jordiserrano.meClickFixKAIROSIntelTracker
Panel de inteligencia » BushidoUK ToolMatrix CommunityReports: CR-021-DRAGONFORCE-APR-2025

BushidoUK ToolMatrix CommunityReports: CR-021-DRAGONFORCE-APR-2025

Report 3 min lectura bushidouk
Fecha
18 Jun 2026
Actor
bushidouk
Tipo
Report
Pais
United States
Sector
Defense
Confianza
high
100
Prioridad analitica
Alta

Basado en actor, pais, IOCs, TTPs, filtracion y calidad de contexto.

16IOCs
0TTPs
bushidoukActor
United StatesPais
Executive Summary
Recurso del BushidoUK Ransomware Tool Matrix - CommunityReports.

Key Points

  • Source: CommunityReports/CR-021-DRAGONFORCE-APR-2025.md
  • BushidoUK Tool Matrix

CommunityReports: CR-021-DRAGONFORCE-APR-2025.md

Recurso del BushidoUK Ransomware Tool Matrix - CommunityReports.

Community Report Template 021 - DragonForce April 2025

Contributor Details

- Real Name: N/A

- Online Handle / Links to profiles: Discord ap_2600

- Employer: Private, DFIR role

- Affiliations: Curated Intelligence, Ransom-ISAC

---

Adversary

- Named adversary: DragonForce

---

Incident Details

- Time of Incident: April 2025

- Victim Country: UK

- Victim Size: 10-50

---

Observed Tools

| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |

|---|---|---|---|---|---|---|---|

| | SimpleHelp | KslD.sys (BYOVD) | Get-VeeamCreds.ps1 | Cobalt Strike | | PowerShell (-EncodedCommand) | Restic |

| | AnyDesk | Windows Defender Real-time Protection disabled | | | | | AWS S3 bucket (wasabisys) |

---

Indicators of Compromise (IOCs)

``

File IOCs (MD5):

- AnyDesk.exe 871eb4b8aefaea1113dd3f08b7cb535c

- SimpleService.exe 73c6073e23de262b60104cccaa56f4f7

- elev_win.exe 8ffac369064a72a36a120c856f502e5d

- KslD.sys eec4e720725b4bfc8568d889d64066ee

- winupdate.exe (Restic) 782ea34eb952fe6d73d7a21e172ac291

IP Addresses:

- 179[.]60.146.40 - Threat Actor C2 (NL), hostname "WIN-VHVV7IAS6MH" - Cobalt Strike

- 91[.]191.209.110 - Threat Actor AnyDesk origin (Sofia, BG), hostname "WIN-4GBGHJII4DG"

Filenames / Paths:

- C:\PerfLogs\win.exe (ransomware encryptor)

- C:\PerfLogs\AnyDesk.exe

- C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe

- C:\Users\admin\AppData\Roaming\AnyDesk\ad.trace

- C:\Users\Public\Documents\new.txt (exfil file list)

- C:\windows\system32\winupdate.exe (renamed Restic)

- system32\drivers\wd\KslD.sys (driver for evasion)

Ransomware Note:

- Filename: readme.txt

- Leak blog (TOR): http://z3wqngtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

- Negotiation portal (TOR): http://3pktcrcbmssvrnwe5skburdwe2h3v6lbdnn5kbjqihsg6eu6s6b7ryqd.onion

Notable Commands:

- powershell.exe -EncodedCommand (GetVeeamCreds, DPAPI Unprotect of Veeam SQL creds)

- winupdate.exe init (Restic init against S3 wasabisys)

`

---

#### Any Related Sources

| Date Published | Report |

|---|---|

| 28 January 2025 | https://www.bleepingcomputer.com/news/security/hackers-exploiting-flaws-in-simplehelp-rmm-to-breach-networks/ |

| 30 October 2025 | https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks/ |

| N/A | https://github.com/sadshade/veeam-creds/tree/main |

| N/A | https://www.huntress.com/blog/using-backup-utilities-for-data-exfiltration |

---

#### Summary Diagram

`mermaid

flowchart TD;

A[DragonForce] -->|target| B(Geo: UK

Size: 10-50 Employees);

B --> C{Tools};

C -->|RMM Tools| E[SimpleHelp, AnyDesk];

C -->|Defense Evasion| F[KslD.sys driver, Defender disable];

C -->|Credential Theft| G[Get-VeeamCreds.ps1, DPAPI];

C -->|OffSec| H[Cobalt Strike];

C -->|LOLBAS| J[PowerShell -EncodedCommand];

C -->|Exfiltration| K[Restic to AWS S3 / Wasabi];

``

Referencias

Diamond Model

Adversary
bushidouk
Ver perfil →
Victim
BushidoUK ToolMatrix CommunityReports: CR-021-DRAGONFORCE-APR-2025
United States
Capability
Report
Filtracion: 4 GB
Infrastructure
z3wqngtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
3pktcrcbmssvrnwe5skburdwe2h3v6lbdnn5kbjqihsg6eu6s6b7ryqd.onion
www.bleepingcomputer.com
zensec.co.uk

Relations

Mapa de nodos relacionados por IOCs compartidos, actor, enlaces IntelTracker/OSINT, campanas y victimas observadas. Haz click en un nodo para abrir el post, filtro o fuente.

21 enlaces
Domain
github.com
IOC compartido
Domain
www.huntress.com
IOC compartido
Domain
www.bleepingcomputer.com
IOC compartido
File
powershell.exe
IOC compartido
File
readme.txt
IOC compartido
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
IntelTracker / OSINT link
github.com
bushidouk
enlace asociado al actor
Nodo actual
BushidoUK ToolMatrix CommunityReports: CR-021-DRAGONFORCE-APR-2025
bushidouk · United States
Victima
BushidoUK ToolMatrix CommunityReports: CR-010-AKIRA-AUG-2025
powershell.exe www.huntress.com
IOC compartido
Victima
BushidoUK ToolMatrix CommunityReports: CR-023-DRAGONFORCE-AUG-2024
powershell.exe github.com
IOC compartido
Victima
BushidoUK ToolMatrix ThreatIntel: ExtraThreatIntel
www.huntress.com
IOC compartido
Victima
BushidoUK ToolMatrix GroupProfiles: INC_Ransom
www.huntress.com
IOC compartido
Victima
BushidoUK ToolMatrix CommunityReports: CR-009-AKIRA-AUG-2025
www.huntress.com
IOC compartido
Victima
BushidoUK ToolMatrix CommunityReports: CR-011-CrazyHunter-March-2025
github.com
IOC compartido
Victima
APTTrail: APT BABYSHARK indicators and references
github.com www.huntress.com
IOC compartido
Victima
APTTrail: apt-c-12 indicators and references
github.com
IOC compartido
Victima mismo actor
BushidoUK ToolMatrix Tools: AllTools
18 Jun 2026
mismo actor
Victima mismo actor
BushidoUK ToolMatrix Tools: CredentialTheft
18 Jun 2026
mismo actor
Victima mismo actor
BushidoUK ToolMatrix Tools: DefenseEvasion
18 Jun 2026
mismo actor
Victima mismo actor
BushidoUK ToolMatrix Tools: DiscoveryEnum
18 Jun 2026
mismo actor
Victima mismo actor
BushidoUK ToolMatrix Tools: Exfiltration
18 Jun 2026
mismo actor

Indicadores de Compromiso (IOCs)

TipoValorContextoOSINT
File KslD.sys Artefacto observado VT OffSec SOCRadar
File Get-VeeamCreds.ps1 Artefacto observado VT OffSec SOCRadar
File AnyDesk.exe Artefacto observado VT OffSec SOCRadar
File SimpleService.exe Artefacto observado VT OffSec SOCRadar
File elev_win.exe Artefacto observado VT OffSec SOCRadar
File winupdate.exe Artefacto observado VT OffSec SOCRadar
File win.exe Artefacto observado VT OffSec SOCRadar
File new.txt Artefacto observado VT OffSec SOCRadar
File readme.txt Artefacto observado VT OffSec SOCRadar
File powershell.exe Artefacto observado VT OffSec SOCRadar
Domain z3wqngtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Extraido del contenido VT OffSec SOCRadar
Domain 3pktcrcbmssvrnwe5skburdwe2h3v6lbdnn5kbjqihsg6eu6s6b7ryqd.onion Extraido del contenido VT OffSec SOCRadar
Domain www.bleepingcomputer.com Extraido del contenido VT OffSec SOCRadar
Domain zensec.co.uk Extraido del contenido VT OffSec SOCRadar
Domain github.com Extraido del contenido VT OffSec SOCRadar
Domain www.huntress.com Extraido del contenido VT OffSec SOCRadar

Referencias y enlaces

→ Perfil del actor bushidouk en el blog → Ver bushidouk en IntelTracker → Fuente OSINT: github.com→ Fuente OSINT: github.com → Buscar bushidouk en APTTrail → Repositorio APTTrail → Mas incidentes en United States → Buscar en Google News → Analizar en VirusTotal → Feed RSS del blog
← Volver al panel de inteligencia

Incidentes recientes

June 2026 Stealer Logs18 Jun 2026 · breach CFGI18 Jun 2026 · breach Berkadia18 Jun 2026 · breach Infinite Campus18 Jun 2026 · breach Horizon Family Medical Group18 Jun 2026 · incransom www.wolfconstruction.net18 Jun 2026 · lynx Amazon owned OneMedical.com18 Jun 2026 · shinyhunters NAIC.org18 Jun 2026 · shinyhunters