A recently identified post-exploitation framework offered as a service appears to be operated by former affiliates of the LockBit ransomware, cybersecurity company Cyfirma reports.
Dubbed Exfiltrator-22 or EX-22, the tool was created using the leaked source code of other post-exploitation frameworks, and uses the same command-and-control (C&C) infrastructure as LockBit 3.0.
The malicious tool appears to have been created by skilled developers with knowledge of anti-analysis and defense evasion techniques, who are employing an aggressive marketing strategy, claiming that their solution is fully undetectable.
Exfiltrator-22’s operators, Cyfirma says, are likely operating from Asia and are interested in building their own affiliation program, using a subscription-based payment model: the malware is offered at $1,000 for a month, or $5,000 for lifetime access.
Customers are provided with access to a login panel for the Ex22 server, which is hosted on a bulletproof virtual private server, from where they can remotely control the malware and collect information from the infected devices, update malware configuration, deploy new versions of the tool, and create new campaigns.
“By keeping their operations centralized on a remote server, [the threat actors] can make it more difficult for security researchers to analyze and identify the source of the malware,” Cyfirma says.
Capabilities provided by Exfiltrator-22 include an elevated reverse shell, file download and upload, keylogger, file encryption (ransomware), live connection to the infected device, elevation of privilege, persistence, lateral movement, LSASS credential dumping, hashing, viewing a list of running processes, and exfiltration of authentication tokens.
The framework can bypass User Access Control (UAC), can create scheduled tasks, and allows attackers to check group memberships for the existing user and to select the payload to be executed on the target machine.
The threat actor likely completed the framework’s development in November 2022 and started advertising it on a newly created Telegram channel in early December. However, the malware developer continued to work on the tool, and has made several announcements of a new feature being added.
Cyfirma has discovered that the malware developers abuse Akamai’s content delivery network (CDN) to host Exfiltrator-22’s C&C infrastructure and believes that they likely employ an obfuscation plugin for Tor and domain fronting to hide Tor traffic in legitimate HTTPS connections.
While digging deeper into the framework, Cyfirma discovered that it uses the same domain fronting technique and C&C infrastructure as a LockBit 3.0 sample.
“It can be concluded with high confidence that the threat actors who created EX-22 are highly sophisticated threat actors that are likely to continue to increase the evasiveness of the malware. With continuous improvements and support, EX-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates,” Cyfirma concludes.
Related: New ‘Alchimist’ Attack Framework Targets Windows, Linux, macOS
Related: Intezer Documents Powerful ‘Lightning Framework’ Linux Malware
Related: ‘IceApple’ Post-Exploitation Framework Created for Long-Running Operations

More from Ionut Arghire
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
Latest News
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Ferrari Says Ransomware Attack Exposed Customer Data
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
