{
	"id": "51e7fa9b-c84b-4aa1-ac42-2fa8a3e52a96",
	"created_at": "2026-04-06T00:15:08.062275Z",
	"updated_at": "2026-04-10T03:36:11.235794Z",
	"deleted_at": null,
	"sha1_hash": "4f5ccab91488058437e866f94dbbc310ca1b9f33",
	"title": "Exposing initial access broker with ties to Conti",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54693,
	"plain_text": "Exposing initial access broker with ties to Conti\r\nBy Vlad Stolyarov and Benoit Sevens, Threat Analysis Group\r\nPublished: 2022-03-17 · Archived: 2026-04-05 18:05:56 UTC\r\nIn early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to\r\nas EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's\r\nactivity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber\r\ncrime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).\r\nInitial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups\r\nspecialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the\r\nhighest bid.\r\nEXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data\r\nexfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC\r\nLILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted\r\norganizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT,\r\ncybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and\r\nindustries, with less specific focus.\r\nWe have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally\r\nassociated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a\r\ntargeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer,\r\nTransferNow and OneDrive to deliver the payload, further evading detection mechanisms. 
This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.\r\nSpoofing Organizations and Identities\r\nEXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the\r\ngroup:\r\nOne notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a\r\ntargeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an\r\nexisting organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.\r\nhttps://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/\r\nPage 1 of 4\n\nInitially, the group would create entirely fake personas posing as employees of a real company. That would\r\nsometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a\r\npublic service to create an AI-generated human face. In November 2021, the group began to impersonate real\r\ncompany employees by copying their personal data from social media and business databases such as\r\nRocketReach and CrunchBase.\r\nOne of the fake social media profiles created by EXOTIC LILY\r\nUsing spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business\r\nproposal, such as seeking to outsource a software development project or an information security service.\r\nExample of an EXOTIC LILY phishing email impersonating as an employee of a legitimate company\r\nAttackers would sometimes engage in further communication with the target by attempting to schedule a meeting\r\nto discuss the project's design or requirements.\r\nAt the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow,\r\nTransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the\r\ntarget, allowing the final email to originate 
from the email address of a legitimate file-sharing service and not the\r\nattacker’s email, which presents additional detection challenges.\r\nAttacker uses a file-sharing service email notification feature to send BazarLoader ISO payload\r\nHuman-Operated Phishing at Scale\r\nFurther evidence suggests an operator’s responsibilities might include:\r\ncustomizing the initial “business proposal” templates when first reaching out to a targeted organization;\r\nhandling further communications in order to gain affinity and trust;\r\nuploading malware (acquired from another group) to a file-sharing service prior to sharing it with the\r\ntarget.\r\nA breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job,\r\nwith very little activity during the weekends. Distribution of the actor’s working hours suggests they might be\r\nworking from a Central or an Eastern Europe timezone.\r\nBreakdown of actor’s communication activity. Deeper color indicates more activity.\r\nMalware and Attribution\r\nAlthough the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts.\r\nThese samples have some indicators that suggest they were custom-built to be used by the group. 
For example,\r\nmetadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and\r\n“Drive Serial Number”, were shared with BazarLoader ISOs distributed via other means; however, other fields such\r\nas the command line arguments were unique for samples distributed by EXOTIC LILY.\r\nIn March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more\r\nadvanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be\r\nrecognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed\r\nBUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name,\r\nwhich are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported\r\n“tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis,\r\nBUMBLEBEE was observed to fetch Cobalt Strike payloads. This malware can be found using this VirusTotal\r\nquery.\r\nEXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by\r\nAbnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other\r\nmembers of the security community) have also indicated overlaps between domains involved in the delivery chain\r\nof an exploit and infrastructure used for BazarLoader and Trickbot distribution.\r\nWe believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike\r\nprofile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions\r\nof a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and\r\nDEV-0193 (Microsoft). 
While the nature of those relationships remains unclear, EXOTIC LILY seems to operate\r\nas a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that\r\ninclude deployment of Conti and Diavol ransomware, which are performed by a different set of actors.\r\nImproving User Protection\r\nAs part of our efforts to combat serious threat actors, we use results of our research to improve the safety and\r\nsecurity of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding\r\nadditional warnings for emails originating from website contact forms, better identification of spoofing, and\r\nadjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime\r\nInvestigation Group to share relevant details and indicators with law enforcement.\r\nTAG is committed to sharing our findings as a way of raising awareness with the security community, and with\r\ncompanies and individuals that might have been targeted or suffered from this threat actor’s activities. 
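As an added example of the hunting the observations above enable (this is not code from the TAG post or from Google tooling), the Python below refangs a subset of the IOCs listed at the end of the post, flags sender domains that imitate a trusted partner through the TLD swap described under Spoofing Organizations and Identities, and scans proxy log lines for the IOC domains, the listed BUMBLEBEE C2 and the bumblebee user-agent the post says identifies the loader. The partner domains, the log format and the sample log lines are constructed for illustration. The l-for-i fold is my own heuristic, prompted by several of the listed IOC domains; the post itself only describes the TLD change.

```python
# Added example, not code from the TAG post: hunting for the EXOTIC LILY
# patterns described in the post in mail and proxy telemetry. Partner
# domains, the log format and the sample lines are constructed; the IOC
# values are copied from the post's IOC list.

SPOOF_TLDS = {'us', 'co', 'biz'}   # the TLD swaps the post reports

# Subset of the defanged IOCs from the post.
DEFANGED_DOMAINS = ['conlfex[.]com', 'avrobio[.]co', 'craneveyor[.]us',
                    'awsblopharma[.]com']
DEFANGED_C2 = '23.81.246[.]187:443'

# Constructed: domains of business partners the organisation trusts.
PARTNER_DOMAINS = ['acme-metals.com', 'northwind-bio.com']


def refang(ioc):
    '''Turn report-style defanged values back into matchable strings.'''
    return ioc.replace('[.]', '.').replace('hxxp', 'http')


def split_domain(domain):
    '''Return (second-level label, tld). Assumes single-label public
    suffixes, so co.uk style domains are out of scope for this example.'''
    parts = domain.lower().strip('.').split('.')
    if len(parts) < 2:
        return parts[0], ''
    return parts[-2], parts[-1]


def fold(label):
    '''Fold lowercase l onto i. Added heuristic (not from the post): several
    listed IOC domains differ from a real name only by this substitution.'''
    return label.replace('l', 'i')


def imitated_domain(domain, known_domains=PARTNER_DOMAINS):
    '''Return (known domain, reason) when domain imitates a trusted domain,
    else None. tld-swap is the pattern the post describes (same label,
    .us/.co/.biz in place of the real TLD); homoglyph is the l/i fold.'''
    label, tld = split_domain(domain.lower())
    if label + '.' + tld in known_domains:
        return None                      # the real thing, or a subdomain of it
    for known in known_domains:
        k_label, k_tld = split_domain(known)
        if label == k_label and tld != k_tld:
            return known, 'tld-swap' if tld in SPOOF_TLDS else 'tld-swap-other'
        if fold(label) == fold(k_label):
            return known, 'homoglyph'
    return None


def triage_sender(address):
    '''Classify the domain of a sender address for mail triage.'''
    domain = address.split('@')[-1].lower()
    label, tld = split_domain(domain)
    if label + '.' + tld in PARTNER_DOMAINS:
        return 'known'
    hit = imitated_domain(domain)
    if hit:
        known, reason = hit
        return f'spoof-of:{known} ({reason})'
    return 'unknown'


# Constructed proxy log format: timestamp src_ip method url user_agent
SAMPLE_LOG = [
    '2022-03-10T09:12:01Z 10.1.2.3 POST https://23.81.246.187:443/gate bumblebee',
    '2022-03-10T09:12:05Z 10.1.2.4 GET https://www.example.org/ Mozilla/5.0',
    '2022-03-10T09:13:10Z 10.1.2.5 GET https://conlfex.com/proposal.iso Mozilla/5.0',
    '2022-03-10T09:14:00Z 10.1.2.6 POST https://198.51.100.7/x bumblebee',
]


def host_of(url):
    '''Extract the bare host from a URL, dropping scheme, port and path.'''
    return url.split('//')[-1].split('/')[0].split(':')[0].lower()


def scan_log(lines=SAMPLE_LOG, iocs=DEFANGED_DOMAINS, c2=DEFANGED_C2):
    '''Return (line number, reason) for every line that contacts an IOC
    domain, the listed C2, or carries the bumblebee user-agent. The
    user-agent check is what catches a C2 the IOC list does not know yet.'''
    ioc_hosts = {refang(d) for d in iocs}
    c2_host = host_of(refang(c2))
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue                     # malformed line: skip, do not crash
        host, ua = host_of(fields[3]), fields[4]
        if host in ioc_hosts:
            hits.append((n, 'ioc-domain:' + host))
        elif host == c2_host:
            hits.append((n, 'bumblebee-c2:' + host))
        elif ua.lower() == 'bumblebee':
            hits.append((n, 'bumblebee-ua'))
    return hits


if __name__ == '__main__':
    for addr in ('jane@acme-metals.us', 'ops@northwlnd-blo.co', 'x@other.org'):
        print(addr, '->', triage_sender(addr))
    for hit in scan_log():
        print(hit)
```

The IOC match is exact on the host, so it only ever finds infrastructure already published; the user-agent rule and the partner-domain comparison are the two checks that generalise beyond the list, which is why the sample log includes a C2 address that is not in it.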
We hope\r\nthat improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead\r\nto stronger user protections across industry.\r\nIndicators of Compromise (IOCs)\r\nRecent domains used in email campaigns:\r\nconlfex[.]com\r\navrobio[.]co\r\nelemblo[.]com\r\nphxmfg[.]co\r\nmodernmeadow[.]co\r\nlsoplexis[.]com\r\ncraneveyor[.]us\r\nfaustel[.]us\r\nlagauge[.]us\r\nmissionbio[.]us\r\nrichllndmetals[.]com\r\nkvnational[.]us\r\nprmflltration[.]com\r\nbrightlnsight[.]co\r\nbelcolnd[.]com\r\nawsblopharma[.]com\r\namevida[.]us\r\nrevergy[.]us\r\nal-ghurair[.]us\r\nopontia[.]us\r\nBazarLoader ISO samples:\r\n5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be\r\n9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269\r\nc896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7\r\nRecent BUMBLEBEE ISO samples:\r\n9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32\r\n6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8\r\n201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9\r\n1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd\r\n01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225\r\nRecent BUMBLEBEE C2:\r\n23.81.246[.]187:443\r\nSource: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"
	],
	"report_names": [
		"exposing-initial-access-broker-ties-conti"
	],
	"threat_actors": [
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434508,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f5ccab91488058437e866f94dbbc310ca1b9f33.pdf",
		"text": "https://archive.orkl.eu/4f5ccab91488058437e866f94dbbc310ca1b9f33.txt",
		"img": "https://archive.orkl.eu/4f5ccab91488058437e866f94dbbc310ca1b9f33.jpg"
	}
}