{
	"id": "f59d0212-79db-420d-9af3-422f292cec14",
	"created_at": "2026-04-06T00:22:27.381422Z",
	"updated_at": "2026-04-10T13:11:18.579741Z",
	"deleted_at": null,
	"sha1_hash": "84b9e0d94d1f552219f1a7a86a5728539a2e82c4",
	"title": "Microsoft Exchange servers hacked to deploy Cuba ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3380443,
	"plain_text": "Microsoft Exchange servers hacked to deploy Cuba ransomware\r\nBy Bill Toulas\r\nPublished: 2022-02-24 · Archived: 2026-04-05 16:20:16 UTC\r\nThe Cuba ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices.\r\nCybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLDDRAW. However, the ransomware is more commonly known as Cuba, which is how BleepingComputer will reference them throughout this article.\r\nCuba is a ransomware operation that launched at the end of 2019, and while they started slow, they began to pick up speed in 2020 and 2021. This increase in activity led to the FBI issuing a Cuba ransomware advisory in December 2021, warning that the gang breached 49 critical infrastructure organizations in the U.S.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/\r\nPage 1 of 5\r\nIn a new report by Mandiant, researchers show that the Cuba operation primarily targets the United States, followed by Canada.\r\nCuba ransomware victims heat map\r\nSource: Mandiant\r\nMixing commodity and custom malware\r\nThe Cuba ransomware gang has been seen leveraging Microsoft Exchange vulnerabilities to deploy web shells, RATs, and backdoors to establish a foothold on the target network since August 2021.\r\n\"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021,\" explains Mandiant in a new report.\r\nThe planted backdoors include Cobalt Strike or the NetSupport Manager remote access tool, but the group also uses its own ‘Bughatch’, ‘Wedgecut’, ‘eck.exe’, and ‘Burntcigar’ tools.\r\nWedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates Active Directory through PowerShell.\r\nBughatch is a downloader that fetches PowerShell scripts and files from the C\u0026C server. To evade detection, it loads in memory from a remote URL.\r\nBurntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.\r\nFinally, there’s a memory-only dropper that fetches the above payloads and loads them, called Termite. However, this tool has been observed in campaigns of multiple threat groups, so it’s not used exclusively by the Cuba threat actors.\r\nThe threat actors escalate privileges using stolen account credentials sourced through the readily available Mimikatz and Wicker tools.\r\nThen they perform network reconnaissance with Wedgecut, and next, they move laterally with RDP, SMB, PsExec, and Cobalt Strike.\r\nThe subsequent deployment is Bughatch loaded by Termite, followed by Burntcigar, which lays the ground for data exfiltration and file encryption by deactivating security tools.\r\nThe Cuba gang doesn’t use any cloud services for the exfiltration step but instead sends everything to its own private infrastructure.\r\nCuba ransomware note to victims\r\nSource: Mandiant\r\nAn evolving operation\r\nBack in May 2021, Cuba ransomware partnered with the spam operators of the Hancitor malware to gain access to corporate networks through DocuSign phishing emails.\r\nSince then, Cuba has evolved its operations to target vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities.\r\nThis shift makes the attacks more potent but also easier to thwart, as security updates that plug the exploited issues have been available for many months now.\r\nThe Cuba operation will likely turn its attention to other vulnerabilities once there are no more valuable targets running unpatched Microsoft Exchange servers.\r\nThis means that applying the available security updates as soon as the software vendors release them is key to maintaining a robust security stance against even the most sophisticated threat actors.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/"
	],
	"report_names": [
		"microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware"
	],
	"threat_actors": [
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84b9e0d94d1f552219f1a7a86a5728539a2e82c4.pdf",
		"text": "https://archive.orkl.eu/84b9e0d94d1f552219f1a7a86a5728539a2e82c4.txt",
		"img": "https://archive.orkl.eu/84b9e0d94d1f552219f1a7a86a5728539a2e82c4.jpg"
	}
}