Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New ‘Exfiltrator-22’ Post-Exploitation Framework Linked to Former LockBit Affiliates

A recently identified post-exploitation framework ‘Exfiltrator-22’ uses the same C&C infrastructure as the LockBit ransomware.

A recently identified post-exploitation framework offered as a service appears to be operated by former affiliates of the LockBit ransomware, cybersecurity company Cyfirma reports.

Dubbed Exfiltrator-22 or EX-22, the tool was created using the leaked source code of other post-exploitation frameworks, and uses the same command-and-control (C&C) infrastructure as LockBit 3.0.

The malicious tool appears to have been created by skilled developers with knowledge of anti-analysis and defense evasion techniques, who are employing an aggressive marketing strategy, claiming that their solution is fully undetectable.

Exfiltrator-22’s operators, Cyfirma says, are likely operating from Asia and are interested in building their own affiliation program, using a subscription-based payment model: the malware is offered at $1,000 for a month, or $5,000 for lifetime access.

Customers are provided with access to a login panel for the Ex22 server, which is hosted on a bulletproof virtual private server, from where they can remotely control the malware and collect information from the infected devices, update malware configuration, deploy new versions of the tool, and create new campaigns.

“By keeping their operations centralized on a remote server, [the threat actors] can make it more difficult for security researchers to analyze and identify the source of the malware,” Cyfirma says.

Capabilities provided by Exfiltrator-22 include an elevated reverse shell, file download and upload, keylogger, file encryption (ransomware), live connection to the infected device, elevation of privilege, persistence, lateral movement, LSASS credential dumping, hashing, viewing a list of running processes, and exfiltration of authentication tokens.

The framework can bypass User Access Control (UAC), can create scheduled tasks, and allows attackers to check group memberships for the existing user and to select the payload to be executed on the target machine.

The threat actor likely completed the framework’s development in November 2022 and started advertising it on a newly created Telegram channel in early December. However, the malware developer continued to work on the tool, and has made several announcements of a new feature being added.

Cyfirma has discovered that the malware developers abuse Akamai’s content delivery network (CDN) to host Exfiltrator-22’s C&C infrastructure and believes that they likely employ an obfuscation plugin for Tor and domain fronting to hide Tor traffic in legitimate HTTPS connections.

While digging deeper into the framework, Cyfirma discovered that it uses the same domain fronting technique and C&C infrastructure as a LockBit 3.0 sample.

“It can be concluded with high confidence that the threat actors who created EX-22 are highly sophisticated threat actors that are likely to continue to increase the evasiveness of the malware. With continuous improvements and support, EX-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates,” Cyfirma concludes.

Related: New ‘Alchimist’ Attack Framework Targets Windows, Linux, macOS

Related: Intezer Documents Powerful ‘Lightning Framework’ Linux Malware

Related: ‘IceApple’ Post-Exploitation Framework Created for Long-Running Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.