{
	"id": "f509a1ec-bbf1-4df1-92e5-21f8e0f94897",
	"created_at": "2026-04-06T00:13:57.967205Z",
	"updated_at": "2026-04-10T03:34:41.443954Z",
	"deleted_at": null,
	"sha1_hash": "7abbcbfde61d19a01dbb25c3bbdddffafbf03428",
	"title": "Rhysida: Evading Detection, One Service at a Time",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49227,
	"plain_text": "Rhysida: Evading Detection, One Service at a Time\r\nArchived: 2026-04-05 20:07:04 UTC\r\nDuring a recent engagement, At-Bay Security analysts observed artifacts showing a threat actor operating under the Rhysida ransomware brand attempting to hide their network activity prior to ransomware deployment.\r\nBased on these observations, actionable steps organizations can take to protect themselves include:\r\nEducate users on how to identify social engineering tactics such as search engine optimization (SEO) poisoning, which may falsely elevate malicious URLs in search engine results.\r\nBuild detections around the disabling of, or tampering with, security controls and services, including changes or modifications to security settings (e.g. Windows Defender).\r\nEnforce Multi-Factor Authentication for all remote connections.\r\nLeverage a managed version of Endpoint Detection and Response (EDR) so that alerts are identified and actioned in real time.\r\nAbout Rhysida Ransomware\r\nRhysida Ransomware, first detected in May 2023, has impacted hundreds of victim networks across the globe, with a particular focus on sectors such as healthcare, government, education and manufacturing.\r\nThis group operates on a double extortion model, exfiltrating data and encrypting networks prior to issuing a financial demand. Rhysida is also known to use a variety of methods to infiltrate systems, including the exploitation of external remote services (e.g. VPNs) and phishing.\r\nKey Findings\r\nIn a case observed by At-Bay, a user at an organization fell victim to a tactic known as Search Engine Optimization (SEO) poisoning and downloaded a trojanized version of Putty.exe, which helped Rhysida gain access to and persistence in the network. Once inside, the actor moved laterally through the network using Remote Desktop Protocol (RDP). 
During the threat actor’s time in the system, forensics identified the use of the tool Advanced Port Scanner for network enumeration, and exfiltration via azcopy commands that successfully transferred over a hundred thousand files into threat actor-controlled Azure storage. After exfiltration, but prior to ransomware deployment, the threat actor was observed clearing security logs across numerous systems, the details of which will be discussed in the next sections.\r\nRhysida Evasion Techniques\r\nAt-Bay Security reviewed access to a client environment after encryption with Rhysida ransomware (.rhysida). Investigation identified that the threat actor was diligent in clearing logs and applying other techniques to hide their tactics, techniques and procedures. However, investigators identified that a script meant to clear logs during the intrusion failed to complete the process, giving At-Bay analysts visibility into how the script worked.\r\nhttps://www.at-bay.com/threat-research/rhysida-evading-detection/\r\nPage 1 of 5\r\nThis article will break down each section of this code to reveal insights into threat actor obfuscation.\r\nIn the Beginning\r\nThe discovered script starts with the declaration of variables which can, and likely will, be changed per environment.\r\nHere the threat actor hard-codes an SMB IP address, which can be a share that already exists or one that the threat actor sets up prior to execution. They also define a password later used to reset the ‘Administrator’ account, as well as the text shown to a user prior to logging in.\r\nEvasion\r\nServices\r\nIn the next section of the script, the threat actor coded the names of services potentially running on a host that could hamper their exfiltration or encryption efforts.\r\nThe function ‘s’ defines a list of service names and, if they are present on the host, attempts to set those services to disabled and stop them. 
Most services will attempt to auto-restart if they crash or are closed; this is what the disabling part of the script is trying to address. After the services have been set to disabled, the script then attempts to stop those processes.\r\nProcesses\r\nThe next step attempts to identify and stop already running processes. This list targets base server applications as well as AV processes, backup processes, remote management processes, ERP applications and administration tooling. Using Windows Management Instrumentation Command-Line (WMIC), the threat actor looks for running processes with specific names and terminates them using the “delete” function. Following that, the threat actor uses PowerShell to terminate specific processes if they are currently running.\r\nAfter the threat actor shuts down these services and processes, they move on to active changes within the system.\r\nConfiguration Changes\r\nIn the next section of code, the threat actor sets an exception in Windows Defender to allow execution of any .exe file. After that, the threat actor associates the extension ‘.Readme’ with text files, which aids the compromised user in easily opening any file with a ‘.Readme’ extension, such as the ransom note. 
The last part of this section copies the computer name from the environment variable to a variable named ‘$name’, to be used later in the script.\r\nWakey-Wakey Eggs and Bakey\r\nThe threat actor uses the ARP table of the computer to compile a list of MAC addresses the computer knows about and crafts a Wake-On-LAN magic packet to those systems in an attempt to bring any systems that might have been offline back online, aiding in lateral movement inside an organization.\r\nEnable Remote Access\r\nThe threat actor enables RDP within the Windows registry and, within the Windows Firewall, enables any rule associated with the ‘Remote Desktop’ group.\r\nLocal Account Modification\r\nIn this section, the threat actor gathers a list of all local accounts on the Windows system. With this list of users it builds new passwords for the accounts, each being the first 13 characters of an MD5 hash. The hash is created by combining the username with the word ‘zero’.\r\nElevation\r\nIn this section the local built-in ‘Administrator’ account has its password set to the password defined at the beginning of the script in the variable ‘$LOCAL_ADMIN_PASS’. The script then makes sure the local ‘Administrator’ account is part of the local security group ‘Administrators’, ensuring the account has administrative privileges on the host. 
The threat actor also adds the same account to the local ‘Remote Desktop Users’ security group; in combination with the previous edits to the remote desktop settings, the threat actor should now have remote access to this host using the local ‘Administrator’ account.\r\nNo Way Back\r\nIn this section of the script, the threat actor takes steps to inhibit restoration of this host after the encryption event. The threat actor removes any Windows backups, shadow copies and restore points which might exist on the system.\r\nHere the threat actor attempts to remove the feature ‘Windows Defender’ from the host.\r\nEvade, Evade, Evade\r\nNext, the function ‘Uninstall-App’ attempts to remove protections on installed applications and perform an uninstall by utilizing either msiexec or cmd.exe.\r\nBlocking Restoration\r\nThis part of the script changes the boot policies for a Windows host and turns off recovery options if the host has issues during boot. This hinders any restoration options presented to the user at boot time. Next, the script enables Windows Remote Management and turns on the ability to execute PowerShell commands on this host from a remote system.\r\nCheck-in and Welcome Message\r\nThe script then checks to see if Windows Defender is still present. If the process is running, a text file named after the computer name is written to the share identified in the variables at the beginning of the script, with the content ‘NO’; conversely, if Windows Defender is not currently running it does the same but writes ‘OK’ to the text file. 
Next the script modifies the text displayed to an end user prior to logging on to the computer, using the content of the variables set at the beginning of the script.\r\nStealth Check\r\nNow the script clears all files located in C:\\Windows\\Temp. Next, for every user profile on the system, it removes any files in the per-user temp directory. After removing these temporary files, the script clears the Event Logs for the Security, Application and System channels. It removes any PowerShell commands which might be present in the PowerShell console history log. Inserted here amongst the evidence tampering techniques is another removal instruction for uninstalling Trend Micro. It then clears the PowerShell window and removes the history typed within.\r\nFile List, Achieved\r\nThe last of the recovered script we have here enumerates the file paths for all drives, providing the threat actor with insight into the data contained across the network.\r\nConclusion \u0026 Mitigation Tactics\r\nThis article highlights the lengths ransomware groups such as Rhysida will go to in order to hide their tracks while in a network. It is vital for organizations to use multi-layered security controls to prevent threat actors from accessing the network and to detect and eject them should one make it past first-line defenses.\r\nPractical suggestions to prevent ransomware attacks such as Rhysida include:\r\n1. Enforce Multi-Factor Authentication for remote services such as Virtual Private Networks (VPN) or Remote Desktop Protocol (RDP).\r\n2. Maintain a regular schedule for patching to ensure critical systems are running the latest versions of commercial software.\r\n3. Educate and inform users on how to identify suspicious emails or web search results prompting them to download software. 
Software should only be obtained from the official company domain.\r\n4. Utilize a Managed Detection and Response service to help identify and stop threat actor activity.\r\nAt-Bay policyholders have access to meetings with Cyber Advisors through the Stance Advisory Services in their policy. At-Bay’s expert Cyber Advisors can assist with advanced assessments, security training, and provide personalized recommendations for your organization. At-Bay also offers 24×7 monitoring and remediation through Stance Managed Detection and Response services.\r\nSource: https://www.at-bay.com/threat-research/rhysida-evading-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.at-bay.com/threat-research/rhysida-evading-detection/"
	],
	"report_names": [
		"rhysida-evading-detection"
	],
	"threat_actors": [
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7abbcbfde61d19a01dbb25c3bbdddffafbf03428.pdf",
		"text": "https://archive.orkl.eu/7abbcbfde61d19a01dbb25c3bbdddffafbf03428.txt",
		"img": "https://archive.orkl.eu/7abbcbfde61d19a01dbb25c3bbdddffafbf03428.jpg"
	}
}