A Truly Graceful Wipe Out
ID: 078d9ade-5d90-55d5-adfa-e55edcf0c06f
STIX ID: report--078d9ade-5d90-55d5-adfa-e55edcf0c06f
Feed Name: The DFIR Report
A May 2023 intrusion leveraged a 404 TDS drive-by download of a Truebot executable that loaded Cobalt Strike and the FlawedGrace RAT for discovery, lateral movement (including pass-the-hash via Impacket/atexec and Cobalt Strike psexec), and credential dumping; adversaries exfiltrated gigabytes of data and, 29 hours after initial access, deployed an MBR Killer wiper that overwrote boot records and rendered systems inoperable. The report provides technical analysis of malware execution (registry- and PowerShell-based payload staging, process injection, scheduled task persistence), network and file IoCs (IPs, JA3/JARM, hashes, filenames), detection guidance (Sigma, YARA, Suricata rules), and attributes activity with high confidence to Lace Tempest and FIN11 with possible TA505 ties.
