3AM Ransomware Email Bomb and Vishing Threat

May 22, 2025
in Alerts

A 3AM ransomware affiliate is conducting highly targeted attacks against corporate environments, combining email bombing with spoofed IT-support phone calls. The voice-phishing calls socially engineer employees into handing over their remote-access credentials. The tactic was previously linked to the Black Basta ransomware gang and was later observed in FIN7 attacks; its proven effectiveness has driven much wider adoption among other threat actors. Sophos reports seeing at least 55 attacks leveraging this technique between Nov 2024 and Jan 2025. The leak of Black Basta's internal conversations helped other threat actors learn it quickly.

In early 2025 a 3AM ransomware attack targeted one of Sophos's clients. The incident followed the Black Basta playbook with a twist: instead of relying solely on Microsoft Teams vishing, the attackers placed real phone calls and spoofed the target company's actual IT-department phone number, which made the call appear far more legitimate to the employee. The call came during an intense email-bombing wave against the targeted user, and the attacker convinced the employee to open Microsoft Quick Assist and grant remote access, supposedly in response to malicious activity on the machine.

Once remote access was granted, the attacker downloaded a malicious archive from a spoofed domain. The archive contained a VBS script, a QEMU emulator and a Windows 7 image pre-loaded with the QDoor backdoor for persistent access. QEMU was used to evade detection by routing network traffic through the virtual machine, giving the attacker persistent yet largely undetected access to the corporate network. From there the attackers performed reconnaissance with common tools such as WMIC and PowerShell, created a new local administrator account to connect via Remote Desktop Protocol (RDP), and installed the commercial remote management tool XEOXRemote for easier ongoing access. Eventually they compromised a domain administrator account, gaining even higher network privileges. Although Sophos blocked lateral movement, 868GB of data was exfiltrated using the GoodSync tool.

Sophos's security products blocked subsequent attempts to run the 3AM ransomware encryptor, so damage was largely contained to data theft and encryption of the initially compromised host. The attack lasted nine days from start to finish; the data theft was concluded by the third day of the intrusion. Sophos suggested several defensive steps: auditing administrative accounts, using XDR security tools, enforcing signed scripts via PowerShell execution policies, and using IoC blocklists. Increasing employee awareness of email bombing and voice phishing is also crucial. The 3AM ransomware operation first launched in the later part of 2023 and has since been linked by researchers to the Conti and Royal ransomware gangs.
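The post-access chain above (QEMU started from a user directory, a new local account promoted to Administrators, an RDP logon with that account, GoodSync run for exfiltration) is the kind of sequence an "audit administrative accounts" recommendation turns into a correlation rule. The following is an added defensive example, not code from Sophos or the article; the event dict field names and the sample events are constructed, while the event IDs (4688, 4720, 4732, 4624) are the standard Windows Security ones.

```python
from datetime import datetime, timedelta

# Tooling named in the write-up. qemu-system is QEMU's real binary prefix; the
# other two are matched on the product name since the page gives no file names.
SUSPECT_PROCESSES = ("qemu-system", "goodsync", "xeoxremote")

def detect(events, window=timedelta(hours=24)):
    """Return alert strings for the chain above. Event dicts use this example's
    own field names: 4688 image/subject, 4720 target/subject, 4732 target/group/
    subject, 4624 target/logon_type (10 = RemoteInteractive, i.e. RDP)."""
    alerts, created = [], {}  # created: account -> time of its 4720 event
    for e in sorted(events, key=lambda ev: ev["time"]):
        t, eid = e["time"], e["id"]
        if eid == 4688:
            image = e["image"].lower()
            if any(p in image for p in SUSPECT_PROCESSES):
                alerts.append(f"suspect tool started: {e['image']} by {e['subject']}")
        elif eid == 4720:
            created[e["target"].lower()] = t
        elif eid == 4732 and e["group"].lower() == "administrators":
            t0 = created.get(e["target"].lower())
            if t0 is not None and t - t0 <= window:
                alerts.append(f"new local admin: {e['target']} (created by {e['subject']})")
        elif eid == 4624 and e["logon_type"] == 10:
            t0 = created.get(e["target"].lower())
            if t0 is not None and t - t0 <= window:
                alerts.append(f"RDP logon with freshly created account: {e['target']}")
    return alerts

def ts(hhmm):  # helper for the constructed sample below, all on one day
    return datetime(2025, 1, 15, *map(int, hhmm.split(":")))

# Constructed sample events, not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"id": 4688, "time": ts("10:05"), "subject": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\qemu-system-x86_64.exe"},
    {"id": 4688, "time": ts("10:06"), "subject": "jdoe", "image": r"C:\Windows\notepad.exe"},
    {"id": 4720, "time": ts("10:30"), "subject": "jdoe", "target": "svc_backup"},
    {"id": 4732, "time": ts("10:31"), "subject": "jdoe", "target": "svc_backup", "group": "Administrators"},
    {"id": 4720, "time": ts("10:40"), "subject": "hr_admin", "target": "intern01"},  # never made admin
    {"id": 4624, "time": ts("11:00"), "target": "svc_backup", "logon_type": 10},
    {"id": 4688, "time": ts("12:00"), "subject": "svc_backup", "image": r"C:\Tools\GoodSync\GoodSync.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Running the sample yields four alerts in time order (QEMU, new local admin, RDP logon, GoodSync); the benign notepad start and the never-promoted intern01 account produce none.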

Reference:

  • 3AM Ransomware Social Engineering Email Bombing Uses QEMU For Evasion