Type
Campaign
Actors
Pub. date
July 8, 2025
Initial access
Exposed secret
Impact
RansomOp, Data exfiltration
Observed techniques
Status
Finalized
Last edited
Aug 4, 2025 10:29 AM
In February 2025, a UK-based AWS environment was infiltrated using compromised VPN credentials. The threat actor conducted internal reconnaissance with Nmap and staged data exfiltration using the Rclone tool, transferring sensitive files from AWS file servers, particularly finance and investment data, to external VPS endpoints. Lateral movement was attempted via RDP, with further data staging and outbound SSH connections to known malicious IPs.