Data Exfiltration and Threat Actor Infrastructure Exposed
ID: cbec4a69-6fed-54be-949e-49717c120d13
STIX ID: report--cbec4a69-6fed-54be-949e-49717c120d13
Feed Name: Huntress Blog
Huntress SOC investigated an incident in which threat actors used base64-encoded PowerShell to configure Restic (renamed to winupdate.exe) with S3 credentials and an exposed RESTIC_PASSWORD in order to stage and exfiltrate data. The actors then removed security agents (VIPRE/EDR), disabled Windows Defender, and deployed INC ransomware (c:\perflogs\win.exe), with RestartManager activity observed during file encryption. The report includes SHA256 IOCs and notes similar prior activity and external reporting.
