Threat Actor Infrastructure
IP addresses: 45[.]84[.]107[.]198 & 193[.]189[.]100[.]202; 194[.]165[.]16[.]167 & 174[.]93[.]37[.]132
Domain: tabbysbakescodes[.]ws
File hashes:
svchost.exe → B22035C16DFBB8CD2590AA5FB8B84F2DA0ADBE9032ED235A424F191B9DAB1837
ph.exe → 9CFBA0B279FFD1EE86E2239FF516EA958BA2AB77E0A34E857B4D0C09DFC66428
Installer_v5435_x64.exe → 7785D48CC964BDC333E08D1E9ACFB640BBE9A8927FD47FA0001349D8EE20A527
sysdata.exe → 0803d3e72008be11161179f5813c01e0b1941046e680884d2af145184c31d53d
TextIntelHost.exe → 642606C78B93EE5292BE54CFED2247B79E6DB75541AE037BDCAB287B19A0D34D7
slhost.exe → 10AA650F708DD5752662DDB796F01C9CD3D5C040E760380FFBF089578A483807
sysdata.vbs
MBTDInstallHelper.exe
A threat actor gained unauthorized access to KCD-Web through a compromised administrator account. Operating silently for over two weeks before detection, the attacker created a backdoor account called ‘user’, returned multiple times using different IP addresses, enabled plaintext credential storage, and weakened remote access security settings to prepare for deeper compromise.
When the attacker escalated, they reactivated their communication channel, planted persistence mechanisms, deployed a brute force tool targeting other internal machines, and extracted account passwords directly from memory. They disabled endpoint monitoring to avoid detection and established a persistent backdoor service that survives every system reboot. A second actor later authenticated using stolen credentials, confirming that the credential theft had real operational impact.
The same attacker then returned using different credentials from the same infrastructure. Before triggering the final payload they accessed sensitive HR and financial files, confirming that valuable targets existed. A fake installer deployed from an external drive silently disabled security controls across critical system folders and established a persistent beacon calling back to a confirmed malicious server every ten minutes for over 55 hours. A ransom note was found on the external drive. The encryption never executed: the attacker was caught during the staging phase, before files were locked.
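The fixed ten-minute callback described above is the kind of pattern a defender can pick out of connection logs by looking for low-jitter inter-arrival times. The script below is an added example, not part of this report; the log lines are constructed (the destination is the defanged domain from the indicator list, the second destination and all timestamps are invented).

```python
# Added example (not from the incident report): flag hosts whose outbound
# connections to one destination recur at a fixed interval, the beaconing
# pattern the report describes (a callback every ten minutes for 55+ hours).
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed log lines in "timestamp src dst" form. The first destination is
# the defanged domain from the report's indicator list; timestamps and the
# second destination are invented for this example.
SAMPLE_LOG = """\
2026-03-13T22:00:04 KCD-Web tabbysbakescodes[.]ws
2026-03-13T22:10:03 KCD-Web tabbysbakescodes[.]ws
2026-03-13T22:20:05 KCD-Web tabbysbakescodes[.]ws
2026-03-13T22:30:04 KCD-Web tabbysbakescodes[.]ws
2026-03-13T22:40:06 KCD-Web tabbysbakescodes[.]ws
2026-03-13T22:50:04 KCD-Web tabbysbakescodes[.]ws
2026-03-13T22:03:17 KCD-Web updates.example[.]test
2026-03-13T22:41:59 KCD-Web updates.example[.]test
2026-03-13T22:55:02 KCD-Web updates.example[.]test
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(conns, min_events=5, max_jitter=timedelta(seconds=30)):
    """Return (src, dst, period_seconds) for pairs whose inter-arrival
    times cluster tightly around one period: many events, little jitter."""
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_events:
            continue  # too few events to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        # Every gap must sit within max_jitter of the median period.
        if all(abs(g - period) <= max_jitter for g in gaps):
            hits.append((src, dst, int(period.total_seconds())))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: periodic callback every {period}s")
```

Tune min_events and max_jitter to the log volume and the sleep jitter you expect; real traffic such as update checks is filtered out here by its irregular spacing, not by its destination.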
WHO
Three threat actors identified. Actor 1 operated from 45[.]84[.]107[.]198 and 193[.]189[.]100[.]202 using a compromised administrator account. Actor 2, identified as B_101, operated from 194[.]165[.]16[.]167 using stolen receptionist credentials obtained via an LSASS dump.
WHAT
They created unauthorized backdoor accounts, deployed malicious tools for credential theft and lateral movement, accessed sensitive HR and financial data including employee records and patient invoices, disabled security monitoring, and staged a ransomware deployment that was caught before encryption executed. A second actor authenticated using the stolen credentials the following morning.
WHEN
First activity occurred on: 2026-03-12 15:32:29
Last known activity: 2026-03-14 15:33:48
WHERE
Primary target: KCD-Web. All malicious tools were deployed and executed here. Sensitive data was accessed from the HR and Financial folders.
WHY