EXOTIC LILY
Overview
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
TTPs — 15 techniques across 5 tactics
Reconnaissance
- T1589.002 Email Addresses
- T1593.001 Social Media
- T1594 Search Victim-Owned Websites
- T1597 Search Closed Sources
Resource Development
- T1583.001 Domains
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1608.001 Upload Malware
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
- T1566.003 Spearphishing via Service
Execution
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
Command and Control
- T1102 Web Service
Tools & malware (2)
- Bazar
- Bumblebee
Reporting (1)
- Exposing initial access broker with ties to Conti — Stolyarov, V.