Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover
released on 2024-04-26 @ 08:45:50 AM
The Securonix Threat Research team observed a malicious campaign deploying SSLoad malware alongside Cobalt Strike implants and ScreenConnect RMM software, enabling the threat actors to infiltrate systems, gather sensitive data, and ultimately take over the victim's entire Windows domain. The initial infection vector was a phishing email containing a link to a JavaScript file that kicked off a multi-stage payload deployment. Once inside, the attackers were able to install RMM software, move laterally, extract credentials, and create a malicious domain admin account, compromising the organization's infrastructure.
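The final stage of the chain described above, creating a new account and placing it in a privileged group, is also one of the most visible from a defender's standpoint because Windows logs both steps. The following is an added example, not code from the Securonix report or from the campaign's tooling: it correlates an account-creation event (Security event ID 4720) with a subsequent addition of that same account to a privileged group (event IDs 4728, 4732 or 4756, the real IDs for global, local and universal group membership changes) within a short window. The event records are constructed sample data with simplified field names; a real deployment would read them from the Security log or a SIEM.

```python
from datetime import datetime, timedelta

# Windows Security event IDs (real values):
#   4720 - a user account was created
#   4728 - member added to a security-enabled global group (e.g. Domain Admins)
#   4732 - member added to a security-enabled local group (e.g. Administrators)
#   4756 - member added to a security-enabled universal group (e.g. Enterprise Admins)
ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample events (not taken from the report). Field names are a
# simplified stand-in for the Security log's SubjectUserName / TargetUserName /
# TargetGroupName fields.
SAMPLE_EVENTS = [
    {"time": "2024-04-20T10:01:00", "id": 4720, "subject": "CORP\\jdoe",
     "target": "CORP\\svc-backup2", "group": None},
    {"time": "2024-04-20T10:03:30", "id": 4728, "subject": "CORP\\jdoe",
     "target": "CORP\\svc-backup2", "group": "Domain Admins"},
    {"time": "2024-04-20T11:00:00", "id": 4720, "subject": "CORP\\hr-admin",
     "target": "CORP\\newhire01", "group": None},
    {"time": "2024-04-21T09:00:00", "id": 4728, "subject": "CORP\\it-admin",
     "target": "CORP\\alice", "group": "Domain Admins"},
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(stamp)


def privileged_group_additions(events, groups=PRIVILEGED_GROUPS):
    """Return every event that adds a member to one of the privileged groups.

    This alone is worth alerting on in most environments; membership of
    Domain Admins should change rarely and through a known process.
    """
    return [e for e in events if e["id"] in GROUP_ADD_EVENTS and e["group"] in groups]


def new_accounts_granted_privilege(events, window=timedelta(hours=1)):
    """Pair account-creation events with a privileged-group addition of the
    same account that happens within `window` after creation.

    Returns a list of (created_event, add_event) tuples. A brand-new account
    that becomes a domain admin minutes after creation is the pattern the
    campaign summary describes and is far more specific than either event alone.
    """
    created = {}
    for e in sorted(events, key=lambda ev: parse_time(ev["time"])):
        if e["id"] == ACCOUNT_CREATED:
            created[e["target"]] = e  # keep the latest creation per account

    pairs = []
    for add in privileged_group_additions(events):
        creation = created.get(add["target"])
        if creation is None:
            continue
        delta = parse_time(add["time"]) - parse_time(creation["time"])
        # Only count additions that follow the creation, inside the window.
        if timedelta(0) <= delta <= window:
            pairs.append((creation, add))
    return pairs


if __name__ == "__main__":
    for add in privileged_group_additions(SAMPLE_EVENTS):
        print(f"[INFO] {add['subject']} added {add['target']} to {add['group']} at {add['time']}")
    for creation, add in new_accounts_granted_privilege(SAMPLE_EVENTS):
        print(f"[ALERT] new account {add['target']} (created {creation['time']} by "
              f"{creation['subject']}) added to {add['group']} at {add['time']}")
```

On the sample data the first function reports both Domain Admins additions, while the correlation narrows the result to the `svc-backup2` account that was created and promoted within a few minutes; the window is a tunable parameter, and shrinking it trades recall for precision.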