EXOTIC LILY

Threat Actor updated 4 months ago (2024-05-04T18:19:32.545Z)
Exotic Lily is an initial access broker (IAB) that has been active since at least September 2021. It runs highly sophisticated phishing campaigns to gain initial access to organizations and then sells that access to other threat actors, including ransomware groups. A characteristic technique is an email impersonating an employee of a legitimate company. At one point, Exotic Lily was sending upwards of 5,000 emails a day to some 650 targeted organizations worldwide.

The IAB has been linked to the Russia-based Evil Corp and to SocGholish, a loader active since 2018 that has been used by both Evil Corp and Exotic Lily and has also been associated with the Dridex gang's malware operation. In early September 2021, Google's Threat Analysis Group (TAG) observed Exotic Lily exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). This financially motivated threat actor has also shown connections to FIN12, a Russian financially motivated cybercrime group, and to the Conti ransomware group; these connections were further emphasized in a March 2022 report by Google's TAG, which showed ties between Exotic Lily and a ransomware operator dubbed "Space Kook" by Halcyon.

Exotic Lily, which breaks into corporate networks and then sells that access to other criminals, has proven to be a significant cybersecurity threat. Its activities underline the importance of robust security measures and constant vigilance against phishing attempts.
Description last updated: 2024-05-04T18:05:56.119Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following profiles may overlap with this one and are worth reviewing. Each entry lists the profile name, its vote count, and the start of its description.

Conti (2 votes): Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

FIN12 (2 votes): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware

SocGholish (2 votes): SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Ransomware
Phishing
Malware
Source Document References
Information about the EXOTIC LILY threat actor was drawn from the documents below (source, date created, title).

CERT-EU, a year ago: Top 3 Malware Loaders of 2023 that Fueling 80% of Cyber Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU, a year ago: 3 Malware Loaders Detected in 80% of Attacks: Security Firm
CERT-EU, a year ago: Three malware loaders behind 80% of intrusions, researchers find
InfoSecurity-magazine, a year ago: Four in Five Cyber-Attacks Powered by Just Three Malware Loaders
CERT-EU, a year ago: These 3 loaders were behind 80% of intrusions this year
CERT-EU, a year ago: 3 Malware Loaders are Responsible for 80% of Attacks, ReliaQuest Says
CERT-EU, a year ago: The 3 Malware Loaders Behind 80% of Incidents - ReliaQuest
CERT-EU, a year ago: US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU, a year ago: Does it matter if your company is hacked?
MITRE, 2 years ago: Exposing initial access broker with ties to Conti