Pulse Detail — Threat Intelligence

PULSE NAME

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

WHITE ELPACO-team AlienVault 2025-05-19 Modified: 2025-06-18

IOCs

HIGH VOLUME

A threat actor exploited an unpatched Confluence server using CVE-2023-22527, gaining initial access. They used Metasploit for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various techniques, and harvested credentials with tools like Mimikatz. They moved laterally using compromised domain admin credentials, accessing multiple systems via RDP and WMI. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, on key servers approximately 62 hours after initial access. While ransomware was deployed and some logs deleted, no significant data exfiltration was observed.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1047 T1133 T1543.003 T1071 T1190 T1219 T1562.004 T1112 T1003.001 T1134.002 T1016 T1057 T1059.001 T1562.001 T1078 T1068 T1486 T1012 T1059.003 T1136 T1018 T1105 T1021.001 T1003.003

MALWARE FAMILIES

ELPACO-team

Indicators of Compromise (90)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2020-1472	—	2025-05-19
CVE	CVE-2021-34527	—	2025-05-19
CVE	CVE-2023-22518	—	2025-05-19
CVE	CVE-2023-22527	—	2025-05-19
FileHash-MD5	09ba9214257381231934a0115d7af8be	—	2025-05-19
FileHash-MD5	0a50081a6cd37aea0945c91de91c5d97	—	2025-05-19
FileHash-MD5	127fe6658efb06e77b674fdb9db7d6d5	—	2025-05-19
FileHash-MD5	1b1e95ea1d26da394688f4c8883721d1	—	2025-05-19
FileHash-MD5	30a6cd2673ef5b2cb18f142780a5b4a3	—	2025-05-19
FileHash-MD5	35893c46af1af2089498b062379c039f	—	2025-05-19
FileHash-MD5	3e872ca0ac6261b85dd9524a8f3a83db	—	2025-05-19
FileHash-MD5	3f7d6e5a541aad1a52beb823f1576f6a	—	2025-05-19
FileHash-MD5	44c031e3c922e711f7e3784f6d90b10f	—	2025-05-19
FileHash-MD5	47e001253af2003985f15282cdc90a1c	—	2025-05-19
FileHash-MD5	53e2e8ce119e2561bb6065b1a42f1085	—	2025-05-19
FileHash-MD5	54daad58cce5003bee58b28a4f465f49	—	2025-05-19
FileHash-MD5	597de376b1f80c06d501415dd973dcec	—	2025-05-19
FileHash-MD5	6fbf6350c52d2f2e6f61530d05148562	—	2025-05-19
FileHash-MD5	77ef2cad0de20482a6bb6cfcdc5d94d1	—	2025-05-19
FileHash-MD5	91625f7f5d590534949ebe08cc728380	—	2025-05-19
FileHash-MD5	92fd70f19771360bd820091025107382	—	2025-05-19
FileHash-MD5	96a1e516cef1ff4791d8785886d56cce	—	2025-05-19
FileHash-MD5	96ec8798bba011d5be952e0e6398795d	—	2025-05-19
FileHash-MD5	96fc8c743f6ba38a69bf866b7fa9e4d1	—	2025-05-19
FileHash-MD5	9a875116622272a7f0fb32ce6cc12040	—	2025-05-19
FileHash-MD5	a75de4c4fd88d94642ad30310c641252	—	2025-05-19
FileHash-MD5	be8f00c11010e4e6078d383026833c07	—	2025-05-19
FileHash-MD5	c9bc430ea5bd0289cf3a6acdb69efac4	—	2025-05-19
FileHash-MD5	e703ffdf065094f30b8b9c107a64736b	—	2025-05-19
FileHash-MD5	e7aa5608c81ba4fcd8d166501b90fc06	—	2025-05-19
FileHash-MD5	ee8d08b380bf3d3fe9961a0ab428549f	—	2025-05-19
FileHash-MD5	f635d1c916a7c56678f08d1d998e7ce4	—	2025-05-19
FileHash-SHA1	02c264691764f3c7ab9492dcb443e52b0ee66229	—	2025-05-19
FileHash-SHA1	1217a97009eb86249e6c8010d3024f050f62c40d	—	2025-05-19
FileHash-SHA1	162b08b0b11827cc024e6b2eed5887ec86339baa	—	2025-05-19
FileHash-SHA1	1e0ec6994400413c7899cd5c59bdbd6397dea7b5	—	2025-05-19
FileHash-SHA1	238424b26da6e53738aa28a46ba007a195ad608c	—	2025-05-19
FileHash-SHA1	241f9d2495b0b437813d8cf31fe4e4de8be203ec	—	2025-05-19
FileHash-SHA1	32f9259285bb3425b67633d73bc74b93859f40a7	—	2025-05-19
FileHash-SHA1	35ff55bcf493e1b936dc6e978a981ee2a75543a1	—	2025-05-19
FileHash-SHA1	4790bde7c2d233c07165caaab0f5b7d69a60c950	—	2025-05-19
FileHash-SHA1	5bef86615c8bd715c794505127a6d5245bba9206	—	2025-05-19
FileHash-SHA1	5c714fda5b78726541301672a44eaf886728f88c	—	2025-05-19
FileHash-SHA1	5f13d476e9fabdf2ac6f805a98d62f3027c473c2	—	2025-05-19
FileHash-SHA1	629c9649ced38fd815124221b80c9d9c59a85e74	—	2025-05-19
FileHash-SHA1	69519da0edeb9ad6ed739982a05b638d3fee20fb	—	2025-05-19
FileHash-SHA1	6ee6664df9bfb47d97090492b6cde68bf056a42a	—	2025-05-19
FileHash-SHA1	7314f85595ab4496abe02c48b476f57cb6b96804	—	2025-05-19
FileHash-SHA1	755309c6d9fa4cd13b6c867cde01cc1e0d415d00	—	2025-05-19
FileHash-SHA1	79d3fbde198ffa575904998b92285e3815a860c2	—	2025-05-19
FileHash-SHA1	8900b1ef864eb390bf99b801d78a0b8dbd5d90b6	—	2025-05-19
FileHash-SHA1	89e3247d2940d78ab13f060761f0c79afa806f39	—	2025-05-19
FileHash-SHA1	9e22f5e394ffd8df94b1601fe73f2ae14df731ba	—	2025-05-19
FileHash-SHA1	af7c73c47c62d70c546b62c8e1cc707841ec10e3	—	2025-05-19
FileHash-SHA1	b8551ef02737bc7801d2077d7d8aca168eb79b0d	—	2025-05-19
FileHash-SHA1	bf1b0ab5a2c49bde5b5dbe828df3e69af5d724c2	—	2025-05-19
FileHash-SHA1	d01f72d0a4609be76a83ac76a760485d29be854b	—	2025-05-19
FileHash-SHA1	dda90a452cc1540657606e5d40d304b1e58da751	—	2025-05-19
FileHash-SHA1	f46fa1fbab35f0d697ea896e81c4504de0487e57	—	2025-05-19
FileHash-SHA1	f7e11585ee968ad256be5a2e4c43a73c07034759	—	2025-05-19
FileHash-SHA256	085ad59bb8d32981ea590a7884da55d4b0a3f5e89a9632530c0c8ef2f379e471	—	2025-05-19
FileHash-SHA256	0b83f2667abff814bb724808c404396e6ad417591165f1762a8e99ec108d4996	—	2025-05-19
FileHash-SHA256	14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8	—	2025-05-19
FileHash-SHA256	15348e1401fe18b83e30a7e7f6b4de40b9981a0e133c22958324a89c188f2c49	—	2025-05-19
FileHash-SHA256	22436fe549d791caa3007b567d28d51c8c75869519019c40564af4de53490fa2	—	2025-05-19
FileHash-SHA256	28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063	—	2025-05-19
FileHash-SHA256	2c656109db6d2059c41a50e623ceb5e656ff764c44b1e1dbf41131f0206f8238	—	2025-05-19
FileHash-SHA256	36d3b20e9380aaaac9151280b4ac3e047a0871efbb158f04344946ff67176a48	—	2025-05-19
FileHash-SHA256	3c300726a6cdd8a39230f0775ea726c2d42838ac7ff53bfdd7c58d28df4182d5	—	2025-05-19
FileHash-SHA256	3e92ca5b4069eba89d9fcfd7885924282fdf6ca26d0ff8d0502973d9c9bc1fef	—	2025-05-19
FileHash-SHA256	4f4864a1d5f19a3c5552d80483526f3413497835549dce8c61fef116b666fa09	—	2025-05-19
FileHash-SHA256	51f2d5fba3d02cba1c99cf2dfd9968b98d0047f501b54b9531e7ad2719706e47	—	2025-05-19
FileHash-SHA256	5748bfb17e662fb6d197886a69df47f1071052c3381eb1c609a2bc5dba8c2992	—	2025-05-19
FileHash-SHA256	6492e765829974c4a636bff0e305261b18eea92fcb1df6fff69890366efc972d	—	2025-05-19
FileHash-SHA256	6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b	—	2025-05-19
FileHash-SHA256	6b93e585479a3c5b9a8edbe2b11a8371cb028e8b196acb1c16a425e8d8530cd7	—	2025-05-19
FileHash-SHA256	6e5a6629b5ec2eea276fe93553d31f3d23885b214db0a4c2c9201f65180d767f	—	2025-05-19
FileHash-SHA256	90cdcf54bbaeb9c5c4afc9b74b48b13e293746ee8858c033fc9d365fd4074018	—	2025-05-19
FileHash-SHA256	9875d1947b8d18974c938721c273d9322fc9af36be96e0ec696daac2929bb802	—	2025-05-19
FileHash-SHA256	9b1df0db16b3b73fe3549856fb4a74414faecffabee0d001865e05b93dda14ec	—	2025-05-19
FileHash-SHA256	9e18fcc595d4e158ac7aa9250e45145445b31018b35d6ed91239da2b931b5c37	—	2025-05-19
FileHash-SHA256	a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b	—	2025-05-19
FileHash-SHA256	abbe5619e1d7a08f807b57d0949a7f97108a546a415778f25ed35f31ee2cd2f5	—	2025-05-19
FileHash-SHA256	c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37	—	2025-05-19
FileHash-SHA256	c7440e621d1c5e90ca4963a4b3b52d27bac05a44248ca88dd51510489d1171bb	—	2025-05-19
FileHash-SHA256	d5746d9f3284dadf60180f7f7332a08895c609520e0c2327918f259d182cbaf6	—	2025-05-19
FileHash-SHA256	e5f985b5a1f4f351616516553295e1224a02219825c35e3c64b55ecdc8a0d699	—	2025-05-19
FileHash-SHA256	f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446	—	2025-05-19
FileHash-SHA256	ff547a7803cd989f9f09a22323ec3f7079266b9a20a07f2c6f353547318ff172	—	2025-05-19
domain	delete.me	—	2025-05-19

References (1)

↗ https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware