Security Experts:

Connect with us

Hi, what are you looking for?



Google Analyzes Activity of ‘Exotic Lily’ Initial Access Broker

Google on Thursday published an analysis of the activities associated with an initial access broker (IAB) linked to a Russian-speaking cybercrime group tracked as FIN12 and Wizard Spider.

Google on Thursday published an analysis of the activities associated with an initial access broker (IAB) linked to a Russian-speaking cybercrime group tracked as FIN12 and Wizard Spider.

Specialized in compromising targets to provide access to other threat actors, the activities of this financially motivated group, which Google tracks as Exotic Lily, are closely tied to data exfiltration and the deployment of ransomware such as Conti and Diavol, and show some overlaps with BazarLoader and TrickBot distribution.

At the peak of its activity, Exotic Lily was likely sending over 5,000 phishing emails a day, targeting roughly 650 organizations globally, mainly focused on the cybersecurity, healthcare, and IT sectors.

The group employs tactics, techniques and procedures (TTPs) typically associated with more targeted attacks – including the spoofing of companies and employees – and uses file-sharing services for payload delivery, to evade detection mechanisms.

Google’s Threat Analysis Group (TAG) has been tracking Exotic Lily since September 2021 – when the hackers were observed targeting CVE-2021-40444, a zero-day vulnerability in Microsoft MSHTML – and says that the group’s attack chain has remained relatively consistent.

[ READ: BlackBerry Researchers Dive Into Prometheus TDS Operations ]

What makes Exotic Lily stand out is the use of domain and identity spoofing: the group creates entirely fake personas to pose as employees of a real company – paired with social media profiles, personal websites, and an AI-generated profile picture.

The group then starts sending spear-phishing emails using spoofed email accounts, and even attempts to schedule a meeting with the target, under the pretext of a business proposal. At the final stage, a payload hosted on a public file-sharing service is sent to the victim.

The payload is sent using a built-in email notification feature, “allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email,” Google explains.

Exotic Lily, the researchers note, is running human-operated phishing at scale, likely from a Central or Eastern European time zone, typically working from 9-to-5 during weekdays, with little activity on weekends.

[ READ: Enterprises Warned of Growing Risk Posed by Initial Access Brokers ]

Initially relying on CVE-2021-40444 exploits, the group has switched to the use of ISO files containing BazarLoader DLLs and LNK shortcuts. The samples appear to have been custom built for this group only.

In attacks observed this month, the group employed ISO files with a DLL containing a custom loader dubbed Bumblebee, which Google identified as “a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation.”

Despite a close connection with FIN12, “Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,” Google concludes.

Related: Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations

Related: Conti Ransomware Source Code Leaked

Related: After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...