Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
Essential information
- Published
- 08/09/2025 21:36
- Modified
- 09/09/2025 22:10
- Tags
- 2025-09-08 betruger data exfiltration grixba lateral movement multi-group affiliation multi-group operation ransomware sectoprat systembc
- Related entities
- 12 techniques (mitre), 1 others
Description
This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various tools for reconnaissance, lateral movement, and data exfiltration, including SystemBC, Betruger backdoor, AdFind, SharpHound, and Grixba. They leveraged RDP and Impacket's wmiexec for lateral movement, and used WinRAR and WinSCP for data collection and exfiltration. The intrusion lasted six days before the threat actors were evicted, showcasing a range of advanced persistent threat techniques and highlighting the blurred lines between different ransomware operations.