TI Mindmap HUB
Threat Intelligence Report

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware – The DFIR Report

September 20, 2025 | thedfirreport.com | 0 CVE(s) referenced

A threat actor leveraged a fake Windows utility to deploy Cobalt Strike, established persistent backdoors with SystemBC and GhostSOCKS, exfiltrated data via Rclone, and ultimately unleashed LockBit ransomware across the victim's environment in a coordinated, multi-stage attack.

researcher
