Meet Exotic Lily, access broker for ransomware and other malware peddlers

Meet Exotic Lily, access broker for ransomware and other malware peddlers

The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization’s defenses, exploit that vulnerability, and sell the access to the victim’s network to an interested party, several times over with different victims.

Among these interested parties TAG found the Contiand Diavol ransomware groups. Because Exotic Lily’s methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.

Initial access broker

Like in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.

These initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.

Exotic Lily

From the TAG blogwe can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.

Their email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.

Last year, researchers found that Exotic Lily used the vulnerability listed as CVE-2021-40444, a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a blogabout attacks that exploited this vulnerability. Later, the group shifted to using customized versions of BazarLoaderdelivered inside ISO files.

Based on the fact that the Exotic Lily’s operations require a lot of human interaction, the researchers did an analysis of the “working hours” and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.

Social engineering

As with most email campaigns the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a “spray-and-pray” attack, to the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.

Exotic Lily used identity spoofingwhere they replaced the TLD for a legitimate domain and replaced it with “.us”, “.co” or “.biz”.  At first, the group would create entirely fake personas posing as employees of a real company. These personas would come including social media profiles, personal websites, and AI generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using such spoofed accounts, the attackers would send spear phishingemails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project’s design or requirements.


SHA-256 hashes of the BazarLoaderISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

SHA-256 hashes of the BUMBLEBEEISO samples:

  • 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
  • 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
  • 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
  • 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
  • 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

IPaddress of the C&C server:


Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.