Recently, researchers observed a month-long AvosLocker campaign with an expanded arsenal. The campaign was using multiple legitimate and malicious tools to facilitate its attacks.

About the attack

Researchers from Cisco Talos have found a new campaign by AvosLocker hunting for exposed networks. The attackers have used several different tools, such as Cobalt Strike, Sliver, and several commercially available network scanners.
  • In this incident, the attackers targeted an ESXi server exposed on the internet over VMWare Horizon UAG by exploiting the Log4Shell flaw.
  • During the initial phases, the attackers followed various techniques to gain a foothold on the victim's network. 
  • Moreover, several other payloads and tools were observed on endpoints, along with LoLBins.

Used tools 

  • The attackers used WMI Provider Host on a Windows Server that was the initial point of access to execute an encoded PowerShell script with the DownloadString method on February 11.
  • Three days later, researchers detected RuntimeBrokerService[.]exe for creating a file called watcher[.]exe. These files appear to be related to a cryptocurrency miner instead of AvosLocker.
  • Four weeks later, another encoded PowerShell command was executed using the DownloadString method.
  • Two days later, the attacker executed more PowerShell scripts to download and run the Sliver payload. Further, the scripts download Mimikatz and Cobalt Strike beacon. 

Moreover, the AvosLocker group has used SoftPerfect Network Scanner (transferred via AnyDesk to another server) and PDQ Deploy (a software deployment tool) as legitimate tools during its attacks.


The AvosLocker ransomware group is expanding its arsenal with more legitimate and malicious tools. The recent campaign has displayed the importance of applying updates and patches regularly. Additionally, it is advised to use a reliable anti-malware solution with regular monitoring to stay protected.

Cyware Publisher