Intel 471

Targeted Phishing Linked to 'The Com' Surges in the US, the UK, and Canada

A persistent social engineering threat faced by enterprises involves attackers trying to obtain login credentials for identity and access management (IAM), cloud resources, or single sign-on (SSO)-enabled systems.

Bulletproof Hosting: A Critical Cybercriminal Service

Bulletproof hosting (BPH) providers operate in a complex and persistent manner, making it challenging for defenders to permanently shut them down. Blocking BPH providers can effectively disrupt malicious activities early in the kill chain.

Bumblebee Loader Resurfaces in New Campaign

Bumblebee, a loader used by ransomware threat actors, has recently resurfaced with new distribution techniques and updates to make it more resilient and harder to disrupt.

Countering the Problem of Credential Theft

While law enforcement action against Genesis resulted in the seizure of at least 10 clearnet domains, its Tor site is still running, and its administrators have indicated they will set up new infrastructure.
September 7, 2022

Conti vs. Monti: A Reinvention or Just a Simple Rebranding?

Monti's entry point is very similar to that of Conti. As such, Monti could be a rebrand of Conti or simply a new ransomware variant that has been developed using the leaked source code of Conti.
August 11, 2022

Using cybercrime as cover: How Conti operators are lying low

Having previously managed a variety of underground side businesses, actors associated with Conti have either branched out as independent contractors or small syndicates, using skills and/or schemes previously used to support Conti’s operations.

Why cybercriminals are flocking to Telegram

Among the cybercriminal groups Intel 471 has observed, Telegram is the preferred method of anonymous communication, as opposed to in-forum messaging services monitored by administrators.

Cybercriminals are Using Messaging Apps to Launch Infostealer Malware Schemes

Security researchers at Intel 471 have discovered several freely downloadable information stealers that rely on Discord or Telegram for their functionality.

Conti and Emotet: A constantly destructive duo

Intel 471 assesses with high confidence that Emotet malware operators’ spam targets will enter a pool of potential Conti victims, and that Conti ransomware operators likely rely heavily on Emotet to find their current victims.

Defend Against Threats with Cyber Fusion

Cyware is the leading provider of cyber fusion solutions that power threat intelligence sharing, end-to-end automation and 360-degree threat response.
