Russia subjected to intrusions with LockBit 3.0, Babuk ransomware

In a pair of intrusions that were part of the attack campaign, Crypto Ghouls gained initial access using a VPN and a contractor's login credentials, then exploited NSSM and Localtonet for remote access, according to a report from Kaspersky. Crypto Ghouls then facilitated additional malicious activity by delivering the XenAllPasswordPro, Mimikatz, MiniDump, PingCastle, PAExec, and AnyDesk tools, as well as the CobInt backdoor, dumper.ps1, and cmd.exe.

Source: SC Magazine

 

