Cloud Threat Landscape

Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration

Type: Campaign
Actors: Seashell Blizzard
Pub. date: February 13, 2025
Initial access: 1-day vulnerability
Impact: Data exfiltration
Observed techniques: Vulnerability exploitation, Credential theft
Observed tools: Chisel, rsockstun, LocalOlive shell
Targeted technologies: TeamCity, Zimbra Server, Microsoft Exchange, Openfire, Microsoft Outlook
References: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
Status: Finalized
Last edited: Feb 18, 2025 2:31 PM

The BadPilot campaign operates as a horizontally scalable cyber operation, compromising a wide range of internet-facing systems using publicly available exploits. The subgroup conducts broad scanning for vulnerable systems and leverages commodity exploits to infiltrate networks. Once inside, the attackers establish persistence through remote management tools, web shells, and Tor-based covert access.

Since late 2021, the subgroup has been exploiting multiple vulnerabilities, including Microsoft Exchange (CVE-2021-34473), Zimbra (CVE-2022-41352), Openfire (CVE-2023-32315), JetBrains TeamCity (CVE-2023-42793), and Microsoft Outlook (CVE-2023-23397). In early 2024, they shifted tactics, increasingly deploying remote monitoring and management (RMM) software such as Atera Agent and Splashtop Remote Services. By exploiting ConnectWise ScreenConnect and Fortinet FortiClient EMS, the attackers achieved remote code execution (RCE) and deployed ShadowLink, a persistence mechanism that uses Tor hidden services to evade detection.

The campaign follows a structured attack lifecycle, starting with initial access via public exploits, followed by persistence through web shells (LocalOlive), credential harvesting, and tunneling utilities like Chisel and rsockstun. Microsoft also observed modifications to Outlook Web Access (OWA) login pages and DNS configurations, likely aimed at credential theft and expanding network influence.

Made with 💙 by Wiz

Last Updated: April 3, 2025