Experts told about the initial access broker Exotic Lily, whose services are used by Conti


Experts from Google Threat Analysis Group told about a group called Exotic Lily, engaged in hacking organizations and selling access to their networks.

The main method used by the group to gain access to the networks of the attacked organizations is targeted phishing. Every day, attackers send out about 5 thousand emails directing victims to domains under their control that are very similar to legitimate ones (for example, users they are sent to ).

Phishers impersonate fictional personalities, and recently began to take data from business information search services like RocketReach and CrunchBase and impersonate real people. In addition, they use legitimate file-sharing sites, including TransferNow, TransferXL, WeTransfer and OneDrive, to transfer payload to victims bypassing security solutions.

Exotic Lily’s clients are Russian cybercrime groups Fin12 (aka Wizard Spider), Conti and Diavol.

The group seems to maintain a high level of work-life balance, as its activity is typical for a working day from 9:00 to 17:00 in Eastern and Central Europe, with little activity on weekends.

Although Exotic Lily is closely associated with cyber-extortion groups, it is a separate organization, and its sphere of interests is limited only to initial access. Others are engaged in the deployment of extortionate software.

Start a discussion …