< ciso
brief />
Tag Banner

All news with #initial access broker tag

22 articles

Mistic backdoor linked to KongTuke access broker

๐Ÿ›ก๏ธ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
read more โ†’

Mistic backdoor tied to initial access broker activity

๐Ÿ” Researchers have uncovered a backdoor named Mistic used in enterprise intrusions since April, linked to an initial access broker that sells footholds to ransomware gangs. The Windows DLL-sideloading malware executes in memory, reaches out to C2 servers, and can move, delete, and transfer files while also enabling credential theft. Symantec observed Mistic alongside ModeloRAT and social engineering chains using fake CAPTCHAs and malicious paste-and-run guidance.
read more โ†’

Malicious Edge extension leverages native messaging

๐Ÿ›ก๏ธ A malicious Microsoft Edge extension named Edgecution was used to bypass the browser sandbox and deploy a Python-based backdoor by abusing the Chrome Native Messaging protocol. Attackers lured victims via fake Microsoft update pages and social engineering on Microsoft Teams, delivering a malformed ZIP with an embedded Python runtime and two components: a headless Edge extension and a native Python backdoor. Zscaler links the activity to an IAB associated with the Payouts Kings ransomware operation and provides IoCs and mitigation recommendations.
read more โ†’

Stealthy Mistic backdoor tied to KongTuke broker

๐Ÿ›ก๏ธ Symantec and Zscaler have detected a new backdoor named Mistic (tracked as MTLBackdoor) used in financially motivated intrusions since April, linked to the initial access broker KongTuke/Woodgnat. The malware was observed in attacks against insurance, education, IT, and professional services organizations and was sometimes deployed after ModeloRAT via social-engineering on Microsoft Teams. Mistic is designed for long-term stealth, side-loading as version.dll from a legitimate executable and running payloads in memory while offering file management, remote command execution, configurable C2 check intervals, and a self-deletion kill switch.
read more โ†’

Search-Your-Target Market for Stolen Credentials

๐Ÿ”Ž Flare analyzed 470 underground forum posts from January 2025 to June 2026 revealing a growing service layer that lets buyers query massive infostealer-derived credential collections for specific companies, platforms, domains, geographies, or account types. These sellers act as brokers, offering search, deduplication, formatting, and targeted delivery of credentials from databases claiming billions of records. Buyer feedback highlights gaps in quality, freshness, and validity, while the market partially overlaps with Initial Access Brokers and amplifies account takeover risks.
read more โ†’

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

๐Ÿ”’Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.
read more โ†’

Tax Search Ads Deliver ScreenConnect EDR Killer Campaign

โš ๏ธ A large-scale malvertising campaign since January 2026 uses Google Ads to deliver rogue installers for ConnectWise ScreenConnect, ultimately installing a BYOVD EDR killer named HwAudKiller that disables security tools. The actor stacks commercial cloaking services (Adspect and JustCloakIt) and abuses a legitimately signed Huawei audio driver to terminate AV processes from kernel mode. Huntress observed over 60 malicious ScreenConnect sessions and multiple RMM backdoors, indicating pre-ransomware or initial access broker behavior.
read more โ†’

Yanluowang Broker Sentenced to 81 Months; Restitution

๐Ÿ”’ A Russian national, 26-year-old Aleksey Olegovich Volkov (aliases "chubaka.kor" and "nets"), was sentenced to 81 months in U.S. federal prison after pleading guilty to acting as an initial access broker for the Yanluowang ransomware operation. Between July 2021 and November 2022 he sold corporate network access to at least eight U.S. companies, enabling affiliates to deploy ransomware and demand payments. The FBI recovered chat logs, stolen data, victim credentials, and evidence of ransom negotiations after seizing a server tied to the gang, and traced Volkov through Apple iCloud, cryptocurrency exchange records, and social media. He was arrested in Italy in January 2024, extradited to the U.S., and ordered to pay over $9.16 million in restitution and forfeit equipment used in the crimes.
read more โ†’

Russian Initial Access Broker Sentenced to 81 Months

๐Ÿ”’ Aleksei Volkov, a Russian initial access broker tied to dozens of ransomware incidents that produced more than $9m in documented victim losses, has been sentenced to 81 months in a US federal prison. He pleaded guilty to offenses including trafficking in access information, access device fraud and aggravated identity theft. Volkov was linked to Yanluowang and other cybercrime groups, and has agreed to pay at least $9.2m in restitution.
read more โ†’

U.S. Sentences Russian Hacker 6.75 Years for Ransomware Role

๐Ÿ”’ Aleksei Olegovich Volkov, a 26-year-old Russian national, was sentenced in the U.S. to 81 months in prison after pleading guilty to facilitating dozens of ransomware attacks as an initial access broker. Authorities say he helped breach networks and sell access to ransomware groups, resulting in over $9 million in actual losses and more than $24 million in intended losses. He was arrested in Italy in January 2024, extradited to the U.S., and agreed to pay restitution and forfeit tools used in the crimes.
read more โ†’

FBI Seeks Help from Gamers Over Steam Malware Campaign

๐Ÿ•ต๏ธ The FBIโ€™s Seattle Division is asking gamers who unintentionally downloaded malware via the Steam platform to assist an ongoing investigation into a campaign active between May 2024 and January 2026. Investigators say several titles โ€” including BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova โ€” have been identified as distribution points and are requesting affected users complete a short questionnaire. The FBI is collecting information on pre- and post-download communications, financial losses, and crypto wallet or bank account details; responses are voluntary, may result in follow-up contact, and victimsโ€™ identities will be kept confidential.
read more โ†’

TA584 Adopts Tsundere Bot to Enable Ransomware Access

๐Ÿ” Proofpoint researchers report that prolific initial access broker TA584 has begun using Tsundere Bot alongside the XWorm RAT to gain footholds that could lead to ransomware. The group ramped up activity in late 2025, expanding beyond North America and the UK to target Germany, other European countries and Australia. Their emails leverage aged compromised accounts delivered via SendGrid and Amazon SES, unique geofenced URLs, redirect chains and obfuscated PowerShell that loads payloads in memory to evade static detection.
read more โ†’

Cybercrime Inc. 2026: Industrialized Threats for CISOs

๐Ÿ”’ Cybercriminals now operate like businessesโ€”highly specialized, service-oriented, and ROI-drivenโ€”using models such as RaaS and initial access brokers to scale attacks. This industrialization, amplified by AI and automation, forces a shift from reactive detection to proactive prevention and identity-first controls. CISOs must prioritize governance, supply-chain resilience, defensive automation, and strategic partnerships to manage risk amid talent and budget shortfalls.
read more โ†’

Jordanian Pleads Guilty to Selling Network Access to Firms

๐Ÿ”’ Feras Khalil Ahmad Albashiti (known online as "r1z") pleaded guilty to selling access credentials to the networks of at least 50 companies. Extradited from Georgia in July 2024, he admitted selling access to an undercover law enforcement officer for cryptocurrency on May 19, 2023. He faces up to 10 years in prison and fines; sentencing is set for May 11, 2026.
read more โ†’

IAB Abuses EDR and Windows Utilities for Stealthy Malware

๐Ÿ”Storm-0249, an initial access broker, is abusing endpoint detection and response (EDR) components and trusted Windows utilities to execute malware stealthily. In one analyzed incident the actor used social engineering to run curl commands that installed a malicious MSI which drops a DLL placed beside the legitimate SentinelAgentWorker.exe, then performs DLL sideloading to run attacker code inside the signed EDR process. Additional payloads are piped into memory via PowerShell from a spoofed domain, avoiding disk-based detection. Researchers recommend behavior-based detection for trusted processes loading unsigned DLLs and stricter controls on curl, PowerShell, and living-off-the-land binaries.
read more โ†’

RomCom Uses SocGholish to Deliver Mythic Agent to US Firms

๐Ÿ”’ Arctic Wolf Labs observed a targeted September 2025 campaign in which the Russia-aligned RomCom group used fake browser-update prompts to deliver the Mythic Agent implant via a classic SocGholish chain. Researchers say this is the first observed instance of RomCom pairing SocGholish initial access with a Mythic C2-based loader. The intrusion was stopped before impact, and Arctic Wolf published IOCs and mitigation guidance.
read more โ†’

Initial Access Broker Pleads Guilty in Yanluowang Case

๐Ÿ”’Aleksey Olegovich Volkov, a 25-year-old Russian accused of acting as an initial access broker, is set to plead guilty in a federal case tied to the Yanluowang ransomware group. Prosecutors say he sold administrator credentials to operators and received over $256,000, while victims paid ransoms up to $1 million. Investigators traced Bitcoin flows to wallets Volkov verified with identity documents, and his plea includes more than $9 million in restitution.
read more โ†’

Yanluowang Broker Pleads Guilty to Ransomware Access

๐Ÿ”’ Aleksey Olegovich Volkov, a Russian national who used aliases including chubaka.kor and nets, has agreed to plead guilty to acting as an initial access broker for the Yanluowang ransomware group. Between July 2021 and November 2022 he sold credentials that enabled intrusions at eight U.S. companies and facilitated ransom demands ranging from $300,000 to $15 million. FBI warrants seized server logs, stolen data, chat histories and iCloud records linking Volkov to the scheme and to partial Bitcoin payments. He faces up to 53 years in prison and must pay more than $9.1 million in restitution.
read more โ†’

Yanluowang Access Broker Pleads Guilty in Ransomware Case

๐Ÿ”’ A Russian national has pleaded guilty to acting as an initial access broker for the Yanluowang ransomware group, admitting to selling corporate network access used in attacks on at least eight U.S. companies between July 2021 and November 2022. FBI searches of a server tied to the operation recovered chat logs, stolen files, and victim credentials that linked payments and access to the defendant. Investigators traced the suspect through Apple iCloud data, cryptocurrency exchange records, and social media accounts, and blockchain analysis tied portions of ransom payments to addresses he provided. He faces decades in prison and more than $9.1 million in restitution.
read more โ†’

China-linked Hackers Reuse Legacy Flaws to Backdoor Targets

๐Ÿ” Symantec and Carbon Black attributed a midโ€‘April 2025 intrusion to a China-linked threat cluster that targeted a U.S. nonprofit engaged in influencing policy, using mass scanning and multiple legacy exploits (including CVE-2021-44228, CVE-2017-9805, and Atlassian flaws) to gain initial access. The intruders established stealthy persistence via scheduled tasks that invoked legitimate binaries (msbuild.exe, csc.exe), injected code to reach a C2 at 38.180.83[.]166, and sideloaded a DLL through a Vipre component to run an in-memory RAT. Researchers linked the loader to China-aligned clusters such as Salt Typhoon and warned of broader reuse of legacy vulnerabilities and IIS/ASP.NET misconfigurations for long-term backdoors.
read more โ†’