EXOTIC LILY
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and the deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group was observed exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation led researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, such as spoofing companies and employees as a means of gaining the trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally, and rather uniquely, they leverage legitimate file-sharing services such as WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEBEE and BAZARLOADER, further evading detection mechanisms. This level of human interaction is rather unusual for cyber crime groups focused on mass-scale operations.
Techniques Used (15)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1102 | Web Service | - |
| T1203 | Exploitation for Client Execution | - |
| T1204.001 | Malicious Link | - |
| T1204.002 | Malicious File | - |
| T1566.001 | Spearphishing Attachment | - |
| T1566.002 | Spearphishing Link | - |
| T1566.003 | Spearphishing via Service | - |
| T1583.001 | Domains | - |
| T1585.001 | Social Media Accounts | - |
| T1585.002 | Email Accounts | - |
| T1589.002 | Email Addresses | - |
| T1593.001 | Social Media | - |
| T1594 | Search Victim-Owned Websites | - |
| T1597 | Search Closed Sources | - |
| T1608.001 | Upload Malware | - |
Aliases (105)
Malware Used (2)
Metadata
| ID: | 363 |
| Created: | 13/01/2026 17:48 |
| Updated: | 07/03/2026 04:00 |