STAC4365
STAC4365 is a threat cluster tracked by Sophos as an affiliate of the Qilin ransomware-as-a-service operation. Sophos assessed with high confidence that STAC4365 was responsible for a January 2025 incident affecting a managed service provider (MSP) and multiple downstream customer environments, and has linked the group to phishing activity dating back to November 2022.

STAC4365 relies on adversary-in-the-middle (AiTM) phishing to steal credentials and bypass MFA, using the evilginx framework, spoofed ScreenConnect domains, and Amazon SES tracking redirects. In the cited intrusion, the actor impersonated a ScreenConnect authentication alert, redirected the victim through awstrack[.]me infrastructure to a fake ScreenConnect domain, proxied the legitimate login flow, captured the credentials and a time-based one-time password (TOTP), and then authenticated to the legitimate ScreenConnect Cloud portal with a compromised super administrator account. With that access, STAC4365 deployed an attacker-managed ScreenConnect instance named ru.msi across multiple customer environments, then carried out network enumeration, user discovery, credential resets, lateral movement, data collection, and exfiltration before deploying Qilin ransomware.

Observed tooling and techniques:
- Legitimate tools and Windows utilities (PsExec, NetExec, WinRM, ScreenConnect) for remote command execution and credential access.
- veeam.exe, associated with exploitation of CVE-2023-27532, to obtain unencrypted credentials from Veeam Cloud Backup.
- Compression of collected data with WinRAR.
- Exfiltration of the archives to easyupload.io using Chrome Incognito mode.
- Targeting of backups and modification of boot options to force Safe Mode with networking before ransomware deployment.

The reporting identifies STAC4365 specifically as an affiliate group of Qilin. Qilin is also referred to as Agenda and is described as a ransomware-as-a-service operation active since 2022.
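Two of the behaviours above are cheap to hunt for in ordinary telemetry: a web request that arrives via an awstrack[.]me tracking redirect and lands on a ScreenConnect-lookalike host that is not under the vendor's real domain, and a boot-configuration change that forces Safe Mode before ransomware is dropped. The following detection sketch is an added example written for this page, not code from Sophos or Mallory. It assumes a simplified event schema (constructed sample events, not real incident telemetry), assumes that `screenconnect.com` and `connectwise.com` are the only legitimate suffixes for ScreenConnect Cloud logins, and assumes the boot-option change was made with `bcdedit` (the standard Windows tool for it; the page itself does not name the utility).

```python
"""Detection sketch for two STAC4365 behaviours described on this page.

Added example; event schema, sample events and the trusted-suffix list are
assumptions, not data from the original reporting.
"""
import re
from urllib.parse import urlparse

# Assumption: legitimate ScreenConnect Cloud logins only live under these suffixes.
LEGIT_SCREENCONNECT_SUFFIXES = ("screenconnect.com", "connectwise.com")

# Assumption: the boot-option change is made with bcdedit (page does not say how).
# Matches "bcdedit ... safeboot network" or "safeboot minimal", case-insensitive.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b\s+(minimal|network)\b", re.I)

# Constructed sample events (not real telemetry). "web" = proxy log, "process" = EDR command line.
SAMPLE_EVENTS = [
    {"type": "web", "user": "alice",
     "referrer": "https://awstrack.me/PLACEHOLDER-TRACKING-PATH",
     "url": "https://login-screenconnect.example/Login"},
    {"type": "web", "user": "bob", "referrer": "",
     "url": "https://acme.screenconnect.com/Login"},
    {"type": "process", "host": "srv01",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"type": "process", "host": "srv02",
     "cmdline": "bcdedit /deletevalue {default} safeboot"},
]


def _host_under(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_screenconnect_lookalike(host):
    """A host that trades on the ScreenConnect brand but is not under a trusted suffix."""
    if not host or _host_under(host, LEGIT_SCREENCONNECT_SUFFIXES):
        return False
    return "screenconnect" in host.lower() or "connectwise" in host.lower()


def flag_web_event(ev):
    """Return an alert string for a proxy/web event, or None."""
    referrer_host = urlparse(ev.get("referrer", "")).hostname or ""
    dest_host = urlparse(ev["url"]).hostname or ""
    via_tracker = _host_under(referrer_host, ("awstrack.me",))
    if via_tracker and is_screenconnect_lookalike(dest_host):
        return "AiTM phishing: awstrack.me redirect to ScreenConnect lookalike " + dest_host
    if is_screenconnect_lookalike(dest_host):
        return "ScreenConnect lookalike domain visited: " + dest_host
    return None


def flag_process_event(ev):
    """Return an alert string for a process-creation event, or None."""
    if SAFEBOOT_RE.search(ev["cmdline"]):
        return "Boot options set to Safe Mode (pre-ransomware staging): " + ev["cmdline"]
    return None


def scan(events):
    """Run both detections over a list of events; returns (subject, alert) pairs."""
    alerts = []
    for ev in events:
        msg = flag_web_event(ev) if ev["type"] == "web" else flag_process_event(ev)
        if msg:
            alerts.append((ev.get("user") or ev.get("host"), msg))
    return alerts


if __name__ == "__main__":
    for subject, msg in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {subject}: {msg}")
```

Against the constructed sample, only alice's redirect chain and srv01's `bcdedit` command fire; bob's visit to a real `screenconnect.com` tenant and srv02's removal of the safeboot value do not. The referrer-gated rule is the higher-fidelity one, since a tracking redirect into a brand-lookalike host is exactly the gating step described above; the lookalike-only rule is noisier and is best used as a hunting lead rather than a page-out.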
Targeting
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
10 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns (CVE-2023-27532, Veeam Backup & Replication), exploited in the wild.
Observables
26 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Named activity cluster associated with phishing infrastructure spoofing ScreenConnect since late 2022, using evilginx and tracking-link gating to harvest credentials and MFA tokens and enable downstream ransomware deployment.
Qilin affiliate group reported to use adversary-in-the-middle phishing to steal credentials (MFA bypass via session capture implied).