Initial access via webshells on publicly accessible servers (likely through unpatched vulnerabilities), followed by reconnaissance commands (whoami, systeminfo, tasklist, net group). The attackers disabled Windows Defender scanning for the Downloads folder, created scheduled tasks that took periodic memory dumps to extract credentials, and then specifically targeted the workstations of two IT staff for deeper network access.
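The chain summarised above (a recon burst, a Defender exclusion for the Downloads folder, then scheduled-task creation) can be correlated per host in process-creation telemetry. The following is an added example written for this page, not detection content from SOC Prime or the underlying report; the event records are constructed, and the field layout, regexes and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real campaign telemetry):
# (timestamp, host, command line). The layout is an assumption for this example.
EVENTS = [
    ("2025-07-01T09:00:05", "WEB01", "cmd.exe /c whoami"),
    ("2025-07-01T09:00:09", "WEB01", "cmd.exe /c systeminfo"),
    ("2025-07-01T09:00:14", "WEB01", "cmd.exe /c tasklist"),
    ("2025-07-01T09:00:20", "WEB01", "net group \"Domain Admins\" /domain"),
    ("2025-07-01T09:07:42", "WEB01", "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public\\Downloads"),
    ("2025-07-01T09:10:03", "WEB01", "schtasks.exe /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\Downloads\\u.exe"),
    ("2025-07-01T09:30:00", "FS02", "cmd.exe /c whoami"),  # lone recon on another host; must not alert
]

# One regex per stage of the chain described in the summary.
STAGES = {
    "recon": re.compile(r"\b(whoami|systeminfo|tasklist|net(?:1)?\s+group)\b", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-ExclusionPath\b.*Downloads", re.I),
    "scheduled_task": re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I),
}

def classify(cmdline):
    """Return the stage name a command line matches, or None."""
    for name, pattern in STAGES.items():
        if pattern.search(cmdline):
            return name
    return None

def correlate(events, window=timedelta(minutes=30), min_recon=3):
    """Per host, slide a window over classified events; alert when it holds
    >= min_recon distinct recon commands plus at least one later-stage action."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        stage = classify(cmd)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage, cmd))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            recon = {h[2].lower() for h in in_window if h[1] == "recon"}
            later = {h[1] for h in in_window if h[1] != "recon"}
            if len(recon) >= min_recon and later:
                alerts.append((host, t0.isoformat(), sorted(later)))
                break  # one alert per host is enough here
    return alerts
```

Running `correlate(EVENTS)` flags WEB01 only; FS02's single whoami stays below the recon threshold.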

Source: SOC Prime

What's interesting: attackers primarily used Living-off-the-Land techniques and dual-use tools rather than large-scale malware. They deployed Localolive, a custom webshell previously linked to Sandworm in the BadPilot campaign.

⚠️ Sandworm's Ukraine Campaign: Custom Webshell + LotL Persistence

Russia-linked Sandworm (UAC-0082, UAC-0145, APT44, Seashell Blizzard) conducted a two-month campaign against a major Ukrainian business services company and a week-long attack on a state entity starting late June 2025.