Intel Name: Another Confluence bites the dust: falling to ELPACO-team ransomware
Date of Scan: May 19, 2025
Impact: High
Summary: The threat actor initially exploited CVE-2023-22527 on a public-facing Confluence server to achieve remote code execution. They then followed a repeatable command sequence (installing AnyDesk, creating admin accounts, and enabling RDP), which indicates automation or a playbook. Credential theft tools including Mimikatz, ProcessHacker, and Secretsdump were used. Roughly 62 hours after initial exploitation, the attackers deployed ELPACO-team ransomware (a Mimic variant); no major data exfiltration was detected.