Helix, a New Name in the Data Extortion Ecosystem?

Helix, a New Name in the Data Extortion Ecosystem?
ReliaQuest identified Helix, a newly observed data extortion group that uses vishing, device code phishing, MFA abuse, and automated SharePoint exfiltration against multiple targets. Its infrastructure and tradecraft overlap with BlackFile, ShinyHunters, and related successor activity, making the campaign part of a broader fragmented ecosystem. #Helix #BlackFile #ShinyHunters #SharePoint #oskeysynccom

Keypoints

  • ReliaQuest assessed Helix as a previously unreported data extortion group operating a multi-target campaign.
  • The group used vishing, device code phishing, and MFA registration to gain and maintain access without needing passwords.
  • Helix automation focused on SharePoint enumeration and bulk download, enabling rapid exfiltration after initial access.
  • Infrastructure overlap suggests ties to the BlackFile and ShinyHunters ecosystem, including shared registrar and hosting patterns.
  • Helix used target-specific subdomains under oskeysync[.]com and residential proxies geo-matched to victims to blend in.
  • Defensive priorities include disabling device code authentication, restricting SaaS access to managed endpoints, and blocking newly registered domains.
  • ReliaQuest emphasized that the campaign is identity-driven and likely to persist as the broader ecosystem fragments and rebrands.

MITRE Techniques

  • [T1593 ] Search Open Websites/Domains – The actor tailored phishing infrastructure with target-branded subdomains and a registered parent domain to support impersonation (‘registered a target-specific subdomain under the shared oskeysync[.]com parent domain’).
  • [T1598 ] Phishing for Information – The campaign used device code phishing and credential-harvesting subdomains to obtain access (‘initiate a device code phishing flow’ and ‘harvest credentials’).
  • [T1566 ] Phishing – Initial access was obtained through social engineering and impersonation, including vishing-led contact (‘the caller impersonated the target user’s manager’).
  • [T1656 ] Content Injection – The operator inserted a device code into a legitimate authentication flow to capture a session token (‘walked them through entering a device code into Chrome’).
  • [T1110 ] Brute Force – The article does not describe password guessing, but it does describe repeated authentication attempts and token replay-like access patterns; however, this technique is not clearly used and is not included.
  • [T1133 ] External Remote Services – The attacker authenticated into cloud services such as SharePoint using legitimate sessions from unmanaged devices (‘SharePoint access went through’ and ‘authenticated access without ever touching the password’).
  • [T1098 ] Account Manipulation – Persistence was established by registering a new MFA Authenticator app on the compromised account (‘registering a new MFA Authenticator app on the target account’).
  • [T1021 ] Remote Services – The actor used legitimate cloud sessions and residential proxies to maintain remote access to the target environment (‘persistent sessions from residential proxies’).
  • [T1213 ] Data from Information Repositories – The operator enumerated and downloaded SharePoint content (‘issued contentclass:STS_Site and wildcard (*) SharePoint searches to inventory all reachable content’).
  • [T1078 ] Valid Accounts – Access relied on legitimate authenticated sessions and newly registered MFA rather than malware (‘captured a session token’, ‘legitimate MFA registration’).
  • [T1105 ] Ingress Tool Transfer – The campaign used automated tools and scripts from hosted infrastructure to perform collection (‘automated tools enumerate and mass-download SharePoint libraries’).
  • [T1070 ] Indicator Removal on Host – Cleanup included deleting a phishing-awareness notification email (‘deleted a phishing-awareness notification email from the target’s inbox’).

Indicators of Compromise

  • [Domain ] phishing and target-specific credential or device-code infrastructure – oskeysync[.]com, target-specific subdomains
  • [IP address ] exfiltration and SharePoint enumeration host linked to Helix – 179.43.185[.]230, 179.43.185[.]226
  • [Autonomous System / Hosting ] shared hosting provider used in the campaign – AS 51852 (Private Layer INC)
  • [Registrar ] domain registration provider associated with the phishing infrastructure – NICENIC
  • [User-Agent ] automated SharePoint enumeration and download activity – python-requests/2.28.1
  • [URI / Search term ] SharePoint inventory queries used during discovery – contentclass:STS_Site, wildcard (*) SharePoint searches


Read more: https://reliaquest.com/blog/threat-spotlight-helix-new-name-in-data-extortion-ecosystem/