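graph TB
%% Attack-flow diagram (Mermaid flowchart, top-to-bottom).
%% Node labels reproduce the source report's wording; the classDef names below
%% double as the phase/tactic each node belongs to.
%% Encoding fix: the page carried typographic quotes (“ ”) and en-dash arrows (–>),
%% which Mermaid's parser rejects; they are restored to ASCII "..." and -->.
%% NOTE(review): several label texts read like ATT&CK technique names (Drive-by,
%% Content Injection, Subvert Trust Controls, User Execution, Ingress Tool Transfer);
%% if this flow is consumed by detection tooling, confirm the mapping and record it
%% per node rather than relying on the label wording.
%% Class Definitions
classDef initial_access fill:#f96,stroke:#333,stroke-width:2px
classDef evasion fill:#bbf,stroke:#333,stroke-width:2px
classDef execution fill:#dfd,stroke:#333,stroke-width:2px
classDef persistence fill:#fdd,stroke:#333,stroke-width:2px
classDef command_control fill:#ffd,stroke:#333,stroke-width:2px
classDef discovery fill:#dff,stroke:#333,stroke-width:2px
classDef lateral_movement fill:#dcd,stroke:#333,stroke-width:2px
classDef impact fill:#f99,stroke:#333,stroke-width:2px
classDef tool_malware fill:#eee,stroke:#333,stroke-width:1px
%% Initial Access Phase
action_drive_by["Action –
Victims lured via fraudulent websites,
malicious ads, or search engine redirects."]
class action_drive_by initial_access
action_content_injection["Action –
Use of Traffic Distribution Systems (TDS)
like TAG-124 or ClickFix to redirect users."]
class action_content_injection initial_access
%% NOTE: this node is styled as evasion although it sits in the initial-access
%% group; the edge from malware_initial_payload below is what places it in the flow.
action_subvert_trust["Action –
Using fraudulent certificates like
Foshan Yongqiheng Trading Co., Ltd."]
class action_subvert_trust evasion
%% Execution and Transfer Phase
action_user_exec["Action –
Execution of trojanized installers
(e.g., Microsoft Teams, Chrome, or Edge)."]
class action_user_exec execution
malware_initial_payload["Malware – JunkFiction, NodeSnake, or Endico
Initial stage downloaders executed
via user interaction."]
class malware_initial_payload tool_malware
action_ingress_transfer["Action –
Retrieving second-stage malware from
remote Command and Control servers."]
class action_ingress_transfer execution
malware_second_stage["Malware – Supper or InterlockRAT
Second-stage backdoors retrieved
to facilitate remote access."]
class malware_second_stage tool_malware
%% Persistence Phase
action_persistence_linux["Action –
Linux NodeSnake variants creating
new systemd services."]
class action_persistence_linux persistence
%% NOTE(review): "shell configuration modifications" is usually a Unix-style
%% persistence description; confirm against the source which Windows mechanism is meant.
action_persistence_windows["Action – Windows Persistence
Utilizing shell configuration modifications
to maintain a foothold."]
class action_persistence_windows persistence
%% Command and Control Phase
action_c2["Action –
Establishing reverse shells and
SOCKS5 tunnels for stealthy communication."]
class action_c2 command_control
%% Discovery Phase
action_discovery_domain["Action –
Enumerating domain accounts using
commands like net user /domain."]
class action_discovery_domain discovery
action_discovery_groups["Action –
Enumerating groups using
net group domain admins /domain."]
class action_discovery_groups discovery
%% Lateral Movement and Impact Phase
action_lateral_move["Action –
Moving through environment via RDP
sessions initiated through reverse shells."]
class action_lateral_move lateral_movement
action_selective_exclusion["Action – Selective Exclusion
Deploying custom WDAC policies to deny
Microsoft Defender or Sophos EDR."]
class action_selective_exclusion evasion
action_impact_encryption["Action –
Final deployment of Interlock or Rhysida
ransomware to encrypt victim files."]
class action_impact_encryption impact
%% Connections (edge labels name the relationship the report describes)
action_drive_by -->|facilitates| action_content_injection
action_content_injection -->|leads_to| action_user_exec
action_user_exec -->|uses| malware_initial_payload
malware_initial_payload -->|requires| action_subvert_trust
malware_initial_payload -->|triggers| action_ingress_transfer
action_ingress_transfer -->|downloads| malware_second_stage
malware_second_stage -->|establishes| action_persistence_linux
malware_second_stage -->|establishes| action_persistence_windows
malware_second_stage -->|enables| action_c2
action_c2 -->|performs| action_discovery_domain
action_c2 -->|performs| action_discovery_groups
action_discovery_domain -->|informs| action_lateral_move
action_discovery_groups -->|informs| action_lateral_move
action_lateral_move -->|leads_to| action_selective_exclusion
action_selective_exclusion -->|precedes| action_impact_encryption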
Attack Flow