IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

released on 2024-06-10 @ 11:03:36 AM
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT, for credential access and lateral movement. Over eight days, the adversary methodically moved across the network, collecting data before ultimately deploying ALPHV ransomware on multiple hosts.