Cyber Security News

Google Uncovers Initial Access Broker Behind Conti Ransomware Who Uses Phishing to Infiltrate Organization

Google’s Threat Analysis Group (TAG) has been conducting various analyses on threat actors and their ransomware. In September 2021, they came to know about a threat actor who was known by the name “EXOTIC LILY” exploiting a 0day in Microsoft MSHTML (CVE-2021-40444).

Initial thoughts about this threat actor seemed like another typical group trying to infiltrate organizations. But later, they were found to be what they call an “Initial Access Broker”.

Initial Access Brokers (IAB) are locksmiths for hire in the cyber world. They breach a target and open doors for the highest bidder. This technically proves that they are resourceful and financially motivated. However, reports revealed that they have been working for a Russian Cybercrime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (Crowdstrike).

EXOTIC LILY’s is linked upon data exfiltration and the deployment of ransomware such as Conti or Diavol which are human-operated. As per TAG’s analysis, EXOTIC LILY was sending 5000 emails a day to around 650 organizations all around the world. 

The group was targeting specific industries such as Cybersecurity, IT, and Healthcare until November 2021. Their recent activities suggest that they reduced their focus and are attacking a wide variety of organizations and industries.

Their TTPs are based upon spoofing companies, employees and gaining trust from a targeted organization. Later, they deliver the malware through file-sharing services like WeTransfer, TransferNow, and OneDrive. For a cybercrime group targeting a mass scale of organizations globally, this is rather a very unusual thing like using these kinds of evading techniques.


They spoof an organization’s Top-Level Domain with various other extensions. This builds credibility in email contacts and further techniques followed were delivering the Payload via file-sharing services. One of the evasion techniques they used to deliver the malicious payload link was using the email feature of such file-sharing service providers.

Filling out the victim’s email ID for viewing the link. This method initiates a link that contains a payload to be delivered to the victim via the file-sharing service provider itself. This makes the detection technique very complicated. Further detailed analysis of the group’s activities was published by Google.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

11 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

14 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

14 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

16 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

17 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

18 hours ago