Data Exfiltration and Threat Actor Infrastructure Exposed

Huntress SOC analysts have uncovered sophisticated data exfiltration techniques employed by threat actors. The analysis reveals the use of various tools for data staging, including WinZip, 7Zip, and Windows' native tar.exe. Exfiltration methods observed include the use of finger.exe and backup utilities like restic, BackBlaze, and s5cmd. A specific incident on February 25, 2026, involved INC ransomware deployment, with the threat actor using PSEXEC for privilege escalation and creating a scheduled task to run a malicious PowerShell script. The actor utilized the Restic backup utility, renamed as winupdate.exe, to exfiltrate data. Similar tactics were observed in a previous incident on February 9, suggesting a pattern in the threat actor's methodology.

Pulse ID: 69b3f245c5cf9fd0fee7a16a
Pulse Link: https://otx.alienvault.com/pulse/69b3f245c5cf9fd0fee7a16a
Pulse Author: AlienVault
Created: 2026-03-13 11:17:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #CyberSecurity #ICS #InfoSec #OTX #OpenThreatExchange #PowerShell #PsExec #RAT #RansomWare #Windows #ZIP #bot #AlienVault