{
	"id": "dc2cb81b-089d-4a45-a99e-a946ea03f3bd",
	"created_at": "2026-04-06T00:11:37.955002Z",
	"updated_at": "2026-04-10T03:31:49.906835Z",
	"deleted_at": null,
	"sha1_hash": "7982f254f8aca6399775584a96b7906781428bcd",
	"title": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 912076,
	"plain_text": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion\r\nCampaign Targeting Telco and BPO Companies\r\nBy Tim Parisi\r\nArchived: 2026-04-05 20:17:03 UTC\r\nCrowdStrike Services reviews a recent, extremely persistent intrusion campaign targeting telecommunications and\r\nbusiness process outsourcing (BPO) companies and outlines how organizations can defend and secure their\r\nenvironments.\r\nCrowdStrike Services has performed multiple investigations into an intrusion campaign targeting\r\ntelecommunications and business process outsourcing (BPO) companies.\r\nThe end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in\r\ntwo investigations, perform SIM swapping activity.\r\nInitial access is varied: Social engineering using phone calls and text messages to impersonate IT personnel, and\r\neither directing victims to a credential harvesting site or directing victims to run commercial remote monitoring\r\nand management (RMM) tools.\r\nThese campaigns are extremely persistent and brazen. Once the adversary is contained or operations are\r\ndisrupted, they immediately move to target other organizations within the telecom and BPO sectors.\r\nOrganizations should focus on identity-based security through authentication restrictions and secure multifactor\r\nauthentication (MFA) configurations to most effectively disrupt this campaign.\r\nCrowdStrike Intelligence has attributed this campaign with low confidence to the SCATTERED SPIDER\r\neCrime adversary.\r\nSince June 2022, CrowdStrike Services, CrowdStrike Falcon OverWatch™ and CrowdStrike Intelligence teams have\r\nobserved an increase in the targeting of Telco and BPO industries. These investigations appear to be tied to a\r\nfinancially-motivated campaign with links to an adversary CrowdStrike tracks as SCATTERED SPIDER. 
This blog\r\nwill discuss the ongoing campaign in greater detail, highlighting the various techniques used by the adversary to gain\r\nand maintain access and evade detection and response, as well as what organizations should be aware of to best defend\r\nagainst and respond to this campaign.\r\nBackground\r\nIn this attack campaign, the adversary demonstrates persistence in trying to gain access to victim environments and\r\nperforms constant, and typically daily, activity within the target environment once access is gained. It is imperative for\r\norganizations to swiftly implement containment and mitigation actions if this adversary is in the environment. In\r\nmultiple investigations, CrowdStrike observed the adversary become even more active, setting up additional\r\npersistence mechanisms, e.g., VPN access and/or multiple RMM tools, when mitigation measures were slowly implemented.\r\nAnd in multiple instances, the adversary reverted some of the mitigation measures by re-enabling accounts previously\r\ndisabled by the victim organization.\r\nAlso of note, as CrowdStrike assisted one organization through the investigation and to a successful containment\r\nphase, the adversary moved on to other organizations in the same vertical. CrowdStrike was subsequently engaged to\r\nhttps://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/\r\nPage 1 of 13\n\nsupport the new victim organizations battling against the same campaign, as evidenced by overlapping indicators of\r\ncompromise (IOCs) and techniques.\r\nIn all observed intrusions, the adversary attempted to leverage access to mobile carrier networks from a Telco or BPO\r\nenvironment, and in two investigations, SIM swapping was performed by the adversary.\r\nBelow is a summary timeline outlining a sampling of intrusions CrowdStrike Services responded to along with\r\ncorresponding findings.\r\nFigure 1. 
Sampling of relevant investigation summaries performed by CrowdStrike Services since June 2022\r\nInitial Access and Privilege Escalation\r\nIn most of the investigations CrowdStrike performed, initial access was achieved through social engineering, where the\r\nadversary leveraged phone calls, SMS and/or Telegram to impersonate IT staff. The adversary instructed victim users\r\nto either navigate to a credential-harvesting website containing the company logo and enter their credentials, or\r\ndownload an RMM tool that would allow the adversary to remotely connect to and control their system. If MFA was\r\nenabled, the adversary would either engage the victim directly by convincing them to share their one-time password\r\n(OTP), or indirectly by leveraging MFA push-notification fatigue, in which the adversary repeatedly sends\r\nMFA push prompts to the victim user until they accept the push challenge.\r\nIn another investigation, the adversary leveraged compromised credentials from a victim user and authenticated to the\r\norganization’s Azure tenant. Using this access, the adversary instantiated Azure VMs to conduct credential theft\r\nactivity and lateral movement to on-premises systems.\r\nIn a third tactic observed in another investigation, the adversary leveraged CVE-2021-35464 to exploit a ForgeRock\r\nOpenAM application server, which front-ends web applications and remote access solutions in many organizations (a\r\npatch for this CVE was released in October 2021). In this example, the adversary showcased their knowledge of AWS.\r\nLeveraging AWS Instance Roles to assume or elevate privileges from the Apache Tomcat user, the adversary would\r\nrequest and assume permissions of an instance role using a compromised AWS token. 
As shown in Figure 2, the\r\nadversary used elevated privileges to execute the open-source LinPEAS privilege escalation utility.\r\nFigure 2. Adversary curl command leveraging an AWS Instance Role for privilege escalation, running the LinPEAS\r\nprivilege escalation tool\r\nPersistence and Remote Access Tactics\r\nCrowdStrike incident responders observed that in many cases, the adversary gained access to the organization’s MFA\r\nconsole to add their own devices (as an additional device per user) as trusted MFA devices. The devices would be\r\nassigned to compromised users for whom they had captured credentials. This technique, performed by taking\r\nadvantage of user self-enrollment policies with the MFA provider, allowed the adversary to maintain a deeper and less\r\nobvious level of persistence instead of simply installing a remote access trojan to maintain access.\r\nIn almost all investigations, the adversary used a wide variety of RMM tools to maintain persistent access, such as the\r\nlist below:\r\nAnyDesk\r\nBeAnywhere\r\nDomotz\r\nDWservice\r\nFixme.it\r\nFleetdeck.io\r\nItarian Endpoint Manager\r\nLevel.io\r\nLogmein\r\nManageEngine\r\nN-Able\r\nPulseway\r\nRport\r\nRsocx\r\nScreenConnect\r\nSSH RevShell and RDP Tunnelling via SSH\r\nTeamviewer\r\nTrendMicro Basecamp\r\nSorillus\r\nZeroTier\r\nBecause these tools are not nefarious or malicious in nature, they do not typically generate alerts and are not typically\r\nblocked by endpoint detection and response (EDR) technology. However, the combination of Falcon EDR telemetry\r\nwith human analysis from OverWatch and incident responders painted a clear picture of the adversary’s actions. 
During\r\nactive hands-on-keyboard activity in most of the intrusions CrowdStrike Services responded to, the adversary would often\r\ndeploy multiple RMM tools and would quickly deploy another one if the organization blocked the previously used\r\nutilities.\r\nAnother tactic seen throughout multiple investigations is the adversary following a generic DESKTOP-\u003c7 alphanumeric\r\ncharacters\u003e naming pattern when using their own systems to connect to victim organization VPNs. And when\r\ncreating systems in the victim organization’s virtual desktop infrastructure, the adversary followed a pattern mimicking\r\nthe victim organization’s naming conventions.\r\nThe adversary has also targeted VMware ESXi hypervisors. In one investigation, the adversary installed the open-source rsocx reverse proxy tool and the Level RMM tool on an ESXi appliance. In\r\nanother investigation, the adversary executed the open-source port scanner tool RustScan from a Docker container\r\nrunning on an ESXi appliance. We have released the CrowdStrike Services ESXi Triage Collection and Containment\r\nQuick Reference Guide, which includes best practices to secure ESXi instances.\r\nThroughout all investigations, the adversary used a variety of ISP and VPN providers to access victim Google\r\nWorkspace environments, AzureAD and on-premises infrastructure. Many IP addresses originating from these ISPs\r\nwere observed throughout the multiple investigations performed by CrowdStrike Services. Two of the most common\r\nISPs CrowdStrike observed the adversary operating from were M247 and Digital Ocean. 
In each investigation,\r\nCrowdStrike leveraged Obsidian, a CrowdStrike Store partner, to implement custom ISP detections and restrictions in\r\nO365, AzureAD, Google Workspace and other software-as-a-service (SaaS) environments to quickly respond to, and\r\nfurther secure victim environments.\r\nReconnaissance and Lateral Movement\r\nThe adversary operates across Windows, Linux, Google Workspace, AzureAD, M365 and AWS environments. They\r\nhave also accessed SharePoint and OneDrive environments for reconnaissance information, specifically searching for\r\nVPN information, MFA enrollment information, “how to” guides, help desk instructions and new hire guides.\r\nIn one investigation, the adversary accessed Azure Active Directory and performed bulk downloads of group members\r\nand users. By doing so, they were able to identify privileged users, along with the email addresses and AD attributes of\r\nall users within the victim tenant. Additional techniques employed by the adversary during this investigation included\r\ndomain replication, lateral movement via Windows Management Instrumentation (WMI) using Impacket, SSH\r\ntunneling and various remote access tools. In some investigations, the adversary downloaded tools using victim\r\norganization systems from sites such as file\u003c.\u003eio, GitHub, and paste\u003c.\u003eee. The site transfer\u003c.\u003esh was used by the\r\nadversary to perform data exfiltration of reconnaissance information.\r\nIn another investigation, an open source tool called aws_consoler was used by the adversary to create temporary\r\nfederated credentials for non-existent users issued by identity and access management (IAM) users. 
Federated\r\ncredentials help obfuscate which AWS credential is compromised and enable the adversary to pivot from the AWS\r\nCLI to console sessions without the need for MFA.\r\nMitigations and Containment Measures\r\nIn all investigations performed by CrowdStrike incident responders, the faster the organization implemented swift and\r\nbold security measures, the faster the adversary activity ceased. These containment and mitigation measures focused on\r\nsecure identity and MFA controls and configurations, as highlighted below.\r\nCrowdStrike Falcon Identity Threat Protection\r\nCrowdStrike Services leveraged Falcon Identity Threat Protection (ITP) in all related investigations as one of\r\nthe primary detection and mitigation vehicles.\r\nEnable Falcon ITP rules to enforce restrictions on where privileged accounts can authenticate to and from (e.g.,\r\nspecific system to system only, blocking all RDP access, etc.)\r\nEnforce MFA challenges for privileged account authentication across all access methods (e.g., PowerShell,\r\nRDP, etc.)\r\nMonitor for ITP alerts regarding anomalous use of accounts, stale account usage, custom detection rules,\r\nDCSync and other domain replication activity.\r\nIdentify compromised and at-risk accounts and credentials via custom rules and queries.\r\nMaintain good Active Directory hygiene: monitor and review any newly created accounts, modified groups\r\nor re-enabled accounts.\r\nLeverage the Protected Users Security Group in Active Directory to guard against NTLM use by privileged\r\naccounts.\r\nEnable real-time alerting for known compromised credential detection.\r\nCrowdStrike Falcon Insight XDR and Obsidian\r\nCrowdStrike incident responders leveraged CrowdStrike Store partner Obsidian to implement custom ISP\r\ndetections and restrictions in O365, AzureAD, Google Workspace and other SaaS environments from 
where the\r\nadversary was sourcing their activity.\r\nConfigure alerts and blocks of unauthorized and/or anomalous RMM tools via custom indicators of attack\r\n(IOAs), as the adversary used a wide variety of RMM tools in each investigation.\r\nCrowdStrike Falcon Complete and Falcon OverWatch\r\nEffectively defending against advanced attackers takes technology as well as the skilled judgment of seasoned\r\nincident handlers, working 24/7 in order to respond quickly and effectively. Organizations looking to get the\r\nmost value out of their CrowdStrike Falcon® platform investment should consider partnering with Falcon\r\nComplete (see Note 1) to provide their award-winning MDR services. The Falcon Complete team provides management,\r\nmonitoring, and rapid response leveraging the Falcon platform, combining endpoint protection and identity\r\nprotection in one turnkey solution.\r\nMultifactor Authentication\r\nImplement MFA everywhere possible, especially for accounts that have access to third-party environments.\r\nReplace simple MFA push notifications with number-matching MFA where possible, or use one-time\r\npasscodes with manual entry.\r\nAvoid unsupervised MFA self-enrollment or reset, and disallow any self-enrollment from external IP space.\r\nAllow only one trusted MFA device per user.\r\nImplement a global password reset and KRBTGT account reset twice per domain if compromise is suspected.\r\nAWS Token Pivoting\r\nEnsure IMDSv2 is enabled on all EC2 instances to the extent possible (many products unfortunately still do not\r\nsupport v2).\r\nEnable GuardDuty in all active regions (GuardDuty has detections for abuse of EC2 instance credentials outside\r\nof an EC2 instance).\r\nDeprecate static IAM user access keys in favor of IAM roles where possible.\r\nAzure\r\nEnforce Azure Conditional Access Policies (CAP):\r\nBlock legacy 
authentication\r\nRestrict logon by geographic region\r\nEnforce multifactor authentication for all users\r\nEnforce compliant devices\r\nNetwork Access Controls\r\nVPN host checking or other Network Access Control technology can limit the adversary’s ability to log in\r\nremotely from non-organizational hosts.\r\nGeneral Vigilance\r\nEnsure user accounts, especially those with access to sensitive company information and/or access to mobile\r\ncarrier networks, are assigned Principle of Least Privilege policies within all identity management applications,\r\ne.g., Active Directory, Group Policy Objects, Identity Access Management, etc.\r\nDue diligence should be performed by internal security teams to ensure company insiders remain at a minimal\r\nrisk of purposely supporting the adversary.\r\nBe cognizant of endpoint security tool bypass attempts. In many of the investigations CrowdStrike performed,\r\nthe adversary attempted to bypass AV or EDR security tools on the endpoints.\r\nNotes\r\n1. CrowdStrike recently demonstrated the value of Falcon Complete in the first closed-book MITRE ATT\u0026CK®\r\nEvaluations for Security Service Providers, achieving the highest detection coverage (99%) by conclusively\r\nreporting 75 of the 76 adversary techniques.\r\nIndicators of Compromise (IOCs)\r\nMany of the passwords, file names, ISPs and IOCs listed below have been observed across multiple investigations\r\ntracked in this campaign. Some of the passwords, file names and system-associated domains used by the adversary are\r\ninappropriate and xenophobic and have been omitted from this article.\r\nAlso of note is that the campaign has used a minimal amount of command and control (C2) malware, and therefore there\r\nare few host-based IOCs. 
The theme of the tactics and techniques used has been identity-focused, where the adversary\r\nleverages compromised credentials to access SaaS applications, or performs remote access using the victim organization\r\nVPN or RMM tools to carry out their objectives.\r\nWhile the IP addresses listed below were seen in use by the adversary, stand-alone indicator IPs are considered low-fidelity. CrowdStrike is sharing the list below to provide information that may lead to actionable queries for security\r\nteams; however, hits on these IP addresses may not indicate true positives. As with implementing any network traffic\r\nrestrictions, caution should be exercised if blocking any of the network-based IOCs.\r\nNetwork-Based IOCs\r\nIOC Background\r\n100.35.70.106 Adversary remote access\r\n119.93.5.239 Adversary remote access\r\n136.144.19.51 Adversary MFA registration\r\n136.144.43.81 Adversary remote access\r\n141.94.177.172 Adversary remote access\r\n142.93.229.86 Adversary remote access\r\n143.244.214.243 Adversary remote access\r\n144.76.136.153 IP associated with transfer.sh used for data exfil\r\n146.70.103.228 Adversary MFA registration\r\n146.70.107.71 Adversary remote access\r\n146.70.112.126 Adversary remote access\r\n146.70.127.42 Adversary MFA registration\r\n146.70.45.166 Adversary remote access\r\n146.70.45.182 Adversary remote access\r\n152.89.196.111 Adversary remote access\r\n159.223.213.174 Adversary remote access\r\n162.118.200.173 Adversary remote access\r\n169.150.203.51 Adversary remote access\r\n172.98.33.195 Adversary remote access\r\n173.239.204.129 Adversary MFA registration\r\n173.239.204.130 Adversary remote access\r\n173.239.204.131 Adversary MFA registration\r\n173.239.204.132 Adversary remote 
access\r\n173.239.204.133 Adversary remote access\r\n173.239.204.134 Adversary remote access\r\n18.206.107.24/29 Adversary added CIDR range as an AWS security group to allow inbound traffic\r\n180.190.113.87 Failed adversary login\r\n185.120.144.101 Adversary remote access\r\n185.123.143.197 Adversary remote access\r\n185.123.143.201 Adversary remote access\r\n185.123.143.205 Adversary remote access\r\n185.123.143.217 Adversary remote access\r\n185.156.46.141 Adversary remote access\r\n185.181.102.18 Adversary remote access\r\n185.195.19.206 Adversary remote access\r\n185.195.19.207 Adversary remote access\r\n185.202.220.239 Adversary remote access\r\n185.202.220.65 Adversary remote access\r\n185.240.244.3 Registered authenticator app and adversary VPN logins\r\n185.243.218.41 Adversary remote access\r\n185.247.70.229 Adversary remote access\r\n185.45.15.217 Adversary remote access\r\n185.56.80.28 Adversary remote access\r\n188.166.101.65 Reverse SSH tunnel\r\n188.166.117.31 Adversary remote access\r\n188.214.129.7 Adversary remote access\r\n192.166.244.248 Adversary remote access\r\n193.27.13.184 Adversary remote access\r\n193.37.255.114 Adversary remote access\r\n194.37.96.188 Adversary remote access\r\n195.206.105.118 Adversary remote access\r\n195.206.107.147 Adversary remote access\r\n198.44.136.180 Azure MFA registration\r\n198.54.133.45 Adversary remote access\r\n198.54.133.52 Adversary remote access\r\n217.138.198.196 Adversary remote access\r\n217.138.222.94 Adversary remote access\r\n23.106.248.251 Adversary remote access\r\n2a01:4f8:200:1097::2 IPv6 associated with transfer.sh used for exfil\r\n31.222.238.70 Adversary remote access\r\n35.175.153.217 Adversary remote access\r\n37.19.200.142 Adversary remote access\r\n37.19.200.151 Adversary remote access\r\n37.19.200.155 Adversary remote access\r\n45.132.227.211 Adversary remote 
access\r\n45.132.227.213 Adversary remote access\r\n45.134.140.171 Adversary IP used to download documents from victim SharePoint\r\n45.134.140.177 Adversary remote access\r\n45.86.200.81 Adversary remote access\r\n45.91.21.61 Adversary remote access\r\n5.182.37.59 Adversary remote access\r\n51.210.161.12 Adversary remote access\r\n51.89.138.221 Adversary MFA registration\r\n62.182.98.170 Adversary remote access\r\n64.190.113.28 Adversary remote access\r\n67.43.235.122 Adversary remote access\r\n68.235.43.20 Adversary remote access\r\n68.235.43.21 Adversary remote access\r\n68.235.43.38 Failed adversary login activity\r\n82.180.146.31 Failed adversary login activity\r\n83.97.20.88 Adversary remote access\r\n89.46.114.164 Failed adversary login activity\r\n89.46.114.66 Adversary remote access\r\n91.242.237.100 Adversary remote access\r\n93.115.7.238 Adversary remote access\r\n98.100.141.70 Adversary remote access\r\naws-cli/1.19.59 Python/3.9.2 Linux/5.10.0-kali5-amd64 botocore/1.27.43 UA associated with aws_consoler used by the adversary\r\nHost-Based IOCs\r\nIOC SHA256 Background\r\nchange.m31!!! 
N/A Password used by adversary extensively\r\n\u003credacted\u003e.exe 3ea2d190879c8933363b222c686009b81ba8af9eb6ae3696d2f420e187467f08 Packed Fleet Deck binary\r\nIIatZ cce5e2ccb9836e780c6aa075ef8c0aeb8fec61f21bbef9e01bdee025d2892005 Backconnect TCP malware used to read and execute shellcode from C2, executed via OpenAM exploit\r\ninsomnia.exe acadf15ec363fe3cc373091cbe879e64f935139363a8e8df18fd9e59317cc918 API debugging utility\r\nlinpeas.log N/A LinPEAS Local Privilege Escalation Enumeration tool output log\r\nlinpeas.sh N/A LinPEAS Local Privilege Escalation Enumeration tool\r\nlockhuntersetup_3-4-3.exe 982dda5eec52dd54ff6b0b04fd9ba8f4c566534b78f6a46dada624af0316044e File unlocking tool (for deletion of locked files)\r\nmp 443dc750c35afc136bfea6db9b5ccbdb6adb63d3585533c0cf55271eddf29f58 “Midgetpack” packed binary used to establish connections to 67.43.235.122 on ports 4444 and 8888\r\nmpbec 443dc750c35afc136bfea6db9b5ccbdb6adb63d3585533c0cf55271eddf29f58 “Midgetpack” packed binary used to establish connections to 67.43.235.122 on ports 4444 and 8888\r\nnaaNa.b64 53b7d5769d87ce6946efcba00805ddce65714a0d8045aeee532db4542c958b9f Backconnect TCP malware used to read and execute shellcode from C2, executed via OpenAM exploit\r\nok.exe 4188736108d2b73b57f63c0b327fb5119f82e94ff2d6cd51e9ad92093023ec93 Binary with same name as other adversary tooling to prevent system from sleeping\r\nRmaDc cce5e2ccb9836e780c6aa075ef8c0aeb8fec61f21bbef9e01bdee025d2892005 Backconnect TCP malware used to read and 
execute shellcode from C2\r\nrsocx.exe 648c2067ef3d59eb94b54c43e798707b030e0383b3651bcc6840dae41808d3a9 SOCKS5 bind/reverse proxy\r\nAcknowledgements\r\nCrowdStrike would like to thank all of the dedicated employees on the CrowdStrike Intelligence, Endpoint Recovery\r\nServices, Falcon OverWatch and Incident Response teams for supporting all of the investigations in this campaign,\r\nspending countless late nights, weekends and intense “firefights” detecting and mitigating active hands-on-keyboard\r\nactivity.\r\nAdditional Resources\r\nRead about adversaries tracked by CrowdStrike in 2021 in the 2022 CrowdStrike Global Threat Report and in\r\nthe 2022 Falcon OverWatch™ Threat Hunting Report.\r\nLearn more about how CrowdStrike Services can help your organization prepare to defend against\r\nsophisticated threats, respond and recover from incidents with speed and precision, and fortify your\r\ncybersecurity practices.\r\nLearn how CrowdStrike Falcon® Identity Protection products reduce costs and risks across the enterprise by\r\nprotecting workforce identities.\r\nCheck out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat\r\nProtection in action.\r\nWatch this video to see how Falcon Identity Threat Protection detects and stops ransomware attacks.\r\nWatch an introductory video on the CrowdStrike Falcon® console and register for an on-demand demo of the\r\nmarket-leading CrowdStrike Falcon® platform in action.\r\nRequest a free CrowdStrike Intelligence threat briefing and learn how to stop adversaries targeting your\r\norganization.\r\nSource: https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
	],
	"report_names": [
		"analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7982f254f8aca6399775584a96b7906781428bcd.pdf",
		"text": "https://archive.orkl.eu/7982f254f8aca6399775584a96b7906781428bcd.txt",
		"img": "https://archive.orkl.eu/7982f254f8aca6399775584a96b7906781428bcd.jpg"
	}
}