Babuk

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

Last month, Microsoft reported that the threat actors were exploiting a SharePoint vulnerability to breach corporate networks and deploy ransomware.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."

The deception is deliberate, designed to mislead victims and possibly even seasoned investigators into misidentifying the actual threat actor behind the attack.

...threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN... weaponizing trusted relationships.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

...create Linux encryptors targeting VMware ESXi servers.

"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

"4H RAT sends an OS version identifier in its beacons"; "admin@338 actors used ... ver ... systeminfo"; "Bundlore will enumerate the macOS version ... using /usr/bin/sw_vers -productVersion"; "DarkTortilla ... querying ... WMI objects"; "Turla ... discover operating system configuration details using the systeminfo and set commands"

“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”

"Babuk can enumerate disk volumes, get disk information"; "Ryuk has called GetLogicalDrives ... and GetDriveTypeW"; "Cuba can enumerate local drives, disk type, and disk free space"; "Chimera ... fsutil fsinfo drives"

...create Linux encryptors targeting VMware ESXi servers.

The police documents were stolen and published by the ransomware attack group Babuk...

The hackers from the Babuk group subsequently published those documents online, and transparency group Distributed Denial of Secrets redistributed them to news outlets including the Guardian.

The Babuk (aka Babyk and Babuk Locker) ransomware operation surfaced at the beginning of 2021 by targeting businesses in double-extortion attacks.

EndPoint는 Windows 환경뿐 아니라 ESXi와 NAS 환경도 겨냥하며, 파일 암호화와 데이터 유출 협박을 함께 수행하는 Double Extortion 방식을 사용한다.

Examples include Babuk 'can stop anti-virus services', BOLDMOVE disabling daemons, Conficker terminating services, Lazarus malware disabling Windows services, and SolarWinds Compromise where APT29 'used the service control manager on a remote system to disable services associated with security monitoring products.'

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.

The group claimed to have stolen over 250 GB of data from police servers and threatened to expose the information if the department didn’t pay a ransom.

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.

Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.