September 2024 intrusion tooling analysis of SectopRAT, SystemBC, and Betruger
Technical Analysis
Summary
Researchers reconstructed a September 2024 intrusion that used SectopRAT, SystemBC, and Betruger to support persistence, discovery, credential theft, and data exfiltration. The analysis shows how the operator assembled a ransomware-ready workflow without ever launching file-encrypting malware, increasing visibility into the pre-ransomware tradecraft used by the actor. The toolchain also links the intrusion to multiple RaaS ecosystems, including Play, RansomHub, and DragonForce.
Related Happenings
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...
Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data
Malware Activity
First: 22.01.2026 20:00
Last: 22.01.2026 20:00
Sources 1
About this happening:
Researchers disclosed **Osiris**, a **new ransomware family** that hit a **major food service franchisee operator in Southeast Asia** in **November 2025**, showing an active intru...
RaaS ecosystem analysis shows automation and tooling now drive group success
Threat Actor Meta
First: 04.11.2025 23:31
Last: 04.11.2025 23:31
Sources 1
About this happening:
Research on **ransomware-as-a-service (RaaS)** now ties the strongest group performance to **automation**, **customization**, and **advanced tooling**, increasing **enterprise ext...
Qilin ransomware-as-a-service affiliate model and revenue-sharing ecosystem
Threat Actor Meta
First: 07.10.2025 20:15
Last: 07.10.2025 20:15
Sources 1
About this happening:
Qilin's **ransomware-as-a-service** model is expanding extortion reach by selling **tools and infrastructure** to affiliates and taking a **15–20%** cut of ransom payments. That a...
Timeline
- 09.09.2025 13:36 · 2 articles
September 2024 intrusion analysis links SectopRAT, SystemBC, and Betruger to Play, RansomHub, and DragonForce
Technical Analysis Update
A September 2024 intrusion against an unnamed victim environment used a malicious DeskSoft EarthTime lure to deploy SectopRAT, then moved through persistence, creation of a new local administrator account, SystemBC proxy tunnelling, RDP-based lateral movement, and reconnaissance with AdFind, SharpHound, SoftPerfect NetScan, PowerShell, and built-in Windows utilities. The operator also used PsExec, Grixba, credential theft from Veeam-related systems, Microsoft Defender tampering, DCSync, and FTP exfiltration. The toolset and artifacts linked the activity to the Play, RansomHub, and DragonForce ransomware ecosystems, and no file-encrypting malware was executed during the intrusion.
Sources
- Threat Actor Connected to Play, RansomHub and DragonForce Ransomware Operations — www.securityweek.com — 09.09.2025 13:36