{
	"id": "3eebd3d7-1922-43aa-a248-0308d964e38d",
	"created_at": "2026-04-06T00:16:07.982168Z",
	"updated_at": "2026-04-10T13:13:03.923187Z",
	"deleted_at": null,
	"sha1_hash": "81dfd562951a531555cb5e236269a1a181f04e61",
	"title": "Disgruntled ransomware affiliate leaks the Conti gang's technical manuals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 279102,
	"plain_text": "Disgruntled ransomware affiliate leaks the Conti gang's technical manuals\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-05 17:16:01 UTC\r\nA disgruntled member of the Conti ransomware program has today leaked the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files.\r\nLeaked on an underground cybercrime forum named XSS earlier today, the files were shared by an individual who appears to have had an issue with the low amount of money the Conti gang was paying them to breach corporate networks.\r\nhttps://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/\r\nPage 1 of 3\r\nIn messages spammed across the forum, the individual shared screenshots of IP addresses where the Conti gang hosts Cobalt Strike command-and-control servers, which Conti affiliate members use to access hacked company networks.\r\nhttps://twitter.com/pancak3lullz/status/1423324601346629635\r\nIn addition, the individual also published a RAR archive named \"Мануали для работяг и софт.rar,\" which roughly translates to \"Manuals for hard workers and software.rar.\"\r\nThis archive contains 37 text files with instructions on how to use various hacking tools and even legitimate software during a network intrusion.\r\nFor example, the leaked manuals contain guides on how to:\r\nconfigure the Rclone software with a MEGA account for data exfiltration\r\nconfigure the AnyDesk software as a persistence and remote access solution into a victim's network [a known Conti tactic]\r\nconfigure and use the Cobalt Strike agent\r\nuse the NetScan tool to scan internal networks\r\ninstall the Metasploit pen-testing framework on a virtual private server (VPS)\r\nconnect to hacked networks via RDP using a Ngrok secure tunnel\r\nelevate and gain admin rights inside a company's hacked network\r\ntake over domain controllers\r\ndump passwords from Active Directories (NTDS dumping)\r\nperform SMB brute-force attacks\r\nbrute-force routers, NAS devices, and security cameras\r\nuse the ZeroLogon exploit\r\nperform a Kerberoasting attack\r\ndisable Windows Defender protections\r\ndelete shadow volume copies\r\nconfigure their own operating systems to use the Tor anonymity network, and more\r\nLeaks from Ransomware-as-a-Service (RaaS) operations are extremely rare; however, the data shared today isn't anything that security researchers would describe as groundbreaking.\r\nThe leaked files contain guides for basic offensive tactics and techniques that the Conti and other ransomware gangs have used during previous intrusions for years.\r\nHowever, the leak will help some security firms put together stronger defensive playbooks that they can recommend to their customers in order to improve their ability to detect Conti intrusions—now knowing exactly what operations Conti affiliates might execute.\r\nSource: https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/"
	],
	"report_names": [
		"disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81dfd562951a531555cb5e236269a1a181f04e61.pdf",
		"text": "https://archive.orkl.eu/81dfd562951a531555cb5e236269a1a181f04e61.txt",
		"img": "https://archive.orkl.eu/81dfd562951a531555cb5e236269a1a181f04e61.jpg"
	}
}