{ "Event": { "analysis": "1", "date": "2026-03-12", "extends_uuid": "", "info": "[Threat Intel] Data Exfiltration and Threat Actor Infrastructure Exposed", "protected": false, "publish_timestamp": "1774048913", "published": true, "threat_level_id": "2", "timestamp": "1774048913", "uuid": "b04cc940-1a1c-43ea-9a99-4c1d5106fcd8", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#8f20d0", "local": false, "name": "misp-galaxy:producer=\"Huntress\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#f28fb8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"", "relationship_type": "" }, { "colour": "#423494", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify System Firewall - T1562.004\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#0bacad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Rename Legitimate Utilities - T1036.003\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"inc ransom\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773658833", "to_ids": false, "type": "link", "uuid": "d45cf306-eb60-474b-81e9-1d09f461d8b2", "value": "https://www.huntress.com/blog/data-exfiltration-threat-actor-infrastructure-exposed" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773658833", "to_ids": false, "type": "text", "uuid": "ec81fe23-eb3f-4b2a-9199-b4d90c5c96b0", "value": "Huntress SOC analysts have uncovered sophisticated data exfiltration techniques employed by threat actors. The analysis reveals the use of various tools for data staging, including WinZip, 7Zip, and Windows' native tar.exe. Exfiltration methods observed include the use of finger.exe and backup utilities like restic, BackBlaze, and s5cmd. A specific incident on February 25, 2026, involved INC ransomware deployment, with the threat actor using PSEXEC for privilege escalation and creating a scheduled task to run a malicious PowerShell script. The actor utilized the Restic backup utility, renamed as winupdate.exe, to exfiltrate data. Similar tactics were observed in a previous incident on February 9, suggesting a pattern in the threat actor's methodology." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773658833", "to_ids": false, "type": "text", "uuid": "f780c8bd-822f-40ad-8500-22239fcac99b", "value": "Name: Data Exfiltration and Threat Actor Infrastructure Exposed\nAuthor: AlienVault\nAdversary: \nTags: [\"data exfiltration\", \"restic\", \"vipre\", \"inc ransomware\"]\nTgtd countries: []\nMlwr families: [\"INC ransomware\"]\nAttack_ids: [\"T1053.005\", \"T1003\", \"T1562.004\", \"T1112\", \"T1552.001\", \"T1059.001\", \"T1562.001\", \"T1078\", \"T1486\", \"T1036.003\", \"T1070.004\", \"T1490\"]\nIndustries: []" }, { "category": "Payload delivery", "comment": "C:\\123\\edr.exe No sample in VT\r\nLast check:21/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774028171", "to_ids": true, "type": "sha256", "uuid": "eda31a4b-1dcf-41e7-8fca-2e08daa89eed", "value": "1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "c:\\perflogs\\win.exe No sample in VT\r\nLast check:21/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1774028172", "to_ids": true, "type": "sha256", "uuid": "5fd49e0f-88cd-473a-bcc4-7abce2a351f2", "value": "e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] } ] } }