Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

    Date: 05/19/2025

    Severity: Critical

    Summary

    The threat actor gained initial access by exploiting CVE-2023-22527, an unauthenticated template-injection (OGNL) vulnerability in Atlassian Confluence Data Center and Server, on a public-facing Confluence server to achieve remote code execution. They then followed a repeatable command sequence (installing AnyDesk for persistent remote access, creating administrator accounts, and enabling RDP), which indicates either automation or a written playbook. Credential theft was carried out with Mimikatz, ProcessHacker, and Impacket's Secretsdump. Roughly 62 hours after initial exploitation, the attackers deployed ELPACO-team ransomware, a variant of the Mimic family. No significant data exfiltration was detected.
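    The playbook in the summary (remote-access tool install, new admin account, RDP enabled, all from the same host in a short window) is easier to detect as a sequence than as individual commands, because each step on its own is routine administration. The following is an added example, not code from the original page or from The DFIR Report: it scores process-creation events per host and alerts when three or more distinct playbook stages occur within a window. The log lines are constructed to resemble Windows process-creation events (Sysmon Event ID 1 or Security 4688) flattened to one line each; the host names, user names, line format and the exact commands are assumptions and are not events from the incident.

```python
"""Sequence detection for the post-exploitation playbook described above.

Added example (not the page's or the report's code). Log lines are constructed
to resemble flattened Windows process-creation events; field names, hosts and
the commands themselves are assumed, not quoted from the incident.
"""
import re
from datetime import datetime, timedelta

# One regex per playbook stage. These are generic Windows admin commands an
# intruder would use for each step; they are not commands quoted from the report.
STAGES = {
    "anydesk_install": re.compile(r"anydesk.*(?:--install|--silent)", re.I),
    "admin_account":   re.compile(r"\bnet(?:1)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "admin_group":     re.compile(r"\bnet(?:1)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "enable_rdp":      re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.I),
    "rdp_firewall":    re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=yes', re.I),
}

# Assumed flattened event format: "<date> <time> host=<h> user=<u> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample events (not from the incident). The last line is a lone
# admin-group change on another host and must not produce an alert.
SAMPLE_LOGS = [
    "2025-01-01 02:10:05 host=CONF-WEB01 user=svc_confluence cmd=cmd.exe /c whoami",
    "2025-01-01 02:11:12 host=CONF-WEB01 user=svc_confluence cmd=AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent --start-with-win",
    "2025-01-01 02:11:40 host=CONF-WEB01 user=svc_confluence cmd=net user helpdesk P@ssw0rd! /add",
    "2025-01-01 02:11:41 host=CONF-WEB01 user=svc_confluence cmd=net localgroup administrators helpdesk /add",
    "2025-01-01 02:12:03 host=CONF-WEB01 user=svc_confluence cmd=reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2025-01-01 09:30:00 host=FS01 user=admin cmd=net localgroup administrators backupops /add",
]


def parse_line(line):
    """Parse one flattened event; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def classify(cmd):
    """Return the list of playbook stage names a command line matches."""
    return [name for name, rx in STAGES.items() if rx.search(cmd)]


def find_playbook(lines, window=timedelta(minutes=30), min_stages=3):
    """Group stage hits per host and alert when at least `min_stages` distinct
    stages occur within `window` of some hit. Returns {host: sorted stages}."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        for stage in classify(ev["cmd"]):
            hits.setdefault(ev["host"], []).append((ev["ts"], stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in find_playbook(SAMPLE_LOGS).items():
        print(f"ALERT {host}: playbook stages {', '.join(stages)}")
```

    Tuning note: the 30-minute window and three-stage threshold are starting points. On a host where the stages are legitimately performed together (a build server being provisioned), the user field is the first thing to pivot on; a Confluence service account running net.exe and reg.exe, as in the constructed sample, is the signal that separates this from administration.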

    Indicators of Compromise (IOC) List

    IP Address : 

    45.227.254.124

    91.191.209.46

    Hash : 

    be8f00c11010e4e6078d383026833c07

    32f9259285bb3425b67633d73bc74b93859f40a7

    a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b

    35893c46af1af2089498b062379c039f

    238424b26da6e53738aa28a46ba007a195ad608c

    36d3b20e9380aaaac9151280b4ac3e047a0871efbb158f04344946ff67176a48

    3f7d6e5a541aad1a52beb823f1576f6a

    69519da0edeb9ad6ed739982a05b638d3fee20fb

    085ad59bb8d32981ea590a7884da55d4b0a3f5e89a9632530c0c8ef2f379e471

    0a50081a6cd37aea0945c91de91c5d97

    755309c6d9fa4cd13b6c867cde01cc1e0d415d00

    6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

    c9bc430ea5bd0289cf3a6acdb69efac4

    79d3fbde198ffa575904998b92285e3815a860c2

    6e5a6629b5ec2eea276fe93553d31f3d23885b214db0a4c2c9201f65180d767f

    127fe6658efb06e77b674fdb9db7d6d5

    4790bde7c2d233c07165caaab0f5b7d69a60c950

    d5746d9f3284dadf60180f7f7332a08895c609520e0c2327918f259d182cbaf6

    597de376b1f80c06d501415dd973dcec

    629c9649ced38fd815124221b80c9d9c59a85e74

    f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

    54daad58cce5003bee58b28a4f465f49

    162b08b0b11827cc024e6b2eed5887ec86339baa

    28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

    92fd70f19771360bd820091025107382

    dda90a452cc1540657606e5d40d304b1e58da751

    6b93e585479a3c5b9a8edbe2b11a8371cb028e8b196acb1c16a425e8d8530cd7

    77ef2cad0de20482a6bb6cfcdc5d94d1

    f46fa1fbab35f0d697ea896e81c4504de0487e57

    abbe5619e1d7a08f807b57d0949a7f97108a546a415778f25ed35f31ee2cd2f5

    96ec8798bba011d5be952e0e6398795d

    af7c73c47c62d70c546b62c8e1cc707841ec10e3

    c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37

    9a875116622272a7f0fb32ce6cc12040

    02c264691764f3c7ab9492dcb443e52b0ee66229

    15348e1401fe18b83e30a7e7f6b4de40b9981a0e133c22958324a89c188f2c49

    47e001253af2003985f15282cdc90a1c

    6ee6664df9bfb47d97090492b6cde68bf056a42a

    14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8

    e703ffdf065094f30b8b9c107a64736b

    7314f85595ab4496abe02c48b476f57cb6b96804

    9b1df0db16b3b73fe3549856fb4a74414faecffabee0d001865e05b93dda14ec

    1b1e95ea1d26da394688f4c8883721d1

    9e22f5e394ffd8df94b1601fe73f2ae14df731ba

    2c656109db6d2059c41a50e623ceb5e656ff764c44b1e1dbf41131f0206f8238

    96fc8c743f6ba38a69bf866b7fa9e4d1

    5bef86615c8bd715c794505127a6d5245bba9206

    51f2d5fba3d02cba1c99cf2dfd9968b98d0047f501b54b9531e7ad2719706e47

    3e872ca0ac6261b85dd9524a8f3a83db

    b8551ef02737bc7801d2077d7d8aca168eb79b0d

    c7440e621d1c5e90ca4963a4b3b52d27bac05a44248ca88dd51510489d1171bb

    09ba9214257381231934a0115d7af8be

    89e3247d2940d78ab13f060761f0c79afa806f39

    22436fe549d791caa3007b567d28d51c8c75869519019c40564af4de53490fa2

    6fbf6350c52d2f2e6f61530d05148562

    1217a97009eb86249e6c8010d3024f050f62c40d

    3e92ca5b4069eba89d9fcfd7885924282fdf6ca26d0ff8d0502973d9c9bc1fef

    91625f7f5d590534949ebe08cc728380

    bf1b0ab5a2c49bde5b5dbe828df3e69af5d724c2

    3c300726a6cdd8a39230f0775ea726c2d42838ac7ff53bfdd7c58d28df4182d5

    96a1e516cef1ff4791d8785886d56cce

    241f9d2495b0b437813d8cf31fe4e4de8be203ec

    9875d1947b8d18974c938721c273d9322fc9af36be96e0ec696daac2929bb802

    ee8d08b380bf3d3fe9961a0ab428549f

    8900b1ef864eb390bf99b801d78a0b8dbd5d90b6

    ff547a7803cd989f9f09a22323ec3f7079266b9a20a07f2c6f353547318ff172

    44c031e3c922e711f7e3784f6d90b10f

    5f13d476e9fabdf2ac6f805a98d62f3027c473c2

    9e18fcc595d4e158ac7aa9250e45145445b31018b35d6ed91239da2b931b5c37

    53e2e8ce119e2561bb6065b1a42f1085

    d01f72d0a4609be76a83ac76a760485d29be854b

    e5f985b5a1f4f351616516553295e1224a02219825c35e3c64b55ecdc8a0d699

    30a6cd2673ef5b2cb18f142780a5b4a3

    1e0ec6994400413c7899cd5c59bdbd6397dea7b5

    90cdcf54bbaeb9c5c4afc9b74b48b13e293746ee8858c033fc9d365fd4074018

    f635d1c916a7c56678f08d1d998e7ce4

    35ff55bcf493e1b936dc6e978a981ee2a75543a1

    4f4864a1d5f19a3c5552d80483526f3413497835549dce8c61fef116b666fa09

    e7aa5608c81ba4fcd8d166501b90fc06

    5c714fda5b78726541301672a44eaf886728f88c

    5748bfb17e662fb6d197886a69df47f1071052c3381eb1c609a2bc5dba8c2992

    a75de4c4fd88d94642ad30310c641252

    f7e11585ee968ad256be5a2e4c43a73c07034759

    6492e765829974c4a636bff0e305261b18eea92fcb1df6fff69890366efc972d

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address : 

    dstipaddress IN ("91.191.209.46","45.227.254.124") or srcipaddress IN ("91.191.209.46","45.227.254.124")

    Hash 1 (MD5) :

    md5hash IN ("96a1e516cef1ff4791d8785886d56cce","54daad58cce5003bee58b28a4f465f49","35893c46af1af2089498b062379c039f","30a6cd2673ef5b2cb18f142780a5b4a3","96ec8798bba011d5be952e0e6398795d","127fe6658efb06e77b674fdb9db7d6d5","be8f00c11010e4e6078d383026833c07","47e001253af2003985f15282cdc90a1c","e7aa5608c81ba4fcd8d166501b90fc06","a75de4c4fd88d94642ad30310c641252","44c031e3c922e711f7e3784f6d90b10f","0a50081a6cd37aea0945c91de91c5d97","3f7d6e5a541aad1a52beb823f1576f6a","c9bc430ea5bd0289cf3a6acdb69efac4","597de376b1f80c06d501415dd973dcec","92fd70f19771360bd820091025107382","77ef2cad0de20482a6bb6cfcdc5d94d1","1b1e95ea1d26da394688f4c8883721d1","96fc8c743f6ba38a69bf866b7fa9e4d1","3e872ca0ac6261b85dd9524a8f3a83db","09ba9214257381231934a0115d7af8be","6fbf6350c52d2f2e6f61530d05148562","91625f7f5d590534949ebe08cc728380","ee8d08b380bf3d3fe9961a0ab428549f","53e2e8ce119e2561bb6065b1a42f1085","f635d1c916a7c56678f08d1d998e7ce4","9a875116622272a7f0fb32ce6cc12040","e703ffdf065094f30b8b9c107a64736b")

    Hash 2 (SHA-1) :

    sha1hash IN ("755309c6d9fa4cd13b6c867cde01cc1e0d415d00","629c9649ced38fd815124221b80c9d9c59a85e74","5f13d476e9fabdf2ac6f805a98d62f3027c473c2","1e0ec6994400413c7899cd5c59bdbd6397dea7b5","5c714fda5b78726541301672a44eaf886728f88c","af7c73c47c62d70c546b62c8e1cc707841ec10e3","6ee6664df9bfb47d97090492b6cde68bf056a42a","d01f72d0a4609be76a83ac76a760485d29be854b","35ff55bcf493e1b936dc6e978a981ee2a75543a1","dda90a452cc1540657606e5d40d304b1e58da751","32f9259285bb3425b67633d73bc74b93859f40a7","8900b1ef864eb390bf99b801d78a0b8dbd5d90b6","162b08b0b11827cc024e6b2eed5887ec86339baa","241f9d2495b0b437813d8cf31fe4e4de8be203ec","4790bde7c2d233c07165caaab0f5b7d69a60c950","f7e11585ee968ad256be5a2e4c43a73c07034759","238424b26da6e53738aa28a46ba007a195ad608c","69519da0edeb9ad6ed739982a05b638d3fee20fb","79d3fbde198ffa575904998b92285e3815a860c2","f46fa1fbab35f0d697ea896e81c4504de0487e57","02c264691764f3c7ab9492dcb443e52b0ee66229","7314f85595ab4496abe02c48b476f57cb6b96804","9e22f5e394ffd8df94b1601fe73f2ae14df731ba","5bef86615c8bd715c794505127a6d5245bba9206","b8551ef02737bc7801d2077d7d8aca168eb79b0d","89e3247d2940d78ab13f060761f0c79afa806f39","1217a97009eb86249e6c8010d3024f050f62c40d","bf1b0ab5a2c49bde5b5dbe828df3e69af5d724c2")

    Hash 3 (SHA-256) :

    sha256hash IN ("36d3b20e9380aaaac9151280b4ac3e047a0871efbb158f04344946ff67176a48","f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446","c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37","6492e765829974c4a636bff0e305261b18eea92fcb1df6fff69890366efc972d","e5f985b5a1f4f351616516553295e1224a02219825c35e3c64b55ecdc8a0d699","4f4864a1d5f19a3c5552d80483526f3413497835549dce8c61fef116b666fa09","ff547a7803cd989f9f09a22323ec3f7079266b9a20a07f2c6f353547318ff172","9875d1947b8d18974c938721c273d9322fc9af36be96e0ec696daac2929bb802","6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b","14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8","a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b","085ad59bb8d32981ea590a7884da55d4b0a3f5e89a9632530c0c8ef2f379e471","3c300726a6cdd8a39230f0775ea726c2d42838ac7ff53bfdd7c58d28df4182d5","6b93e585479a3c5b9a8edbe2b11a8371cb028e8b196acb1c16a425e8d8530cd7","6e5a6629b5ec2eea276fe93553d31f3d23885b214db0a4c2c9201f65180d767f","d5746d9f3284dadf60180f7f7332a08895c609520e0c2327918f259d182cbaf6","28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063","abbe5619e1d7a08f807b57d0949a7f97108a546a415778f25ed35f31ee2cd2f5","15348e1401fe18b83e30a7e7f6b4de40b9981a0e133c22958324a89c188f2c49","9b1df0db16b3b73fe3549856fb4a74414faecffabee0d001865e05b93dda14ec","2c656109db6d2059c41a50e623ceb5e656ff764c44b1e1dbf41131f0206f8238","51f2d5fba3d02cba1c99cf2dfd9968b98d0047f501b54b9531e7ad2719706e47","c7440e621d1c5e90ca4963a4b3b52d27bac05a44248ca88dd51510489d1171bb","22436fe549d791caa3007b567d28d51c8c75869519019c40564af4de53490fa2","3e92ca5b4069eba89d9fcfd7885924282fdf6ca26d0ff8d0502973d9c9bc1fef","9e18fcc595d4e158ac7aa9250e45145445b31018b35d6ed91239da2b931b5c37","90cdcf54bbaeb9c5c4afc9b74b48b13e293746ee8858c033fc9d365fd4074018","5748bfb17e662fb6d197886a69df47f1071052c3381eb1c609a2bc5dba8c2992")
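    Queries like the three above are usually assembled by hand from the IOC list, and a list this long makes it easy to drop an entry or paste a hash into the wrong algorithm's clause. The following is an added example, not Gurucul's tooling: it buckets raw hash strings by algorithm (inferred from length), validates them as hex, generates an `IN (...)` clause per algorithm, and compares an existing query against the list to report any IOC that the query does not cover. The six hashes are copied from the page's IOC list above; the `not-a-hash` entry and the `EXISTING_QUERY` string are constructed for the example (the query deliberately omits entries so the check has something to report).

```python
"""Build and cross-check hash IN (...) queries from an IOC list.

Added example, not the page's or Gurucul's own tooling. The hash values are a
subset of the page's IOC list; the 'not-a-hash' entry and EXISTING_QUERY are
constructed for the example. Field names follow the page's queries.
"""
import re

# Hash algorithm inferred from hex-digit count, mapped to the query field name.
HASH_FIELDS = {32: "md5hash", 40: "sha1hash", 64: "sha256hash"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Matches each `<field> IN ( ... )` clause in an existing query string.
IN_RE = re.compile(r"(\w+)\s+IN\s*\(([^)]*)\)", re.I)

# Subset of the IOC list above, plus one constructed bad value to show validation.
PAGE_IOCS = [
    "be8f00c11010e4e6078d383026833c07",
    "32f9259285bb3425b67633d73bc74b93859f40a7",
    "a710ed9e008326b981ff0fadb1c75d89deca2b52451d4677a8fd808b4ac0649b",
    "35893c46af1af2089498b062379c039f",
    "238424b26da6e53738aa28a46ba007a195ad608c",
    "36d3b20e9380aaaac9151280b4ac3e047a0871efbb158f04344946ff67176a48",
    "not-a-hash",
]

# Constructed query that covers only some of the list (one MD5, both SHA-1s).
EXISTING_QUERY = (
    'md5hash IN ("be8f00c11010e4e6078d383026833c07") or '
    'sha1hash IN ("32f9259285bb3425b67633d73bc74b93859f40a7","238424b26da6e53738aa28a46ba007a195ad608c")'
)


def bucket_hashes(raw_values):
    """Normalise to lower case, validate as hex, and group by algorithm.
    Values of unknown length or with non-hex characters go under 'invalid'."""
    buckets = {"md5hash": [], "sha1hash": [], "sha256hash": [], "invalid": []}
    for v in raw_values:
        h = v.strip().lower()
        field = HASH_FIELDS.get(len(h))
        if field and HEX_RE.match(h):
            if h not in buckets[field]:        # drop duplicates, keep order
                buckets[field].append(h)
        else:
            buckets["invalid"].append(v)
    return buckets


def build_query(field, hashes):
    """Render one `<field> IN ("h1","h2",...)` clause in the page's style."""
    quoted = ",".join(f'"{h}"' for h in hashes)
    return f"{field} IN ({quoted})"


def parse_query(query):
    """Return {field: set(values)} for every IN clause found in `query`."""
    out = {}
    for field, body in IN_RE.findall(query):
        vals = {v.strip().strip('"').lower() for v in body.split(",") if v.strip()}
        out.setdefault(field.lower(), set()).update(vals)
    return out


def missing_from_query(query, buckets):
    """Hashes present in the IOC buckets but absent from `query`, per field."""
    present = parse_query(query)
    missing = {}
    for field, hashes in buckets.items():
        if field == "invalid":
            continue
        gap = sorted(set(hashes) - present.get(field, set()))
        if gap:
            missing[field] = gap
    return missing


if __name__ == "__main__":
    b = bucket_hashes(PAGE_IOCS)
    for field in ("md5hash", "sha1hash", "sha256hash"):
        print(build_query(field, b[field]))
    print("rejected:", b["invalid"])
    print("not covered by EXISTING_QUERY:", missing_from_query(EXISTING_QUERY, b))
```

    Generating the clauses from the list, rather than typing them, removes the omission class of error; running `missing_from_query` against a query that is already deployed is the quick audit before publishing a detection page.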

    Reference:    

    https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/


    Tags

    Malware, Ransomware, ELPACO-team, CVE-2023, Exploit, Mimikatz, ProcessHacker, Secretsdump, CredentialTheft, Vulnerability
