Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

ID: f0be50b2-f9ac-5b9c-a12c-71a10749e482

STIX ID: report--f0be50b2-f9ac-5b9c-a12c-71a10749e482

Feed Name: The DFIR Report

Threat Score: 78/100

Date Published: 2024-09-30

Date Updated: 2026-04-19

Author: editor

...
...

A targeted ransomware intrusion began with a malvertising-driven Nitrogen campaign that delivered a trojanized Advanced IP Scanner installer. The loader sideloaded a modified python311.dll, which launched Nitrogen payloads that dropped obfuscated Sliver and Cobalt Strike beacons, loaded in memory via Python scripts. The actor performed hands-on-keyboard discovery, dumped LSASS credentials, moved laterally using Impacket/WMExec and SMB, and exfiltrated file shares with Restic to a remote server in Bulgaria. Eight days after initial access, the actor reset a privileged backup account and deployed BlackCat ransomware across the domain using PsExec, configuring Safe Mode boot and automatic logon to ensure encryption succeeded. The report includes extensive IOCs, C2 infrastructure, hashes, detection rules, and mapped ATT&CK techniques.