← Back to Pulse Feed
PULSE DETAIL
A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
BlackSuit
SectopRAT
Brute Ratel
Cobalt Strike - S0154
QDoor
d3f@ckloader
Indicators of Compromise (13 / 46 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| FileHash-SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 | — | 2025-03-31 | |
| FileHash-SHA1 | 328d5554025757e5ec8e2e9eee2ad97d0e986a59 | — | 2025-03-31 | |
| FileHash-SHA1 | 3eb042e449c6097f29fad255d21aac336fae534b | — | 2025-03-31 | |
| FileHash-SHA1 | 41360d3eae3a71dd60c9ac34788d6863ef4e3e30 | — | 2025-03-31 | |
| FileHash-SHA1 | 5b1e0d72435da7d3a97107cddc655be71769ba53 | — | 2025-03-31 | |
| FileHash-SHA1 | 6c75e2c704f69aaa09cdfd455c7bdbf9336dc7fe | — | 2025-03-31 | |
| FileHash-SHA1 | 8d4f2aa315ce17505b8698db22ec2526805645a4 | — | 2025-03-31 | |
| FileHash-SHA1 | 951154980d3ddd4101b8e09b11669cbedc86f979 | — | 2025-03-31 | |
| FileHash-SHA1 | a13061b229a225441f67d2b25ccda139ee21b14e | — | 2025-03-31 | |
| FileHash-SHA1 | a25cfdcff675277035fb35add9d273934117e943 | — | 2025-03-31 | |
| FileHash-SHA1 | a6dcdfc8e97616c07549290950e78b145883e532 | — | 2025-03-31 | |
| FileHash-SHA1 | c5826e9e3c4b1fece4991f269fd4e5307e92bfe2 | — | 2025-03-31 | |
| FileHash-SHA1 | e50d9e3bd91908e13a26b3e23edeaf577fb3a095 | — | 2025-03-31 |