Home/ Threat Actors/ EXOTIC LILY

🌐EXOTIC LILY

🌐 EXOTIC LILY is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 15 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1011) ↗

14Use cases

0Articles

15Techniques

0IOCs

About this actor (MITRE)

[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2

Known aliases

EXOTIC LILY

Top techniques

T1102 · Web Service T1203 · Exploitation for Client Execution T1204.001 · Malicious Link

All other tracked techniques

T1204.002 · Malicious File T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.003 · Spearphishing via Service T1583.001 · Domains T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1589.002 · Email Addresses T1593.001 · Social Media T1594 · Search Victim-Owned Websites T1597 · Search Closed Sources T1608.001 · Upload Malware

Detection use cases (14)

EXOTIC LILY initial access: spoofed-sender phish with legitimate file-share link followed by ISO/IMG/LNK execution AI · profile S EXOTIC LILY BumbleBee execution: rundll32 spawned from a mounted ISO/IMG with named-export DLL invocation AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Abnormal Security: malicious email opened MITRE match Click on URL whose host doesn't match the sender domain MITRE match Email attachment opened from external sender MITRE match Phishing-link click correlated to endpoint execution MITRE match User clicked through a Safe Links warning page MITRE match