Fake Zoom Ends in BlackSuit Ransomware
ID: 8c2e15a2-48d7-55b3-8ae4-3fc15208d6d6
STIX ID: report--8c2e15a2-48d7-55b3-8ae4-3fc15208d6d6
Feed Name: The DFIR Report
This DFIR case details a May 2024 intrusion that began with a trojanized Zoom installer (d3f@ckloader) and an IDAT loader, which injected SectopRAT into MSBuild.exe. After a multi-day dwell period the actor executed Brute Ratel and Cobalt Strike for discovery and lateral movement, deployed a QDoor proxy to tunnel RDP, exfiltrated archived data to Bublup, and used PsExec to distribute and run BlackSuit ransomware across Windows hosts, deleting VSS snapshots and leaving ransom notes. The report includes timelines, YARA/Sigma rules, network and detection artifacts, and extensive IOCs (hashes, IPs, domains).
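The summary names three behaviours that are cheap to hunt for in endpoint telemetry: MSBuild.exe making outbound network connections (the SectopRAT injection target), PsExec's PSEXESVC service appearing on hosts (the ransomware distribution mechanism), and vssadmin deleting shadow copies before encryption. The following is an added example written for this page, not code or rules from The DFIR Report (whose own YARA/Sigma rules are in the full post). The events are constructed, the simplified Sysmon-style field names (id, image, cmdline, dst_ip, service_name) are an assumption, and the patterns are the editor's approximations. It evaluates the three rules over the sample events and then correlates PsExec plus shadow-copy deletion on the same host as a ransomware-staging indicator.

```python
"""Triage detections for the tradecraft in the summary above (added example).

Constructed, simplified Sysmon-style events; field names are an assumption,
not The DFIR Report's schema. IPs are from the TEST-NET documentation ranges.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: Sysmon EID 1 (process create), EID 3 (network
# connection) and System EID 7045 (service installed). Not real IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\ZoomInstaller.exe",
     "cmdline": "MSBuild.exe"},
    {"id": 3, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 1, "host": "DC01", "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "FS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 1, "host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign administrator activity: must not fire.
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    # Legitimate Zoom client traffic: must not fire.
    {"id": 3, "host": "WS02", "image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443},
]

# Editor's patterns (assumptions), covering the vssadmin and wmic forms of
# shadow-copy deletion, the PsExec service binary/name, and the MSBuild image.
VSS_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
PSEXEC_SVC = re.compile(r"psexesvc", re.I)
MSBUILD = re.compile(r"\\msbuild\.exe$", re.I)


def detect(event):
    """Return (rule_name, detail) if the event matches a rule, else None."""
    eid = event["id"]
    if eid == 1:
        cmd = event.get("cmdline", "")
        if VSS_DELETE.search(cmd):
            return ("vss_shadow_deletion", cmd)
        if PSEXEC_SVC.search(event.get("image", "")):
            return ("psexec_service_binary", event["image"])
    elif eid == 3:
        # MSBuild.exe has no business beaconing out on a non-developer host.
        if MSBUILD.search(event.get("image", "")):
            return ("msbuild_network_connection",
                    f'{event["dst_ip"]}:{event["dst_port"]}')
    elif eid == 7045:
        if (PSEXEC_SVC.search(event.get("service_name", ""))
                or PSEXEC_SVC.search(event.get("image_path", ""))):
            return ("psexec_service_installed", event["service_name"])
    return None


def run_detections(events):
    """Evaluate every event; return (rule, host, detail) alerts in input order."""
    alerts = []
    for ev in events:
        hit = detect(ev)
        if hit:
            alerts.append((hit[0], ev["host"], hit[1]))
    return alerts


def correlate_ransomware_staging(alerts):
    """Hosts where PsExec tooling and shadow-copy deletion both fired.

    Either signal alone is noisy; together on one host they match the
    distribute-then-encrypt sequence described in the summary.
    """
    by_host = defaultdict(set)
    for rule, host, _ in alerts:
        by_host[host].add(rule)
    psexec_rules = {"psexec_service_binary", "psexec_service_installed"}
    return sorted(h for h, rules in by_host.items()
                  if rules & psexec_rules and "vss_shadow_deletion" in rules)


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"{host:5} {rule:28} {detail}")
    print("staging hosts:", correlate_ransomware_staging(found))
```

On the sample data the two benign events (vssadmin list shadows, Zoom.exe over 443) produce nothing, and FS01 is the only host flagged for staging. The MSBuild rule does fire on developer workstations where MSBuild legitimately performs NuGet restores, so scope it to hosts without a build toolchain or pair it with the parent-process check the first sample event suggests (MSBuild spawned from a Temp-directory installer rather than from an IDE).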
