216.73.217.98

Hide Your RDP: Password Spray Leads to RansomHub Deployment

· Published 30/06/2025 18:49 · Modified 01/07/2025 08:16

Export JSON

Essential information

Published
30/06/2025 18:49
Modified
01/07/2025 08:16
Tags
2025-06-30 credential-theft data exfiltration lateral movement living-off-the-land mimikatz password spray ransomhub ransomware rdp
Related entities
9 observables, 1 intrusion sets (apt), 25 techniques (mitre), 2 malware

Description

This report details a cyberattack where threat actors gained initial access through a attack on an exposed server. They used and Nirsoft for credential harvesting, and employed techniques along with tools like Advanced IP Scanner for network discovery. The attackers utilized Rclone for via SFTP and deployed across the network using SMB and remote services. The intrusion lasted six days, culminating in widespread encryption and ransom demands. Key phases included initial access, , credential theft, , and deployment, demonstrating a sophisticated and multi-staged attack methodology.

External references