EXOTIC LILY

Threat Actor updated 7 months ago (2024-05-04T18:19:32.545Z)
Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The group runs highly sophisticated phishing campaigns to gain initial access to organizations and then sells that access to other threat actors, including ransomware groups. A notable example of its modus operandi is an email impersonating an employee of a legitimate company. At one point, Exotic Lily was sending upwards of 5,000 emails a day to some 650 targeted organizations worldwide.

The IAB has been linked to the Russia-based Evil Corp and to SocGholish, a loader active since 2018. In early September 2021, Google's Threat Analysis Group (TAG) observed Exotic Lily exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). This financially motivated threat actor has previously been connected to FIN12, a Russian financially motivated cybercrime group, and to the Conti ransomware group. These connections were further emphasized in a March 2022 report by Google's TAG, which showed ties between Exotic Lily and a ransomware operator dubbed "Space Kook" by Halcyon. SocGholish, linked to Exotic Lily, has been used by both Evil Corp and the IAB since it became active in 2018, and it has also been associated with the Dridex gang's malware operation.

Exotic Lily, which breaks into corporate networks and then sells that access to other criminals, has proven to be a significant cybersecurity threat. Its activity underlines the importance of robust security measures and constant vigilance against phishing attempts.
Description last updated: 2024-05-04T18:05:56.119Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias (votes) - Description

Conti (2 votes) - Conti is a possible alias for EXOTIC LILY. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra

FIN12 (2 votes) - FIN12 is a possible alias for EXOTIC LILY. FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware

SocGholish (2 votes) - SocGholish is a possible alias for EXOTIC LILY. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
Miscellaneous Associations
Other contextual elements that could help in assessing relevance
Ransomware
Phishing
Malware