March 22, 2023

Researchers detailed the activity of a sophisticated financially motivated threat actor called Karakurt. The activity of the group was first spotted in June 2021, but the group has been more active in Q3 2021.


In June 2021 the gang registered the domains hosting its leak sites, karakurt[.]group and karakurt[.]tech, while in August the group registered a Twitter account with the handle “karakurtlair.” .

The group focuses on data theft and extortion, but the researchers pointed out that it doesn’t use ransomware. In 2021 be Q4 hit over 40 victims

The actors focus almost exclusively on data exfiltration and extortion and are not using ransomware to lock their victims’ files.Most of the known victims (95%) are based in North America, while the remaining 5% are in Europe.

The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.


Initially, the group gained persistence by using the popular post exploit tool Cobalt Strike. In recent attacks, the group switched on VPN IP pool or AnyDesk software to establish persistence and avoid detection.

Once gained access to the target network, the group uses various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.

The threat group in most attacks escalated privileges using previously obtained credentials. For data exfiltration the group has been seen utilizing 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to cloud storage.



  • Employ robust and routine user-awareness and training regimens for users of all systems.
  • Robust crisis management and incident response plan
  • Maintain best practices against malware, such as patching, updating anti-virus software, implementing strict network egress policies, and using application whitelisting.
  • Patch internal & external assets regularly.
  • Disable RDP on external-facing devices and restrict workstation-to-workstation RDP connections.
  • Employ a strong corporate password policy that includes industry standards for password length, complexity, and expiration dates for both human and non-human accounts.
  • Use MFA where possible for authentication and admin account restrictions.
  • Do not store unprotected credentials in files and scripts on shared locations.
  • Encrypt data at rest where possible and protect related keys and technology.

Leave a Reply

%d bloggers like this: