- In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method.
- After loading IcedID and establishing persistence, there were no further actions other than beaconing for over 30 days.
- The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.
- The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.