Press Release May 6, 2020

Illusive Networks Discovers New Nation-State Cyberattack Tools Linked to COVID-19 Phishing Scam

Rapid Detection and Response Uncovers Potential Attack Force Collusion

NEW YORK and TEL AVIV, Israel, May 06, 2020 /PRNewswire/ — Illusive Networks®, the leader in deception-based cyber defense solutions, today revealed it detected and thwarted a nation-state attack linked to a COVID-19 related phishing scam. That led to the discovery of new tools used by cyber criminals, and researchers are investigating the potential involvement of two or more groups.

Illusive Networks’ researchers suspect that the objective of this advanced persistent threat (APT) was a large-scale ransomware attack. The initial infection vector was a sophisticated phishing email related to COVID-19 which was opened by an end user. Attack characteristics appear almost identical to the BazarBackdoor attack developed by TrickBot, a well-known cybercrime group. Following the initial breach, attackers worked quickly to gain a broad presence across the network.

Illusive identified several tools including a PowerShell script that had an embedded secondary tool (shell code) – a Cobalt Strike beacon that is indicative of the attack being associated with the TrickBot group. The Cobalt Strike beacon allowed the attackers to communicate back to a command and control center. More than one communication link to command and control was apparent, leading researchers to suspect two or more groups worked separately, yet in collusion, to progress the attack. Additional tools discovered include Metasploit, mimikatz and SharpHound/Bloodhound. No other security solution was able to provide real-time detection with the necessary forensics information to prove that an APT was occurring.

The initial breach occurred before Illusive technology was installed, but the Illusive Platform was deployed instantly and within 24 hours, it identified suspicious interaction with a distributed deception on a protected print server. An unauthorized user with strong credentials had established a base of operations on the print server and had moved laterally from it to infiltrate other systems across several domains. Illusive back tracked the user’s lateral movement and found dozens of compromised machines the attackers had reached by moving laterally using RDP, WMI and other means.

Matan Kubovsky, vice president of research and development, Illusive Networks, said: “Security solutions may not always be able to protect an enterprise from a breach, so more focus should be allocated to threat detection once an attacker has entered the system, regardless of the tools they are using. In this case, Illusive was able to deploy in a matter of hours and detected a breach almost immediately, as the technology focuses on the lateral movement of the attack and not the tool itself. The Illusive Platform’s ability to accurately identify attacks in progress and provide rich, real-time forensics meant we could quickly contain the attack.”

About Illusive Networks
Illusive Networks uses next-generation deception technology to stop cyber-attacks by paralyzing attackers, destroying their ability to make decisions, and depriving them of the means to move sideways towards attack targets. Illusive’s inescapable deception and attack surface reduction capabilities eliminate high-risk pathways to critical systems, force attackers to reveal themselves early in the threat lifecycle, and capture real-time forensics that accelerate incident response. Built on agentless, advanced automation, and requiring very little security team support, Illusive immediately shifts the advantage to defenders, freeing precious resources from the complicated and data-heavy approaches that overloaded them in the past.

For more information, visit, contact us at or follow on LinkedIn, @Illusivenw on Twitter and Facebook.

Media Contact for Illusive:

Corey Eldridge