{
	"id": "76947642-e329-4400-a295-13bbe90affb8",
	"created_at": "2026-04-06T00:09:08.246399Z",
	"updated_at": "2026-04-10T03:25:35.802095Z",
	"deleted_at": null,
	"sha1_hash": "5273d6f22057b317bbb2f9cb2cb5745347cec562",
	"title": "Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 674497,
	"plain_text": "Attack Graph Response to US CERT AA22-152A: Karakurt Data\r\nExtortion Group\r\nBy AttackIQ Adversary Research Team\r\nPublished: 2022-06-03 · Archived: 2026-04-05 14:03:22 UTC\r\nEarlier this week we published a blog post on the release of a new AttackIQ assessment addressing the ingress of\r\ntools and malware associated with the Karakurt Data Extortion Group recently highlighted by US-CERT Alert\r\nAA22-152A. Today we are following up with the release of an in-depth attack graph that fully emulates their\r\ntactics, techniques, and procedures.\r\nKarakurt is a financially motivated adversary focused on data extortion that has already affected more than 40\r\norganizations across multiple industries and regions. Based on available intelligence, we have observed that the\r\nadversary is primarily focused on data theft for subsequent extortion, and not on traditional ransomware\r\nencryption or destructive attacks.\r\nValidating your security program performance against this type of attack is paramount in reducing risk. By using\r\nthis new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:\r\n1. Evaluate security control performance against common persistence, discovery, and data exfiltration\r\ntechniques.\r\n2. Assess security posture for the techniques used by an actor focused on data theft and the extortion of\r\nvictims with threats to publicly release data.\r\n3. Continuously validate detection and prevention pipelines against actor activity that may have variable\r\ninitial access methods but a common hands-on keyboard approach.\r\nAttack Graph Emulation of Karakurt Techniques\r\nThe Karakurt threat actors are cybercriminals who typically gain access to victim networks from various initial\r\naccess brokers using stolen credentials or through the exploitation of common vulnerabilities like Log4Shell or\r\nZerologon. Our attack graph emulation starts after that initial access has already been achieved.\r\nOnce inside their target of opportunity, they focus on establishing persistence via Cobalt Strike and establishing a\r\nnetwork connection with their command and control infrastructure.\r\nhttps://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/\r\nPage 1 of 7\n\nIngress Tool Transfer (T1105): Download and save samples of the actor’s phishing documents and Cobalt Strike\r\nmalware.\r\nApplication Layer Protocol (T1071) and Fallback Channels (T1008): Emulate command and control\r\nconnectivity with failover options for HTTPS, HTTP, and DNS protocols.\r\nWindows Service (T1543.003), Registry Run Keys (T1547.001), and Windows Management\r\nInstrumentation (T1047): Cobalt Strike has a plethora of persistence options; our attack graph will try a subset of\r\nthese methods to find a successful foothold.\r\nNow that persistence has been established, Karakurt focuses on gathering additional credentials that can be\r\nleveraged to move laterally to other systems or access remote external servers.\r\nAccount Discovery (T1087): Use living off the land commands like “net user” to obtain a list of additional\r\naccounts known to the infected host.\r\nOS Credential Dumping (T1003): Karakurt has been observed using Mimikatz to dump passwords and hashes\r\nfor Windows accounts.\r\nArmed with their new credentials, the actor is going to start the discovery phase of their attack to find connectable\r\nhosts, files and folders of interest, which will guide their lateral movement using native operating system\r\nfunctionality like Remote Desktop.\r\nSystem Network Connections Discovery (T1049): Continue to leverage living off the land commands like\r\n“netstat” and “net use” to find other systems remotely connected to the initial foothold host.\r\nFile and Directory Discovery (T1083): Karakurt will be looking at the local host and remote shares to find\r\nsensitive files that can be stolen and held as ransom. Generating file and directory lists helps identify data files to\r\nspeed up their assessment.\r\nRemote Desktop Protocol (T1021.001): Combining the dumped credentials and the discovered remote hosts, the\r\nactor will attempt to move laterally to another host and repeat their discovery process until they have collected\r\nenough data to exfiltrate.\r\nOnce their discovery and lateral movement actions are completed, it’s time for Karakurt to begin staging the stolen\r\ndata and exfiltrate it to actor-owned external resources. They will attempt to use cloud providers or SFTP for bulk\r\nexfiltration. If all else fails, they can fall back to Cobalt Strike for data exfiltration over HTTP.\r\nLocal Data Staging (T1074.001): This actor prefers to conduct bulk exfiltration operations, so collecting and\r\nstaging data in a single place assists with this method.\r\nExfiltration to Cloud Storage (T1567.002): Karakurt has been observed downloading and using the command-line\r\ntool Rclone to exfiltrate files to ‘Mega.io’ or other cloud providers.\r\nExfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002): Additionally, the actor has been\r\nobserved bringing FileZilla into the environment to exfiltrate data over SFTP.\r\nExfiltration Over C2 Channel (T1041) and Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): If\r\nthe bulk exfiltration attempts are thwarted, the actors have the option of using their Cobalt Strike backdoor to\r\nexfiltrate over an HTTP connection.\r\nOpportunities for Extending the Attack Graph\r\nIn addition to what’s already covered in the attack graph, there are two additional techniques employed by this\r\nthreat actor that are also part of the AttackIQ platform. Security teams can easily extend this Attack Graph with a\r\nsimple clone operation followed by the addition of these scenarios, or they can create new assessments if their\r\nenvironments meet the scenario requirements:\r\n1. Dump Active Directory Databases (T1003.003): One high value objective for cyber threat actors is to\r\nobtain a copy of the Active Directory database so that it may be attacked offline. Karakurt has been\r\nobserved dumping the NTDS.dit database from a domain controller once administrative access has been\r\nachieved. This scenario must be executed on a domain controller asset.\r\n2. Exfiltrate Files over SFTP (T1048.002): Attackers, including Karakurt, commonly use covert data\r\nexfiltration methods to avoid detection. Adding this SFTP exfiltration scenario is recommended to assist in\r\ndetection and prevention of this technique. This scenario requires an accessible server that supports Secure\r\nShell and the valid credentials to access the remote resource.\r\nDetection and Mitigation Opportunities\r\nWith so many different techniques being utilized by threat actors, it can be difficult to know which to prioritize for\r\nprevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated\r\nin our scenarios before moving on to the remaining techniques.\r\n1. Ingress Tool Transfer (T1105)\r\nStopping or identifying when the threat actor is bringing down their toolset after the initial compromise will help\r\nprevent follow-up actions those tools facilitate. Once a malicious actor has compromised an endpoint, they may\r\nattempt to transfer tools or malware onto the device using applications like PowerShell, certutil, Bitsadmin, and\r\nCurl.\r\n1a. Detection Process\r\nThe following Sigma rules can help identify when suspicious file downloads are being conducted:\r\nPowerShell Example:\r\nProcess Name == (Cmd.exe OR Powershell.exe)\r\nCommand Line CONTAINS ((“IWR” OR “Invoke-WebRequest”) AND “DownloadData” AND “Hidden”)\r\ncertutil Example:\r\nProcess Name == Certutil.exe\r\nCommand Line CONTAINS (“-urlcache” AND “-f” AND “http”)\r\nBitsadmin Example:\r\nProcess Name == Bitsadmin.exe\r\nCommand Line CONTAINS (“/transfer” AND “http”)\r\nCurl Example:\r\nProcess Name == Curl.exe\r\nCommand Line CONTAINS (“http” AND “-o”)\r\n1b. Mitigation Policies\r\nMITRE recommends the following mitigations:\r\nM1031\r\n2. Windows Service (T1543.003), Registry Run Keys (T1547.001), and Windows Management\r\nInstrumentation (T1047):\r\nPersistence is a key inflection point in an actor’s attack lifecycle. Concerned about their potential loss of access,\r\nthey are going to take steps to ensure they will remain on the infected host after reboots or partial remediation\r\nefforts. Disrupting their ability to maintain their foothold will help prevent their immediate return.\r\n2a. Detection Process\r\nThe following rules can help identify when those persistence mechanisms are being set.\r\nService Creation:\r\nProcess Name == (Cmd.exe OR Powershell.exe)\r\nCommand Line CONTAINS (‘sc’ AND ‘create’ AND ‘start= “auto”’)\r\nRegistry Run Keys:\r\nProcess Name == powershell.exe\r\nCommand Line CONTAINS (\"Set-ItemProperty\" AND (“HKLM” OR “HKCU”) AND “Software\\Microsoft\\Windows\\Cur\r\nProcess Name == (“cmd.exe” OR “powershell.exe”)\r\nCommand Line CONTAINS “reg.exe” AND \"add\" AND (“HKLM” OR “HKCU”) AND “Software\\Microsoft\\Windows\\Cur\r\nWindows Management Instrumentation:\r\nSource == \"WinEventLog:Microsoft-Windows-WMI-Activity/Operational\"\r\nEventCode == (“5859” OR (\"5861\" AND (\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"Co\r\nProvider != \"SCM Event Provider\"\r\nQuery != \"select * from MSFT_SCMEventLogEvent\"\r\nUser != \"S-1-5-32-544\"\r\nPossibleCause != \"Permanent\"\r\n2b. Mitigation Policies\r\nEnsure that Group Policy enforces that only authorized users or administrators are able to use tools such as cmd.exe,\r\npowershell.exe, sc.exe and reg.exe. Limiting these administrative tools to only authorized personnel will greatly\r\nlimit the chance of these attacks being carried out on lower privileged users.\r\nMITRE recommends the following mitigations for T1543.003:\r\nM1047\r\nM1040\r\nM1045\r\nM1028\r\nM1018\r\n3. OS Credential Dumping (T1003)\r\nActors like Karakurt will almost always require additional usernames and passwords beyond those they started\r\nwith in order to move laterally to other hosts and to find additional sensitive data. Mimikatz is an open-source tool\r\nwith regular version updates that evade many antivirus solutions. Focusing on the command line arguments and\r\nsubsequent behavior is a solid foundation to limit the actor’s ability to spread.\r\n3a. Detection Process\r\nProcess Name == powershell.exe\r\nCommand Line CONTAINS ((“DownloadString” OR “DownloadFile”) AND “http” AND “.ps1” AND (“IEX” OR “Invo\r\n3b. Mitigation Policies\r\nMITRE recommends the following mitigations for T1003:\r\nM1015\r\nM1040\r\nM1043\r\nM1041\r\nM1028\r\nM1027\r\nM1026\r\nM1025\r\nM1017\r\n4. Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)\r\nThe last possible prevention opportunity for this intrusion is when they attempt to exfiltrate collected victim data.\r\nPreventing an actor from establishing those connections to untrusted sites or identifying when legitimate services\r\nare being abused is crucial to stopping a data breach. A determined actor like Karakurt is not going to give up\r\nwhen one avenue fails; they will be persistent and leverage their exfil fallback options. Therefore, it is key to be\r\naggressive in responding when these alerts are triggered.\r\n4a. Detection Process\r\nDetecting exfiltration is well suited for IDS/IPS and DLP solutions. These products should be configured to\r\nidentify sensitive files. If sensitive files, or a large amount of web traffic, are sent to a rare external IP, it should be\r\ndetected or prevented depending on the security policies for the security control. Historical NetFlow data logging can\r\nalso bubble up hosts that are experiencing uncommon peaks in outgoing traffic.\r\n4b. Mitigation Policies\r\nMITRE recommends the following mitigations for T1048.003:\r\nM1057\r\nM1037\r\nM1031\r\nM1030\r\nConclusion\r\nIn summary, this attack graph will evaluate security and incident response processes and support the improvement\r\nof your security control posture against an actor with focused operations to find and exfiltrate sensitive data. With\r\ndata generated from continuous testing and use of this attack graph, you can focus your teams on achieving key\r\nsecurity outcomes, adjust your security controls, and work to elevate your total security program effectiveness\r\nagainst a known and dangerous threat.\r\nAttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ\r\nSecurity Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.\r\nSource: https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/"
	],
	"report_names": [
		"attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5273d6f22057b317bbb2f9cb2cb5745347cec562.pdf",
		"text": "https://archive.orkl.eu/5273d6f22057b317bbb2f9cb2cb5745347cec562.txt",
		"img": "https://archive.orkl.eu/5273d6f22057b317bbb2f9cb2cb5745347cec562.jpg"
	}
}