New details emerge on prolific Conti-linked cybercrime group

Google's Threat Analysis Group is calling the hackers Exotic Lily, and it says they employed relatively novel tactics.
phishing, emails, lures, exotic lily
(Getty Images)

In early September, researchers with Google’s Threat Analysis Group started tracking a financially motivated hacking group exploiting a since-patched Microsoft vulnerability to gain access to targeted computers.

Later it became clear that the group is what’s known as an initial access broker — a crew specializing in gaining entry to high-value networks and selling that access to other cybercriminals — and that it is closely affiliated with the notorious Conti ransomware organization.

In findings published Thursday, the Google researchers detail how the group they’re calling “Exotic Lily” employed relatively novel tactics to gain access to targets, and how, at its peak, the hackers sent an estimated 5,000 emails per day to as many as 650 targeted organizations globally.

Up through November 2021 the group seemed focused on IT, cybersecurity and health care organizations, but more recently Exotic Lily has been targeting a wide variety of industries, the researchers wrote.


“This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.”

— Google’s threat analysis Group

The group displayed a couple of unique approaches, the researchers said: The hackers spoofed companies and employees to gain the trust of targeted organizations, and the email campaigns appear to have been sent by real human operators with little to no automation. The group also was seen to spoof legitimate company domain names while changing the top-level domain extension to “.co”, “.us” or “.biz,” giving the phishing emails an appearance of more legitimacy.

In some cases the spoofing efforts included fake personas posing as employees of real companies. The personas have social media profiles, personal websites, and include profile pictures generated by online artificial intelligence generative adversarial network (GAN) services.

A fake social media profile created by EXOTIC LILY (Google Threat Analysis Group)

The group also “rather uniquely” uses legitimate file-sharing services, such as WeTransfer, TransferNow and OneDrive, to surreptitiously deliver malware, helping to evade detection mechanisms.


“This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations,” the researchers concluded.

People involved in Exotic Lily, likely based in a central or eastern European timezone, are perhaps tasked with several roles, such as customizing the “business proposal” templates used in the campaigns, handling ongoing communications with victims to gain affinity and trust, and uploading malware to the file sharing services ahead of it being delivered to the victims, the researchers speculated.

The “communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends,” the researchers wrote.

A Conti connection?

Various indicators within the malware deployed against targets suggest associations with Conti, a notorious ransomware group recently in the headlines after a Ukrainian researcher leaked reams of the group’s logs after Conti administrators posted a pro-Russian message the day after Russia’s invasion began.


One of the indicators — a unique profile associated with penetration testing software Cobalt Strike — caught the eye of researchers with Microsoft’s RiskIQ who analyzed some of Exotic Lily’s activities shortly after the Microsoft vulnerability was discovered in September 2021.

“The association of a zero-day exploit with a ransomware group is, however remote, is troubling,” the RiskIQ researchers wrote at the time. “It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem, or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution.”

Latest Podcasts