A new post-exploitation framework known as EXFILTRATOR-22, or EX-22, has surfaced. It is designed to support ransomware deployment inside enterprise networks while evading detection, and it bundles the usual post-exploitation tasks into a single subscription product, lowering the skill needed to run an intrusion, according to a recent report by cybersecurity firm CYFIRMA.

Its reported capabilities include reverse shells with elevated privileges, file upload and download, keystroke logging, a ransomware module for file encryption, and live Virtual Network Computing (VNC) sessions that give the operator real-time interactive access to a compromised host. EX-22 also persists across reboots, spreads laterally with a worm component, lists running processes, computes cryptographic hashes of files, and extracts authentication tokens.

CYFIRMA assessed, with moderate confidence, that the developers of EX-22 are based in North, East, or Southeast Asia and may be former affiliates of the LockBit ransomware group. The attribution rests on technical similarities and shared infrastructure between EX-22 and the LockBit malware family; in particular, both use domain fronting to hide their command-and-control traffic behind legitimate-looking hostnames.
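Domain fronting works by putting a benign, CDN-hosted name in the TLS Server Name Indication (SNI) while the encrypted HTTP Host header names the real command-and-control endpoint, so the two disagree. A practical check for defenders is to compare the two fields wherever a TLS-inspecting proxy logs both. The following is an added example, not code from the CYFIRMA report or from EX-22: it runs over constructed proxy log lines in an assumed `key=value` format (the format, hostnames and addresses are all made up for illustration) and flags requests whose SNI and Host header belong to different registrable domains.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in an assumed proxy log format. These are not real
# telemetry and the hostnames are placeholders, not known EX-22 infrastructure.
SAMPLE_LOGS = """\
2023-02-28T10:01:02Z src=10.0.5.21 sni=cdn.example-front.net host=cdn.example-front.net status=200
2023-02-28T10:01:09Z src=10.0.5.21 sni=cdn.example-front.net host=c2-handler.example.org status=200
2023-02-28T10:02:15Z src=10.0.5.33 sni=updates.example.com host=updates.example.com status=304
2023-02-28T10:03:40Z src=10.0.5.21 sni=static.example-front.net host=evil-beacon.example status=200
2023-02-28T10:04:00Z src=10.0.5.40 sni= host=legacy.example.com status=200
"""

# One regex for the assumed line layout; sni/host may be empty (\S*).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S*) host=(?P<host>\S*) status=(?P<status>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    sni: str
    host: str


def registrable(domain: str) -> str:
    """Crude registrable-domain approximation: the last two DNS labels.

    This keeps www.example.com vs example.com from being flagged as fronting.
    A real deployment should use a public-suffix list instead of this shortcut.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def find_fronting(log_text: str) -> List[Finding]:
    """Return every request whose TLS SNI and HTTP Host disagree at the
    registrable-domain level, which is the signature of domain fronting."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        sni, host = m["sni"], m["host"]
        if not sni or not host:
            continue  # nothing to compare (e.g. clients that send no SNI)
        if registrable(sni) != registrable(host):
            findings.append(Finding(m["ts"], m["src"], sni, host))
    return findings


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOGS):
        print(f"{f.ts} {f.src}: SNI {f.sni} != Host {f.host}")
```

A mismatch is only a lead, not proof of compromise: some legitimate CDN setups also produce SNI/Host disagreement, so the hit should be correlated with the source host's other activity before it is acted on. The check also depends on having visibility into the Host header, which requires TLS inspection at the proxy; without it, only the SNI is observable.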

Advertised on Telegram and YouTube as a "fully undetectable" malware package (the seller's claim, not an independent finding), EX-22 is sold as a subscription at $1,000 per month or $5,000 for lifetime access. Buyers receive credentials for a dedicated login panel from which they control implants through the EX-22 server.

Since its debut on November 27, 2022, the developers have updated the toolkit regularly, which indicates active, ongoing development rather than a one-off release. The goal of that work is to keep operators inside compromised networks undetected for extended periods. This post-exploitation framework-as-a-service (PEFaaS) model is a new challenge for defenders, because it lets less capable actors buy tooling that previously required in-house development.

EXFILTRATOR-22 joins other malicious post-exploitation frameworks such as Manjusaka and Alchimist, adding to the range of tooling available to cybercriminals. Meanwhile, legitimate red-team frameworks such as Cobalt Strike, Metasploit, and Havoc continue to be abused in real intrusions, which underlines the need for continued vigilance and proactive defenses.