{
	"id": "22a85869-4dc4-4122-aee8-945817bd6173",
	"created_at": "2026-04-06T00:21:29.503376Z",
	"updated_at": "2026-04-10T03:32:24.848691Z",
	"deleted_at": null,
	"sha1_hash": "6c54b2bc97f2e44d1d262aab165d9050f1cb5107",
	"title": "Microsoft Exchange servers hacked to deploy Hive ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2950506,
	"plain_text": "Microsoft Exchange servers hacked to deploy Hive ransomware\r\nBy Bill Toulas\r\nPublished: 2022-04-20 · Archived: 2026-04-05 13:04:58 UTC\r\nA Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.\r\nFrom there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, and ultimately deploy the file-encrypting payload.\r\nThe details come from security and analytics company Varonis, which was called in to investigate a ransomware attack on one of its customers.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/\r\nA widely abused initial access\r\nProxyShell is a set of three vulnerabilities in Microsoft Exchange Server that allow remote code execution without authentication on vulnerable deployments. The flaws have been used by multiple threat actors, including ransomware operations such as Conti, BlackByte, Babuk, Cuba, and LockFile, after exploits became available.\r\nThe flaws are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, and their severity ratings range from 7.2 (high) to 9.8 (critical).\r\nThe security vulnerabilities are considered fully patched as of May 2021, but extensive technical details about them were only made available in August 2021, and soon after that, malicious exploitation started [1, 2].\r\nThe fact that Hive's affiliate successfully exploited ProxyShell in a recent attack shows that unpatched servers remain exposed.\r\nFrom access to encryption\r\nFollowing the exploitation of ProxyShell, the hackers planted four web shells in an accessible Exchange directory and executed PowerShell code with high privileges to download Cobalt Strike stagers.\r\nThe web shells used in this particular attack were sourced from a public Git repository and were merely renamed to evade detection during potential manual inspections.\r\nRandomly-named web shells (Varonis)\r\nFrom there, the intruders used Mimikatz, a credential stealer, to snatch the password of a domain admin account and perform lateral movement, accessing more assets in the network.\r\nLaunching a new command prompt on the affected system (Varonis)\r\nNext, the threat actors performed extensive file search operations to locate the most valuable data to pressure the victim into paying a larger ransom.\r\nVaronis analysts have seen remnants of dropped network scanners, IP address lists, device and directory enumerations, RDP connections to backup servers, scans for SQL databases, and more.\r\nOne notable case of network scanning software abuse was \"SoftPerfect\", a lightweight tool that the threat actor used for enumerating live hosts by pinging them and saving the results to a text file.\r\nFinally, after all files had been exfiltrated, a ransomware payload named \"Windows.exe\" was dropped and executed on multiple devices.\r\nBefore encrypting the organization's files, the Golang payload deleted shadow copies, disabled Windows Defender, cleared Windows event logs, killed file-binding processes, and stopped the Security Accounts Manager to incapacitate alerts.\r\nCommands executed by the final payload (Varonis)\r\nHive evolution\r\nHive has come a long way since it was first observed in the wild back in June 2021, having a successful start that prompted the FBI to release a dedicated report on its tactics and indicators of compromise.\r\nIn October 2021, the Hive gang added Linux and FreeBSD variants, and in December it became one of the most active ransomware operations in attack frequency.\r\nLast month, researchers at Sentinel Labs reported on a new payload-hiding obfuscation method employed by Hive, which indicates active development.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/"
	],
	"report_names": [
		"microsoft-exchange-servers-hacked-to-deploy-hive-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c54b2bc97f2e44d1d262aab165d9050f1cb5107.pdf",
		"text": "https://archive.orkl.eu/6c54b2bc97f2e44d1d262aab165d9050f1cb5107.txt",
		"img": "https://archive.orkl.eu/6c54b2bc97f2e44d1d262aab165d9050f1cb5107.jpg"
	}
}