{
	"id": "52959589-b685-42d4-8d32-df4298f02ce5",
	"created_at": "2026-04-06T00:07:07.97833Z",
	"updated_at": "2026-04-10T03:36:11.227029Z",
	"deleted_at": null,
	"sha1_hash": "53b986c433bee187c7f07cd278d7a9b21f7c5a94",
	"title": "Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2991922,
	"plain_text": "Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators\r\nBy Falcon Complete Team\r\nArchived: 2026-04-05 16:16:14 UTC\r\nIn this blog, we describe a string of recent incidents in which the CrowdStrike Falcon® Complete™ team observed a financially motivated eCrime operator (likely WIZARD SPIDER) use compromised external remote services (Microsoft Remote Desktop Protocol, or RDP) along with Cobalt Strike in an unsuccessful attempt to deploy ransomware. This activity indicates a notable increase in the adversary’s tactics to include RDP brute forcing along with their more traditional modus operandi for initial access via phishing or leveraging their partner networks of access brokers. We will provide a brief overview of the observed tactics, techniques and procedures (TTPs) in these cases along with an outline of the Falcon Complete team’s approach to quickly detect and contain the interactive attacker before the threat actor was able to complete actions on objective.\r\nCampaign TTPs Overview\r\nIn recent weeks, the Falcon Complete team has conducted several response operations to incidents involving compromised RDP credentials as an initial infection vector. This was followed by execution of reconnaissance commands, installation of Cobalt Strike and additional tooling. CrowdStrike Intelligence assesses that the threat actor responsible for this activity is likely WIZARD SPIDER due to the following overlapping TTPs with WIZARD SPIDER activity clusters:\r\nCobalt Strike stager DLLs executed from the victim's Music directory\r\nNetwork indicators identified via hunting for related samples and infrastructure exhibiting attributes of WIZARD SPIDER infrastructure\r\nUsing nltest and net Windows utilities to conduct reconnaissance activity\r\nThis assessment carries low confidence.\r\nFigure 1. Activity cluster patterns mapped to MITRE ATT\u0026CK®\r\nWIZARD SPIDER is a criminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, including the Trickbot, BazarLoader, Conti and Ryuk malware variants. This adversary has used big game hunting (BGH) tactics to great effect against a diverse set of targets across multiple sectors and geographies.\r\nhttps://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/\r\nPage 1 of 8\n\nThe typical activity patterns observed by the Falcon Complete team in recent intrusions include an initial attack vector via compromised external remote services — commonly, exposed RDP. This suggests a notable increase in this tactic. It is unclear whether the increased focus on external remote services is a shift away from phishing and using access brokers, or whether this is simply an addition to the adversary’s overall modus operandi. Adversaries often obtain credentials in multiple ways, whether by brute forcing an externally exposed service, purchasing them on underground markets or conducting credential harvesting operations. Once the actor has established a foothold within an environment, they will proceed with reconnaissance activities to enumerate accounts and systems that may represent high-value targets. Multiple reconnaissance commands were observed — in particular, nltest appears to be a hallmark of this activity. Shown in Figure 2, the adversary first enumerated the trusted domains in the environment, and then a list of domain controllers. Their goal was likely to move laterally to one of these systems.\r\nFigure 2. Example reconnaissance commands\r\nThe threat actor then installed additional tooling for post-exploitation activities. This typically included Cobalt Strike for command and control, where the stager DLLs were written to the user's Music directory. BloodHound or Adfind were pulled down from an external resource for additional account enumeration in preparation for lateral movement. This secondary reconnaissance is handled by a BAT file written to the same Music directory.\r\nFigure 3. Process tree graph\r\nFigure 3 presents many of the common patterns related to the observed activity cluster as seen in the Falcon console. This process tree graph view indicates the initial process injection under the explorer.exe process via rundll32.exe, along with the initial reconnaissance commands such as nltest under the conhost.exe process.\r\nFalcon Complete Detection and Response\r\nInitial Detection and Triage\r\nThe Falcon Complete team has observed multiple related incidents over the past several weeks that share common TTPs, as noted above. Below, we present a case study of these contextual indicators observed during a specific incident. The response process began when the Falcon Complete team received a high-severity machine learning (ML) detection for a suspicious process injection via rundll32.exe. Further investigation indicated that this process injection was related to the threat actor abusing Microsoft Office Visual Basic for Applications (VBA) macros in an uncommon way.\r\nFigure 4. Process tree with Microsoft Excel copy/paste\r\nThis shellcode was a typical stager that functioned as a downloader to fetch a Cobalt Strike payload from the attacker-controlled command and control (C2). These resources were written to the C:\\Users\\Public\\Music directory.\r\nFigure 5. Detection showing Cobalt Strike stage location\r\nAdversaries' use of Microsoft Office documents weaponized with VBA macros is nothing new, but the activity described above differs significantly from phishing campaigns leveraging macro documents to achieve initial access. Instead, the document was being used to execute code after initial access had been achieved on a system via a compromised account. We have observed multiple instances of files written that were named either \"New Microsoft Word Document.docx\" or \"New Microsoft Excel Worksheet.xlsx,\" which are the default naming schemes for new document templates in Windows. Next, a macro executes a shellcode payload via the rundll32.exe process, which is a Cobalt Strike stager, but the macro’s shellcode is never written to disk. This is likely an evasion technique attempting to bypass host-based security controls to execute shellcode. What appears to be happening is the threat actors are copying and pasting the malicious macro directly into a blank document template over the RDP session. The advantage of this approach is that the macros are not written to disk and are only executed in memory. This activity was then followed by similar reconnaissance commands observed in Figure 2 above.\r\nContainment and Investigation\r\nAt this point, we were confident that an adversary was interactive and had compromised the victim host. We observed them attempting to perform reconnaissance in preparation for privilege escalation and lateral movement. The next steps were to contain and identify the full scope of the incident. Our analysts have the capability to network-contain a host to prevent the lateral spread of the adversary within the environment. This immediately denies the adversary remote access by only allowing the host to communicate with the CrowdStrike Security Cloud.\r\nFigure 6. Containment\r\nThe next objective of the investigation was to properly scope the intrusion by identifying the affected systems/user accounts and host/network indicators of compromise. We can pivot into our endpoint activity monitoring (EAM) application, which provides endpoint telemetry so we can gain further context and determine the origin of the intrusion.\r\nFigure 7. EAM query for type 10 logons (RDP)\r\nThe goal here was to determine the user account that the threat actor compromised and leveraged for remote access. In Figure 7, a simple query for type 10 logons can determine this account. This query also gives us the Remote IP, which is the source host of the RDP logon. This information could also be gleaned from a Falcon Real Time Response (RTR) session on the host to query the security event logs via PowerShell, such as the following snippet:\r\nFigure 8. Alternative method for event logs\r\nThe EAM application can also be used to search for residual host artifacts that the adversary may have left behind on the system. From the initial detection triage, we can then pivot from data points such as the injected process, directory locations and specific file types of interest. A basic query is shown in Figure 9 to identify the artifacts of interest that remain on disk.\r\nFigure 9. EAM query for host artifacts\r\nBased on observations from previous intrusions, we knew that a batch file may be present in the same directory as the Cobalt Strike stager. As noted before, this batch file is responsible for conducting further reconnaissance with Adfind to explore the Active Directory environment. As shown in Figure 9, the EAM query also captured the command rundll32.exe test.dll, Lemon. This command is used for process injection via rundll32.exe. Previously, the Falcon Complete team has observed similar patterns regarding one-word export functions such as \"Lemon\" in this case, and \"Lime\" in similar instances. These one-word export functions likely suggest a possible common naming convention for exports, related to Cobalt Strike DLLs across the intrusions observed. Investigators can use this indicator to pivot or enrich related data sets of potentially linked activity clusters. Next, the team performed dynamic malware analysis on the Cobalt Strike stager sample. We discovered that the binary’s code was configured to reach out to the domain serviapd\u003c.\u003ecom for C2. At this point in the investigation, we had determined both the system and user scopes, identified host artifacts and extracted network indicators of compromise (IOCs) from the malware. Armed with this information, the Falcon Complete team could now begin removing the actor's malware from the affected systems.\r\nRemediation\r\nThe Falcon Complete team directly performs many of the critical remediation actions for our customers via Falcon RTR. A typical remediation can be broken into three distinct steps:\r\n1. Killing the malicious processes (e.g., injected rundll, explorer, conhost)\r\n2. Locating and removing the persistence mechanism (e.g., compromised accounts, services)\r\n3. Removing disk artifacts (e.g., binaries and directories)\r\nIn this case, we have rated this remediation as “Easy,” based on the velocity and total effort required for proper recovery. Due to the rapid response time to contain and evict the adversary, there was not an extensive list of clean-up actions to be taken.\r\nSTEP 1. Finding and Killing the Malicious Process\r\nFalcon did a lot of the work for us here and had already terminated the injected processes. The running process was reviewed to ensure no injected threads were still executing malicious code. We have provided more details for finding injected processes in previous blogs:\r\nAutomating Remote Remediation of TrickBot: Part 1\r\nDuck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3\r\nSTEP 2. Removing Persistence\r\nThe adversary did not have time (or didn’t bother) to establish persistence beyond the compromised account credentials leveraged in the RDP session. We worked with the client to reset these accounts and harden remote services to avoid further exploitation. Our recommendations for best practices include:\r\nUsing multifactor authentication (MFA) for remote access services\r\nDisabling RDP or any services that are not required\r\nUsing non-standard ports if required\r\nDeploying technical controls such as Web Application Firewall (WAF) in front of remote services\r\nSTEP 3. Removing Remaining Artifacts\r\nUsing Falcon RTR, we removed all adversary tooling and file system residue present in the C:\\Users\\Public\\Music directory. The steps outlined above are the general process for successfully remediating a host for the artifacts of this intrusion set.\r\nThe Efficiency of Falcon Complete\r\nThe Falcon Complete team identified an interactive adversary that had compromised an external remote service and gained illicit access to a managed host in our client’s environment. This threat actor attempted to download and execute additional tooling in a likely attempt to stage ransomware. The team quickly contained, scoped and remediated this threat with the Falcon RTR capability without requiring any reboots, reimages or other disruption to the client’s business operations. The following figure highlights the significant milestones during our detection and response efforts.\r\nThis activity was attributed to the financially motivated adversary tracked as WIZARD SPIDER. The Falcon Complete team has observed multiple similar TTPs in several recent intrusions that indicate a general tactical increase or preference for compromising external remote services (such as RDP) as an initial infection vector. It is unclear but possible that this activity is simply in addition to this actor’s “normal” email phishing operations. We also noted an interesting usage of a technique leveraging Microsoft Office macros following initial access. It is likely that eCrime actors will continue to use this technique going forward. The Falcon Complete team will continue to track this threat and monitor our clients’ environments for any notable developments.\r\nAdditional Resources\r\nRead more blogs from the Falcon Complete team: Falcon Complete Disrupts Malvertising Campaign Targeting AnyDesk, Response When Minutes Matter: Rising Up Against Ransomware and Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits.\r\nLearn more by visiting the Falcon Complete product webpage.\r\nRead a white paper: CrowdStrike Falcon® Complete: Instant Cybersecurity Maturity for Organizations of All Sizes.\r\nSource: https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/"
	],
	"report_names": [
		"how-falcon-complete-disrupts-ecrime-operators-wizard-spider"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53b986c433bee187c7f07cd278d7a9b21f7c5a94.pdf",
		"text": "https://archive.orkl.eu/53b986c433bee187c7f07cd278d7a9b21f7c5a94.txt",
		"img": "https://archive.orkl.eu/53b986c433bee187c7f07cd278d7a9b21f7c5a94.jpg"
	}
}