Rewinding the Breach: a CSIRT-CTI-Investigation
Key findings
- The 12-month intrusion involved at least three distinct activity clusters operating sequentially on the same access:
  - An Initial Access Broker (IAB)
  - An intermediate operator (TA-2)
  - A final actor preparing ransomware deployment
- Initial access was obtained with credentials that had been stolen from a personal workstation infected with infostealer malware bundled in pirated software, and then sold via Telegram marketplaces.
- TA-2 reused the access to conduct reconnaissance, privilege escalation, and credential harvesting using common open-source tools.
- Despite having already obtained the level of access needed for deployment, TA-2 paused activity for over one month, suggesting access staging or resale rather than immediate ransomware deployment.
- The final actor reused the same infrastructure, employed modified TTPs (including an MFA bypass via a compromised VPN account), and came close to deploying ransomware.
- Infrastructure analysis revealed extensive use of anonymization infrastructures:
  - Strong indicators of a criminal-focused VPN: First VPN Service, which exhibits multiple hallmarks inconsistent with legitimate VPN providers and fuels major ransomware operations.
  - Bulletproof hosting (BPH) infrastructures linked, on one hand, to Alviva Holding Limited and Flyservers S.A., and on the other hand to Cheapy Host. These infrastructures are associated with activity attributed to the IAB ShadowSyndicate, which we already analyzed, as well as with the new front of the rogue provider CrazyRDP.
Intrinsec's CTI services
Organizations are facing increasingly sophisticated threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients' existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to intrinsec.com/en/cyber-threat-intelligence/.
