Intel Name: Fake Zoom Ends in BlackSuit Ransomware
Date of Scan: April 1, 2025
Impact: High
Summary: The threat actor gained initial access through a fake Zoom installer, which deployed d3f@ckloader and IDAT loader to drop SectopRAT. Nine days later, SectopRAT delivered Cobalt Strike and Brute Ratel, which the attacker used for lateral movement over remote services and RDP. To proxy the RDP connections they used QDoor, a malware with proxy capabilities. They archived files with WinRAR, uploaded the archives to the cloud storage SaaS app Bublup, and finally executed BlackSuit ransomware across all Windows systems using PsExec.
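The chain above leaves three log artifacts a defender can hunt for without any sample of the malware: PsExec registers its service (Service Control Manager event 7045 installing PSEXESVC), RDP lateral movement shows up as Security event 4624 with logon type 10, and WinRAR staging is a 4688 process creation of rar.exe or WinRAR.exe with the "a" (add) command. The Python below is an added example written for this page, not code from the report; it runs those three rules over constructed Windows event records and adds a fan-out rule that fires when PsExec lands on several hosts, the pattern of the final ransomware push. Event field names follow the Windows Security and System log schema; the hostnames, users, addresses and paths in SAMPLE_EVENTS are invented for the example and are not indicators from the incident.

```python
"""Triage constructed Windows event records for the TTPs in the summary:
PsExec service installs (7045), RDP logons (4624, logon type 10), WinRAR
archive creation (4688) and PsExec fan-out across hosts.  All sample data
is constructed for this example; nothing here is from the incident."""

import shlex
from dataclasses import dataclass, field
from ntpath import basename  # handles Windows backslash paths on any OS


@dataclass(frozen=True)
class Event:
    event_id: int
    host: str
    fields: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def detect_psexec_install(ev):
    """PsExec copies PSEXESVC.exe to ADMIN$ and registers it as a service,
    which the Service Control Manager records as event 7045."""
    if ev.event_id != 7045:
        return None
    name = ev.fields.get("ServiceName", "")
    image = ev.fields.get("ImagePath", "")
    # Match on either the service name or the dropped binary's file name.
    if name.upper() == "PSEXESVC" or basename(image).lower() == "psexesvc.exe":
        return Finding("psexec_service_install", ev.host, f"{name} -> {image}")
    return None


def detect_rdp_logon(ev):
    """Logon type 10 (RemoteInteractive) is an RDP session."""
    if ev.event_id != 4624 or ev.fields.get("LogonType") != "10":
        return None
    who = ev.fields.get("TargetUserName", "?")
    src = ev.fields.get("IpAddress", "?")
    return Finding("rdp_logon", ev.host, f"{who} from {src}")


def detect_winrar_staging(ev):
    """rar.exe / WinRAR.exe with the 'a' command creates an archive; that is
    the staging step that preceded the upload to Bublup.  Extraction ('x')
    and plain GUI launches are ignored."""
    if ev.event_id != 4688:
        return None
    image = basename(ev.fields.get("NewProcessName", "")).lower()
    if image not in ("rar.exe", "winrar.exe"):
        return None
    # posix=False keeps backslashes literal and treats a quoted path as one token.
    argv = shlex.split(ev.fields.get("CommandLine", ""), posix=False)
    if len(argv) >= 2 and argv[1].lower() == "a":
        return Finding("winrar_staging", ev.host, " ".join(argv[1:]))
    return None


RULES = (detect_psexec_install, detect_rdp_logon, detect_winrar_staging)


def triage(events, fanout_threshold=3):
    """Apply each per-event rule, then flag PsExec reaching many hosts
    (the threshold is an assumption; tune it to the environment)."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    psexec_hosts = sorted({f.host for f in findings if f.rule == "psexec_service_install"})
    if len(psexec_hosts) >= fanout_threshold:
        findings.append(Finding("psexec_fanout", "*", ", ".join(psexec_hosts)))
    return findings


# Constructed sample events: one benign network logon, one RDP logon, one
# archive creation, one benign extraction, PsExec on three hosts, one benign
# service install.
SAMPLE_EVENTS = [
    Event(4624, "SRV-FILE01", {"LogonType": "3", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.20"}),
    Event(4624, "SRV-FILE01", {"LogonType": "10", "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"}),
    Event(4688, "SRV-FILE01", {"NewProcessName": r"C:\Program Files\WinRAR\Rar.exe",
                               "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r C:\Users\Public\finance.rar F:\Shares\Finance'}),
    Event(4688, "SRV-FILE01", {"NewProcessName": r"C:\Program Files\WinRAR\WinRAR.exe",
                               "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\jdoe\Downloads\update.rar'}),
    Event(7045, "WS-01", {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(7045, "WS-02", {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(7045, "WS-03", {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(7045, "WS-04", {"ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.host:12} {f.detail}")
```

The 4688 rule only works if "Include command line in process creation events" is enabled (or an EDR/Sysmon event 1 supplies the command line); without it the WinRAR check degrades to image name only. The fan-out rule is the one most worth keeping: a single PSEXESVC install is routine admin noise in many estates, but the same service appearing on many hosts within a short window is how the encryption stage announced itself here.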