Introduction
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021. [2]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1566.003 Spearphishing via Service
- T1585.001 Social Media Accounts
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
- T1566.002 Spearphishing Link
- T1204.002 Malicious File
- T1585.002 Email Accounts
- T1102 Web Service
- T1594 Search Victim-Owned Websites
- T1204.001 Malicious Link
- T1597 Search Closed Sources
- T1583.001 Domains
- T1593.001 Social Media
- T1589.002 Email Addresses
- T1608.001 Upload Malware
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Xploit
- Archelaus Beta
MITRE ATT&CK Software
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack. MITRE ATT&CK.
[2] Google EXOTIC LILY March 2022. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.