
APT Investigation: Bluebottle Financial Sector Campaign
A deep-dive investigation into a sophisticated multi-stage attack targeting financial institutions in Francophone Africa. Analysts will trace the infection from malicious ISO mounts through GuLoader execution, defense evasion via signed kernel drivers, and lateral movement using dual-use tools like Ngrok and PsExec. This scenario is based on real-world threat intelligence from the Symantec Threat Hunter Team regarding the Bluebottle/OPERA1ER group.
Requires a Pro subscription.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
- Initial Lure Execution Analysis (10 points)
- GuLoader Injection Detection (10 points)
- Kernel Driver Defense Evasion (15 points)
- Lateral Movement via PsExec (10 points)
- Ngrok Tunneling Correlation (10 points)
- RDP Persistence Mechanism (10 points)
- Credential Theft Pattern Analysis (10 points)
- Malicious .NET Download Source (10 points)
- Macro Execution Parent Process (10 points)
- Encrypted Payload Retrieval (10 points)
- Registry Persistence Mechanism (10 points)
- NetWire C2 Port Identification (10 points)
- Brute Force Source Correlation (20 points): Identify the external IP address responsible for multiple failed RemoteInteractive logon attempts against the workstation FIN-WS-06, as recorded in the security event logs.
- Phishing Document Source Domain (10 points)
- GuLoader Binary Name (10 points)
- C2 Domain Correlation (10 points)
- C2 Server IP Identification (15 points)
- Script Interpreter Analysis (10 points)
- RAT Payload Hosting (15 points)
- Reflective Loading Detection (15 points)
- Sandbox Evasion Check (15 points)
- Cobalt Strike Beacon Detection (10 points)
- RDP Lateral Movement Source (10 points)
- Unauthorized Data Transfer (10 points)
- Phishing Attachment Filename (10 points)
- Suspicious Notepad Injection (10 points)
- Encrypted C2 Traffic Analysis (10 points)
- Keylogging Activity Correlation (15 points)

28 tasks · 320 points total
Skills You'll Build
Complex multi-stage investigations. Realistic noise, ambiguous indicators, lateral movement.
Prerequisites
- Basic understanding of security alerts
- Experience with log analysis tools
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
- Familiarity with Firewall concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.