article featured image


Exfiltrator-22 is a new post-exploitation kit that can spread ransomware undetected. Researchers speculate that the creators of this kit are former LockBit 3.0 affiliates, experts in anti-analysis and defense evasion.

Cybercriminals advertise it for $1,000 per month and $5,000 for lifetime access. After paying, clients receive access to a dashboard on a strong VPS (virtual private server) in order to control the malware and send commands.

The skillful authors of this kit will most certainly develop it further, as the product is expected to generate great demand among cybercriminals (despite its high price).

The Timeline

The first Exfiltrator-22 (EX-22) signs appeared on November 27, 2022. Only ten days later, its creators were promoting it on a Telegram channel for other cybercriminals to buy.

In the next period, hackers added features to the original kit. For example, this cybercrime-as-a-service product was now able to hide traffic on infected endpoints.

Exfiltrator-22, a New Post-exploitation Kit for Sale


By January 2023 the kit was 87% ready and up for sale, searching for affiliates. On February 10, 2023, the threat actors behind it posted two YouTube videos that showed its lateral movement and ransomware-spreading features.

Features of the Exfiltrator-22

Cybercriminals created Exfiltrator-22 combining a series of common features with special ones designed for deploying ransomware and data theft.

According to BleepingComputer, its features include:

  • Create a reverse shell with elevated privileges access.
  • Download files from the endpoint to the C2 or upload files to the compromised system.
  • Use a keylogger to record keystrokes.
  • Launch a ransomware program to encrypt data on the compromised system.
  • Take screenshots of the victim’s PC screen.
  • To gain immediate access to the compromised computer, launch a live VNC (Virtual Network Computing) session.
  • Gain greater control over the infected gadget.
  • Create continuity between system reboots.
  • Use a worm module to propagate the malware to additional computers connected to the same network or the open internet.
  • Exfiltrate data out of the LSAAS (Local Security Authority Subsystem Service).
  • Create cryptographic hashes of the victim’s files to keep track of file locations and content modification.
  • Get a summary of the processes that are active on the infected device.
  • Take authentication credentials out of the compromised system.

CYFIRMA researchers discovered links between the Exfiltrator-22 kit and LockBit 3.0 affiliates or members of the ransomware gang. The post-exploitation kit has even the same C2 infrastructure as LockBit 3.0.

The framework uses the same “domain fronting” technique associated with the LockBit and the TOR obfuscation plugin Meek, which helps hide malicious traffic inside legitimate HTTPS connections to reputable platforms.


If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Leave a Reply

Your email address will not be published. Required fields are marked *