
IntelBroker – Threat Actor

January 23, 2025
Reading Time: 3 mins read
in Threat Actors
IntelBroker

Location

Serbia

Date of initial activity

2022

Suspected Attribution

Cybercriminals

Motivation

Financial Gain
Data Theft
Extortion

Associated Tools

Endurance Ransomware

Overview

IntelBroker, a sophisticated threat actor reportedly based in Serbia, has made headlines for its extensive and high-impact cyber operations. Known for targeting a diverse range of sectors, including government, telecommunications, automotive, and technology, IntelBroker has gained notoriety through its aggressive tactics and the use of advanced malware. The actor operates as an intelligence broker, not only breaching prominent organizations but also monetizing their compromised data on underground forums. This dual approach—data theft and sale—has cemented IntelBroker’s reputation as a formidable adversary in the cyber threat landscape.

Common targets

  • Sectors: Public Administration, Information, Manufacturing
  • Countries: United States, United Kingdom, Sweden

Attack Vectors

Software Vulnerabilities

Associated Tools

Endurance Ransomware: This is the primary tool used by IntelBroker to conduct extortion operations. Endurance is a C#-based ransomware that acts more like wiping malware, overwriting file contents with random data, renaming files, and deleting them. The source code for Endurance is publicly available on the threat actor’s GitHub repository, which allows for its modification and widespread use.

How they operate

At the core of IntelBroker’s operations is the Endurance ransomware, a custom-developed strain designed to inflict significant damage on targeted organizations. Unlike conventional ransomware that encrypts files, Endurance acts more like wiping malware. It overwrites the contents of targeted files with random data, renames them with arbitrary strings, and then deletes them, rendering the data irretrievable. The ransomware’s source code is available on the threat actor’s GitHub repository, allowing for its distribution and adaptation across various cybercriminal circles. This method not only disrupts the victim’s operations but also complicates recovery efforts, pushing organizations towards paying ransoms.

IntelBroker’s tactics extend beyond the deployment of ransomware. The group is known for exploiting vulnerabilities in widely used software to gain unauthorized access to systems. For instance, they have leveraged vulnerabilities such as CVE-2024-1597, which impacts Confluence Data Center and Server, to breach their targets. This exploitation of known weaknesses allows IntelBroker to infiltrate networks and gather valuable data, which is then sold on underground forums. The group’s ability to compromise third-party service providers, such as their alleged breach of T-Mobile’s ecosystem, demonstrates a sophisticated approach to expanding their attack surface and increasing their chances of success.

MITRE Tactics and Techniques

Initial Access:
  • Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in publicly accessible applications, such as Confluence Data Center and Server vulnerabilities, to gain initial access.
  • Spear Phishing (T1566): Targeting individuals within organizations with malicious emails to deliver payloads or gain credentials.

Execution:
  • Command and Scripting Interpreter (T1059): Utilizing scripts or command-line interfaces to execute malicious commands or payloads. This is relevant for running ransomware and other malicious software.
  • PowerShell (T1059.001): Leveraging PowerShell for executing commands or scripts that are part of their malware operations.

Persistence:
  • Create or Modify System Process (T1543): Modifying or creating system processes to ensure that their ransomware or other malware remains active on compromised systems.

Privilege Escalation:
  • Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to escalate privileges within a compromised environment.

Defense Evasion:
  • Obfuscated Files or Information (T1027): Using techniques to obfuscate malware or ransomware code to avoid detection.
  • Indicator Removal on Host (T1070): Clearing or modifying logs and other indicators to avoid detection and analysis.

Credential Access:
  • Credential Dumping (T1003): Extracting credentials from compromised systems to further their access within the network.

Discovery:
  • Network Service Scanning (T1046): Scanning network services to identify and exploit vulnerable services within the target network.
  • System Information Discovery (T1082): Gathering information about system configurations and user accounts to better plan their attacks.

Lateral Movement:
  • Remote Desktop Protocol (T1076): Using RDP to move laterally across the network and access additional systems.

Collection:
  • Data Staged (T1074): Staging collected data for exfiltration, often found in the process of gathering and preparing stolen information for sale.

Exfiltration:
  • Exfiltration Over Web Service (T1567): Using web-based services to exfiltrate stolen data from compromised systems.

Impact:
  • Data Destruction (T1485): Using ransomware like Endurance to destroy or overwrite files, making data recovery difficult.
  • Ransomware (T1486): Encrypting or otherwise rendering data inaccessible to demand a ransom.
References:
  • The Intelbroker Data Leak Threat Actor