. We saw at\r\nleast four similarly named folders containing various software libraries and media files. We observed one of the processes\r\ninstalling CrossTec, a third-party remote administration tool. Interestingly, most of these files and programs were not used\r\nduring the breach. The one exception was the Dormouse installer detailed in our previous blog post, including the second-stage payload it downloaded and installed, which we will describe here.\r\nThis second-stage payload is a heavily obfuscated DLL that has extensive anti-analysis and anti-debug functionality built\r\ninto it. 
At one point during dynamic analysis, the following string was decoded to memory:\r\n{\"iptarget\": \"%d.%d.%d.%d\", \"domain\": \"%s\", \"pcname\": \"%s\", \"runas\": %d, \"typef\": %d, \"veros\": %d}\r\nThis was an excellent indicator to try pivoting searches from, which eventually led us to this tweet from a malware analyst\r\nnamed @Simo. It appears that this particular piece of malware has been seen before, and antivirus companies have dubbed it\r\n“Supper.” We downloaded these other samples and read through the little bit of public reporting to confirm and verify they\r\nmatch the behaviors seen in our sample.\r\nSupper is a very small implant with minimal functionality. Its main purpose is to provide threat actors with command-line\r\naccess to a victim (enabling “hands on keyboard” activity). When analyzed in a sandbox, it can be observed dropping a\r\ntemporary file with a hardcoded file name:\r\nFigure 2: Hardcoded filename\r\nThis filename is easily changed, so while it might not be useful as a detection, searching for it in repositories like VirusTotal\r\ncan provide a rough outline of the campaign using this version of the Supper implant. In this case, searching on this filename\r\nreturned thirteen other samples seen in use from September through December (the samples we discovered are included in\r\nthe IoC section).\r\nAnother important finding when looking through our sample was a set of three hardcoded callback IPs:\r\nFigure 3: Hardcoded C2\r\nAlthough threat actors can easily transition away from the IP addresses found in this sample (like the filename mentioned\r\nabove), investigating threat actor infrastructure can often uncover more tooling or additional linked infrastructure related to\r\nthis specific campaign. 
Below is a search result of one of those IPs in VirusTotal, showing nine similarly named executables\r\nthat communicate with it:\r\nFigure 4: Highly similar samples, likely from the same campaign\r\nThese results are meaningful in that all the “communicating files” for this IP are similarly named and have “first seen”\r\ntimestamps close together. Working off the reasonable assumption that these samples are from the same campaign, we can\r\nthen look at the submission country and get a rough idea of the campaign scope. In this case, it included potential targets in\r\nIndia, Canada, Germany, the Netherlands, France, and the US.\r\nAs previously mentioned, the main function of this malware appears to be to provide the threat actors with a foothold on the\r\nsystem. It will connect back to the threat actor and enable them to run commands directly via cmd.exe or accept a DLL file\r\nand run it via runDLL. Here is a call tree for CreateProcess that graphs out that functionality:\r\nFigure 5: CreateProcessA Call Graph\r\nA competent threat actor will not need much more than this, as evidenced by the attempted commands in our previous blog\r\npost demonstrating them extracting the SAM hive. Any further tooling, pivoting, or follow-up activity can then be uploaded\r\nand executed via Supper.\r\nEndgame: Interlock Ransomware\r\nThankfully, in our case, our MXDR solution detected the activity and enabled our MDR team to respond and contain the\r\nattempted attack. Only one bit of useful information was left out: what were the threat actors trying to do? Normal\r\ncybercriminal operations would never stop at just one machine. They would have pivoted to as many machines as possible,\r\nand then likely sold access, exfiltrated data for extortion, or deployed ransomware. When we searched around for the indicators\r\nwe had, no information on the end result came up. 
So, we temporarily put a pin in this and continued to monitor for potentially\r\nsimilar activity.\r\nBeazley Security learned from law enforcement that a threat actor’s activity log found on a seized server is linked to a new\r\nransomware group. This allowed our team to confirm the activity was associated with the emerging ransomware group,\r\nInterlock.\r\nIndicators of Compromise (IoCs)\r\nIndicator\r\n216.245.184.170 212.104.133.72 216.245.184.170\r\nd2347abbaa00ff3796ed285469d219ee 15f179a8a459e8e402d146a9c3f4b24b 34b06b0c3a648b0cdb56eaf6287416bf 588a70b0564692e8f1baf00d592aedff\r\nConclusion\r\nCybercriminals continue to maximize financial gain. If an attack vector is simple but effective, it will quickly be\r\noperationalized and widely abused. This is illustrated by the fake CAPTCHA scam technique, which emerged last year and\r\ncontinues to lead to Incident Response cases handled by Beazley Security, including several this month. This method\r\nremains so successful that threat actors are evolving the technique.\r\nSource: https://labs.beazley.security/articles/hunting-mice-in-tunnels-ii-fake-captchas-and-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.beazley.security/articles/hunting-mice-in-tunnels-ii-fake-captchas-and-ransomware"
	],
	"report_names": [
		"hunting-mice-in-tunnels-ii-fake-captchas-and-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/467eda985eca04a56723eeeb863ba19784948497.pdf",
		"text": "https://archive.orkl.eu/467eda985eca04a56723eeeb863ba19784948497.txt",
		"img": "https://archive.orkl.eu/467eda985eca04a56723eeeb863ba19784948497.jpg"
	}
}