{
	"id": "7bfeabcf-3afb-40b0-9578-c1e37a733631",
	"created_at": "2026-04-06T00:18:43.300301Z",
	"updated_at": "2026-04-10T13:12:48.901192Z",
	"deleted_at": null,
	"sha1_hash": "de83d274e5daa8a4729f2faa6455411c0834cbf2",
	"title": "Hackers fork open-source reverse tunneling tool for persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2345260,
	"plain_text": "Hackers fork open-source reverse tunneling tool for persistence\r\nBy Bill Toulas\r\nPublished: 2022-03-09 · Archived: 2026-04-05 18:43:02 UTC\r\nSecurity experts have spotted an interesting case of a suspected ransomware attack that employed custom-made tools typically used by APT (advanced persistent threat) groups.\r\nAlthough no concrete connection between groups has been uncovered, the operational tactics, targeting scope, and malware customization capabilities suggest a potential connection.\r\nAs detailed in a report sent to Bleeping Computer by Security Joes, the threat actors were observed in an attack against one of its clients in the gambling/gaming industry, where a mix of custom-made and readily available open-source tools was used.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/\r\nThe most notable cases are a modified version of Ligolo, a reverse tunneling utility that's freely available to pentesters on GitHub, and a custom tool to dump credentials from LSASS.\r\nAttack in the wild\r\nAccording to the incident responders at Security Joes, the attack unfolded on a weekend evening and developed rapidly, showcasing the actors’ skills and \"red teaming\" knowledge.\r\nThe initial access came through compromised employee SSL-VPN credentials, followed by admin scans and RDP brute-force, and then credential harvesting efforts.\r\nThe subsequent steps involved accessing additional machines with high privileges, the deployment of a custom proxy tunnel for secure communications, and finally, the dropping of Cobalt Strike.\r\nAlthough the threat actors never had the chance to proceed any further in this particular case, Security Joes believes the next step would have been to deploy a ransomware payload, as the methods followed match those of typical ransomware gang operations.\r\nHowever, this part hasn't been confirmed, as the responders stopped the execution of the payload before the infiltrators were ready to deploy anything on the compromised network.\r\nCustom tools\r\nThe threat actors used several off-the-shelf open-source tools commonly used by numerous adversaries, like Mimikatz, SoftPerfect, and Cobalt Strike.\r\nOne notable differentiator is the deployment of ‘Sockbot’, a GoLang-written utility based on the Ligolo open-source reverse tunneling tool.\r\nOperation of the Ligolo tool (GitHub)\r\nThe hackers modified Ligolo with meaningful additions that removed the need to use command-line parameters and included several execution checks to avoid running multiple instances.\r\nAs a researcher at Security Joes told Bleeping Computer, a customized Ligolo isn't a common sight in the arsenal of any threat actor, apart from the Iranian state-sponsored MuddyWater hacking group, which is the only threat group known to modify it.\r\nThe reason for this rarity is that Ligolo isn't suitable for malicious deployment as-is, so coding skills are required to make it fit intrusion operations.\r\n\"Comparing the new variant (Sockbot) to the original source code available online, the threat actors added several execution checks to avoid multiple instances running at the same time, defined the value of the Local Relay as a hard-coded string to avoid the need of passing command line parameters when executing the attack and set the persistence via a scheduled task.\" - Security Joes\r\nAnother case of particular interest is ‘lsassDumper’, a custom tool also written in GoLang, used by the actors for automatic exfiltration from the LSASS process to the “transfer.sh” service.\r\nSecurity Joes claims this is the first time lsassDumper has been spotted in the wild, which again demonstrates the particular threat actor’s capacity and sophistication.\r\nlsassDumper code snippet (Security Joes)\r\nAlso, direct dumping of credentials from LSASS is another typical method of ransomware gangs, so it's another element that backs this hypothesis.\r\nFinally, the network infiltrators used ADFind for network reconnaissance, a freely available tool that adversaries use to gather information from Active Directory, which is also very common in the ransomware space.\r\n“Based on the behavior, the tools seen in this intrusion and the targeted sectors, we concluded that the attackers behind this operation are tightly related to a Russian-speaking ransomware gang, which is taking tools used by other groups and adding their personal signature to them.” - concludes the report from Security Joes.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/"
	],
	"report_names": [
		"hackers-fork-open-source-reverse-tunneling-tool-for-persistence"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de83d274e5daa8a4729f2faa6455411c0834cbf2.pdf",
		"text": "https://archive.orkl.eu/de83d274e5daa8a4729f2faa6455411c0834cbf2.txt",
		"img": "https://archive.orkl.eu/de83d274e5daa8a4729f2faa6455411c0834cbf2.jpg"
	}
}