This threat involves a sophisticated data exfiltration campaign uncovered by Huntress SOC analysts, where threat actors utilize a combination of legitimate compression and backup utilities to stage and exfiltrate sensitive data. Tools such as WinZip, 7Zip, and Windows' native tar.exe are used for data staging, while exfiltration is conducted through utilities like finger.exe and backup tools including Restic, BackBlaze, and s5cmd. In a specific incident dated February 25, 2026, the attackers deployed INC ransomware and used PSEXEC to escalate privileges on compromised systems. They created scheduled tasks to run malicious PowerShell scripts, facilitating persistence and automation of their attack. The Restic backup utility was renamed to winupdate.exe to evade detection while exfiltrating data. The recurrence of these tactics in a previous incident on February 9 suggests a repeatable and evolving attack methodology. The use of legitimate tools for malicious purposes (living off the land) complicates detection, as these tools are often whitelisted or trusted in enterprise environments. The threat actors also employ various MITRE ATT&CK techniques such as T1053.005 (Scheduled Task), T1003 (Credential Dumping), T1562.004 (Impair Defenses: Disable or Modify Tools), T1112 (Modify Registry), T1552.001 (Credentials in Files), T1059.001 (PowerShell), T1078 (Valid Accounts), and T1486 (Data Encrypted for Impact), among others. Although no CVE or known exploits are associated, the threat demonstrates a medium severity level due to its impact potential and complexity.

Organizations worldwide face significant risks from this threat due to the combination of data exfiltration and ransomware deployment. The use of legitimate tools for data staging and exfiltration can bypass traditional security controls, increasing the likelihood of successful breaches. The deployment of INC ransomware following data exfiltration can lead to severe operational disruption, financial loss, and reputational damage. Privilege escalation via PSEXEC and scheduled tasks enables attackers to maintain persistence and move laterally within networks, potentially compromising critical systems. The stealthy nature of the exfiltration, using renamed backup utilities, complicates detection and response efforts. Industries with sensitive data, such as finance, healthcare, government, and critical infrastructure, are particularly vulnerable. The repeated use of these tactics indicates a persistent threat actor capable of evolving their methods, increasing the risk of future incidents.

1. Implement strict application whitelisting and monitor for unusual execution of compression and backup utilities, especially those renamed or executed from uncommon paths. 2. Monitor scheduled tasks and PowerShell script executions for unauthorized or suspicious activity, including the creation of new tasks or scripts running under system or elevated privileges. 3. Employ endpoint detection and response (EDR) solutions capable of detecting living-off-the-land techniques and anomalous use of legitimate tools like PSEXEC, Restic, and finger.exe. 4. Enforce the principle of least privilege to limit the ability of attackers to escalate privileges using tools like PSEXEC. 5. Regularly audit and monitor credential usage and storage, focusing on detection of credential dumping and misuse (T1003, T1552.001). 6. Use network monitoring to detect unusual outbound traffic patterns that may indicate data exfiltration, particularly traffic associated with backup utilities or uncommon protocols. 7. Maintain robust backup and recovery processes isolated from the main network to mitigate ransomware impact. 8. Conduct threat hunting exercises focusing on indicators of compromise such as hashes provided and tactics described. 9. Educate security teams on the threat actor’s methodology to improve detection and response capabilities. 10. Apply multi-factor authentication (MFA) to reduce the risk of credential misuse.