Adaptix

Valid Accounts: Domain Accounts T1078.002 engineer, ConfigMgrNAA reuse

Initial Access └── VPN authentication as "engineer" (iSn(wXB.$DeLO1V[k+zm) └── Or "support" (DblfYjZABjbzkUR)

The attack begins with a ZIP attachment. When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background.

Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot

Azureveil retrieves these commands, decrypts them, executes them, and uploads the results back as encrypted blobs.

Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot... @reboot /bin/sh /sbin/syslogda.sh>/dev/null 2>&1 @reboot /bin/sh /sbin/syslogdb.sh>/dev/null 2>&1

In Path A, the infection begins when the victim clicks on the malicious LNK file 計畫申請審查結果通知單.pdf.lnk... In Path B, the victim directly runs _計畫申請審查結果通知單.exe.

Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot

Valid Accounts: Domain Accounts T1078.002 engineer, ConfigMgrNAA reuse

Initial Access └── VPN authentication as "engineer" (iSn(wXB.$DeLO1V[k+zm) └── Or "support" (DblfYjZABjbzkUR)

Inside the VM, persistence and a command and control channel were established through the root crontab that launched two scripts at boot

Valid Accounts: Domain Accounts T1078.002 engineer, ConfigMgrNAA reuse

The blog also examines how trusted services such as Microsoft Azure Blob Storage are abused for command-and-control communication, and how the Adaptix agent is used for data exfiltration and remote control. In addition, we analyze the multi-layer encryption used to protect the payload and how it helps the attacker evade detection.

Valid Accounts: Domain Accounts T1078.002 engineer, ConfigMgrNAA reuse

adversaries leveraging QEMU, an open-source machine emulator and virtualizer typically used for development and testing, to deploy virtual machines that contained and executed malicious payloads. This approach enabled them to maintain covert access and bypass host-based detection from AV and EDR solutions.

The LSASS results file contains structured output from automated credential extraction across four workstations in the ICG domain. Each dump followed the same pattern: minidump to C:\ProgramData\d.dmp , extract cached logons, enumerate local users, pull credential vaults, and harvest PowerShell history.

Credentials Manager

Network and Pivoting... Network adapter enumeration (MAC, IP, type)

Process and Shell Control Execute shell commands List running processes and named pipes

C2 Management Reconfigure C2 settings at runtime Control file transfer state Retrieve system uptime

Command Capabilities of AZUREVEIL... File System Operations List directory contents and logical drives Read, move, rename, and delete files

adversaries leveraging QEMU, an open-source machine emulator and virtualizer typically used for development and testing, to deploy virtual machines that contained and executed malicious payloads. This approach enabled them to maintain covert access and bypass host-based detection from AV and EDR solutions.

Windows/Linux/MacOs agents support

SMB Beacon Listener

The script syslogdb.sh maintained an SSH connection to the C2 server over TCP 443 and forwarded local port 33443 to the C2 server through this tunnel.

As a result, the beacon’s local traffic was carried over the encrypted SSH channel to remote infrastructure, enabling command-and-control communication while blending into normal outbound traffic.

Network and Pivoting Port forwarding and SOCKS proxy control TCP and UDP pivot connections

the beacon’s local traffic was carried over the encrypted SSH channel to remote infrastructure, enabling command-and-control communication while blending into normal outbound traffic.

"Instead of using a traditional pull-based C2 model, Azureveil follows a dead-drop approach," ... "The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data."

the adversaries proceeded to establish a command and control channel for persistence by deploying and launching a QEMU virtual machine from a Linux disk image named vault.db

Local and Reverse port forwarding support

All communication happens over HTTPS on port 443, which makes the traffic blend in with normal Azure activity.

Azureveil retrieves these commands, decrypts them, executes them, and uploads the results back as encrypted blobs... they can execute commands and exfiltrate files from the target system...