{
	"id": "121dac2c-9013-4c16-9e50-4a293df8456f",
	"created_at": "2026-04-06T01:30:30.88805Z",
	"updated_at": "2026-04-10T03:28:28.168366Z",
	"deleted_at": null,
	"sha1_hash": "cf960dc061b463f2400f1e30603ded544e01649b",
	"title": "Using Hindsight to Close a Cuba Cold Case",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97586,
	"plain_text": "Using Hindsight to Close a Cuba Cold Case\r\nBy GuidePoint Security\r\nPublished: 2022-02-08 · Archived: 2026-04-06 00:30:18 UTC\r\nIntroduction\r\nIn September 2021, we released a blog outlining a “Ransomware Near Miss” that began with the exploitation of\r\nProxyShell before deploying Cobalt Strike and a unique RAT for post-exploitation efforts. Luckily, we were able\r\nto prevent ransomware from being deployed within the environment during that incident. Fast forward to February\r\n2022, and the GuidePoint Security DFIR team found itself in familiar territory, but this time Cuba ransomware\r\nwas deployed throughout the environment, resulting in devastating damage to an organization’s IT systems.\r\nAt the time we published the “Ransomware Near Miss” blog, we did not have concrete evidence to firmly link the\r\nattack to a specific ransomware family or group. In fact, based on the tools deployed during that incident, we\r\nsuspected possible links to the Conti group. However, as more intelligence has developed, we believe there are\r\nstrong indications that the “Ransomware Near Miss” can be attributed to the Cuba Ransomware Group.\r\nLet’s take a look.\r\nA Recent Cuba Attack and the Links to the “Ransomware Near Miss”\r\nIn early February, GuidePoint’s DFIR team was engaged by a client to respond to a confirmed Cuba ransomware\r\nattack. The initial intrusion pointed to a misconfiguration on a public-facing server that allowed the attackers\r\nto infiltrate the environment, move laterally, and deploy the ransomware throughout the environment. The .cuba\r\nfile extension and references within the ransom note were explicit indications of which group we were dealing\r\nwith.\r\nThe first interesting discovery was the use of DefenderControl.exe – a utility created by Sordum – that\r\npermanently disables Windows Defender on Windows systems. 
This was the first time the DFIR team had seen\r\nthis GUI-based defense evasion utility used by a ransomware threat actor, as opposed to\r\nPowerShell scripts or other defense evasion utilities.\r\nAlso early in the investigation, a malicious batch script, shar.bat, was discovered on multiple systems in the\r\nenvironment. Upon further review, this batch script served a single purpose: to grant full permissions to a series of\r\nattached drives (both local and remote) for the Everyone group and then delete itself from the system.\r\nhttps://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/\r\nPage 1 of 5\n\nFigure 1: Contents of shar.bat\r\nAs the ransomware investigation continued, GuidePoint intelligence analysts began researching and correlating\r\nadditional indicators of compromise (IOCs) associated with Cuba ransomware and the group’s tactics, techniques,\r\nand procedures (TTPs). As we analyzed our internal and external data sets, pivoting on shar.bat, we found two\r\npieces of open-source intelligence (OSINT) that pointed to some familiar IOCs. This is where things began to get\r\ninteresting, and we started flashing back to the “Ransomware Near Miss.”\r\nThe first OSINT source we found was a VirusTotal Collection for Cuba Ransomware that we discovered while\r\nreviewing shar.bat’s VirusTotal entry. One additional IOC within the collection immediately stood out,\r\nAgent32.bin, because it was one of the novel tools we saw used in the\r\nSeptember 2021 “Ransomware Near Miss.” Pivoting on Cuba intelligence further, we found the November 2021\r\nFBI Flash Alert for Cuba Ransomware. 
The IOCs section from this report also named komar.ps1 and\r\nAgent32.bin, as well as their corresponding SHA256 hashes, as known indicators for the Cuba group.\r\nKomar.ps1 is the malicious PowerShell downloader associated with Agent32.bin and was also observed in the\r\n“Near Miss.”\r\nAt this point, we retroactively assessed with high confidence that attribution for the “Ransomware Near Miss”\r\nbelonged to the Cuba Ransomware Group (UNC2596).\r\nSo What About Those Links to Conti Tools?\r\nIn the “Ransomware Near Miss” blog we originally drew connections between some of the defense evasion\r\nand exfiltration tools used in the incident and those observed as part of the Conti Affiliate Leak. During analysis,\r\nwe were hesitant to attribute the attack to the Conti group based only on the observation of tools that were now\r\npublicly available due to the leak. Hindsight being what it is, we now see the double-edged sword of threat actor\r\ntool leaks. The original leak was reported early in August 2021, and by September 2021 these tools were being\r\nused by the Cuba group to perform defense evasion and data exfiltration as a precursor to ransomware\r\ndeployment. To the Cuba group’s benefit, we were unable to attribute the attack to them during the initial\r\ninvestigation due to obfuscation through tool reuse.\r\nRecommendations\r\nThe cyber threat landscape continues to feature common themes that we have observed for years.\r\nMisconfigurations and lack of alerting capabilities remain among the most prevalent gaps in cyber defense\r\nprograms across all industries. 
Consider pursuing these recommendations to help reduce the likelihood of a\r\nransomware attack in your environment:\r\nMonitor your attack surface, including public-facing infrastructure, for misconfigurations or undesirable\r\nconfigurations that may lead to unauthorized access into the environment.\r\nConsider multi-factor authentication and additional logging to identify anomalous access on these\r\nsystems.\r\nEnsure that EDR and other behavioral detection mechanisms are enabled and being actively reviewed\r\nin the environment.\r\nActively pursue threat intelligence capabilities and integrations within your cyber defense function.\r\nMaturing threat intelligence capabilities helps blue teamers stay up to date with threat actor IOCs\r\nand TTPs.\r\nEnsure that you are administratively prepared for a ransomware event by pursuing tabletop exercises\r\nand developing playbooks for effective response.\r\nConclusion\r\nOver the past few years, ransomware groups have proven how quickly and effectively they can pivot and change\r\ntactics at will. The Cuba ransomware group is no exception. They have demonstrated a willingness to\r\nutilize third-party tools, regardless of their origin, as a strategy for the lowest effort and highest return. This\r\nstrategy has afforded them the opportunity to fly under the radar in some circumstances where custom tooling\r\nmight have outed them more quickly.\r\nRansomware groups undoubtedly remain one of the biggest threats in the cyber world; however, as this\r\nblog shows, we continue to pursue connecting the dots, sometimes retroactively, and develop threat intelligence to\r\ndiscover, attribute, slow, and hopefully stop more ransomware attacks. 
Our goal is to use threat intelligence to\r\naccomplish these goals and give the blue team the ability to make threat actors’ lives harder for a change.\r\nIndicators of Compromise\r\nSource: https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/"
	],
	"report_names": [
		"using-hindsight-to-close-a-cuba-cold-case"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439030,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf960dc061b463f2400f1e30603ded544e01649b.pdf",
		"text": "https://archive.orkl.eu/cf960dc061b463f2400f1e30603ded544e01649b.txt",
		"img": "https://archive.orkl.eu/cf960dc061b463f2400f1e30603ded544e01649b.jpg"
	}
}