Exotic Lily group is an initial access broker that utilizes large-scale phishing operations to infiltrate specific corporate networks and subsequently sells access to those networks to ransomware groups such as Conti and Diavol gangs.
Exotic Lily was first discovered exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444), which piqued the curiosity of researchers as a potentially sophisticated threat actor. Following additional analysis, it was revealed that the group is an initial access broker that utilizes large-scale phishing operations to infiltrate specific corporate networks and subsequently sells access to those networks to ransomware groups such as Conti and Diavol gangs.
The group starts by producing fake social media profiles, including LinkedIn profiles, by exploiting readily available employee data to make the illicit clones look genuine using advanced A.I. imaging technology. When it was originally discovered, the malware was in the form of a document file that attempted to attack the CVE-2021-40444 vulnerability. Subsequently, the threat actor switched to ISO archives having BazarLoader DLLs with LNK shortcuts.
