Intel Name: Blurring the lines: intrusion shows connection with three major ransomware gangs
Date of Scan: September 9, 2025
Impact: High
Summary: The intrusion began in September 2024 with a malicious EarthTime installer that deployed SectopRAT, which then connected to its C2 server. Persistence was established by relocating the dropped file and adding a shortcut to the Startup folder, followed by the creation of a local admin account. The actor then deployed SystemBC, accessed the host via RDP, ran discovery commands, and performed a DCSync attack. Lateral movement used RDP and PsExec; SystemBC was executed with SYSTEM privileges, and domain enumeration followed.