Simplicity as a Weapon for Stealth and Persistence

In recent years, cyber threat actors have increasingly shifted away from the development of complex, custom-built malware, opting instead for a more subtle and strategic approach that leverages legitimate tools already present within target environments. This significant change reflects a growing preference for “living off the land” tactics—techniques that exploit built-in features of operating systems and widely available offensive security frameworks to maintain access, escalate privileges, and exfiltrate sensitive data while leaving a minimal footprint. Such methods present numerous advantages: they effectively bypass many traditional defenses, substantially reduce the risk of detection, and enhance the operational longevity of intrusions.

The persistent attacks uncovered by Cisco Talos that specifically target organizations in Japan serve as a prime example of this evolution in tactics. In this presentation, we will delve into the discovered campaign and examine the techniques employed by the attackers to effectively mask their presence and evade conventional detection methods. Alongside the disclosure of the attackers’ campaign, we will also discuss our discovery of a pre-configured installer script located on the command and control (C2) server. This script is designed to deploy a comprehensive suite of adversarial tools and frameworks, including Blue-Lotus, BeEF, and Viper C2, all hosted on an Alibaba Cloud Container Registry. This finding highlights the alarming potential for the misuse of such publicly available tools by the attackers.

Talos observed the attackers’ attempts to steal the victim’s machine credentials during this campaign. However, we assess with moderate confidence that the attackers’ motives extend beyond mere credential harvesting, based on our observations of other post-exploitation activities. These activities include establishing persistence, escalating privileges to SYSTEM level, and gaining potential access to adversarial frameworks, all of which indicate a strong likelihood of future attacks.

We conclude the presentation with a few suggestions to the audience. As adversaries are increasingly favoring simplicity over complexity in their approaches, it is more crucial than ever for organizations to adhere to fundamental security practices—such as regular patching, vigilant monitoring, and effective segmentation—which are vital defenses. Additionally, maintaining continuous readiness for the rapid exploitation of public CVEs is essential in combating these evolving threats.

Chetan Raghuprasad – Cisco Talos

Chetan Raghuprasad is a Cyber Threat Research Engineering Technical Leader with Cisco Talos, where he focuses on investigating the latest developments in the global cyber threat landscape. In his role, Chetan analyses emerging threats to uncover adversary tactics, techniques, and procedures, identifying their motives and origins to produce actionable intelligence. He is deeply involved in disseminating this strategic, operational, and tactical intelligence to counter modern cyber risks. As a recognized subject matter expert, Chetan also publicly represents Cisco Talos by authoring official blogs and speaking at major cybersecurity conferences worldwide. With 17 years of dedicated experience in the information security sector, Chetan has cultivated deep expertise in Threat Intelligence, Digital Forensics, and Cyber Incident Response. His extensive background includes key roles in financial institutions, a forensic consulting firm, and leading technology companies.