
285 Million Drift Hack Traced To Six
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
🔍 Detection Strategies · attack.mitre.org/detectionstrategies

| Detection strategy | What to monitor and correlate | Mapping to the Drift incident |
| --- | --- | --- |
| Detection of Data Destruction Across Platforms | Monitor for mass file overwrite and deletion operations across platforms. Flag bulk DeleteObject/DeleteBucket API calls, mass resource deletion in Azure activity logs, VSS deletion, MBR modifications, and large-scale SMB share removals. Correlate with process behavior and endpoint telemetry. | 31 rapid vault withdrawals executed within ~12 minutes on April 1 |
| Behavior-chain detection for T1610 Deploy Container | Detect remote or API-driven container creation with non-allow-listed images or risky runtime attributes (--privileged, host PID/NET namespaces, sensitive mounts). Correlate create → start → first network/process actions within a short time window. | Automated bot infrastructure for 63,000+ wallet fund dispersion |
| Compromised software/update chain | Detect tampered application or update delivery: an installer writes or replaces binaries, then on first run spawns scripts or unsigned DLLs and beacons to non-approved hosts. Correlate installer process → file metadata changes → first-run child anomalies → unexpected outbound connections. | Malicious code repo shared by UNC4736 for vault frontend deployment |
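The table names two rule shapes without showing how either is evaluated. The following Python is an added example, not code from this page, from MITRE or from the Drift investigation: a sliding-window burst rule for the mass-deletion / rapid-withdrawal row, and an ordered behaviour-chain rule for the container row (the same chain engine fits the installer → file change → child process → outbound sequence of the third row; only the predicates differ). Event field names, the image allow-list, thresholds and windows are assumptions, and every event is constructed inline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2025, 4, 1, 12, 0, 0)  # constructed reference time for the samples


def ev(offset_s, action, **fields):
    """Build one constructed event `offset_s` seconds after T0."""
    return {"ts": T0 + timedelta(seconds=offset_s), "action": action, **fields}


def burst_alerts(events, action_prefix, key_field, threshold, window):
    """Sliding-window burst rule: fire once per entity (the key_field value)
    when at least `threshold` events whose action starts with `action_prefix`
    fall inside `window`. Returns (key, count, first_ts, last_ts) tuples."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["action"].startswith(action_prefix):
            continue
        q = recent[e[key_field]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # evict timestamps outside the window
            q.popleft()
        if len(q) >= threshold and e[key_field] not in fired:
            fired.add(e[key_field])
            alerts.append((e[key_field], len(q), q[0], e["ts"]))
    return alerts


def chain_alerts(events, steps, key_field, window):
    """Ordered behaviour chain: per entity, match steps[0], then steps[1], ...
    on successive events; fire when the last step lands within `window` of
    the step-0 event. `steps` is a list of (label, predicate) pairs."""
    progress, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = e.get(key_field)
        if key is None:
            continue
        idx, first_ts = progress.get(key, (0, None))
        if first_ts is not None and e["ts"] - first_ts > window:
            idx, first_ts = 0, None          # chain timed out: start over
        if idx < len(steps) and steps[idx][1](e):
            if first_ts is None:
                first_ts = e["ts"]
            idx += 1
            if idx == len(steps):
                alerts.append((key, [s[0] for s in steps], first_ts, e["ts"]))
                idx, first_ts = 0, None      # reset so a later chain is seen too
        progress[key] = (idx, first_ts)
    return alerts


# --- container row: "risky create" predicate and the create -> start -> net chain
ALLOWED_IMAGES = {"registry.internal/app:1.4"}        # assumed allow-list
RISKY_FLAGS = {"privileged", "host_pid", "host_net"}   # --privileged, host namespaces
SENSITIVE_MOUNTS = ("/var/run/docker.sock", "/etc", "/proc", "/")


def risky_create(e):
    if e["action"] != "container.create":
        return False
    return (e.get("image") not in ALLOWED_IMAGES
            or bool(RISKY_FLAGS & set(e.get("flags", ())))
            or any(m in SENSITIVE_MOUNTS for m in e.get("mounts", ())))


CONTAINER_STEPS = [("create", risky_create),
                   ("start", lambda e: e["action"] == "container.start"),
                   ("net", lambda e: e["action"] == "net.connect")]

# Constructed samples. c1: unknown image + --privileged, beacons 9 s after create.
# c2: allow-listed, no risky attributes. c3: docker.sock mounted but started an
# hour later, i.e. outside the correlation window.
CONTAINER_EVENTS = [
    ev(0, "container.create", container="c1", image="ghcr.io/x/miner:latest", flags=["privileged"]),
    ev(3, "container.start", container="c1"),
    ev(9, "net.connect", container="c1", dst="203.0.113.7:443"),
    ev(1, "container.create", container="c2", image="registry.internal/app:1.4", flags=[]),
    ev(2, "container.start", container="c2"),
    ev(4, "net.connect", container="c2", dst="10.0.0.5:5432"),
    ev(10, "container.create", container="c3", image="registry.internal/app:1.4", mounts=["/var/run/docker.sock"]),
    ev(3610, "container.start", container="c3"),
    ev(3612, "net.connect", container="c3", dst="198.51.100.9:8080"),
]

# Constructed S3-style API log: ci-deploy removes 6 objects in 25 s, alice removes 2.
DELETE_EVENTS = (
    [ev(5 * i, "DeleteObject", principal="ci-deploy", bucket="prod-assets") for i in range(6)]
    + [ev(100, "DeleteObject", principal="alice", bucket="scratch"),
       ev(400, "DeleteObject", principal="alice", bucket="scratch"),
       ev(200, "GetObject", principal="ci-deploy", bucket="prod-assets")])

# Constructed on-chain style log: 31 withdrawals, one every 20 s, from one principal.
VAULT_EVENTS = [ev(20 * i, "vault.withdraw", principal="drain-bot", vault="usdc-main") for i in range(31)]


def run_demo():
    """Evaluate all three rules on the samples; thresholds/windows are assumptions."""
    return {
        "deletes": burst_alerts(DELETE_EVENTS, "Delete", "principal", 5, timedelta(seconds=60)),
        "vault": burst_alerts(VAULT_EVENTS, "vault.withdraw", "principal", 31, timedelta(minutes=12)),
        "containers": chain_alerts(CONTAINER_EVENTS, CONTAINER_STEPS, "container", timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for rule, hits in run_demo().items():
        print(rule, hits)
```

Both rules are stateful per entity, so they are cheap to run inside a stream processor, and the chain rule keys on the container (or installer) identity rather than on the host so that concurrent benign containers on the same node do not satisfy steps for each other.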