Clankerusecase
Threat-actor profile

🇷🇺Conti

🇷🇺 Conti is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 26 detection use cases to this actor across 83 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-06-08 to 2026-06-12.

Severity: crit 1 · high 1
MITRE ATT&CK group spec: G0102

26 use cases · 2 articles · 83 techniques · 8 IOCs

Known aliases

Conti
Wizard Spider
TrickBot Group
GOLD ULRICK
UNC1878
TEMP.MixMaster
Grim Spider
FIN12
GOLD BLACKBURN
ITG23
Periwinkle Tempest
DEV-0193
Pistachio Tempest
DEV-0237

Top techniques

All other tracked techniques

T1003 · OS Credential Dumping
T1003.002 · Security Account Manager
T1003.003 · NTDS
T1005 · Data from Local System
T1016 · System Network Configuration Discovery
T1018 · Remote System Discovery
T1021 · Remote Services
T1021.001 · Remote Desktop Protocol
T1021.002 · SMB/Windows Admin Shares
T1021.006 · Windows Remote Management
T1027.010 · Command Obfuscation
T1033 · System Owner/User Discovery
T1036.004 · Masquerade Task or Service
T1041 · Exfiltration Over C2 Channel
T1047 · Windows Management Instrumentation
T1048 · Exfiltration Over Alternative Protocol
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
T1052.001 · Exfiltration over USB
T1053.005 · Scheduled Task
T1055 · Process Injection
T1055.001 · Dynamic-link Library Injection
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1070.004 · File Deletion
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1074 · Data Staged
T1074.001 · Local Data Staging
T1078 · Valid Accounts
T1078.002 · Domain Accounts
T1082 · System Information Discovery
T1087.002 · Domain Account
T1098.001 · Additional Cloud Credentials
T1102 · Web Service
T1105 · Ingress Tool Transfer
T1112 · Modify Registry
T1133 · External Remote Services
T1135 · Network Share Discovery
T1136.001 · Local Account
T1136.002 · Domain Account
T1195.002 · Compromise Software Supply Chain
T1197 · BITS Jobs
T1200 · Hardware Additions
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1210 · Exploitation of Remote Services
T1218 · System Binary Proxy Execution
T1218.011 · Rundll32
T1219 · Remote Access Tools
T1222.001 · Windows Permissions
T1489 · Service Stop
T1490 · Inhibit System Recovery
T1518.001 · Security Software Discovery
T1518.002 · Backup Software Discovery
T1528 · Steal Application Access Token
T1543.003 · Windows Service
T1547.001 · Registry Run Keys / Startup Folder
T1547.004 · Winlogon Helper DLL
T1550.002 · Pass the Hash
T1552.006 · Group Policy Preferences
T1553.002 · Code Signing
T1555.003 · Credentials from Web Browsers
T1555.004 · Windows Credential Manager
T1557.001 · Name Resolution Poisoning and SMB Relay
T1558.003 · Kerberoasting
T1560.001 · Archive via Utility
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1566.004 · Spearphishing Voice
T1567 · Exfiltration Over Web Service
T1567.002 · Exfiltration to Cloud Storage
T1569.002 · Service Execution
T1570 · Lateral Tool Transfer
T1585.002 · Email Accounts
T1588.002 · Tool
T1588.003 · Code Signing Certificates
T1657 · Financial Theft
T1685 · Disable or Modify Tools

Detection use cases (26)

Conti/Wizard Spider: BazarLoader/Cobalt Strike beacon spawned from Office macro, followed by AdFind + nltest recon [AI · profile SDD]
Conti pre-encryption sabotage: vssadmin/wbadmin/wmic shadow-copy wipe + bcdedit recovery disable + service stoppage chain [AI · profile SDD]
Ransomware-style mass file rename / extension change [Internal]
LSASS process access / dump (credential theft) [Internal]
Remote service execution — PsExec / SMB lateral movement [Internal]
Quick Assist launched followed by remote interactive session (UNC3753 vishing pretext) [Bespoke]
AnyDesk, Bomgar, SuperOps or Zoho Assist installer execution (UNC3753 RMM foothold) [Bespoke]
Privnote[.]com self-destructing-note URL access from corporate endpoint [Bespoke]
Outbound connection to UNC3753 (Luna Moth) infrastructure IPs [Bespoke]
WinSCP or Rclone exfiltration from end-user workstations [Bespoke]
USB mass-storage attached followed by bulk file copy (UNC3753 physical intrusion) [Bespoke]
Outbound mail to or domain lookup of business-data-leaks[.]com (UNC3753 extortion infrastructure) [Bespoke]
Phishing-link click correlated to endpoint execution [Internal]
Email attachment opened from external sender [Internal]
1Password impossible-travel sign-in [MITRE match]
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) [MITRE match]
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN [MITRE match]
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
Developer package install spawning script-host with non-registry C2 within 5 minutes [MITRE match]
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint [MITRE match]
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request [MITRE match]
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) [MITRE match]
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress [MITRE match]
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes [MITRE match]

Threat-intel articles (2)

Tracked indicators

Domains (1)

business-data-leaks.com

IP addresses (7)

174.169.162.62
192.236.146.173
192.236.147.131
192.236.147.138
192.236.154.158
193.141.60.212
64.94.84.97