Advantest Ransomware Attack
Incident Date: 20 February 2026
Organization: Advantest Corporation
Industry: Semiconductor Automated Test Equipment (ATE)
Executive Overview
In mid-February 2026, Advantest detected a ransomware intrusion affecting portions of its corporate IT environment. The intrusion appears to have followed a structured, multi-stage attack pattern involving credential compromise, lateral movement, data exfiltration, and finally enterprise-wide encryption.
Given Advantest’s position in the semiconductor supply chain, the incident is particularly sensitive because it may involve:
- Proprietary chip test program data
- Customer validation schematics
- Engineering documentation
- Employee personally identifiable information (PII)
This was not a random malware infection. It was consistent with a hands-on-keyboard intrusion by a ransomware affiliate conducting reconnaissance and targeted data theft before encryption.
What Happened
Phase 1 – Initial Access
Most probable entry vectors:
A. Compromised VPN Credentials
- Stolen credentials from prior breach markets
- MFA push fatigue attack
- Token/session cookie theft
- Weak password reuse
B. Spear Phishing Campaign
- HTML smuggling attachment
- ISO/ZIP file containing loader
- Macro-enabled document
- QR-code phishing redirecting to credential harvest page
C. Edge Device Exploitation
Potential exploitation of:
- VPN appliance authentication bypass
- Citrix/remote gateway RCE
- Secure file transfer zero-day
- Unpatched firewall vulnerability
No confirmed public CVE has been disclosed yet, but logs reportedly show anomalous remote login patterns.
Phase 2 – Establishing Foothold
After access:
- Deployment of loader (DLL sideload or PowerShell stager)
- Creation of scheduled task for persistence
- Hidden local admin account created
- Beacon to command-and-control (C2)
Persistence Indicators
schtasks /create /sc minute /mo 30 /tn "WindowsUpdateSvc"
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Phase 3 – Privilege Escalation & Credential Access
The attackers likely:
- Dumped LSASS memory
- Performed Kerberoasting
- Extracted NTDS.dit
- Enumerated domain controllers
Commands Observed in Similar Cases
rundll32.exe comsvcs.dll, MiniDump lsass.exe
procdump.exe -ma lsass.exe
ntdsutil "ac i ntds" "ifm" "create full C:\temp"
Windows Event IDs
- 4624 (Logon success)
- 4672 (Admin privileges assigned)
- 4688 (Process creation)
- 4720 (User created)
- 4728 (Added to privileged group)
Phase 4 – Internal Reconnaissance
Attackers enumerated:
- File servers
- Engineering shares
- Backup servers
- Hypervisor management systems
- Database servers
Discovery Commands
whoami /all
nltest /dclist
net group "Domain Admins" /domain
net view /domain
dir /s *.docx
Phase 5 – Data Exfiltration (Double Extortion)
Before encryption, the attackers staged data for exfiltration.
Staging Locations
C:\ProgramData\temp\
C:\Users\Public\Documents\
D:\Backup\
Archiving
7z a -pPass123 -mhe sensitive.7z D:\Engineering\
rar a -hpPass123 data.rar
Exfiltration Tools
- rclone.exe
- WinSCP
- SFTP scripts
- TOR proxy tunneling
- curl upload commands
Network Indicators
- Outbound traffic exceeding 5 GB in a short period
- Encrypted outbound connections to VPS IPs
- DNS lookups for newly registered domains
- Long-duration HTTPS sessions outside business hours
Phase 6 – Ransomware Deployment
After exfiltration:
- Domain-wide encryption attempt
- Shadow copy deletion
- Backup service termination
- Ransom note deployment
Commands
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled No
Encryption Characteristics
- AES-256 per file
- RSA-2048 public key embedded
- Multi-threaded encryption
- Skips Windows system directories
- Targets network shares
File Extensions Observed in Similar Campaigns
.locked
.black
.enc
.advlock
Ransom Note Names
README.txt
RECOVER_FILES.html
HOW_TO_DECRYPT.txt
Impact Assessment
Operational Impact
- Corporate file servers encrypted
- Engineering documentation inaccessible
- Temporary shutdown of internal systems
- Incident response containment measures
Data Impact
Potential exposure of:
- ASIC test validation programs
- Customer chip yield optimization scripts
- Proprietary semiconductor test algorithms
- Employee payroll and HR data
Supply Chain Risk
If chip validation data was exfiltrated:
- Competitive intelligence exposure
- Risk to semiconductor partners
- Contractual and regulatory implications
Complete Indicators of Compromise (IOCs)
Suspicious Account Creation
Event IDs:
4720
4728
4732
Commands:
net user svc-backup P@ss123! /add
net localgroup administrators svc-backup /add
Credential Dumping Artifacts
Files:
C:\Windows\Temp\lsass.dmp
C:\ProgramData\*.dmp
Registry access:
HKLM\SAM
HKLM\SYSTEM
HKLM\SECURITY
Lateral Movement
Processes:
psexec.exe
wmic.exe
sc.exe create
winrm.cmd
SMB:
\\SERVER\ADMIN$
\\FILE01\C$
Data Exfiltration Indicators
Processes:
rclone.exe
winscp.exe
curl.exe
powershell Invoke-WebRequest
File types:
*.7z
*.rar
*.zip
Network:
- High outbound traffic spikes
- Connections to IP addresses with no associated DNS name
- DNS TXT record tunneling
- Connections to TOR entry nodes
Ransomware Execution
Process creation:
unknown.exe
randomname.exe
Shadow deletion:
vssadmin delete shadows
wmic shadowcopy delete
Service stop:
net stop veeam
taskkill /f /im sqlservr.exe
Detection Rules
Sigma Rule – Shadow Copy Deletion
title: Suspicious Shadow Copy Deletion
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - "vssadmin delete shadows"
      - "wmic shadowcopy delete"
  condition: selection
level: high
Sigma Rule – LSASS Dumping
title: LSASS Memory Dump Attempt
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - "lsass"
      - "MiniDump"
      - "procdump"
  condition: selection
level: critical
Sigma Rule – Rclone Exfiltration
title: Rclone Execution
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: "rclone.exe"
  condition: selection
level: high
Sigma Rule – Suspicious Archive Creation
title: Mass Archive Creation
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - ".7z"
      - ".rar"
      - ".zip"
  condition: selection
level: medium
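The four Sigma rules above reduced to a small Python evaluator, run over constructed process-creation events, so the matching logic (OR across a value list, AND across fields, case-insensitive string comparison as Sigma specifies) can be checked before the rules go into a SIEM. This is an added example, not code from the report or from Advantest; the event field names (Image, CommandLine) follow Sigma's process_creation convention and the sample events are constructed.

```python
"""Minimal evaluator for the page's Sigma rules over constructed events."""

# Rules as (level, selection): selection keys are "Field|modifier".
RULES = {
    "Suspicious Shadow Copy Deletion": ("high", {"CommandLine|contains": [
        "vssadmin delete shadows", "wmic shadowcopy delete"]}),
    "LSASS Memory Dump Attempt": ("critical", {"CommandLine|contains": [
        "lsass", "MiniDump", "procdump"]}),
    "Rclone Execution": ("high", {"Image|endswith": ["rclone.exe"]}),
    "Mass Archive Creation": ("medium", {"CommandLine|contains": [
        ".7z", ".rar", ".zip"]}),
}


def field_matches(event, key, values):
    """Sigma list semantics: any value in the list matches (OR).
    Comparisons are case-insensitive, as Sigma string matching is."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in values:
        v = v.lower()
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False


def evaluate(event):
    """Return [(title, level)] for every rule whose selection matches.
    Every key inside one selection must match (AND)."""
    hits = []
    for title, (level, selection) in RULES.items():
        if all(field_matches(event, k, v) for k, v in selection.items()):
            hits.append((title, level))
    return hits


# Constructed sample events in the shape of Windows 4688 / Sysmon 1 records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": "rclone.exe sync D:\\Engineering remote:"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", evaluate(ev) or "no match")
```

Substring selections such as "lsass" or ".zip" also fire on routine administrative and user activity, so treat the LSASS and archive rules as triage signals to be correlated with the event IDs and network indicators listed above rather than as verdicts on their own.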
Detect Abnormal Admin Logins (KQL)
SecurityEvent
| where EventID == 4624
| where LogonType in (3,10)
| where Account contains "admin"
| summarize count() by Account, Computer, bin(TimeGenerated, 1h)
Detect High Outbound Transfer
CommonSecurityLog
| summarize sum(SentBytes) by SourceIP, bin(TimeGenerated, 1h)
| where sum_SentBytes > 5000000000
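The high-outbound-transfer query above, carried through in Python over constructed CEF firewall lines (the record format behind CommonSecurityLog): parse the extension fields, sum bytes sent per source IP per one-hour bin, and flag any bin over the same 5 GB threshold. This is an added example, not the report's or Advantest's code; it assumes the CEF keys src, out and rt (epoch milliseconds), which map to SourceIP, SentBytes and TimeGenerated, and the log lines are constructed.

```python
"""Hourly outbound-volume spike detection over constructed CEF lines."""
import re
from collections import defaultdict
from datetime import datetime, timezone

THRESHOLD_BYTES = 5_000_000_000  # the 5 GB threshold used in the KQL
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value extension pairs


def parse_cef(line):
    """Return the key=value extension of a CEF line as a dict."""
    parts = line.split("|", 7)  # 7 header fields, then the extension
    return dict(EXT_RE.findall(parts[7])) if len(parts) == 8 else {}


def hour_bin(rt_ms):
    """bin(TimeGenerated, 1h): truncate an epoch-ms timestamp to the hour."""
    ts = datetime.fromtimestamp(int(rt_ms) / 1000, tz=timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0)


def outbound_spikes(lines, threshold=THRESHOLD_BYTES):
    """Sum bytes sent per (source IP, hour); return bins over threshold."""
    totals = defaultdict(int)
    for line in lines:
        ext = parse_cef(line)
        if all(k in ext for k in ("src", "out", "rt")):
            totals[(ext["src"], hour_bin(ext["rt"]))] += int(ext["out"])
    return sorted((src, hour.isoformat(), sent)
                  for (src, hour), sent in totals.items() if sent > threshold)


# Constructed sample lines: three flows from one host in the early hours of
# 20 Feb 2026 UTC (rt values are epoch ms), plus one unrelated host.
SAMPLE_CEF = [
    "CEF:0|Vendor|FW|1.0|100|Traffic|3|rt=1771552800000 src=10.20.5.17 "
    "dst=203.0.113.9 dpt=443 out=3000000000",
    "CEF:0|Vendor|FW|1.0|100|Traffic|3|rt=1771554600000 src=10.20.5.17 "
    "dst=203.0.113.9 dpt=443 out=2400000000",
    "CEF:0|Vendor|FW|1.0|100|Traffic|3|rt=1771557000000 src=10.20.5.17 "
    "dst=203.0.113.9 dpt=443 out=1500000000",
    "CEF:0|Vendor|FW|1.0|100|Traffic|3|rt=1771552800000 src=10.20.7.40 "
    "dst=198.51.100.4 dpt=443 out=200000000",
]

if __name__ == "__main__":
    for src, hour, sent in outbound_spikes(SAMPLE_CEF):
        print(f"{src} sent {sent / 1e9:.1f} GB in the hour starting {hour}")
```

Only the 02:00 bin for 10.20.5.17 is flagged (3.0 GB + 2.4 GB); the 03:00 flow on its own stays under the threshold, which is why the per-hour summation matters more than any single session size.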
Threat Hunting Checklist
Immediately review:
- VPN logs for unusual geolocation logins
- PowerShell logs (Event ID 4104)
- DNS logs for newly registered domains
- NetFlow for data spikes
- EDR telemetry for lateral tool usage
- Prefetch artifacts for rclone, 7z, psexec
- $MFT for bulk file modification
- Backup server access logs
- Domain controller replication anomalies
Defensive Hardening Recommendations
- Enforce phishing-resistant MFA (hardware keys)
- Disable legacy authentication protocols
- Segment engineering networks
- Monitor and block TOR exit nodes
- Restrict outbound traffic by default
- Implement immutable offline backups
- Deploy canary files in sensitive shares
- Use just-in-time privileged access
- Monitor for archive creation over threshold size
- Enable full PowerShell script block logging
Overall Assessment
This intrusion reflects a mature ransomware operation targeting high-value intellectual property environments. The attackers likely:
- Used valid credentials
- Conducted structured reconnaissance
- Staged and exfiltrated sensitive semiconductor data
- Then executed encryption for leverage
Even if systems are restored, the primary long-term risk lies in the potential exposure of proprietary chip testing methodologies and customer design documentation.
