├── IOCs - Locked Out, Dropboxed In - When BEC threats innovate.csv
├── TTPs - BlackBasta Chat Leaks.csv
├── TTPs - Locked Out, Dropboxed In - When BEC threats innovate.csv
├── TTPs - Profiling JavaGhost - May2025.csv
└── TTPs - Profiling Laundry Bear - June 2025.csv

/IOCs - Locked Out, Dropboxed In - When BEC threats innovate.csv:
--------------------------------------------------------------------------------
Type,Data,Confidence,Notes
URL,hxxps://usmuvr2y8u[.]opawalerch[.]shop/?email=,HIGH,Original indicator from the incident response case.
Domain,1y4vvc[.]designedbydrake[.]com,HIGH,Original indicator from the incident response case.
Domain,rmlsjufbad[.]bolaa[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,tuqqme1qyd[.]online-folder[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,cghlaggzy8[.]airjordanrg[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,rv92jdk6xn[.]online-folder[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ikklv5russ[.]folders[.]tech,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,sqmjnz0s6u[.]inovecapa[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,42uucgibld[.]saddlerandco[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,vl0mw7ckvv[.]thelastpepe[.]net,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ccsbc8jgpa[.]jessesexpress[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,dwz2sanhzn[.]passknowyourmeme[.]net,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,wz00acfwqo[.]piscreatub[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,hies1amtrl[.]thelastpepe[.]net,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,zolfvfqc2c[.]thelastpepe[.]net,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,0p9tobrxup[.]inizineko[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,9gkhaxrahi[.]around-broadcast[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fmndr3wke2[.]lawmakerbars[.]net,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,bkbbhmnkec[.]dozashop[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,thvf5kfbnc[.]dentsplsyirona[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,i9qyfdow3d[.]thiticteph[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,vdfj9o9nwe[.]goofy-playground[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,83t23tmt4j[.]jullusbaer[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,wp6v32ws17[.]rtprubikslot[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,3ozciiup4u[.]savvyandsassy[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,imv57xudqx[.]n3ns06[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ixhfmcmpbx[.]rowvirtual[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,qfnhzf5e3y[.]rw-lnvest[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ucfqhzprwu[.]lookerstudi0-microsoft0nline[.]net,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,05gddnqysh[.]doume01056565661[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,z4h8pccdst[.]doume01055511343[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,r9ogle9lxu[.]jmarsksystems[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,awxgg4v7nb[.]locomprosubito[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,kubfac373a[.]poupintrom[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,y9leo9lnc4[.]ludlothity[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,husjaszk8p[.]axubl[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ylpqqm1fmf[.]difogatold[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,jm7le0nvcr[.]windandwaterhome[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,kzeixyjols[.]s2andeampar[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,y6lm61mrkl[.]luminoushills[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,kiubn0poot[.]idealsfab[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,eokqokxz3d[.]graf-autoreifen[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,usermain10[.]site,MEDIUM,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,svr[.]usermain10[.]site,MEDIUM,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,tp49u6[.]designedbydrake[.]com,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,2sasmbdrnc[.]rhormiramb[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,w1h02jgdy5[.]pavicoparn[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fmy9vrshoz[.]fettweding[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,v7gc5j3rds[.]momenberek[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,2sxv09vjfs[.]nironiolax[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,q6extzjouk[.]icarlayand[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,w6x80a18li[.]vulsomerio[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ceoippm4ia[.]tulcianara[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,juwxivm0rm[.]fleadaliev[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,t01abhs78f[.]watialhani[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,qrw3ibiitb[.]smoncacasp[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,la4nxuc6ao[.]funthipina[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,xkdnngowie[.]varntitagi[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,2k4os0m1i0[.]zonenctrin[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,5fxu4ykxo2[.]erostatcom[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,4k0jm9bwaz[.]bemisamete[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,4sdawknqtl[.]swoninanii[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,k6vxjpxv54[.]sineetsiol[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,mwvy9up0xp[.]crenasetts[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,yiwdszotnf[.]recusenawa[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,v78dmza0xg[.]ananironit[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,zngktdidcv[.]awelimoste[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,uz9hw0u5a5[.]sarbeturch[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ykl8ikifco[.]figearnere[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,97jbtglxo9[.]fslocerann[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,8ffaqtwb3o[.]putisaiack[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,zawjtv7pvs[.]plubalisia[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,w5icwgvkzx[.]posteresci[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,lnymtfvrsa[.]robanoutem[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,nvklnf62mj[.]snoideseya[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ad4nrmlppi[.]ostelamuty[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,eggfbrr2dy[.]pheadialna[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,reeqxmtnib[.]algaitists[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,xt7b4dqx4s[.]akunprocuan[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,vx36u8ygad[.]saferaific[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,9ep13gkb31[.]dersemansl[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,k2v1dzjqes[.]mazenernac[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,mat57djqw4[.]mirenceafi[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,8cb7uvecuf[.]gehincetis[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,1bpb6exm0h[.]oppepetird[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,idjeitvrsv[.]forrabsonx[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,qojwb0kasu[.]fooscobily[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,4dcjnr4289[.]epessuperb[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,c8ayb3ljtg[.]oinatenigm[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,gb9bftax4w[.]cateeantok[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,t5h9vf5vu9[.]carnesilcy[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fswfncfn8s[.]prerceabor[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,wgsujh1j4w[.]odiransier[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,cpcqvlxnjg[.]balastiarb[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,mygcn6nezs[.]muteampham[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ptyquabrig[.]betusisave[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,6sjzaoahe7[.]whisdangon[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,0of3hotmlc[.]baigamillo[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,429n6uor4j[.]aheserwead[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fpvet7qpfb[.]decrevoold[.]store,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,jgasbtunvu[.]revamescle[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,qagjp4omfe[.]ugalidaser[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,dbtocteo3z[.]foriemevid[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,wsoujzatjl[.]pindatitma[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,i31wi5jvvo[.]shalagruey[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,nq5fvlqecl[.]glenoslint[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,aagaz5jql2[.]paphiclito[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,tvnqeb2phr[.]brimmeoneo[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fruqhp6wst[.]teasithlef[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,sicyfjo8pj[.]excenaread[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ttclq0dvsm[.]etrarinthy[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,8x32qprnr0[.]miluarismo[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,2phbsojej3[.]gerasamarp[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,nrafziwnnx[.]lhaicarnan[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,g7dfbdax0t[.]honininjah[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,qa2rgygar3[.]mieliarilo[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,rfsfwh5lvh[.]imerivilen[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,thnaytggqw[.]hoorecress[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,uesp5ggijb[.]nobeseinge[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,oewpjnwroa[.]nineocrogy[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,usmuvr2y8u[.]opawalerch[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,iym6ivfg1m[.]borraletex[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,e0ibsoqqbl[.]xerttionct[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,s5tzzweovy[.]laescumant[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ugusekc8kk[.]splumettep[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fuqqzwtrrn[.]sourtmaite[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,fimzqx0ung[.]erematisps[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,hyya3keayt[.]winifanada[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,wicnkedfc1[.]yolenaccid[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,vkcgqz7waz[.]vulazeterm[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,ctjeqa09je[.]qatiomaloq[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,abcsvr4[.]xyz,MEDIUM,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,svr[.]abcsvr4[.]xyz,MEDIUM,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
--------------------------------------------------------------------------------
/TTPs - BlackBasta Chat Leaks.csv:
--------------------------------------------------------------------------------
Tactic;Technique ID;Technique;Procedure;;;
Initial Access;T1078.002;Valid Accounts: Domain Accounts;Access via AD/AzureAD/EntraID accounts via ADFS SSO;;;
Initial Access;T1078.004;Valid Accounts: Cloud Accounts;Use of valid RDP/Citrix/M365/Oracle Cloud credentials;;;
Initial Access;T1133;External Remote Services;Access via RDP gateways, Citrix, ADFS SSO, and web shells;;;
Execution;T1059.009;Command and Scripting Interpreter: Cloud API;Execution of payloads via Azure console or ESXi shell;;;
Execution;T1059.003;Command and Scripting Interpreter: Windows Command Shell;Rclone, file wipes, and SSH launches from Windows-based systems;;;
Persistence;T1098.001;Account Manipulation: Additional Cloud Credentials;Configuring Azure-based backup for data siphoning;;;
Privilege Escalation;T1078;Valid Accounts;Same account reuse across Citrix, Oracle, and Windows Domain Controllers;;;
Defense Evasion;T1562.001;Impair Defenses: Disable or Modify Tools;Disable ESXi autostart, hide VMs;;;
Defense Evasion;T1036;Masquerading;Payloads deployed as system-sounding scripts;;;
Credential Access;T1552.001;Unsecured Credentials: Credentials In Files;Hardcoded creds in Oracle Cloud, Citrix, RDP;;;
Discovery;T1087;Account Discovery;Manual ADFS site testing to enumerate services;;;
Discovery;T1082;System Information Discovery;Screenshots and enumeration of installed cloud agents;;;
Lateral Movement;T1021.004;Remote Services: SSH;Proxychains SSH into ESXi nodes;;;
Lateral Movement;T1021.001;Remote Services: Remote Desktop Protocol;Login through RDP services in Azure, Google Cloud, Citrix;;;
Collection;T1114.002;Email Collection: Remote Email Collection;M365 documents from shared drives;;;
Collection;T1560.001;Archive Collected Data: Archive via Utility;Archive creation via zip/7z for transfer;;;
Exfiltration;T1048;Exfiltration Over Alternative Protocol;"Rclone exfiltration from cloud servers; or FTP";;;
Impact;T1490;Inhibit System Recovery;Wiping backups post-exfil (FTP);;;
Impact;T1486;Data Encrypted for Impact;ESXi locker for encrypted VMs;;;
--------------------------------------------------------------------------------
/TTPs - Locked Out, Dropboxed In - When BEC threats innovate.csv:
--------------------------------------------------------------------------------
Tactic,Technique ID,Technique,Procedure
Initial Access,T1199,Trusted Relationship,The threat actor exploits trusted relationships between the victim’s organization and cloud providers to create accounts without standard verification.
Initial Access,T1566.002,Phishing: Spearphishing Link,"An email with a Dropbox invoice lures the victim into clicking a link, which redirects them to a phishing page that initiates the attack."
Execution,T1204.001,User Execution: Malicious Link,"The victim clicks the malicious link in the email, which opens the phishing page that starts the attack; no file is dropped at this stage."
Persistence,T1078.004,Valid Accounts: Cloud Accounts,"New cloud service accounts (e.g., Dropbox, WeTransfer) are registered using the victim’s email, enabling impersonation and continued phishing activity."
Persistence,T1098,Account Manipulation,"The threat actor configures eM Client with granted Graph API permissions, effectively obtaining an additional OAuth credential that remains valid even after password resets."
Defense Evasion,T1078.004,Valid Accounts: Cloud Accounts,The threat actor registers additional cloud service accounts using the victim’s email to bypass detection and maintain stealth during phishing operations.
Defense Evasion,T1564.008,Hide Artifacts: Email Hiding Rules,"Email rules are configured to delete or move messages (e.g., to the RSS folder), effectively hiding or removing evidence of the malicious activity."
Credential Access,T1557,Adversary-in-the-Middle,"The phishing page intercepts credentials and MFA tokens entered by the victim, enabling real-time credential collection by the threat actor."
Collection,T1114.003,Email Collection: Email Forwarding Rule,Email forwarding rules are established to automatically redirect incoming emails to a threat actor–controlled destination.
Collection,T1114.002,Email Collection: Remote Email Collection,"The threat actor configures eM Client to sync the mailbox locally, preserving email content even after access to the online account is lost."
--------------------------------------------------------------------------------
/TTPs - Profiling JavaGhost - May2025.csv:
--------------------------------------------------------------------------------
;;;;;;
;Tactic;Technique ID;Technique;Procedure (Context);;
;Initial Access;T1078.004;Valid Accounts: Cloud Accounts;"Twilio: Stolen Twilio API credentials (likely) used to access the platform and send fraudulent SMS messages.
AWS: Exploiting long-term IAM access keys to gain access to AWS environments, enabling unauthorized console access.";;
;Initial Access;T1566.002;Phishing: Spearphishing Link;AWS: Using SES/WorkMail to send phishing emails with malicious links to trick users into revealing credentials or accessing malicious content.;;
;Execution;T1648;Serverless Execution;"AWS: Creating a Lambda function named ""buckets555"" for malicious execution, likely to run unauthorized code or scripts in the AWS environment.";;
;Persistence;T1078.004;Valid Accounts: Cloud Accounts;AWS: Using temporary STS credentials for persistent AWS console access, maintaining a foothold without needing permanent credentials.;;
;Persistence;T1136.003;Create Account: Cloud Account;"Twilio: The threat actor created subaccounts in Twilio to manage fraudulent activities.
AWS: Creating IAM users with login profiles and administrative permissions to maintain long-term access to the AWS environment.";;
;Persistence;T1543.005;Create or Modify System Process: Cloud Instance;AWS: Creating an EC2 security group named “Administratorsz” to ensure persistent access or control over cloud instances.;;
;Privilege Escalation;T1078.004;Valid Accounts: Cloud Accounts;AWS: Attaching administrative policies to IAM users, granting elevated access to perform privileged actions in the AWS environment.;;
;Defense Evasion;T1550.001;Use Alternate Authentication Material: Application Access Token;"Twilio: Stolen Twilio API tokens (likely) used for programmatic authentication to send SMS messages, bypassing user-level authentication.
AWS: Using temporary STS credentials/login URLs to authenticate and bypass detection mechanisms in the AWS environment.";;
;Defense Evasion;T1562.008;Impair Defenses: Disable or Modify Cloud Logs;AWS: Avoiding GetCallerIdentity API calls to evade CloudTrail detection, reducing visibility of malicious activities.;;
;Collection;T1530;Data from Cloud Storage;"AWS: Potential reconnaissance of S3 buckets via the Lambda function ""buckets555,"" likely to identify or access sensitive data.";;
;Command and Control;T1071.001;Application Layer Protocol: Web Protocols;AWS: Using the AWS console over HTTPS for command and control, managing malicious activities via web protocols.;;
;Command and Control;T1090.002;Proxy: External Proxy;AWS: Routing callbacks through residential/ISP proxies or freely available VPN services to obscure the source of malicious traffic.;;
;Impact;T1491;Defacement;Websites: Defacements signed by multiple team handles with Bahasa Indonesia phrases, indicating public-facing impact.;;
;Impact;T1496;Resource Hijacking;"Twilio: Sending ~10,000 fraudulent SMS messages using the victim’s Twilio account, incurring costs and disrupting operations.
AWS: Hijacking SES/WorkMail for phishing campaigns and other AWS resources for malicious purposes, abusing victim infrastructure.";;
--------------------------------------------------------------------------------
/TTPs - Profiling Laundry Bear - June 2025.csv:
--------------------------------------------------------------------------------
;;;;;;
;Tactic;ID;Technique;Procedure (Context);;
;Initial Access;T1078;Valid Accounts;The threat actor uses stolen credentials, potentially purchased from criminal marketplaces, to access valid accounts (Exchange Online, OWA). In the attack on the Dutch police, a stolen session cookie was used (pass-the-cookie).;;
;Initial Access;T1566.001;Phishing: Spearphishing Attachment;The threat actor sends spear phishing emails with malicious QR codes in PDF attachments redirecting to typosquatted domains spoofing Microsoft Entra for credential theft.;;
;Persistence / Privilege Escalation;T1098.002;Account Manipulation: Additional Email Delegate Permissions;The threat actor grants additional permissions (e.g., delegated access) to compromised email accounts to maintain persistence in Microsoft 365 environments, targeting accounts managing other accounts.;;
;Credential Access;T1557;Adversary-in-the-Middle;The threat actor uses the Evilginx framework to conduct AitM phishing, intercepting authentication data during logins to Microsoft cloud services (e.g., Entra ID).;;
;Credential Access;T1539;Steal Web Session Cookie;The threat actor steals or acquires session cookies, likely via infostealer malware from criminal marketplaces, to authenticate to Microsoft services without credentials, as in the Dutch police attack.;;
;Credential Access;T1110.003;Brute Force: Password Spraying;The threat actor password sprays (e.g., “password123,” “qwerty”) across multiple accounts, spread over time, to avoid detection in Microsoft 365 environments.;;
;Discovery;T1087;Account Discovery;The threat actor downloads the Global Address List (GAL) via Exchange Web Services (EWS).;;
;Collection;T1114.002;Email Collection: Remote Email Collection;The threat actor steals emails at scale from Exchange Online using EWS or OWA, targeting sensitive information.;;
;Collection;T1213.002;Data from Information Repositories: SharePoint;The threat actor exploits known SharePoint vulnerabilities to steal files and credentials from SharePoint environments.;;
;Collection;T1213.005;Data from Information Repositories: Messaging Applications;The threat actor accesses Microsoft Teams conversations for intelligence gathering.;;
;Command and Control;T1090;Proxy;The threat actor uses residential proxies to obfuscate C2 traffic, making it appear as legitimate network activity.;;
;Exfiltration;T1048.003;Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol;The threat actor exfiltrates data over unencrypted protocols (e.g., HTTP) to alternate locations, using encoding, from cloud environments.;;
--------------------------------------------------------------------------------
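The IOC file above is defanged (hxxps://, [.]) and mixes one URL row with Domain rows at two confidence levels. The following Python is an added example, not part of the original repository, showing how a practitioner would load it into a blocklist: it refangs each indicator, keeps only the hostname of the URL row, filters by confidence, and pulls out the registered parent of every host whose leading label is a ten-character random string, since the actor rotates that label per victim and the parent domain is the stable thing to block. The five embedded rows are copied from the file; the two-label "parent" rule and the ten-character regex are assumptions of this example (the original indicators 1y4vvc and tp49u6 are shorter, and multi-label public suffixes such as co.uk are not handled).

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed excerpt in the same four-column layout as the IOC file above; these five rows
# are copied from that file, the full list would be read from disk with the same function.
SAMPLE_IOC_CSV = """Type,Data,Confidence,Notes
URL,hxxps://usmuvr2y8u[.]opawalerch[.]shop/?email=,HIGH,Original indicator from the incident response case.
Domain,1y4vvc[.]designedbydrake[.]com,HIGH,Original indicator from the incident response case.
Domain,rmlsjufbad[.]bolaa[.]shop,HIGH,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,usermain10[.]site,MEDIUM,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
Domain,svr[.]usermain10[.]site,MEDIUM,"Pivot on domain registration patterns (e.g., Registrar, NameServer, SSL cert.)"
"""

CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
# Assumption: most pivoted hosts are a ten-character [a-z0-9] label in front of a throwaway
# registered domain. The original indicators (1y4vvc, tp49u6) are shorter, so this is a
# heuristic for the pivot set, not a rule the whole list satisfies.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{10}$")


def refang(value: str) -> str:
    """Turn the defanged form used in the CSV (hxxps://, [.]) back into a real URL or hostname."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def defang(host: str) -> str:
    """Inverse of refang for hostnames, so anything printed or pasted into a ticket stays non-clickable."""
    return host.replace(".", "[.]")


def hostname_of(indicator_type: str, data: str) -> str:
    """Hostname of a Domain row, or the host part of a URL row (path and query dropped)."""
    value = refang(data)
    if indicator_type.strip().upper() == "URL":
        host = urlsplit(value).hostname
        if not host:
            raise ValueError(f"URL indicator without a host: {data!r}")
        return host.lower()
    return value.lower()


def load_indicators(text: str) -> list[dict]:
    """Parse the CSV into dicts with a normalised 'host' field next to the original columns."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        conf = row["Confidence"].strip().upper()
        if conf not in CONFIDENCE_RANK:
            raise ValueError(f"unknown confidence {conf!r} for {row['Data']!r}")
        out.append({
            "type": row["Type"].strip(),
            "host": hostname_of(row["Type"], row["Data"]),
            "confidence": conf,
            "notes": row["Notes"].strip(),
        })
    return out


def blocklist(indicators: list[dict], min_confidence: str = "HIGH") -> list[str]:
    """Unique hostnames at or above the given confidence, sorted for a DNS RPZ or proxy denylist."""
    floor = CONFIDENCE_RANK[min_confidence]
    return sorted({i["host"] for i in indicators if CONFIDENCE_RANK[i["confidence"]] >= floor})


def parent_domains(indicators: list[dict]) -> list[str]:
    """Parents of hosts whose first label matches RANDOM_LABEL.

    Blocking only the observed host is weak because the label is rotated per victim; the
    registered parent is the better block key. Taking the last two labels as that parent is
    an assumption of this example and is wrong for multi-label public suffixes.
    """
    parents = set()
    for i in indicators:
        labels = i["host"].split(".")
        if len(labels) >= 3 and RANDOM_LABEL.match(labels[0]):
            parents.add(".".join(labels[-2:]))
    return sorted(parents)


if __name__ == "__main__":
    iocs = load_indicators(SAMPLE_IOC_CSV)
    print("HIGH-confidence hosts:", [defang(h) for h in blocklist(iocs)])
    print("parents to block:    ", [defang(p) for p in parent_domains(iocs)])
```

Run against the full file, `parent_domains` collapses the 130-odd pivoted hosts to their registered parents, which is the list worth feeding to a registrar or certificate-transparency watch; `blocklist(iocs, "MEDIUM")` adds the usermain10 and abcsvr4 hosts that the file rates lower.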
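All four TTP files above are spreadsheet exports with inconsistent layouts: comma versus semicolon delimiters, leading and trailing empty columns, a header that says "ID" in one file and "Technique ID" in the others, and quoted procedure cells that span several lines. The example below is added here and is not code from the original repository: it normalises the rows, validates every technique ID against the ATT&CK ID format, splits combined tactic cells such as "Persistence / Privilege Escalation", and merges the files into one ATT&CK Navigator layer in which a technique's score is the number of reports mapping it in that tactic. The embedded excerpts are copied from the BlackBasta, JavaGhost and Laundry Bear files; the version strings in the layer header are assumed.

```python
import csv
import io
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed excerpts reproducing the layouts of the TTP files above: BlackBasta is
# semicolon-delimited with trailing empty columns; JavaGhost and Laundry Bear add a leading
# empty column, a header named "ID" in one case, and quoted cells that span lines.
BLACKBASTA_EXCERPT = """Tactic;Technique ID;Technique;Procedure;;;
Initial Access;T1078.002;Valid Accounts: Domain Accounts;Access via AD/AzureAD/EntraID accounts via ADFS SSO;;;
Exfiltration;T1048;Exfiltration Over Alternative Protocol;"Rclone exfiltration from cloud servers; or FTP";;;
"""
JAVAGHOST_EXCERPT = """;;;;;;
;Tactic;Technique ID;Technique;Procedure (Context);;
;Initial Access;T1078.004;Valid Accounts: Cloud Accounts;"Twilio: Stolen Twilio API credentials (likely) used to access the platform.
AWS: Exploiting long-term IAM access keys to gain access to AWS environments.";;
;Execution;T1648;Serverless Execution;"AWS: Creating a Lambda function named ""buckets555"" for malicious execution.";;
"""
LAUNDRY_BEAR_EXCERPT = """;;;;;;
;Tactic;ID;Technique;Procedure (Context);;
;Initial Access;T1078;Valid Accounts;The threat actor uses stolen credentials to access valid accounts (Exchange Online, OWA).;;
;Persistence / Privilege Escalation;T1098.002;Account Manipulation: Additional Email Delegate Permissions;The threat actor grants delegated access to compromised email accounts.;;
"""


def sniff_delimiter(text: str) -> str:
    """The spreadsheet exports use ';', the hand-written file ','; take whichever dominates."""
    return ";" if text.count(";") > text.count(",") else ","


def read_ttp_rows(text: str) -> list[dict]:
    """Return {tactic, id, technique, procedure} per row, one entry per tactic when a cell
    names several. Rows before the header and empty padding rows are skipped; bad IDs raise."""
    reader = csv.reader(io.StringIO(text), delimiter=sniff_delimiter(text))
    columns = None
    rows = []
    for record in reader:
        cells = [c.strip() for c in record]
        if columns is None:
            if "Tactic" not in cells:
                continue  # blank padding row before the header
            columns = {
                "tactic": cells.index("Tactic"),
                "id": next(i for i, c in enumerate(cells) if c in ("Technique ID", "ID")),
                "technique": cells.index("Technique"),
                "procedure": next(i for i, c in enumerate(cells) if c.startswith("Procedure")),
            }
            continue
        if len(cells) <= columns["id"] or not cells[columns["id"]]:
            continue  # trailing empty row
        tid = cells[columns["id"]]
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed ATT&CK technique ID {tid!r}")
        for tactic in cells[columns["tactic"]].split("/"):
            rows.append({
                "tactic": tactic.strip(),
                "id": tid,
                "technique": cells[columns["technique"]],
                "procedure": cells[columns["procedure"]],
            })
    if columns is None:
        raise ValueError("no header row containing 'Tactic' found")
    return rows


def navigator_tactic(name: str) -> str:
    """Navigator keys techniques by the kebab-case tactic shortname ('Command and Control' -> 'command-and-control')."""
    return "-".join(name.lower().split())


def build_layer(name: str, files: dict[str, str]) -> dict:
    """Merge several TTP CSVs into one Navigator layer; score = number of reports mapping the technique in that tactic."""
    techniques: dict[tuple[str, str], dict] = {}
    for fname, text in files.items():
        for row in read_ttp_rows(text):
            key = (row["id"], navigator_tactic(row["tactic"]))
            entry = techniques.setdefault(key, {"techniqueID": key[0], "tactic": key[1], "score": 0, "comment": []})
            entry["score"] += 1
            entry["comment"].append(f"{fname}: {row['procedure']}")
    layer_techniques = [dict(t, comment="\n".join(t["comment"])) for t in techniques.values()]
    max_score = max((t["score"] for t in layer_techniques), default=1)
    return {
        "name": name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},  # assumed current versions
        "domain": "enterprise-attack",
        "description": f"Merged from {len(files)} TTP CSV files",
        "techniques": layer_techniques,
        "gradient": {"colors": ["#ffe766", "#ff6666"], "minValue": 1, "maxValue": max_score},
    }


if __name__ == "__main__":
    layer = build_layer("Cloud-focused actors", {
        "BlackBasta": BLACKBASTA_EXCERPT, "JavaGhost": JAVAGHOST_EXCERPT, "LaundryBear": LAUNDRY_BEAR_EXCERPT,
    })
    print(json.dumps(layer, indent=2))
```

Save the printed JSON and open it in Navigator; overlapping techniques across the reports (Valid Accounts: Cloud Accounts, Adversary-in-the-Middle, Remote Email Collection) light up with higher scores, which is the quickest way to see which detections cover more than one of these actors.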
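The BEC TTP file above describes the post-compromise mailbox changes: inbox rules that delete mail or move it to the RSS folder, forwarding rules, and an eM Client consent that leaves the actor with an OAuth credential. The following is an added example, not from the original report, of triage logic over Microsoft 365 Unified Audit Log records: it reads the Exchange cmdlet audit entries (New-InboxRule, Set-InboxRule, Set-Mailbox) and a consent event, scores each for the hiding, forwarding and lure-word patterns, and groups the hits per user so the whole chain is visible together. The sample records are constructed and simplified: in real logs the consent's application name and scopes sit inside ModifiedProperties/Target rather than as top-level fields, and the internal domain list and folder and keyword sets are assumptions to tune per tenant.

```python
from collections import defaultdict

# Constructed, simplified Unified Audit Log records. Operation, UserId, ClientIP and Parameters
# follow the Exchange audit schema; the consent record is flattened to AppDisplayName/Scopes
# (real "Consent to application." records carry these inside ModifiedProperties/Target).
# All users, addresses and IPs are invented for this example.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains

SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-03T08:12:41", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire transfer"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-03-03T08:13:10", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "FromAddressContainsWords", "Value": "no-reply@dropbox.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-03T08:15:02", "Operation": "Set-Mailbox", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@mail-archive.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2025-03-03T08:20:37", "Operation": "Consent to application.", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.5", "AppDisplayName": "eM Client",
     "Scopes": "offline_access Mail.ReadWrite Mail.Send IMAP.AccessAsUser.All"},
    {"CreationTime": "2025-03-03T09:02:15", "Operation": "New-InboxRule", "UserId": "helpdesk@example.com",
     "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Folders where a user would not look, so a rule moving mail there is hiding it (heuristic)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items", "archive"}
# Subject/body keywords BEC rules typically key on to intercept finance mail or security warnings (heuristic)
LURE_WORDS = {"invoice", "payment", "wire", "password", "hacked", "phishing", "suspicious"}
# Graph/EWS scopes that give an app the mailbox; offline_access adds the refresh token
MAIL_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "imap.accessasuser.all", "mailboxsettings.readwrite"}


def parameters(event: dict) -> dict:
    """Exchange audit records carry cmdlet arguments as Name/Value pairs; index them by lowercase name."""
    return {p["Name"].lower(): str(p["Value"]) for p in event.get("Parameters", [])}


def is_external(address: str) -> bool:
    address = address.strip().lower().removeprefix("smtp:")
    return "@" in address and address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def evaluate(event: dict) -> list[str]:
    """Reasons an event looks like BEC mailbox tampering; an empty list means nothing matched."""
    reasons = []
    op = event["Operation"]
    if op in ("New-InboxRule", "Set-InboxRule"):
        p = parameters(event)
        if p.get("deletemessage", "").lower() == "true":
            reasons.append("rule deletes matching mail")
        if p.get("movetofolder", "").lower() in HIDING_FOLDERS:
            reasons.append(f"rule hides mail in {p['movetofolder']!r}")
        for key in ("forwardto", "forwardasattachmentto", "redirectto"):
            if any(is_external(a) for a in p.get(key, "").split(";") if a):
                reasons.append(f"rule forwards externally via {key}")
        words = {w.strip().lower() for k in ("subjectcontainswords", "bodycontainswords")
                 for w in p.get(k, "").split(";")}
        if any(any(lure in w for lure in LURE_WORDS) for w in words if w):
            reasons.append("rule keys on finance/security lure words")
        if not p.get("name", "").strip(" .,-_"):
            reasons.append("rule name is blank or punctuation only")
    elif op == "Set-Mailbox":
        p = parameters(event)
        if any(is_external(p.get(k, "")) for k in ("forwardingsmtpaddress", "forwardingaddress")):
            reasons.append("mailbox-level forwarding to an external address")
    elif op == "Consent to application.":
        scopes = set(event.get("Scopes", "").lower().split())
        if scopes & MAIL_SCOPES:
            detail = " including offline_access (refresh token)" if "offline_access" in scopes else ""
            reasons.append(f"user consented mailbox scopes to {event.get('AppDisplayName', '?')!r}{detail}")
    return reasons


def triage(events: list[dict]) -> dict[str, list[dict]]:
    """Flagged events grouped per user, in time order, so rule + forwarding + consent read as one chain."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["CreationTime"]):
        reasons = evaluate(e)
        if reasons:
            by_user[e["UserId"]].append({"time": e["CreationTime"], "op": e["Operation"],
                                         "ip": e.get("ClientIP"), "reasons": reasons})
    return dict(by_user)


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        print(user)
        for h in hits:
            print(f"  {h['time']}  {h['op']:<24} {h['ip']:<15} {'; '.join(h['reasons'])}")
```

The per-user grouping is the point: any one of these records has a benign explanation, but a punctuation-named rule into RSS Feeds, a delete rule for Dropbox notifications, external forwarding and a mail-scope consent from the same address within minutes is the sequence the report describes, and the consent is the item to revoke first since a password reset alone does not remove it.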
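The JavaGhost file above maps the AWS side of the intrusion: long-term IAM keys, temporary STS credentials and sign-in URLs for console access, IAM users with login profiles and administrative policies, a Lambda named buckets555, a security group named Administratorsz, and a deliberate avoidance of GetCallerIdentity. The following added example, not from the original report, encodes that as detection rules over CloudTrail records and keys on the calls the actor cannot skip (the federation token request and the console login that consumes it) rather than on the reconnaissance call they avoid. The records are constructed; the baseline of expected source IPs per long-term key and the assumption that the console session was minted with GetFederationToken are stated in the code.

```python
from collections import defaultdict

# Constructed CloudTrail records trimmed to the fields the rules read (eventTime, eventSource,
# eventName, userIdentity, sourceIPAddress, requestParameters). Key IDs, IPs and the baseline
# IP set are invented; "buckets555" and "Administratorsz" are the names reported above.
LONG_TERM_KEY, SESSION_KEY = "AKIAEXAMPLE000000001", "ASIAEXAMPLE000000002"
KNOWN_SOURCE_IPS = {LONG_TERM_KEY: {"10.20.30.40"}}  # assumed baseline: where this key normally runs from
WATCHLIST_NAMES = {"buckets555", "administratorsz"}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"


def _rec(time, source, event_name, ident_type, user, key, ip, **params):
    return {"eventTime": time, "eventSource": f"{source}.amazonaws.com", "eventName": event_name,
            "userIdentity": {"type": ident_type, "userName": user, "accessKeyId": key},
            "sourceIPAddress": ip, "requestParameters": params or None}


SAMPLE_TRAIL = [
    # assumption: the console session is built from the long-term key with GetFederationToken,
    # the STS call that yields credentials usable for a sign-in URL
    _rec("2025-04-02T03:11:09Z", "sts", "GetFederationToken", "IAMUser", "ci-deploy", LONG_TERM_KEY,
         "198.51.100.77", name="console", durationSeconds=43200),
    _rec("2025-04-02T03:11:40Z", "signin", "ConsoleLogin", "FederatedUser", "console", SESSION_KEY, "198.51.100.77"),
    _rec("2025-04-02T03:14:02Z", "iam", "CreateUser", "FederatedUser", "console", SESSION_KEY, "198.51.100.77",
         userName="backup-svc"),
    _rec("2025-04-02T03:14:30Z", "iam", "CreateLoginProfile", "FederatedUser", "console", SESSION_KEY, "198.51.100.77",
         userName="backup-svc", passwordResetRequired=False),
    _rec("2025-04-02T03:15:05Z", "iam", "AttachUserPolicy", "FederatedUser", "console", SESSION_KEY, "198.51.100.77",
         userName="backup-svc", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    _rec("2025-04-02T03:21:47Z", "lambda", "CreateFunction20150331", "FederatedUser", "console", SESSION_KEY,
         "198.51.100.77", functionName="buckets555", runtime="python3.12"),
    _rec("2025-04-02T03:25:12Z", "ec2", "CreateSecurityGroup", "FederatedUser", "console", SESSION_KEY,
         "198.51.100.77", groupName="Administratorsz", groupDescription="Administratorsz"),
    # benign baseline: the CI key doing its normal job from its normal address
    _rec("2025-04-02T04:00:00Z", "ec2", "DescribeInstances", "IAMUser", "ci-deploy", LONG_TERM_KEY, "10.20.30.40"),
]


def identity(event: dict) -> tuple[str, str, str]:
    ui = event.get("userIdentity", {})
    return ui.get("type", ""), ui.get("userName", ""), ui.get("accessKeyId", "")


def evaluate(event: dict) -> list[str]:
    """Reasons a single CloudTrail record matches the JavaGhost pattern; empty list if none."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    ident_type, user, key = identity(event)
    ip = event.get("sourceIPAddress", "")
    reasons = []
    if name == "GetFederationToken" and ident_type == "IAMUser":
        reasons.append(f"long-term key of {user!r} requested a federation token")
    if name == "ConsoleLogin" and ident_type == "FederatedUser":
        reasons.append("console login via federated session (sign-in URL built from a federation token)")
    if name == "CreateUser" and ident_type == "FederatedUser":
        reasons.append(f"IAM user {params.get('userName')!r} created from a federated session")
    if name in ("CreateLoginProfile", "UpdateLoginProfile"):
        reasons.append(f"console password set for IAM user {params.get('userName')!r}")
    if name in ("AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy") \
            and str(params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX):
        target = params.get("userName") or params.get("groupName") or params.get("roleName")
        reasons.append(f"AdministratorAccess attached to {target!r}")
    if name == "CreateFunction20150331" and str(params.get("functionName", "")).lower() in WATCHLIST_NAMES:
        reasons.append(f"Lambda function {params['functionName']!r} matches JavaGhost naming")
    if name == "CreateSecurityGroup" and str(params.get("groupName", "")).lower() in WATCHLIST_NAMES:
        reasons.append(f"security group {params['groupName']!r} matches JavaGhost naming")
    if key.startswith("AKIA") and key in KNOWN_SOURCE_IPS and ip not in KNOWN_SOURCE_IPS[key]:
        reasons.append(f"long-term key {key} used from unexpected address {ip}")
    return reasons


def flagged(events: list[dict]) -> list[dict]:
    """Every matching record in time order."""
    out = []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        reasons = evaluate(e)
        if reasons:
            out.append({"time": e["eventTime"], "event": e["eventName"],
                        "ip": e.get("sourceIPAddress"), "reasons": reasons})
    return out


def session_timeline(events: list[dict]) -> dict[str, list[str]]:
    """Event names grouped by accessKeyId: the temporary ASIA key from ConsoleLogin ties the
    whole console session together even though none of its calls is GetCallerIdentity."""
    timeline: dict[str, list[str]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        timeline[identity(e)[2]].append(e["eventName"])
    return dict(timeline)


if __name__ == "__main__":
    for hit in flagged(SAMPLE_TRAIL):
        print(hit["time"], hit["event"], hit["ip"], "|", "; ".join(hit["reasons"]))
    for key, names in session_timeline(SAMPLE_TRAIL).items():
        print(key, "->", " > ".join(names))
```

Pivoting on the session key is what turns seven isolated hits into one story: the AKIA key requested the federation token, and every later action carries the ASIA key that token produced, so scoping the incident means pulling all records for that key rather than searching for the identity call the actor never made.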
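The Laundry Bear file above describes password spraying with common passwords across many accounts, spread over time to stay under per-user lockout and per-IP rate thresholds. The following added example, not from the original report, is a low-and-slow spray detector over Entra ID sign-in records: per source IP it slides a 24-hour window over failed sign-ins and flags windows with many distinct accounts but few attempts per account, then correlates any later success for a sprayed account from the same address, which is the alert that matters. The sign-in records are constructed, and the thresholds are starting points rather than tuned values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Entra ID sign-in records in the shape of the SignInLogs fields this detection
# reads (createdDateTime, userPrincipalName, ipAddress, status.errorCode); users and IPs are
# invented. Entra error code 50126 is "invalid username or password"; 0 is a successful sign-in.
INVALID_CREDENTIALS = 50126


def signin(ts: datetime, user: str, ip: str, error_code: int) -> dict:
    return {"time": ts, "user": user, "ipAddress": ip, "errorCode": error_code}


_base = datetime(2025, 5, 12, 1, 0)
SAMPLE_SIGNINS = (
    # the spray: one attempt per account, 37 minutes apart, all from one address, over ~12 hours
    [signin(_base + timedelta(minutes=37 * i), f"user{i:02d}@example.com", "203.0.113.9", INVALID_CREDENTIALS)
     for i in range(20)]
    # the one account where a sprayed password worked
    + [signin(_base + timedelta(hours=14), "user07@example.com", "203.0.113.9", 0)]
    # normal noise: one user mistyping three times from their own address, then succeeding
    + [signin(_base + timedelta(hours=9, minutes=m), "alice@example.com", "198.51.100.4", INVALID_CREDENTIALS)
       for m in (0, 1, 3)]
    + [signin(_base + timedelta(hours=9, minutes=5), "alice@example.com", "198.51.100.4", 0)]
)


def detect_spray(events: list[dict], window_hours: float = 24, min_users: int = 10,
                 max_per_user: int = 2) -> list[dict]:
    """Flag a source IP that fails against many distinct accounts, few tries each, inside one window.

    A per-IP count in a 15-minute bucket misses this actor by design: attempts are spread out,
    so the window is a day and the per-user cap is what separates a spray from one user's typos.
    """
    window = timedelta(hours=window_hours)
    fails_by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            fails_by_ip[e["ipAddress"]].append(e)
    findings = []
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["time"])
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["accounts"]:
                    best = {"ip": ip, "first": fails[start]["time"], "last": fails[end]["time"],
                            "accounts": len(per_user), "attempts": end - start + 1,
                            "sprayed": set(per_user)}
        if best:
            # a success from the same address for a sprayed account after the spray began is the real alert
            best["successes"] = sorted({e["user"] for e in events
                                        if e["ipAddress"] == ip and e["errorCode"] == 0
                                        and e["user"] in best["sprayed"] and e["time"] >= best["first"]})
            best["sprayed"] = sorted(best["sprayed"])
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_SIGNINS):
        print(f"{f['ip']}: {f['attempts']} failures against {f['accounts']} accounts "
              f"between {f['first']} and {f['last']}; successes: {f['successes'] or 'none'}")
```

The actor in the report also routes through residential proxies, so the same spray may arrive from several addresses; in that case group by ASN or by the client application and user-agent rather than by IP, keeping the rest of the logic unchanged.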