{
	"id": "2dd2cdfe-0a46-4610-b8ca-3a36508bc97d",
	"created_at": "2026-04-06T00:06:35.820911Z",
	"updated_at": "2026-04-10T03:19:57.927988Z",
	"deleted_at": null,
	"sha1_hash": "bb1c832474b8961ed31728dc5ff6985e57c9db2b",
	"title": "BianLian Ransomware Expanding C2 Infrastructure and Operational Tempo - RH-ISAC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56360,
	"plain_text": "BianLian Ransomware Expanding C2 Infrastructure and\r\nOperational Tempo - RH-ISAC\r\nPublished: 2022-09-02 · Archived: 2026-04-05 17:31:21 UTC\r\nThe threat actors behind the BianLian ransomware are rapidly expanding their infrastructure, and the ransomware has been observed\r\ntargeting manufacturing organizations.\r\nContext\r\nOn September 1, 2022, researchers at the cybersecurity firm Redacted published a technical analysis of the\r\nBianLian ransomware. In the past month, BianLian has been observed being deployed against numerous sectors,\r\nincluding manufacturing, healthcare, and education. Throughout August, Redacted researchers reported observing\r\nBianLian threat actors rapidly expanding their command and control (C2) infrastructure and increasing their attack\r\nrate.\r\nTechnical Analysis\r\nBianLian is written in the Go programming language, likely to frustrate reverse engineering efforts by security\r\nresearchers and to make compromising multiple platforms easier for the threat actors deploying the ransomware.\r\nAccording to Redacted researchers, the threat actor appears technically sophisticated in compromising targeted\r\nnetworks, but is likely inexperienced at ransomware operations, based on the following behaviors observed during\r\nthe investigation:\r\nMistakenly sending data from one victim to another.\r\nPossessing a relatively stable backdoor toolkit but an actively developing encryption tool with an\r\nevolving ransom note.\r\nLong delays in communications with victims.\r\nBy the group’s own admission on their onion site, the business side of their infrastructure is\r\nunreliable.\r\nRedacted researchers also noted that the BianLian threat actors targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and SonicWall VPN devices to gain initial access into victim\r\nnetworks. The threat actors also employ Living off the Land (LOL) methodology to move laterally, adjusting\r\noperations based on the defensive controls present on infected networks.\r\nMitigation Options\r\nResearchers with Redacted provided the following defensive measures:\r\nAn aggressive, prioritized patching regime.\r\nEmploy multi-factor authentication on every system that allows it as an option.\r\nhttps://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/\r\nPage 1 of 6\r\nVisibility into your network and endpoint devices to quickly identify breaches.\r\nSecure backups to allow a return to business operations as soon as possible.\r\nA well-practiced incident response plan, so everyone involved knows their role.\r\nAn assessment of your “Crown Jewels” that can be used both to inform your security posture and to decide\r\nahead of an incident what data you could afford to have leaked, so you can avoid paying the ransom.\r\nIn addition to these strategic recommendations, there are multiple opportunities for behavioral detections in the\r\nattack chain leveraged by BianLian:\r\nDefense Evasion: Svchost not a child of services.exe\r\nBianLian named one of their LOL tools svchost, then launched it via a process other than\r\nservices.exe.\r\nDefense Evasion: Svchost executing from an unusual path\r\nBianLian named one of their LOL tools svchost.exe, then executed it from a non-standard path.\r\nDefense Evasion: Netsh to modify firewall rules\r\nBianLian leveraged netsh to add a firewall rule opening port 3389 for Remote Desktop.\r\nReconnaissance: Ping -4 -n 1\r\nBianLian used single pings to perform network reconnaissance. This is a false-positive-prone alert.\r\nLateral Movement: Winrm dropping a file via PowerShell\r\nThe binary wsmprovhost.exe mediates the relationship between WinRM and PowerShell.\r\nAlerting on file modification by wsmprovhost.exe proved a reliable method to detect BianLian\r\ndropping malicious files.\r\nLateral Movement: Unknown Binary Established Connection on 3389\r\nIf leveraging an EDR that classifies binaries as known and unknown and ties network connections\r\nto binaries, looking for port 3389 in use by unknown binaries can be extremely fruitful. This rule detects\r\nBianLian’s custom Go backdoor.\r\nCredential Access: Account manipulation via net.exe\r\n“Net user” is too loud to alert on in most environments, but we recommend alerting on a threshold\r\nof “net user” executions. Even a threshold as high as 10 events in 15 minutes would have detected\r\nBianLian in the attacks witnessed.\r\nExecution: Unknown binary launching PowerShell\r\nIf leveraging an EDR that classifies binaries as known and unknown, searching for unknown\r\nbinaries launching PowerShell will frequently detect use of the BianLian backdoor.\r\nDefense Evasion: Reg.exe modifying safeboot keys\r\nBianLian added their remote access tool to the safeboot registry keys so that the tool would retain\r\nnetwork access in safe mode.\r\nIOCs\r\nRedacted researchers provided indicators of compromise (historical and active IP addresses, and SHA256 hashes of encryptor and backdoor samples); the full list is in the source report linked below.\r\nMITRE TTPs\r\nRedacted researchers provided the following MITRE ATT\u0026CK tactics, techniques, and procedures:\r\nID Technique\r\nT1190 Initial Access: Exploit Public-Facing Application\r\nT1047 Execution: Windows Management Instrumentation\r\nT1059.001 Execution: Command and Scripting Interpreter: PowerShell\r\nT1098 Persistence: Account Manipulation\r\nT1078 Persistence: Valid Accounts\r\nT1562.001 Defense Evasion: Impair Defenses: Disable or Modify Tools\r\nT1526.004 Defense Evasion: Impair Defenses: Disable or Modify System Firewall\r\nT1036 Defense Evasion: Masquerading\r\nT1112 Defense Evasion: Modify Registry\r\nT1069 Discovery: Permission Groups Discovery\r\nT1018 Discovery: Remote System Discovery\r\nT1021.001 Lateral Movement: Remote Services: Remote Desktop Protocol\r\nT1021.005 Lateral Movement: Remote Services: VNC\r\nT1021.006 Lateral Movement: Remote Services: Windows Remote Management\r\nT1090 Command and Control: Proxy\r\nT1071.001 Command and Control: Application Layer Protocol: Web Protocol\r\nT1486 Impact: Data Encrypted for Impact\r\nSource: https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/"
	],
	"report_names": [
		"bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo"
	],
	"threat_actors": [],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb1c832474b8961ed31728dc5ff6985e57c9db2b.pdf",
		"text": "https://archive.orkl.eu/bb1c832474b8961ed31728dc5ff6985e57c9db2b.txt",
		"img": "https://archive.orkl.eu/bb1c832474b8961ed31728dc5ff6985e57c9db2b.jpg"
	}
}