{
	"id": "36ff1ed3-596b-4698-865c-685d3833ee5a",
	"created_at": "2026-04-06T00:16:41.633307Z",
	"updated_at": "2026-04-10T13:11:31.454992Z",
	"deleted_at": null,
	"sha1_hash": "aec5af92f43de57c3ba52bb95623a96b9bb6d5f5",
	"title": "Angry Conti ransomware affiliate leaks gang's attack playbook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3943057,
	"plain_text": "Angry Conti ransomware affiliate leaks gang's attack playbook\r\nBy Lawrence Abrams\r\nPublished: 2021-08-05 · Archived: 2026-04-05 13:28:26 UTC\r\nA disgruntled Conti affiliate has leaked the gang's training material for conducting attacks, including information about one of the ransomware's operators.\r\nThe Conti Ransomware operation is run as a ransomware-as-a-service (RaaS), where the core team manages the malware and Tor sites, while recruited affiliates perform network breaches and encrypt devices.\r\nAs part of this arrangement, the core team earns 20-30% of a ransom payment, while the affiliates earn the rest.\r\nhttps://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/\r\nPage 1 of 5\r\nToday, a security researcher shared a forum post created by an angry Conti affiliate who publicly leaked information about the ransomware operation. This information includes the IP addresses for Cobalt Strike C2 servers and a 113 MB archive containing numerous tools and training material for conducting ransomware attacks.\r\nForum post from disgruntled affiliate\r\nThe affiliate said he posted the material because he was paid only $1,500 for his part in an attack, while the rest of the team is making millions and promising big payouts after a victim pays a ransom.\r\n\"I merge you their ip-address of cobalt servers and type of training materials. 1500 $ yes, of course, they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays,\" the affiliate posted to a popular Russian-speaking hacking forum.\r\nAttached to the above post are images of Cobalt Strike beacon configurations that contain the IP addresses for command and control servers used by the ransomware gang.\r\nIn a tweet, security researcher Pancak3 advised everyone to block those IP addresses to prevent attacks from the group.\r\nIn a subsequent post, the affiliate shared an archive containing 111 MB of files, including hacking tools, manuals written in Russian, training material, and help documents that are allegedly provided to affiliates when performing Conti ransomware attacks.\r\nA security researcher shared a screenshot of this extracted folder with BleepingComputer. We were told it contains a manual on deploying Cobalt Strike, mimikatz to dump NTLM hashes, and numerous other text files filled with various commands.\r\nLeaked Conti training materials\r\nAdvanced Intel's Vitali Kremez, who had already analyzed the archive, told BleepingComputer that the training material matches active Conti cases.\r\n\"We can confirm based on our active cases. This playbook matches the active cases for Conti as we see right now,\" Kremez told BleepingComputer in a conversation.\r\n\"By and large, it is the holy grail of the pentester operation behind the Conti ransomware \"pentester\" team from A-Z. The implications are huge and allow new pentester ransomware operators to level up their pentester skills for ransomware step by step.\"\r\n\"The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous and experienced they are while targeting corporations worldwide.\"\r\n\"It also provides a plethora of detection opportunities, including the group's focus on AnyDesk persistence and Atera security software agent persistence to survive detections.\"\r\nThis leak illustrates the vulnerability of ransomware-as-a-service operations, as a single unhappy affiliate can lead to the exposure of carefully cultivated information and resources used in attacks.\r\nRecently, the United States government announced that its Rewards for Justice program is now accepting tips on foreign malicious cyber activity against U.S. critical infrastructure, with a potential $10 million reward for helpful information.\r\nAdditionally, rewards through this program may be paid anonymously in cryptocurrency, which could incentivize low-paid affiliates to turn on other cybercriminals.\r\nUpdate 8/6/21: A source told BleepingComputer that Conti banned the pentester after learning he was poaching business away from their operation by promoting a different, unidentified affiliate program.\r\nAfter being banned, the affiliate leaked Conti's training material and tools as revenge.\r\nSource: https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/"
	],
	"report_names": [
		"angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aec5af92f43de57c3ba52bb95623a96b9bb6d5f5.pdf",
		"text": "https://archive.orkl.eu/aec5af92f43de57c3ba52bb95623a96b9bb6d5f5.txt",
		"img": "https://archive.orkl.eu/aec5af92f43de57c3ba52bb95623a96b9bb6d5f5.jpg"
	}
}