Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
ID: 68fadbe0-35ba-546e-a177-7cf6bb34e434
STIX ID: report--68fadbe0-35ba-546e-a177-7cf6bb34e434
Feed Name: The DFIR Report
This DFIR Report describes a multi-stage intrusion beginning with a malicious EarthTime installer that deployed SectopRAT, established SystemBC proxy tunnels for RDP access, performed AD credential theft (including DCSync and Veeam credential extraction), executed extensive reconnaissance (Grixba/SharpHound/AdFind/Netscan), staged and archived sensitive files with WinRAR/FS64, exfiltrated data over cleartext FTP, and later dropped the Betruger backdoor — activity consistent with a ransomware affiliate preparing for a ransomware event.
