{
	"id": "126b15b4-89de-4d78-ae67-9aa533d53268",
	"created_at": "2026-04-06T00:15:49.201384Z",
	"updated_at": "2026-04-10T03:29:39.908385Z",
	"deleted_at": null,
	"sha1_hash": "baf3b5161a5ecf87950144af8e9996437f940b1b",
	"title": "ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406548,
	"plain_text": "ALPHV Ransomware Affiliate Targets Vulnerable Backup\r\nInstallations to Gain Initial Access | Mandiant\r\nBy Mandiant\r\nPublished: 2023-04-03 · Archived: 2026-04-05 19:49:10 UTC\r\nWritten by: Jason Deyalsingh, Nick Smith, Eduardo Mattos, Tyler McLellan\r\nMandiant has observed a new ALPHV (aka BlackCat) ransomware affiliate, tracked as UNC4466,\r\ntarget publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877 and\r\nCVE-2021-27878, for initial access to victim environments. A commercial Internet scanning service identified\r\nover 8,500 installations of Veritas Backup Exec instances that are currently exposed to the internet, some of which\r\nmay still be unpatched and vulnerable. Previous ALPHV intrusions investigated by Mandiant primarily originated\r\nfrom stolen credentials, suggesting a shift to opportunistic targeting of known vulnerabilities. This blog post covers\r\nthe UNC4466 attack lifecycle, indicators, and detection opportunities.\r\nALPHV emerged in November 2021 as a ransomware-as-a-service that some researchers have claimed is the\r\nsuccessor to BLACKMATTER and DARKSIDE ransomware. 
While some ransomware operators enacted rules to\r\navoid impacting critical infrastructure and health entities, ALPHV has continued to target these sensitive\r\nindustries.\r\nTimeline\r\nIn March 2021, Veritas published an advisory reporting three critical vulnerabilities in Veritas Backup Exec\r\n16.x, 20.x and 21.x.\r\nOn September 23, 2022, a METASPLOIT module was released which exploits these vulnerabilities and\r\ncreates a session which the threat actor can use to interact with the victim system.\r\nOn October 22, 2022, Mandiant first observed exploitation of the Veritas vulnerabilities in the wild.\r\nAttack Phases\r\nInitial Compromise and Establish Foothold\r\nIn late 2022, UNC4466 gained access to an internet-exposed Windows server, running Veritas Backup Exec\r\nversion 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`. Shortly after, the\r\nMetasploit persistence module was invoked to maintain persistent access to the system for the remainder of this\r\nintrusion.\r\nInternal Reconnaissance\r\nhttps://www.mandiant.com/resources/blog/alphv-ransomware-backup\r\nPage 1 of 7\n\nAfter gaining access to the Veritas Backup Exec server, UNC4466 used Internet Explorer, the browser installed by\r\ndefault on older Windows systems, to download Famatech’s Advanced IP Scanner from its website,\r\nhxxps://download.advanced-ip-scanner[.]com. This tool is capable of scanning individual IP addresses or IP\r\naddress ranges for open ports, and returns hostnames, operating system and hardware manufacturer information.\r\nUNC4466 also made use of ADRecon to gather network, account, and host information in the victim’s\r\nenvironment. When executed by a privileged domain account, ADRecon generates several reports about the\r\nActive Directory environment, including the Trusts, Sites, Subnets, password policies, user and computer account\r\nlistings. 
These reports can be generated in a variety of formats, including CSV, XML, JSON, and HTML.\r\nIngress Tool Transfer\r\nUNC4466 made heavy use of the Background Intelligent Transfer Service (BITS) to download additional tools\r\nsuch as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.\r\nCommand and Control\r\nUNC4466 leveraged SOCKS5 tunneling to communicate with compromised systems in the victim network. This\r\ntechnique is typically used to evade network defenses or other preventative network controls. Two separate tools\r\nwere deployed to execute this technique, LIGOLO and REVSOCKS.\r\nEscalate Privileges\r\nThe threat actor utilized multiple credential access tools, including Mimikatz, LaZagne and Nanodump to gather\r\nclear-text credentials and credential material.\r\nIn November 2022, UNC4466 utilized the MIMIKATZ Security Support Provider injection module\r\n(`MISC::MemSSP`). This module collects credentials in clear text as they are used, by manipulating the Local\r\nSecurity Authority Server Service (LSASS) on victim systems. This module creates a file named\r\n`C:\\Windows\\System32\\mimilsa.log`.\r\n[Nanodump] was also used to dump LSASS memory. Like the examples shown on Helpsystems' GitHub page, the\r\noutput file specified was a file in the `C:\\Windows\\Temp` directory.\r\nDefense Evasion\r\nDuring operations, UNC4466 takes steps to evade detection. Apart from clearing event logs, UNC4466 also used\r\nthe built-in Set-MpPreference cmdlet to disable Microsoft Defender’s real-time monitoring capability.\r\npowershell.exe Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue\r\nCommand and Control\r\nUNC4466 made use of BITS transfers (using the Start-BitsTransfer PowerShell cmdlet) to download various\r\nresources to the staging directory `c:\\ProgramData`. 
Using this technique, SOCKS5 tunneling tools, REVSOCKS\r\nand LIGOLO were downloaded from their official GitHub repositories.\r\nComplete Mission\r\nUNC4466 deploys the Rust-based ALPHV ransomware. In late 2022, UNC4466 added immediate tasks to the\r\ndefault domain policy. These tasks were configured to perform actions which disabled security software,\r\ndownloaded the ALPHV encryptor, and then executed it.\r\nExposure\r\nAs of this blog post's date, one commercial Internet scanning service reported over 8500 IP addresses which\r\nadvertise the \"Symantec/Veritas Backup Exec ndmp\" service on the default port 10000, as well as port 9000 and\r\nport 10001. While this search result does not directly identify vulnerable systems, as the application versions were\r\nnot identifiable, it demonstrates the prevalence of Internet-exposed instances that could potentially be probed by\r\nattackers.\r\nDetection Opportunities\r\nDefenders should place priority on monitoring internet-exposed Veritas Backup Exec Windows installations, for\r\nversions before 21.2. Mandiant observed that exploitation of Veritas Backup Exec can leave a noticeable imprint\r\non the Backup Exec log files. 
Where feasible, these log files should be forwarded to a SIEM or similar technology\r\nwhich enables detection and alerting when certain events are recorded.\r\nIn addition to any available network connection logging, Veritas Backup Exec logs will record evidence of\r\nconnections to remote systems.\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] + ndmpd.cpp (nnn):\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] | Session 1 started\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] - sslOpen() : Opening SSL for: 0x00000\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] - sslOpen(): certinfo = 0x00000; sslConn = 0x00000\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpcomm] - ndmpRun: Control connection accepted : connection establis\r\nThese connections should be triaged for any unknown IP addresses. These logs can also record the\r\nexecution of suspicious pre and post backup job commands.\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] - SetPreCommandEnvironment: Could not obtain the BE Job ID\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] - Could not obtain the BE Job Name to pass to the command C:\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpsrvr] - At least one of the Pre / Post Command environment variabl\r\n[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\\ndmpcomm] - ndmp_readit: Caught message on closed connection. Socket 0\r\nUNC4466\r\nDS0015 - Application log\r\nBackup Exec logs\r\nConnections to unknown IP addresses\r\nSuspicious pre or post job commands being set (SetPreCommandEnvironment/\r\nSetPostCommandEnvironment). 
E.g: C:\\Windows\\System32\\cmd.exe /c\r\n\"C:\\Windows\\Temp\\UNKNOWN_EXEC.exe\"\r\nWindows Event Logs\r\nSuspicious BITS transfers with the source argument targeting unknown hosts and GitHub\r\nrepositories.\r\nPre-ransomware activity: deletion of volume shadow copies\r\nDS0017 – Command\r\nDisabling AMSI: use of Set-MpPreference PowerShell cmdlet\r\nIngress tool transfer: Use of Start-BitsTransfer PowerShell cmdlet\r\nDS0022 – File\r\nNew executables created in staging directories: C:\\ProgramData, C:\\Windows\\Temp,\r\nC:\\Windows\\Tasks\r\nDS0024 – Windows Registry\r\nModification of Registry run keys\r\nOutlook\r\nMandiant recommends implementing secure access controls, segmenting networks, enabling multi-factor\r\nauthentication, and regularly testing and evaluating backup strategies to limit the impact of a ransomware attack.\r\nAdditionally, organizations should inventory externally facing services and reduce the attack surface available to\r\nattackers.\r\nAcknowledgements\r\nWith special thanks to Nick Richard for technical review.\r\nMITRE ATT\u0026CK\r\nMandiant has observed UNC4466 use the following techniques:\r\nIndicators of Compromise\r\nda202cc4b3679fdb47003d603a93c90d MIMIKATZ\r\n5fe66b2835511f9d4d3703b6c639b866 NANODUMP\r\n1f437347917f0a4ced71fb7df53b1a05 LIGOLO\r\nb41dc7bef82ef384bc884973f3d0e8ca REVSOCKS\r\nc590a84b8c72cf18f35ae166f815c9df Sysinternals PSEXEC\r\n24b0f58f014bd259b57f346fb5aed2ea WINSW\r\ne31270e4a6f215f45abad65916da9db4 REVSOCKS\r\n4fdabe571b66ceec3448939bfb3ffcd1 Advanced Port Scanner\r\n68d3bf2c363144ec6874ab360fdda00a LAZAGNE\r\nee6e0cb1b3b7601696e9a05ce66e7f37 ALPHV\r\nf66e1d717b54b95cf32154b770e10ba4 METASPLOIT\r\n17424a22f01b7b996810ba1274f7b8e9 METASPLOIT\r\n45[.]61[.]138[.]109  \r\n185[.]141[.]62[.]123  \r\n5[.]199[.]169[.]209  \r\n45[.]61[.]138[.]109:45815  
\r\n45[.]61[.]138[.]109:43937  \r\n45[.]61[.]138[.]109:36931  \r\n5[.]199[.]169[.]209:31600  \r\n45[.]61[.]138[.]109:41703  \r\n185[.]99[.]135[.]115:39839  \r\n185[.]99[.]135[.]115:41773  \r\n45[.]61[.]138[.]109:33971  \r\n185[.]141[.]62[.]123:50810  \r\n185[.]99[.]135[.]115:49196  \r\nhxxp://185[.]141[.]62[.]123:10228/update[.]exe  \r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/alphv-ransomware-backup"
	],
	"report_names": [
		"alphv-ransomware-backup"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/baf3b5161a5ecf87950144af8e9996437f940b1b.pdf",
		"text": "https://archive.orkl.eu/baf3b5161a5ecf87950144af8e9996437f940b1b.txt",
		"img": "https://archive.orkl.eu/baf3b5161a5ecf87950144af8e9996437f940b1b.jpg"
	}
}