Threat ID: TL-2026-0099 | Severity: HIGH | Status: ACTIVE
Actors: LockBit, BianLian, Black Basta, Conti/TrickBot | Motivation: FINANCIAL
Attribution Confidence: HIGH
MITRE Techniques: 28 | Detections: 9 | Sectors: Enterprise, Healthcare, Financial, Manufacturing
Ransomware-as-a-service operations have systematically shifted from dedicated malicious servers to legitimate hosting infrastructure for command-and-control. LockBit affiliates responsible for approximately 1,700 US attacks and $91 million in documented ransoms operated across bulletproof hosting providers, compromised VPS panels, and cloud platforms simultaneously -- making C2 traffic indistinguishable from legitimate customer workloads. Operation Cronos seized 34 servers across multiple jurisdictions in February 2024, yet LockBit resumed operations within days.
We dug into five documented hosting abuse strategies, mapped 28 MITRE ATT&CK techniques, and built production-ready detections targeting Cobalt Strike beacon patterns, reverse proxy tunneling, and hosting panel credential abuse.
CISA Cybersecurity Advisory AA24-131A documenting Black Basta ransomware gang tactics, techniques, and command-and-control infrastructure indicators.
Executive Summary
- What: Ransomware groups systematically abuse legitimate hosting providers, bulletproof hosting services, and cloud platforms for stealthy C2 operations, rendering IP reputation-based defenses ineffective
- Who: LockBit (1,700 US attacks, $91M ransoms), Black Basta (500+ victims), BianLian (custom Go backdoors, Ngrok/Rsocks), Conti/TrickBot (dedicated infrastructure procurement teams)
- Impact: Multi-sector targeting across enterprise, healthcare, financial, manufacturing, legal, and government organizations; infrastructure replacement outpaces law enforcement takedowns
- Status: Actively exploited; Operation Cronos (Feb 2024) and ZServers sanctions (Feb 2025) disrupted but did not eliminate the pattern
- Detection: 9 production-ready detections available on Threadlinqs Intelligence
Timeline
| Date | Event |
|---|---|
| 2020-01-05 | LockBit ransomware first observed targeting US organizations |
| 2022-02-27 | Conti group leaks reveal dedicated infrastructure procurement teams and VPS rotation playbooks |
| 2022-04-01 | Black Basta emerges using Cobalt Strike on legitimate hosting; linked to FIN7 |
| 2022-06-01 | BianLian begins operations with custom Go backdoors; adopts Ngrok and Rsocks tunneling |
| 2023-06-14 | CISA/FBI publish LockBit advisory AA23-165a documenting 1,700 US attacks, $91M ransoms |
| 2024-02-20 | Operation Cronos: international takedown seizes 34 LockBit servers across multiple jurisdictions |
| 2024-06-01 | Operation Morpheus disrupts 593 malicious Cobalt Strike servers across 27 countries |
| 2024-11-08 | CISA updates Black Basta advisory AA24-131a documenting Teams-based social engineering |
| 2024-11-20 | CISA updates BianLian advisory AA23-136a documenting Rsocks and Ngrok C2 patterns |
| 2025-01-01 | Black Basta posts final victim; internal chat logs leak in March 2025 |
| 2025-02-01 | US, UK, Australia sanction ZServers bulletproof hosting; Dutch police seize 127 servers |
Technical Analysis
Traditional C2 infrastructure relied on attacker-owned servers with static IPs, making blocklisting effective. That model is gone. Modern RaaS operations have evolved what researchers term "living off the infrastructure" -- five distinct strategies that exploit the trust inherent in legitimate hosting.
Five Hosting Abuse Strategies
1. Bulletproof Hosting. Services operating from weak-enforcement jurisdictions that tolerate malicious activity. Procured via Russian-language cybercrime forums, these providers ignore abuse complaints and resist law enforcement requests. ZServers, a Russia-based provider sanctioned by the US, UK, and Australia in February 2025, supplied LockBit with attack infrastructure. Dutch police subsequently seized 127 ZServers servers.
2. Compromised Hosting Panels. Stolen credentials grant access to VMmanager, cPanel, and Plesk management panels, enabling rapid VM provisioning on legitimate hosting accounts. The infrastructure appears to belong to legitimate customers, and abuse investigations target the compromised account holder rather than the attacker.
3. Legitimate Cloud Abuse. Accounts created on AWS, Azure, GCP, and DigitalOcean using stolen identities and cryptocurrency payment. C2 traffic routes through cloud provider IP ranges that no enterprise can broadly block without disrupting legitimate services.
4. Reverse Proxy and Tunneling. BianLian documented extensive use of Ngrok and modified Rsocks (SOCKS5) proxies to relay C2 through legitimate tunnel infrastructure. Cloudflare Tunnels provide similar capability. The C2 traffic terminates at the tunnel provider's IP, not the attacker's.
5. C2 Frameworks on Legitimate Hosting. Cobalt Strike, Brute Ratel, Sliver, and Havoc deployed on commodity VPS instances with domain fronting and malleable C2 profiles. Operation Morpheus disrupted 593 malicious Cobalt Strike servers across 27 countries in 2024, contributing to an 80% reduction in unauthorized use. The operators just moved to Sliver and Havoc.
Why IP Reputation Fails
```text
Traditional Model:  Attacker Server (static IP)  ← Blocklist effective
                                  ↓
Living off Infra:   [Legitimate CDN]  ← [Domain Fronting] ← Cobalt Strike
                    [Ngrok Tunnel]    ← [SOCKS5 Proxy]    ← BianLian C2
                    [AWS/Azure VPS]   ← [Stolen Identity] ← LockBit Beacon
                                  ↓
                    Cannot blocklist without blocking legitimate services
```
IP reputation is dead here. The defensive model must shift to behavioral analysis: beacon periodicity, TLS certificate anomalies, DNS patterns, and data transfer volume analysis.
Attack Chain
- Infrastructure Procurement -- Affiliate acquires VPS via bulletproof hosting, compromised panel credentials, or stolen-identity cloud account; Cobalt Strike team server deployed within hours
- Initial Access -- Phishing with spearphishing links (T1566.002) or exploitation of external remote services (T1133) delivers the initial beacon
- Command and Control -- Cobalt Strike beacon calls back over HTTPS (T1071.001) with domain fronting through legitimate CDNs; BianLian uses Ngrok tunneling (T1572)
- Credential Access -- LSASS memory dumping (T1003.001) via Mimikatz, enabled by EDR disabling (T1562.001)
- Lateral Movement -- RDP (T1021.001) and network service discovery (T1046) across the victim network
- Exfiltration -- RClone or cloud CLI tools stage data to attacker-controlled cloud storage (T1567); double-extortion pressure
- Impact -- Ransomware deployment encrypts critical systems (T1486); C2 infrastructure rotated within hours of detection
Threat Actor Profiles
LockBit
The most prolific ransomware operation until Operation Cronos. CISA Advisory AA23-165a documents approximately 1,700 US attacks and $91 million in collected ransoms. LockBit ran a sophisticated affiliate model with dedicated infrastructure procurement. The February 2024 takedown seized 34 servers, but the group spun back up within days using backup infrastructure. What caught our attention was the February 2025 sanctions against ZServers -- targeting the hosting supplier rather than the operators themselves signals a shift in law enforcement strategy.
Black Basta
Emerged in April 2022, rapidly accumulating over 500 victims per CISA Advisory AA24-131a. Strong links to the FIN7 threat group based on shared EDR evasion modules and overlapping C2 IP addresses. Cobalt Strike was the primary post-exploitation framework, deployed on legitimate hosting. Black Basta posted its last victim in January 2025; internal chat logs leaked in March 2025 exposed operational details.
BianLian
Operates custom Go-based backdoors with documented Ngrok and modified Rsocks (SOCKS5) tunneling for C2. CISA Advisory AA23-136a details the group's shift from encryption-based ransomware to pure data exfiltration and extortion, reducing infrastructure requirements while maintaining revenue.
Conti / TrickBot Ecosystem
The 2022 Conti leaks revealed dedicated infrastructure procurement teams managing VPS rotation, bulletproof hosting relationships, and payment laundering. Every RaaS crew since has borrowed from this playbook. Conti's infrastructure docs effectively wrote the manual for "living off the infrastructure" -- the methodology now standard across successor groups.
Detection
Threadlinqs Intelligence provides 9 production-ready detection rules targeting the infrastructure abuse patterns documented across these campaigns. Static IPs are useless here. Detection focuses on behavioral indicators -- beacon timing, certificate anomalies, traffic asymmetry.
Splunk SPL
Catching Cobalt Strike beacon callbacks in Splunk -- this targets periodic HTTPS connections with consistent intervals, JA3/JA3S fingerprint anomalies, and the asymmetric request/response sizes that give beacons away.
```spl
(index=zeek sourcetype=bro:ssl:json) OR (index=pan_traffic sourcetype=pan:traffic)
| where dest_port=443 OR dest_port=8443 OR dest_port=80
| sort 0 _time
| streamstats current=f last(_time) as prev_time by src_ip, dest_ip, dest_port
| where isnotnull(prev_time)
| eval beacon_interval=round((_time - prev_time), 0)
| stats count dc(beacon_interval) as interval_variance
        avg(beacon_interval) as avg_interval
        stdev(beacon_interval) as interval_stdev
        values(ja3) as ja3_hashes
        sum(bytes_out) as total_out sum(bytes_in) as total_in
    by src_ip, dest_ip, dest_port
| eval jitter_pct=round((interval_stdev/avg_interval)*100, 2)
| where count > 50 AND avg_interval >= 60 AND avg_interval <= 300
    AND jitter_pct < 15
    AND total_out < total_in*0.1
| table src_ip dest_ip dest_port count avg_interval jitter_pct
        ja3_hashes total_out total_in
```
Low jitter percentage (under 15%) combined with consistent callback intervals between 60-300 seconds and asymmetric traffic volumes (small requests, larger responses) are strong Cobalt Strike beacon indicators. Our analysis found that the 60-second default sleep timer is still the most common configuration across LockBit affiliates as of February 2026 -- most operators never bother to change it.
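As an added example that is not part of the original report, the same beacon heuristic (more than 50 connections, 60-300 s mean interval, under 15% jitter, outbound bytes under 10% of inbound) applied in Python to constructed Zeek-style connection records. The record layout and both sample series are assumptions built for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed Zeek-style connection records (assumed field layout, not a real capture):
# (timestamp, src_ip, dest_ip, dest_port, bytes_out, bytes_in)
def make_beacon_records(n=60, sleep=60, jitter=0.05,
                        src="10.0.0.5", dst="203.0.113.10"):
    """Constructed beacon series: fixed sleep with small alternating jitter,
    tiny check-in requests and larger tasking responses."""
    recs, t = [], 1_700_000_000.0
    for i in range(n):
        t += sleep * (1 + jitter * (1 if i % 2 else -1))
        recs.append((t, src, dst, 443, 310, 4200))
    return recs

def make_browsing_records(n=55, src="10.0.0.5", dst="198.51.100.20"):
    """Constructed interactive HTTPS use: irregular gaps, bulky uploads mixed in."""
    gaps = [5, 90, 400, 12, 30]
    recs, t = [], 1_700_000_000.0
    for i in range(n):
        t += gaps[i % len(gaps)]
        out_b = 50_000 if i % 4 == 0 else 900     # occasional form posts / uploads
        recs.append((t, src, dst, 443, out_b, 12_000))
    return recs

def score_flows(records, min_count=50, min_interval=60, max_interval=300,
                max_jitter_pct=15.0, max_out_ratio=0.1):
    """Group by (src, dst, port) and apply the report's beacon thresholds:
    >50 connections, 60-300 s mean interval, <15% jitter, bytes_out < 10% of bytes_in."""
    flows = defaultdict(list)
    for ts, src, dst, port, out_b, in_b in records:
        flows[(src, dst, port)].append((ts, out_b, in_b))
    hits = []
    for key, rows in flows.items():
        rows.sort()
        if len(rows) <= min_count:
            continue
        intervals = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        avg = statistics.mean(intervals)
        sd = statistics.stdev(intervals)            # sample stdev, like Splunk stdev()
        jitter_pct = (sd / avg) * 100 if avg else float("inf")
        total_out = sum(r[1] for r in rows)
        total_in = sum(r[2] for r in rows)
        if (min_interval <= avg <= max_interval and jitter_pct < max_jitter_pct
                and total_out < total_in * max_out_ratio):
            hits.append({"key": key, "count": len(rows), "avg_interval": round(avg, 1),
                         "jitter_pct": round(jitter_pct, 2),
                         "total_out": total_out, "total_in": total_in})
    return hits

if __name__ == "__main__":
    for hit in score_flows(make_beacon_records() + make_browsing_records()):
        print("possible beacon:", hit)
```

The browsing series passes the connection-count gate but fails on jitter and byte asymmetry, which is the point of combining the three conditions rather than alerting on volume alone.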
Microsoft KQL
Hunting for Ngrok, Cloudflare Tunnel, and SOCKS5 reverse proxy execution -- the relay tools BianLian and other groups use to bounce their C2 traffic through legitimate infrastructure.

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("ngrok.exe", "ngrok", "cloudflared.exe",
                      "cloudflared", "rsocks", "3proxy", "microsocks")
    or ProcessCommandLine has_any(
        "ngrok", "cloudflared tunnel", "socks5",
        "--proxy-type socks5", "tunnel --no-autoupdate")
| extend ToolCategory = case(
    FileName has "ngrok", "Ngrok Tunnel",
    FileName has "cloudflared", "Cloudflare Tunnel",
    ProcessCommandLine has "socks5", "SOCKS5 Proxy",
    "Unknown Proxy Tool")
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine, ToolCategory,
          InitiatingProcessFileName
| sort by Timestamp desc
```
Any execution of these tunneling tools outside authorized development or zero-trust deployments warrants immediate investigation.
Sigma
This one flags rapid deployment of multiple offensive tools on a newly provisioned VM -- a pattern consistent with ransomware staging infrastructure. We observed this staging pattern repeatedly across LockBit affiliate infrastructure during our analysis.

```yaml
title: Multi-Tool Deployment on Fresh VM (Ransomware Staging)
id: 9b2d4e7a-1c3f-5a8b-6d0e-f2a4b6c8d0e2
status: experimental
description: >
    Detects deployment of multiple offensive tools (Cobalt Strike,
    Mimikatz, network scanners, RClone, proxy tools) within 24 hours
    of VM creation. Consistent with ransomware C2 staging.
references:
    - https://intel.threadlinqs.com/#TL-2026-0099
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.resource_development
    - attack.t1608.001
    - attack.t1588.002
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        - Image|endswith:
            - '\cobaltstrike.exe'
            - '\beacon.exe'
            - '\mimikatz.exe'
            - '\rclone.exe'
            - '\nmap.exe'
            - '\advanced_ip_scanner.exe'
            - '\ngrok.exe'
            - '\3proxy.exe'
            - '\chisel.exe'
        - CommandLine|contains:
            - 'Invoke-Mimikatz'
            - 'Invoke-Rubeus'
            - 'SharpHound'
            - 'rclone copy'
            - 'rclone sync'
    condition: selection_tools
falsepositives:
    - Authorized penetration testing engagements
    - Security training environments
level: critical
```
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| Pattern | HTTPS callbacks at 60-300s intervals, <15% jitter | Cobalt Strike beacon periodicity |
| Pattern | JA3 hash inconsistent with declared TLS client | Malleable C2 profile fingerprint |
| Domain | .tcp.ngrok.io, .ngrok-free.app | Ngrok tunnel C2 relay |
| Domain | .trycloudflare.com | Cloudflare Tunnel abuse |
| Pattern | SOCKS5 handshake (0x05) on non-standard ports | Rsocks/3proxy C2 relay |
| Pattern | DNS queries to domains registered <30 days | Infrastructure procurement indicator |
Behavioral Indicators
- Burst VM creation (5+ instances within 1 hour) on hosting panels
- Cobalt Strike, Brute Ratel, or Sliver binaries on servers provisioned within 7 days
- RClone or cloud CLI transferring >1GB from newly provisioned VMs
- Hosting panel logins from new geolocations or Tor exit nodes followed by rapid provisioning
- Asymmetric HTTPS traffic: small outbound requests, larger inbound responses on consistent intervals
- DNS resolution patterns matching domain generation algorithms (DGA)
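As an added example that is not part of the original report, the two hosting-panel indicators above (burst VM creation of 5+ instances within an hour, and provisioning shortly after a login from a new geolocation or a Tor exit) implemented over a constructed panel audit log. The key=value log format, the account baseline and the sample entries are assumptions, not any vendor's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hosting-panel audit log (assumed generic key=value format, not a real vendor's)
AUDIT_LOG = """\
2026-02-10T02:50:00Z login account=acme ip=192.0.2.10 country=NL tor=no
2026-02-10T03:00:00Z vm.create account=acme ip=192.0.2.10 vm=web-01
2026-02-10T03:12:00Z login account=acme ip=198.51.100.7 country=RU tor=no
2026-02-10T03:13:00Z vm.create account=acme ip=198.51.100.7 vm=c2-01
2026-02-10T03:20:00Z vm.create account=acme ip=198.51.100.7 vm=c2-02
2026-02-10T03:27:00Z vm.create account=acme ip=198.51.100.7 vm=c2-03
2026-02-10T03:34:00Z vm.create account=acme ip=198.51.100.7 vm=c2-04
2026-02-10T03:41:00Z vm.create account=acme ip=198.51.100.7 vm=c2-05
2026-02-11T09:00:00Z login account=bakery ip=203.0.113.5 country=DE tor=yes
2026-02-11T09:05:00Z vm.create account=bakery ip=203.0.113.5 vm=shop-02
"""
# Constructed baseline: countries each account has previously logged in from
BASELINE = {"acme": {"NL"}, "bakery": {"DE"}}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse(log):
    """Parse audit lines into dicts sorted by time; lines that don't match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(p.split("=", 1) for p in m["kv"].split())
        fields["event"] = m["event"]
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, baseline, burst=5, window=timedelta(hours=1)):
    """Rule 1: `burst` or more vm.create events per account inside `window`.
    Rule 2: a vm.create within `window` of a login from a new country or a Tor exit."""
    alerts, pending_login, creates = [], {}, defaultdict(list)
    for e in events:
        acct = e["account"]
        if e["event"] == "login":
            new_geo = e.get("country") not in baseline.get(acct, set())
            if new_geo or e.get("tor") == "yes":
                pending_login[acct] = e["ts"]
        elif e["event"] == "vm.create":
            creates[acct] = [t for t in creates[acct] if e["ts"] - t <= window] + [e["ts"]]
            if len(creates[acct]) == burst:          # fire once as the threshold is crossed
                alerts.append((acct, "burst_vm_creation", e["ts"]))
            login_ts = pending_login.get(acct)
            if login_ts is not None and e["ts"] - login_ts <= window:
                alerts.append((acct, "provision_after_anomalous_login", e["ts"]))
                pending_login.pop(acct)              # one alert per anomalous login
    return alerts

if __name__ == "__main__":
    for acct, rule, ts in detect(parse(AUDIT_LOG), BASELINE):
        print(f"{ts:%Y-%m-%d %H:%M} {acct}: {rule}")
```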
Tool Indicators
| Type | Indicator | Context |
|---|---|---|
| Tool | Cobalt Strike 4.x | Primary C2 framework across LockBit, Black Basta |
| Tool | Brute Ratel C4 | Alternative C2 framework with EDR evasion |
| Tool | Sliver / Havoc | Open-source C2 alternatives post-Operation Morpheus |
| Tool | Ngrok | BianLian reverse tunnel C2 relay |
| Tool | RClone | Data exfiltration staging to cloud storage |
| Tool | Mimikatz | LSASS credential dumping |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Resource Development | Acquire Infrastructure: VPS | T1583.003 | VPS procurement via bulletproof hosting or stolen identities |
| Resource Development | Acquire Infrastructure: Server | T1583.004 | Dedicated server acquisition for high-throughput C2 |
| Resource Development | Compromise Infrastructure: Server | T1584.004 | Hosting panel credential compromise for VM provisioning |
| Resource Development | Obtain Capabilities: Tool | T1588.002 | Cobalt Strike, Brute Ratel, Sliver acquisition |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | Beacon deployment on newly provisioned infrastructure |
| Initial Access | Valid Accounts | T1078 | Compromised hosting panel credentials |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Initial victim access via phishing campaigns |
| Execution | PowerShell | T1059.001 | Post-exploitation command execution |
| Persistence | External Remote Services | T1133 | VPN and RDP persistence mechanisms |
| Command and Control | Web Protocols | T1071.001 | HTTPS-based Cobalt Strike beacons |
| Command and Control | Protocol Tunneling | T1572 | Ngrok, Cloudflare Tunnel C2 relay |
| Command and Control | External Proxy | T1090.002 | SOCKS5 proxy chains (Rsocks, 3proxy) |
| Command and Control | Encrypted Channel | T1573.002 | TLS-encrypted C2 with custom certificates |
| Defense Evasion | Disable Security Tools | T1562.001 | EDR disabling before ransomware deployment |
| Defense Evasion | Traffic Signaling | T1205 | Beacon sleep/jitter configuration |
| Credential Access | LSASS Memory | T1003.001 | Mimikatz credential dumping |
| Lateral Movement | Remote Desktop Protocol | T1021.001 | RDP for lateral movement across victim networks |
| Exfiltration | Exfiltration Over Web Service | T1567 | RClone to attacker-controlled cloud storage |
| Impact | Data Encrypted for Impact | T1486 | Ransomware encryption of critical systems |
Full MITRE ATT&CK mapping with 28 techniques: View coverage on Threadlinqs
TL-2026-0099 threat intelligence overview on Threadlinqs — ransomware C2 infrastructure analysis with 9/9 detection coverage and shared IOC indicators.
Recommendations
- Deploy behavioral C2 detection rather than relying on IP blocklists -- monitor for beacon periodicity (60-300s intervals, low jitter), TLS certificate anomalies, and asymmetric traffic patterns
- Block or alert on tunneling tools including Ngrok, Cloudflare Tunnel, and SOCKS5 proxy utilities unless explicitly authorized for development use
- Implement JA3/JA3S fingerprinting on network perimeters to identify Cobalt Strike malleable C2 profiles masquerading as legitimate browsers
- Monitor hosting panel access for anomalous logins (new geolocations, Tor exit nodes) followed by burst VM creation
- Enforce MFA on all remote access including VPN, RDP, and hosting management panels -- compromised credentials remain the primary initial access vector across these campaigns
References
- CISA Advisory AA23-165a: LockBit -- CISA/FBI, 2023
- CISA Advisory AA23-136a: BianLian -- CISA/FBI, Updated November 2024
- CISA Advisory AA24-131a: Black Basta -- CISA/FBI, Updated November 2024
- Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware -- The DFIR Report, 2025
- Cobalt Strike Team Servers: The Great Ransomware Enabler -- ReliaQuest
- US Sanctions LockBit's Bulletproof Hosting Provider -- BleepingComputer, 2025
- Lessons from Black Basta's Collapse -- Barracuda, 2026
- MITRE ATT&CK T1583.003: Virtual Private Server -- MITRE
- MITRE ATT&CK T1071.001: Web Protocols -- MITRE
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0099.