Find notable cyber news and cases, enriched with sources, timelines, and signals.

September 2024 intrusion tooling analysis of SectopRAT, SystemBC, and Betruger

Technical Analysis
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

Researchers reconstructed a September 2024 intrusion that used SectopRAT, SystemBC, and Betruger to support persistence, discovery, credential theft, and data exfiltration. The analysis shows how the operator assembled a ransomware-ready workflow without ever launching file-encrypting malware, increasing visibility into the pre-ransomware tradecraft used by the actor. The toolchain also links the intrusion to multiple RaaS ecosystems, including Play, RansomHub, and DragonForce.

Related Happenings

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score57 First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
H score38 First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
H score37 First: 28.01.2026 13:40 Last: 28.01.2026 13:40 Sources 1

About this happening: **Mustang Panda** is running new **2026** espionage activity against the **Indian government** and **hydropower** targets, using **Zoho WorkDrive** as a command-and-control and ex...

Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data

Malware Activity
H score41 First: 22.01.2026 20:00 Last: 22.01.2026 20:00 Sources 1

About this happening: Researchers disclosed **Osiris**, a **new ransomware family** that hit a **major food service franchisee operator in Southeast Asia** in **November 2025**, showing an active intru...

RaaS ecosystem analysis shows automation and tooling now drive group success

Threat Actor Meta
H score25 First: 04.11.2025 23:31 Last: 04.11.2025 23:31 Sources 1

About this happening: Research on **ransomware-as-a-service (RaaS)** now ties the strongest group performance to **automation**, **customization**, and **advanced tooling**, increasing **enterprise ext...

Timeline

  1. 09.09.2025 13:36 2 articles · 10mo ago

    September 2024 intrusion analysis links SectopRAT, SystemBC, and Betruger to Play, RansomHub, and DragonForce

    Technical Analysis Update

    A September 2024 intrusion against an unnamed victim environment used a malicious DeskSoft EarthTime lure to deploy SectopRAT, then moved through persistence, a new local administrator account, SystemBC proxy tunnelling, RDP-based lateral movement, and reconnaissance with AdFind, SharpHound, SoftPerfect NetScan, PowerShell, and Windows utilities. The operator also used PsExec, Grixba, credential theft from Veeam-related systems, Microsoft Defender tampering, DCSync, and FTP exfiltration, while the toolset and artifacts linked the activity to Play, RansomHub, and DragonForce ransomware ecosystems and showed that no file-encrypting malware was executed.

    Show sources