The attack on **Veeam** involved a multi-stage payload delivery via fake CAPTCHA pages, deploying **information stealers** to harvest authentication tokens, browser cookies, and stored credentials. Attackers bypassed **MFA**, escalated privileges via a **SOCKS proxy DLL** (loaded via `rundll32.exe`), and created a backdoor admin account (*Supportt*) to maintain persistence. They reset the legitimate **Administrator account password**, preventing recovery. Extensive reconnaissance was conducted using tools like **ScreenConnect**, **NetScan**, and **AnyDesk** (deployed via ATERA Networks) to map the network and identify privileged accounts (e.g., **Domain Admins**, **service accounts**). The attackers **targeted Veeam's backup infrastructure**, extracting credentials from SQL databases (e.g., `VeeamBackup.[dbo].[Credentials]`) using **PowerShell scripts with base64-encoded payloads**. Compromised credentials included **Domain Admins, Exchange servers, SQL databases, and file servers**, enabling lateral movement. **Defense evasion** was achieved via **BYOVD (Bring Your Own Vulnerable Driver)** using *eskle.sys* (linked to Chinese gaming cheat tools) to disable security solutions. The attack compromised **domain controllers, backup repositories, and critical servers**, posing severe operational and security risks.
TPRM report: https://www.rankiteo.com/company/veeam-software
"id": "vee4762147102425",
"linkid": "veeam-software",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'type': 'Enterprise Organization'}],
 'attack_vector': ['Fake CAPTCHA Pages (Malicious JavaScript)',
                   'Multistage Payload Delivery (C2 Servers: 45[.]221[.]64[.]245, 104[.]164[.]55[.]7)',
                   'Information Stealers (Token/Cookie/Credential Harvesting)',
                   'Legitimate Tool Abuse (Rundll32.exe, ScreenConnect, AnyDesk, ATERA Networks)',
                   'Anti-AV Tools (2stX.exe, Or2.exe, eskle.sys BYOVD)'],
 'data_breach': {'data_encryption': 'Partially (Veeam Credentials Stored Encrypted; Decryption Key Found: 0jmz9Hrgy08rc0XrNpQ***[REDACTED]**)',
                 'data_exfiltration': 'Likely (Implied by Credential Harvesting and Lateral Movement)',
                 'file_types_exposed': ['SQL Database Records',
                                        'Stored Browser Credentials',
                                        'System Tokens'],
                 'sensitivity_of_data': 'High (Administrative and Service Account Credentials)',
                 'type_of_data_compromised': ['Authentication Tokens',
                                              'Browser Cookies',
                                              'Stored Credentials (Plaintext and Encrypted)',
                                              'Veeam Backup Database Records (SQL Tables: Credentials, BackupRepositories, WinServers)']},
 'description': "Analysis of embedded obfuscated JavaScript within fake CAPTCHA pages revealed a multistage payload delivery system that initiated downloads from secondary command-and-control servers (45[.]221[.]64[.]245/mot/ and 104[.]164[.]55[.]7/231/means.d). The attack involved information stealers harvesting authentication tokens, browser cookies, and stored credentials, enabling attackers to bypass MFA and move laterally using legitimate user sessions. The attackers deployed a SOCKS proxy DLL for remote access, created a backdoor administrative account ('Supportt'), and conducted extensive reconnaissance. They targeted Veeam backup infrastructure to harvest credentials, used anti-AV tools (2stX.exe, Or2.exe, eskle.sys driver) for defense evasion, and leveraged dual-RMM tools (AnyDesk, ScreenConnect) for persistent access.",
 'impact': {'brand_reputation_impact': 'High (Due to Credential Theft and Potential Data Breach)',
            'data_compromised': ['Authentication Tokens',
                                 'Browser Cookies',
                                 'Stored Credentials (Domain Admins, Service Accounts, Local Admins)',
                                 'Veeam Backup Database Credentials (SQL Queries: user_name, password)'],
            'identity_theft_risk': 'High (Stored Credentials and Tokens Compromised)',
            'operational_impact': ['Compromised Administrative Accounts',
                                   'Lateral Movement Across Network',
                                   'Potential Data Exfiltration',
                                   'Security Tool Evasion (Anti-AV Disabled)',
                                   'Persistent Access via RMM Tools'],
            'systems_affected': ['Domain Controllers',
                                 'Exchange Servers',
                                 'SQL Databases',
                                 'File Servers',
                                 'Backup Repositories',
                                 'Endpoints (Via Information Stealers)',
                                 'Veeam Backup Infrastructure']},
 'initial_access_broker': {'backdoors_established': ['SOCKS Proxy DLL (socks64.dll loaded via rundll32.exe)',
                                                     "Backdoor Admin Account ('Supportt' added to Administrators group)",
                                                     'Legitimate Administrator Password Reset',
                                                     'RMM Tools (AnyDesk 9.0.5, ScreenConnect)'],
                           'entry_point': 'Fake CAPTCHA Pages with Obfuscated JavaScript',
                           'high_value_targets': ['Veeam Backup Infrastructure (Credential Harvesting)',
                                                  'Domain Controllers (Lateral Movement)',
                                                  'Exchange Servers',
                                                  'SQL Databases']},
 'investigation_status': 'Ongoing (Assessment Based on Observed Tactics)',
 'motivation': ['Credential Theft',
                'Lateral Movement',
                'Persistence',
                'Data Exfiltration (Likely)',
                'Potential Ransomware/Extortion (Implied by Credential Harvesting)'],
 'post_incident_analysis': {'root_causes': ['Successful Social Engineering (Fake CAPTCHA Pages)',
                                            'Insufficient Protection for Stored Credentials (Veeam Backup)',
                                            'Abuse of Legitimate Tools (Rundll32.exe, RMM Platforms)',
                                            'Lack of Anti-AV Driver Protection (eskle.sys BYOVD)',
                                            'MFA Bypass via Stolen Tokens/Cookies']},
 'threat_actor': 'Agenda (Assessed)',
 'title': 'Sophisticated Social Engineering and Credential Harvesting Attack via Fake CAPTCHA Pages',
 'type': ['Social Engineering',
          'Credential Harvesting',
          'Privilege Escalation',
          'Lateral Movement',
          'Defense Evasion',
          'Persistence',
          'Discovery'],
 'vulnerability_exploited': ['Human Trust (Fake CAPTCHA Social Engineering)',
                             'Stored Credentials in Veeam Backup Infrastructure',
                             'Legitimate Administrative Tools (ScreenConnect, AnyDesk, RMM Platforms)',
                             'Driver Vulnerability (eskle.sys for Anti-AV Bypass)']}