Type: Campaign
Actors:
Pub. date: July 8, 2025
Initial access: Exposed secret
Impact: RansomOp, Data exfiltration
Observed techniques:
Status: Finalized
Last edited: Jul 16, 2025 1:33 PM
In February 2025, a threat actor gained access to a UK-based AWS environment using compromised VPN credentials. Once inside, the actor performed internal reconnaissance with Nmap and used Rclone to stage and exfiltrate sensitive files, chiefly finance and investment data, from AWS file servers to external VPS endpoints. Darktrace's Autonomous Response blocked the initial exfiltration attempts, but the attacker adapted by moving the transfers to alternative external infrastructure. Lateral movement was attempted over RDP, followed by further data staging and outbound SSH connections to IP addresses already known to be malicious.
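Added example, not part of the original write-up: a small Python detector that replays the behaviours summarised above (an Nmap-style sweep from the VPN-connected host, a Rclone bulk transfer from a file server that moves to a second external VPS when the first is blocked, an RDP attempt, and SSH to a watchlisted IP) against constructed AWS VPC Flow Log records in the default version-2 format. Every address, the watchlist, the jump-host allowlist and the thresholds are assumptions chosen for illustration; in practice the records would be read from CloudWatch Logs or S3 rather than built inline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of a default-format (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed VPC address space
FILE_SERVERS = {"10.0.2.15"}                  # assumed finance file server
WATCHLIST = {"203.0.113.45"}                  # assumed known-bad IP (TEST-NET-3)
JUMP_HOSTS = {"10.0.0.5"}                     # assumed hosts allowed to originate RDP
SCAN_THRESHOLD = 20                           # distinct (dst, port) pairs from one source
EXFIL_BYTES = 500 * 1024 * 1024               # outbound bytes to one external host


def parse_record(line):
    """Parse one default-format flow log line; None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return a sorted list of (finding, source, detail) tuples for the given log lines."""
    targets_by_src = defaultdict(set)   # sweep detection counts ACCEPT and REJECT alike
    bytes_out = defaultdict(int)        # (src, dst) -> bytes leaving the VPC
    findings = set()

    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["protocol"] != 6:      # TCP only
            continue
        src, dst, dport = rec["srcaddr"], rec["dstaddr"], rec["dstport"]

        if is_internal(src) and is_internal(dst):
            targets_by_src[src].add((dst, dport))
            if dport == 3389 and src not in JUMP_HOSTS:   # RDP from a non-admin host
                findings.add(("rdp_lateral_movement", src, dst))
        elif is_internal(src) and rec["action"] == "ACCEPT":
            if src in FILE_SERVERS:
                bytes_out[(src, dst)] += rec["bytes"]     # per destination, so a
            if dst in WATCHLIST and dport == 22:          # second VPS is still caught
                findings.add(("ssh_to_watchlist", src, dst))

    for src, targets in targets_by_src.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.add(("port_sweep", src, f"{len(targets)} targets"))
    for (src, dst), total in bytes_out.items():
        if total >= EXFIL_BYTES:
            findings.add(("bulk_outbound_transfer", src, dst))
    return sorted(findings)


def flow(src, dst, dport, nbytes, action="ACCEPT", sport=49152):
    """Format a constructed flow log line; account and interface IDs are placeholders."""
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 "
            f"{max(1, nbytes // 1400)} {nbytes} 1738400000 1738400060 {action} OK")


# Constructed sample log, mirroring the campaign narrative.
SAMPLE_LOG = (
    # VPN-connected attacker host sweeping the file server; closed ports are rejected.
    [flow("10.0.1.10", "10.0.2.15", port, 60, "REJECT") for port in range(1, 30)]
    + [flow("10.0.1.10", "10.0.2.15", 445, 1200)]
    # Rclone push from the file server to one VPS, then to an alternative one.
    + [flow("10.0.2.15", "198.51.100.7", 443, 300 * 1024 * 1024)] * 2
    + [flow("10.0.2.15", "198.51.100.9", 443, 600 * 1024 * 1024)]
    # RDP attempt toward another internal host, then SSH to the watchlisted IP.
    + [flow("10.0.1.10", "10.0.2.20", 3389, 4000)]
    + [flow("10.0.1.10", "203.0.113.45", 22, 8000)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The byte total is kept per (source, destination) pair on purpose: when the first VPS is blocked and the actor moves to a second one, the second destination crosses the threshold on its own rather than being hidden inside a per-source aggregate.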