
The Redact ransomware group, an extortion-only offshoot linked to UNC6671, has targeted FCCI Insurance Group, stealing 145 GB of corporate data. The group bypassed multi-factor authentication with voice phishing (vishing) and session hijacking, then ran automated cloud-to-cloud data extraction.


1. Purchase lookalike identity provider domains (Okta/Entra ID) and host customized AiTM reverse-proxy panels.
2. Impersonate IT helpdesk to lure employees into logging into the phishing site, intercepting credentials and active session cookies.
3. Navigate to security settings using hijacked sessions to register a new rogue MFA device (e.g., FIDO2 keys).
4. Scrape directories to identify privileged accounts; launch highly targeted internal phishing via Teams or email.
5. Automated scripts abuse Graph API, OneDrive, and SharePoint to download files and upload them to public or attacker servers.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
This original source is hosted on the Tor network. Use Tor Browser to open it, and treat the forum as untrusted while reviewing the post.
Onion URL: http://neclc36yt4yaa5lv54kh4qbhvjcvuv6nnaurqowkellytpvj3afh4aid.onion/companies
Compromising corporate identity providers through Adversary-in-the-Middle (AiTM) phishing kits and strategic voice phishing (vishing) has emerged as the principal attack vector for the threat group operating under the Redact ransomware label. In a confirmed compromise targeting FCCI Insurance Group (fcci-group.com), the group successfully exfiltrated 145 GB of sensitive enterprise data. This incident demonstrates a broader paradigm shift where attackers abandon traditional software exploits in favor of bypassing multi-factor authentication (MFA) via session hijacking and rogue device registration.
Redact, previously identified in threat landscapes as BlackFile and currently transitioning infrastructure to the Pink brand, represents a highly dangerous class of extortion-only adversaries. Rather than spending weeks researching software zero-days, these threat groups focus on the human and authentication layers of corporate cloud environments. By integrating sophisticated voice manipulation with real-time session capture, they effectively neutralize standard SMS-based or mobile push multi-factor protections. Understanding how these groups target enterprises is vital for security teams seeking to harden their external defenses.
Unlike traditional automated malware operations, the threat actors behind Redact execute a hands-on-keyboard approach that relies entirely on legitimate identity credentials and cloud administrative features. They operate under several industry tracking identifiers, including UNC6671, CL-CRI-1116, and Cordial Spider, which are frequently linked to the decentralized cybercriminal network known as The Com.
For organizations looking to comprehensively map their external vulnerabilities and evaluate lookalike domain threats, establishing continuous visibility is a critical step. Discover how our Attack Surface Management services can help identify exposed assets, misconfigured portals, and lookalike domain structures before attackers can exploit them. Additionally, securing continuous external awareness through our Dark Web Monitoring platform ensures your security team is alerted the moment corporate credentials appear in underground forums.
The attack chain begins with thorough external reconnaissance. The threat actors purchase lookalike domains designed to mimic corporate Identity Providers (IdP) such as Okta or Microsoft Entra ID. These domains utilize target-specific subdomains and second-level domains to appear legitimate to unsuspecting employees. Alongside these domains, the actors deploy advanced Adversary-in-the-Middle (AiTM) phishing platforms, such as modified versions of the Doko kit, which are designed to act as reverse proxies. These proxies intercept traffic between the victim, the fake landing page, and the genuine authentication portal, allowing real-time harvesting of passwords and active login session cookies.
With their infrastructure prepared, the attackers execute voice phishing (vishing) campaigns. Utilizing spoofed VoIP lines or manipulated Caller ID Names (CNAM), they call corporate employees, pretending to be IT helpdesk or security technicians. They construct highly believable social engineering scripts, informing the employee of a simulated security alert, a mandatory software update, or an active account issue. The victim is then directed to log into one of the lookalike domains. As the user completes the login sequence, the AiTM phishing kit captures both the password and the multi-factor authentication (MFA) token, instantly establishing an active, validated session for the attacker.
To avoid repeating the vishing phone call, the threat actor must secure persistent access to the target cloud environment. Using the stolen session token, the attacker logs in and immediately navigates to the user's personal security registration panel. They register a new, attacker-controlled MFA device, such as a rogue FIDO2 hardware key, an authenticator application, or a customized passkey. Because this action occurs from an already-authenticated web session, it is often treated by default policies as a trusted user update. Future access requests by the attacker are authenticated using this newly registered rogue device, completely bypassing the victim's legitimate MFA setup.
Once persistent access is established, the threat actor maps the organization's internal structure. They use built-in, legitimate directory tools to harvest enterprise structure maps, targeting senior administrators, executive leadership, or IT support personnel who possess elevated privileges. Rather than using noisy brute-force tools, they escalate privileges via internal phishing, sending highly targeted malicious messages through compromised corporate email accounts or trusted platforms such as Microsoft Teams to compromise administrative accounts.
Data exfiltration is executed using standard, administrative cloud APIs rather than malware. Threat actors use automated Python or PowerShell scripts to interact with Microsoft Graph API, OneDrive, SharePoint, or Salesforce. These scripts search systematically for directories containing sensitive financial records, customer details, or proprietary corporate data. During this programmatic exfiltration, security teams may notice anomalous user-agent strings, specifically Python-requests/2.28.1, initiating massive read and download requests. The stolen data is then uploaded directly from the corporate cloud to attacker-controlled storage buckets or public hosting platforms, so the transfer never crosses the corporate network perimeter and standard network firewalls see none of it.
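The user-agent anomaly described above is also the basis of the SIEM rule recommended in the defensive guidance below. The following Python script is an added example (not code from the original article or from the threat actor) of that detection logic: it groups download events by user and user agent, discards browser user agents, and alerts when a non-browser client pulls more than a threshold of files inside a sliding window. The record shape is modelled on Microsoft 365 unified audit log SharePoint entries (CreationTime, Operation, UserId, ClientIP, UserAgent, ObjectId); the sample log is constructed, and the threshold and window values are assumptions to tune per tenant.

```python
"""Detect bulk SharePoint/OneDrive downloads from non-browser user agents.

Added example for this article, not code from the original page. Records are
modelled on Microsoft 365 unified audit log SharePoint entries; the sample
log is constructed and the threshold/window values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Checked first: some HTTP libraries also carry a "Mozilla/" token, so a
# programmatic marker wins over a browser marker.
PROGRAMMATIC_MARKERS = ("python-requests", "python-urllib", "curl/", "wget/",
                        "go-http-client", "powershell", "okhttp")
BROWSER_MARKERS = ("mozilla/", "chrome/", "safari/", "firefox/", "edg/")
DOWNLOAD_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull"}


def classify_user_agent(ua):
    """Coarse bucket for a User-Agent string: programmatic, browser or unknown."""
    ua_l = (ua or "").lower()
    if any(m in ua_l for m in PROGRAMMATIC_MARKERS):
        return "programmatic"
    if any(m in ua_l for m in BROWSER_MARKERS):
        return "browser"
    return "unknown"


def find_bulk_programmatic_downloads(events, threshold=20, window=timedelta(minutes=10)):
    """Return one alert per (user, user agent) whose non-browser download
    events reach `threshold` inside any sliding `window`."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Operation") not in DOWNLOAD_OPERATIONS:
            continue
        if classify_user_agent(e.get("UserAgent")) == "browser":
            continue
        groups[(e["UserId"], e.get("UserAgent", ""))].append(e)

    alerts = []
    for (user, ua), evs in groups.items():
        evs.sort(key=lambda e: e["CreationTime"])
        times = [datetime.fromisoformat(e["CreationTime"]) for e in evs]
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end
        if best_count >= threshold:
            burst = evs[best_start:best_end + 1]
            alerts.append({
                "user": user,
                "user_agent": ua,
                "downloads": best_count,
                "first": burst[0]["CreationTime"],
                "last": burst[-1]["CreationTime"],
                "client_ips": sorted({e["ClientIP"] for e in burst}),
                "sample_objects": [e["ObjectId"] for e in burst[:3]],
            })
    return alerts


def build_sample_events():
    """Constructed sample log: one scripted burst, a few normal browser
    downloads and a small curl fetch that stays under the threshold."""
    base = datetime(2024, 5, 1, 9, 0, 0)

    def rec(offset_s, user, ip, ua, obj):
        return {"CreationTime": (base + timedelta(seconds=offset_s)).isoformat(),
                "Operation": "FileDownloaded", "UserId": user, "ClientIP": ip,
                "UserAgent": ua, "ObjectId": obj}

    events = [rec(10 * i, "alice@example.com", "198.51.100.23", "python-requests/2.28.1",
                  f"https://example.sharepoint.com/sites/finance/claims-{i:03d}.pdf")
              for i in range(25)]
    events += [rec(600 * i, "bob@example.com", "203.0.113.10",
                   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
                   f"https://example.sharepoint.com/sites/hr/handbook-{i}.docx")
               for i in range(3)]
    events += [rec(30 * i, "carol@example.com", "203.0.113.77", "curl/8.4.0",
                   f"https://example-my.sharepoint.com/personal/carol/report-{i}.csv")
               for i in range(2)]
    return events


if __name__ == "__main__":
    for alert in find_bulk_programmatic_downloads(build_sample_events()):
        print(alert)
```

Run on the constructed log, only the scripted python-requests burst is reported; the same rule applied to real tenant exports should be tuned with an allow-list for sanctioned sync clients and backup tooling, which otherwise appear as "programmatic" too.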
The exfiltration of 145 GB of data from an organization like FCCI Insurance Group highlights the severe risk faced by the insurance and financial sectors. These industries handle vast quantities of personally identifiable information (PII), regulatory filings, and sensitive underwriting documents. A data breach of this scale often triggers strict regulatory reporting requirements, including compliance frameworks such as HIPAA, GDPR, or GCC regional data protection laws, which mandate rapid disclosure and carry heavy non-compliance penalties.
Furthermore, groups associated with The Com are known for utilizing aggressive double-extortion tactics. When victims refuse to pay the ransom demands, these groups escalate pressure by conducting harassing outreach to executives, board members, and clients. In extreme cases, attackers have been observed orchestrating SWATting attacks, where emergency services are dispatched to the homes of corporate officers under false pretenses. This extreme intimidation underscores why technical remediation must be paired with proactive security controls.
To evaluate if your domain has been targeted or exposed in previous credential dumps, implementing proactive scanning is essential. Use FemtoSec's Dark Web Scanner to check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Defending against identity-based threat actors requires security teams to focus on continuous visibility and structural posture hardening. Rather than relying on traditional perimeter devices, security strategies must emphasize identity hygiene and prompt log analysis.
Monitor MFA Modifications: Configure real-time alerts within your cloud identity providers (Microsoft Entra ID, Okta) to flag any new MFA device registration, particularly when the change originates from a newly observed IP address, residential proxy network, or commercial VPN range.
Implement Impossible Travel Detection: Set up automated alerts that trigger when a single user account logs in from geographically distant locations within a time frame that is physically impossible to travel.
Enforce Phishing-Resistant MFA: Transition away from easily intercepted MFA factors, such as SMS codes or standard push notifications. Deploy hardware-based, domain-bound FIDO2 security keys that cannot be relayed by reverse-proxy phishing kits.
Audit Cloud API User-Agents: Set up security information and event management (SIEM) rules to identify programmatic access to cloud storage resources (SharePoint, OneDrive) from unusual or non-browser user-agent strings, such as Python-requests.
Strict Helpdesk Verification: Implement rigorous out-of-band verification protocols for all password and MFA reset requests, ensuring helpdesk personnel cannot be manipulated by voice phishing actors.
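The first two recommendations above (MFA registration from a newly observed address, and impossible travel) and the rogue-device persistence step they respond to can both be checked from identity logs. The script below is an added example written for this article, not code from the original page or from any identity vendor. It uses a simplified record shape loosely following Entra ID sign-in logs (user, time, IP, geo-coordinates) and the "User registered security info" audit event; the sign-in history, registrations and thresholds are constructed assumptions. Note the design choice in the MFA rule: a sign-in from the same IP a few minutes before the registration is exactly what a hijacked session looks like, so only history older than a minimum age counts as "known".

```python
"""Two identity-log detections: MFA registration from a newly seen IP, and
impossible travel between consecutive sign-ins.

Added example for this article, not code from the original page. Record
shapes are simplified from Entra ID sign-in logs and the "User registered
security info" audit event; all sample data and thresholds are constructed.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in history. Coordinates are approximate city centres.
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-04-20T09:00:00", "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00", "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01},
    # session replayed 40 minutes later from a different continent
    {"user": "alice@example.com", "time": "2024-05-01T08:40:00", "ip": "198.51.100.23", "lat": 52.52, "lon": 13.40},
    {"user": "bob@example.com", "time": "2024-04-20T10:00:00", "ip": "203.0.113.55", "lat": 51.51, "lon": -0.13},
    {"user": "bob@example.com", "time": "2024-05-01T09:30:00", "ip": "203.0.113.55", "lat": 51.51, "lon": -0.13},
]

# Constructed "security info registered" audit events.
MFA_REGISTRATIONS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:42:00", "ip": "198.51.100.23", "method": "FIDO2 security key"},
    {"user": "bob@example.com", "time": "2024-05-01T10:00:00", "ip": "203.0.113.55", "method": "Authenticator app"},
]


def _t(s):
    return datetime.fromisoformat(s)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(sign_ins, max_speed_kmh=900.0):
    """Flag consecutive sign-ins by the same user that imply a speed above
    `max_speed_kmh` (roughly an airliner)."""
    by_user = defaultdict(list)
    for s in sign_ins:
        by_user[s["user"]].append(s)
    alerts = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist == 0:
                continue
            hours = (_t(cur["time"]) - _t(prev["time"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": round(speed)})
    return alerts


def mfa_registration_from_new_ip(registrations, sign_ins, lookback=timedelta(days=30),
                                 min_history=timedelta(hours=24)):
    """Flag MFA method registrations whose source IP has no sign-in history
    for that user older than `min_history` (within `lookback`). A sign-in from
    the same IP minutes earlier does not count as history."""
    alerts = []
    for reg in registrations:
        reg_time = _t(reg["time"])
        known_ips = {
            s["ip"] for s in sign_ins
            if s["user"] == reg["user"]
            and reg_time - lookback <= _t(s["time"]) <= reg_time - min_history
        }
        if reg["ip"] not in known_ips:
            alerts.append({"user": reg["user"], "ip": reg["ip"],
                           "method": reg["method"], "time": reg["time"]})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS) + mfa_registration_from_new_ip(MFA_REGISTRATIONS, SIGN_INS):
        print(a)
```

On the constructed data both rules fire for the same account within two minutes of each other, which is the correlation worth alerting on: a sign-in that cannot be the user, followed immediately by a new authenticator being enrolled from that address.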
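The phishing-resistant MFA recommendation rests on a specific mechanism: a WebAuthn/FIDO2 assertion is signed over data that includes the origin the browser was actually showing and a hash of the relying party ID, so a reverse-proxy kit on a lookalike domain cannot relay it. The script below is an added example for this article, not the page's own code and not a production library. It implements the relying-party checks from the WebAuthn assertion verification procedure that create that binding (type, challenge, origin, rpIdHash, user-presence flag) and assembles the bytes the signature covers; the ECDSA signature check itself, which needs the credential's registered public key, is not performed. The origin, RP ID, challenge and the lookalike domain are constructed values.

```python
"""Why an origin-bound FIDO2/WebAuthn assertion cannot be relayed through an
AiTM proxy: the relying-party checks on clientDataJSON and authenticatorData.

Added example for this article, not the page's own code. Origins, RP ID and
challenge values are constructed; the final signature verification (needs the
registered public key) is out of scope, but the signed byte string is built.
"""
import base64
import hashlib
import json
import struct

EXPECTED_ORIGIN = "https://login.example.com"   # constructed
EXPECTED_RP_ID = "example.com"                  # constructed


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge,
                             expected_origin=EXPECTED_ORIGIN, expected_rp_id=EXPECTED_RP_ID):
    """Relying-party checks that tie an assertion to the origin and RP ID.
    Returns (ok, reason, signed_bytes)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "type is not webauthn.get", None
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch", None
    # The browser writes the origin it is really displaying; a proxy cannot
    # change it without invalidating the signature over clientDataJSON.
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % cd.get("origin"), None
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", None
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch", None
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set", None
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    # Signature input per the spec: authenticatorData || SHA-256(clientDataJSON)
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "bound to origin and RP ID (signCount=%d)" % sign_count, signed


def make_client_data(origin, challenge):
    """Construct what a browser places in clientDataJSON for a get() call."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, sign_count=7, flags=0x05):
    """Construct the 37-byte minimum authenticatorData: rpIdHash, flags, counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo():
    challenge = b"\x01" * 32                      # constructed RP challenge
    legit = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                     make_authenticator_data(EXPECTED_RP_ID), challenge)
    # Same RP ID and live challenge, but the browser was on a lookalike origin.
    relayed = verify_assertion_binding(make_client_data("https://login.example-sso.com", challenge),
                                       make_authenticator_data(EXPECTED_RP_ID), challenge)
    # Correct origin, but a previously used challenge (replay).
    replayed = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, b"\x02" * 32),
                                        make_authenticator_data(EXPECTED_RP_ID), challenge)
    return legit, relayed, replayed


if __name__ == "__main__":
    for ok, reason, _ in demo():
        print(ok, reason)
```

Contrast this with an SMS code or a push approval, which carry no origin at all: the proxy forwards the code to the genuine portal and the check passes. With WebAuthn the relayed assertion fails before any signature is even examined, because the origin in the signed client data is the lookalike.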