{
	"id": "2da6238b-c4c6-4248-8f67-0ab06201135f",
	"created_at": "2026-04-06T00:17:21.455382Z",
	"updated_at": "2026-04-10T03:22:13.048108Z",
	"deleted_at": null,
	"sha1_hash": "b20035e1bb9cab96df9bbd59b19991b0d4b221c2",
	"title": "Intelligence Insights: December 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71996,
	"plain_text": "Intelligence Insights: December 2021\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 14:38:04 UTC\r\n⬆ = trending up from previous month\r\n⬇ = trending down from previous month\r\n➡ = no change in rank from previous month\r\n*Denotes a tie\r\nObservations on trending threats\r\nQbot continued to climb the ranks on the back of TR phishing campaigns leveraging SquirrelWaffle. Both TR and SquirrelWaffle cracked our top 10 for the first time this month. If you’re wondering why the payload (Qbot) is more prevalent than the initial access (TR), there are a few explanations. One is that there are multiple campaigns leading to Qbot. While TR is prolific, it is not the only source of the Qbot we see. Another reason that we sometimes see more later-stage activity rather than initial access is that it’s an artifact of onboarding customers during incident response. In many cases, our visibility into an environment begins in the middle of the attack chain—when the command and control bots (i.e., Qbot) are actively running but the ephemeral initial access has already run its course.\r\nWhile it didn’t make our top 10, we saw more detections* for BazarBackdoor than we’ve previously seen in any single month. Phishing campaigns delivered BazarBackdoor every Tuesday and Wednesday for the first three weeks of November. Despite this pattern in the timing, we observed variations in the phishing affiliate delivering the payload. For example, one affiliate that we had historically tied to Bazar recently began delivering Emotet as well. See the section “Guess who’s back…” below for details.\r\n*This increase applies both to the number of customer environments and the number of individual detections.\r\nConspicuously absent from this list is Yellow Cockatoo, which previously topped our charts. After a meteoric rise in late summer and early fall, Yellow Cockatoo was the most prevalent threat we saw in Red Canary customers in September. This prolific pest perpetuated its preponderance throughout most of October, then vanished suddenly. This observation is consistent with the timeline of reporting from a researcher, going by the handle “SquiblyDoo,” who closely monitors Yellow Cockatoo activity. SquiblyDoo’s research trail appears to have gone cold after posting a blog in mid-October with updates on changes in Yellow Cockatoo’s TTPs. Red Canary continues to monitor for signs of new activity and will update our coverage if—and when—anything changes.\r\nGuess who’s back, back again… Emotet’s back, tell a friend…\r\nMonths after a coordinated effort disrupted their infrastructure and operations, Emotet has returned and they’re changing things up. For the first time this month, we saw Emotet delivered via AppX bundles, suggesting that\r\nhttps://redcanary.com/blog/intelligence-insights-december-2021\r\nPage 1 of 3\r\ncertain operators may be experimenting with ways to evade common defenses.\r\nIn November 2021, Red Canary observed Emotet delivered via AppX, a type of installer bundle used to distribute common Windows applications. In these cases, victims interacted with a website spoofed to resemble an installer for Adobe PDF software, where they downloaded an AppX bundle containing an Emotet file.\r\nEmotet activity in November also involved previously known delivery mechanisms. Much of the other Emotet activity we saw resembled variations on Emotet campaigns of the past. In these cases, documents sent as attachments via email contained PowerShell code written to download Emotet payloads, which used the export Control_RunDLL for execution. Though we did not observe this activity firsthand, in mid-November, security researchers observed Trickbot malware infections deploying Emotet payloads.\r\nThis evolving tradecraft complicates efforts to track and attribute activity. In the case of the AppX bundles, Emotet appeared to use the same resources that were used by BazarBackdoor for deployment earlier in November. Since Red Canary observed the same activity and resources used by both families, we decided to track the AppX bundle deployment activity cluster under a separate name: Ultramarine Wren.\r\nAs Emotet evolves and we observe its use in different activity clusters, we continue to track changes in behavior and corresponding ways to detect that behavior.\r\nDetection opportunity: Rundll32 execution with a unique function\r\nprocess_name == rundll32.exe\r\n\u0026\u0026\r\ncommand_line_contains == Control_RunDLL\r\n\u0026\u0026\r\ncommand_line_does_not_contain == shell32\r\nRecent increase in webshell activity likely stems from exploitation of ADSelfService Plus RCE vulnerability\r\nOver November, Red Canary observed an increase in detections involving webshells. Further analysis suggests that many of these were likely the result of the exploitation of CVE-2021-40539, a vulnerability in ADSelfService Plus. ADSelfService Plus is a common password management and single sign-on (SSO) solution. Exploitation of this vulnerability can enable a range of nefarious follow-on activity, and multiple operators are reportedly using this exploit in the wild. We are tracking behaviors related to known compromises and recommend that customers using ADSelfService Plus apply the patch issued by ManageEngine.\r\nResearchers at Synacktiv outlined in-the-wild use of tradecraft involving this vulnerability that allowed Red Canary to identify a specific behavior consistently related to this attack chain. We saw operators use the Java utility keytool.exe to move a recently installed webshell from an initial directory to a new location.\r\nDetection opportunity: Keytool.exe parent process spawning a Windows shell\r\nparent_process_name == keytool.exe\r\n\u0026\u0026\r\nprocess_name == ( cmd.exe || powershell.exe )\r\nFailure to securely configure ADSelfService Plus can provide an adversary who exploits this vulnerability with immediate domain admin access. Administrators can configure ADSelfService Plus in a variety of ways, giving varied levels of permissions to Active Directory users, ranging from local SYSTEM to full Domain Admin. In turn, if an adversary were to exploit CVE-2021-40539, they would be given that level of permission and access to the Active Directory. To properly secure ADSelfService Plus and protect Active Directory accounts, we strongly recommend that customers refrain from running ADSelfService Plus with an elevated permissions account, such as Domain Admin. Instead, customers should use an unprivileged Active Directory account configured according to guidance from ManageEngine.\r\nBased on our observations and public reporting from CISA, Microsoft, and Palo Alto’s Unit 42, it is clear that post-exploitation activity varies across intrusions. We continue to track activity related to this threat and expand our detection coverage to account for new variations.\r\nDetection opportunity: Excel spawning WMIC\r\nparent_process_name == excel.exe\r\n\u0026\u0026\r\nprocess_name == wmic.exe\r\nDetection opportunity: MSHTA execution without HTA file\r\nprocess_name == mshta.exe\r\n\u0026\u0026\r\ncommand_line_does_not_contain == .hta\r\nAs always, the assessments in this report represent our best thinking based on our current visibility. To this end, we welcome the receipt of conflicting or contradictory information on these threats and acknowledge that our assessments are subject to change over time as we incorporate new information. To submit additional information for consideration, please contact intel@redcanary.com.\r\nSource: https://redcanary.com/blog/intelligence-insights-december-2021",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/intelligence-insights-december-2021"
	],
	"report_names": [
		"intelligence-insights-december-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b20035e1bb9cab96df9bbd59b19991b0d4b221c2.pdf",
		"text": "https://archive.orkl.eu/b20035e1bb9cab96df9bbd59b19991b0d4b221c2.txt",
		"img": "https://archive.orkl.eu/b20035e1bb9cab96df9bbd59b19991b0d4b221c2.jpg"
	}
}