Modern cyber threat tracking requires visibility into how distinct threat groups share toolsets, infrastructure, and strategic objectives. Security researchers recently uncovered an interconnected series of cyber campaigns driven by threat groups historically recognized for politically motivated operations, including 4BID, Hakerskii Kit, and C.A.S. While these actors previously restricted their operational boundaries to specific geographical regions—primarily targeting Russian and occasionally Belarusian entities—recent technical data reveals a significant expansion. The current geographic footprint of these campaigns has expanded into commercial and industrial infrastructure across Kazakhstan, the United Arab Emirates (UAE), Syria, and Egypt. This operational pivot indicates a transition from pure ideological hacktivism to financially motivated cybercrime, combining complex post-exploitation frameworks with custom ransomware strains.
Overlapping Threat Actor Streams and Shared Infrastructures
Investigations into compromised enterprise networks revealed a complex web of overlapping indicators of compromise (IoCs), showing that multiple hacktivist clusters are either collaborating or using the same initial access pipelines. Within single compromised networks, analysts identified concurrent deployments of BlackReaperRAT (historically tied to the 4BID group) alongside automated provisioning utilities designed to download and configure legitimate Remote Monitoring and Management (RMM) software.
Simultaneously, threat groups like Hakerskii Kit have publicly claimed successful breaches against heavy industrial facilities, deploying a custom ransomware family known as ClearWater. Public communications from these operations explicitly acknowledged tactical assistance from the C.A.S. group. Compounding this multi-threat environment is the discovery of Warp RAT samples, a signature toolkit of the Goffee threat group, indicating a highly collaborative ecosystem where access methods, utility scripts, and command-and-control (C2) servers are shared among ostensibly independent groups.
Initial Access Mechanisms and Advanced Web Shell Exploitation
The primary vector for initial entry across these campaigns relies on exploiting the well-documented ProxyShell vulnerability cluster within on-premises Microsoft Exchange servers. Upon achieving remote code execution (RCE) at the system level, threat actors drop a modular ASP.NET web shell designated as fd.aspx. This web shell acts as an internal persistence mechanism and command routing gateway. To evade automated web scanners, the shell implements an explicit access control check: incoming HTTP requests must include a specific key parameter that matches a hardcoded AUTH_KEY constant within the script, otherwise returning a generic “Access Denied” message.
Incoming Request ──> [AUTH_KEY Validation] ──(Valid)──> [PowerShell / cmd.exe] ──> Base64 Output
──(Invalid)─> [HTTP "Access Denied"]
Once authenticated, commands embedded within the request’s scriptText parameter are passed directly to the local command line. If native PowerShell execution policies restrict the shell, it automatically falls back to cmd.exe. To avoid generating obvious visual anomalies on the hosting server, the execution block enforces the configuration flags CreateNoWindow: true and UseShellExecute: false.
Furthermore, fd.aspx supports bidirectional file system interactions using Base64-encoded strings embedded directly within standard HTTP request bodies. The integrated UploadFile function allows operators to write binary payloads into any folder accessible by the web server daemon, while the DownloadFile function lets them exfiltrate target data back to the C2 node. The shell also includes a system reconnaissance module that harvests deep machine metadata, querying specific properties:
- OSVersion: Exact kernel and patch distribution
- MachineName & UserDomainName: Local hostname and active domain bounds
- UserName: Active execution context
- ProcessorCount: Hardware scale assessment
- SystemDirectory & CurrentDirectory: Environmental paths
This reconnaissance routine uses the .NET framework’s native DriveInfo.GetDrives() method to enumerate active storage media, map file layouts, calculate available disk space, and retrieve the LastWriteTime metadata for every directory object. This allows threat actors to pinpoint recently modified project files and sensitive business data.
Automation Scripting Tactics and Legitimate RMM Misuse
After establishing a foothold via the web shell, the threat groups deploy specialized installation and persistence scripts. Analysis of these scripts reveals a mix of development qualities: several files feature comments written in Ukrainian, while multiple variants display structural hallmarks of AI-assisted code generation. In several cases, multiple iterative copies of the same script were discovered in a single directory, some entirely non-functional due to logical formatting errors common in raw LLM outputs. When manually corrected by the operators, these scripts automate the deployment of dual-use, legitimate administrative tools to blend in with normal network traffic.
One prominent script automates the installation of AnyDesk. It verifies local administrative privileges before checking for an active anydesk.exe process. If the application is absent, the script downloads the official installer directly from the vendor’s repository, configures a hardcoded unattended access password via the command line, extracts the newly generated unique AnyDesk ID, and exfiltrates a formatted text report to a centralized server at 185.221.153[.]121.
Similar approaches are applied to Microsoft Dev Tunnels. The deployment script installs the utility and outputs the resulting configuration data into a file named login.txt. This file provides the operator with device authentication instructions:
To sign in, use a web browser to open [https://login.microsoft.com/device](https://login.microsoft.com/device) and enter the code [CODE].
Once authenticated via a browser, the script opens specific inbound ports and maps persistent tunnels directly back to the attacker’s infrastructure. Additionally, the attackers deploy the Panorama9 RMM utility using automated scripts that manipulate the Windows Registry to hide the application tray icon and suppress its installation directory from user view. To further deceive security teams, the active Panorama9 services are renamed to Windows Update Helper and Windows Update Helper Cache, with their official service descriptions altered to mimic critical Windows update components.
EDR Evasion via Kernel-Mode Driver Exploitation
To ensure their tools can run without interference from local Endpoint Detection and Response (EDR) software, these actors utilize Bring Your Own Vulnerable Driver (BYOVD) techniques. They deploy a specialized user-mode killer utility designed to disable security agents by leveraging a known vulnerability (CVE-2023-44976) within a legitimate, signed kernel-mode driver (\\.\Warsaw_PM). This approach allows the attackers to execute arbitrary operations in kernel space, bypassing Protected Process Light (PPL) protections that typically shield modern anti-malware processes from termination.
The specific execution steps of this EDR-killing utility follow a highly structured sequence:
1.Process Identification:User-Mode Enumeration.
The user-mode component accepts specific target process names (such as msmpeng.exe) via command-line arguments. It references standard Windows APIs including CreateToolhelp32Snapshot, Process32First, and Process32Next to map running processes and extract their Process Identifiers (PIDs).
2.Driver Drop and Service Instantiation:Privilege Escalation.
The program writes the vulnerable .sys driver payload onto the local disk. It calls the Service Control Manager (SCM) to register a new system service configuration defined as a SERVICE_KERNEL_DRIVER type, subsequently starting the driver within the kernel context.
3.Handle Creation:Establishing Communication.
The user-mode application establishes an active interface handle pointing directly to the symbolic link created by the driver at \\.\Warsaw_PM.
4.DeviceIoControl Communication:Kernel Boundary Bypass.
The application packs the harvested target security PIDs into a structured input buffer and sends a direct DeviceIoControl instruction across the established driver handle.
5.Kernel-Level Process Termination:EDR Disablement.
Exploiting CVE-2023-44976, the driver reads the user-mode request from kernel space. It issues low-level ZwOpenProcess and ZwTerminateProcess calls, forcefully stopping the target security processes from a level of privilege that user-mode security systems cannot block.
Deep Architectural Analysis of Ransomware Payloads
The final stage of these campaigns involves deploying ransomware to encrypt critical data and demand payment. The primary payload, ClearWater, is written in C/C++ and uses a hybrid encryption scheme. It processes target files sequentially, generating unique symmetric encryption keys via the ChaCha20 cipher stream. After encrypting a file’s content, ClearWater appends a custom 264-byte structural metadata trailer directly to the end of the encrypted file. The layout of this appended trailer follows a specific structural architecture:
+-----------------------------------+
| uint8_t label[4] ('M','Y','E','K') | -> 4-Byte File Marker
+-----------------------------------+
| uint32_t rsa_encr_size | -> 4-Byte RSA Data Length
+-----------------------------------+
| uint8_t rsa_encr_data[256] | -> 256-Byte RSA-Encrypted ChaCha20 Key
+-----------------------------------+
To prevent system recovery, ClearWater carries out several automated actions to clear backups and disable built-in Windows recovery mechanisms:
- Shadow Copy Purging: Deletes volume shadow copies via
vssadminandwmiccommands to prevent file restoration. - Backup Catalog Wiping: Destroys the local Windows Server Backup catalog database.
- Recovery Disablement: Modifies boot configuration data to turn off automatic system startup repair and completely disables Windows System Restore paths.
To maintain execution persistence during the encryption phase, the ransomware uses PowerShell commands to inject two persistent link shortcuts (SystemHelper.lnk and WindowsHelper.lnk) into the system-wide and user-specific startup folders (%PROFILEPATH%\All users\Start menu\Programs\Startup and %USERPROFILE%\Start menu\Programs\Startup).
Alongside ClearWater, security researchers observed an updated variant of Blackout Locker. This payload utilizes a highly optimized Rust-based dropper that deploys the core file encryption module alongside a separate screen-locking application, preventing defenders from accessing the user interface while the encryption process runs in the background.
Indicators of Compromise (IoCs)
| Artifact Type | Value / Indicator | Functional Context |
| IP Address | 185.221.153[.]121 | AnyDesk Exfiltration and C2 Beaconing Node |
| File Shell | fd.aspx | Modular ASP.NET ProxyShell Post-Exploitation Shell |
| Driver Handle | \\.\Warsaw_PM | CVE-2023-44976 Kernel Endpoint for EDR Killing |
| Ransomware Marker | MYEK (0x4D59454B) | 4-Byte Binary Magic Header appended to ClearWater targets |
| Startup Shortcut | SystemHelper.lnk | Persistent System-Wide Startup Execution Hook |
| Startup Shortcut | WindowsHelper.lnk | Persistent User-Profile Startup Execution Hook |
Our Opinion on This Case
The operational shift highlighted in this case represents a significant evolution in the cyber threat landscape: the complete erasure of the boundary separating ideological hacktivism from traditional, profit-driven cybercrime. For years, enterprise defense models categorized hacktivists as low-to-medium threats that primarily relied on distributed denial-of-service (DDoS) attacks or superficial website defacements. This case proves that definition is obsolete. By sharing toolsets, using advanced kernel-level EDR killers, and deploying complex hybrid ransomware like ClearWater, these groups are performing high-tier corporate extortion under the guise of geopolitical activism.
What is most concerning is their expanded target geography. Moving beyond localized conflict zones to target commercial enterprises in the UAE, Kazakhstan, and Egypt proves that these threat actors now prioritize financial gain over geopolitical focus. The use of AI-generated scripts also demonstrates how automated coding tools lower the technical barrier to entry, allowing less sophisticated groups to rapidly scale and customize their deployment mechanics. For corporate defenders, this case reinforces a critical lesson: attribution matters less than capability. Organizations worldwide must treat hacktivist groups with the same level of defensive scrutiny, behavioral monitoring, and threat hunting typically reserved for advanced persistent threats (APTs) and professional ransomware syndicates.
