Mallory
3 malware families · Exploits CVEs in the wild

EXOTIC LILY

Also known as: EXOTIC LILY

Exotic Lily is a phishing-focused threat actor and initial access broker. Reporting describes it as an initial access broker for Conti and notes that Lazarus likely also resorted to initial access broker services, including Exotic Lily's. Exotic Lily has conducted email thread-hijacking campaigns using malicious ISO attachments and has relied on victims opening malicious links in emails for execution. It has gained execution through malicious LNK files contained within ISO files, which execute hidden DLLs, and has also used malicious documents exploiting CVE-2021-40444 in Microsoft MSHTML.

Its tradecraft includes creating email accounts that spoof targeted organizations, registering spoofed domains by changing the top-level domain to .us, .co, or .biz, and establishing social media profiles that mimic employees of targeted companies. The group gathers victim information through open-source research, business databases including RocketReach and CrunchBase, social media, and victim website contact forms to support impersonation and tailored phishing. For payload delivery, Exotic Lily has abused legitimate file-sharing services and their notification features, including WeTransfer, TransferNow, TransferXL, and OneDrive, uploading malicious payloads to those services.

Reporting also links Exotic Lily to BumbleBee delivery in an intrusion where a phishing email likely delivered a password-protected ZIP containing an ISO and a malicious LNK file that executed rundll32 to load a DLL payload. The only alias in the available reporting is the lowercase form exotic_lily.
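The TLD-swap spoofing described above (a legitimate domain re-registered under .us, .co or .biz) is simple to screen for on inbound mail. The following is an added defensive example written for this page, not Mallory's or any vendor's code; the organisation domain and From: headers are constructed sample data, and multi-part public suffixes are assumed out of scope.

```python
# Added example (not Mallory's or any vendor's code): flag sender domains that
# impersonate an organisation by swapping only the TLD to .us, .co or .biz.
from email.utils import parseaddr

# TLDs the reporting above names for Exotic Lily's spoofed registrations.
SWAPPED_TLDS = {"us", "co", "biz"}

def split_domain(domain):
    """Return (registrable label, tld) for a two-label domain, else None.
    Assumption: multi-part public suffixes such as co.uk are out of scope."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else None

def lookalike_reason(sender_domain, legit_domains):
    """Describe why sender_domain is a TLD-swapped impersonation of one of
    legit_domains, or return None when it is not."""
    split = split_domain(sender_domain)
    if split is None:
        return None
    label, tld = split
    for legit in legit_domains:
        legit_split = split_domain(legit)
        if legit_split is None:
            continue
        legit_label, legit_tld = legit_split
        if label == legit_label and tld != legit_tld and tld in SWAPPED_TLDS:
            return f"{sender_domain} mimics {legit} (TLD swapped to .{tld})"
    return None

def scan_headers(from_headers, legit_domains):
    """Run the check over raw From: header values; return [(address, reason)]."""
    hits = []
    for raw in from_headers:
        _, addr = parseaddr(raw)
        if "@" not in addr:
            continue
        reason = lookalike_reason(addr.rsplit("@", 1)[1], legit_domains)
        if reason:
            hits.append((addr, reason))
    return hits

# Constructed sample data: a fictional organisation and three From: headers.
LEGIT = ["example.com"]
SAMPLE_FROM = [
    "Jane Doe <jane.doe@example.com>",          # genuine
    "Jane Doe <jane.doe@example.us>",           # TLD swapped to .us: flagged
    "Billing <billing@example-invoices.com>",   # different label: not flagged
]
```

Feed `scan_headers` the From: values from your mail gateway logs together with your own registered domains; hits are candidates for quarantine or analyst review, not automatic proof of Exotic Lily activity.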


MITRE ATT&CK

Tradecraft

34 distinct techniques observed across reporting, grouped by tactic. Coverage: 9 of 15 tactics, 45 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (5 techniques)
  T1589 Gather Victim Identity Information
    T1589.002 Email Addresses
  T1593 Search Open Websites/Domains
    T1593.001 Social Media
  T1594 Search Victim-Owned Websites
  T1595 Active Scanning
    T1595.002 Vulnerability Scanning
  T1597 Search Closed Sources

TA0042 Resource Development (4 techniques)
  T1583 Acquire Infrastructure
    T1583.001 Domains (×2)
    T1583.002 DNS Server
  T1585 Establish Accounts
    T1585.001 Social Media Accounts (×3)
    T1585.002 Email Accounts (×2)
  T1586 Compromise Accounts
  T1608 Stage Capabilities (×2)
    T1608.001 Upload Malware (×3)
    T1608.002 Upload Tool

TA0001 Initial Access (2 techniques)
  T1190 Exploit Public-Facing Application
  T1566 Phishing (×2)
    T1566.001 Spearphishing Attachment (×26)
    T1566.002 Spearphishing Link (×8)
    T1566.003 Spearphishing via Service

TA0002 Execution (4 techniques)
  T1059 Command and Scripting Interpreter (×3)
    T1059.001 PowerShell (×2)
  T1129 Shared Modules
  T1203 Exploitation for Client Execution (×8)
  T1204 User Execution
    T1204.001 Malicious Link (×2)
    T1204.002 Malicious File (×12)

TA0003 Persistence (1 technique)
  T1547 Boot or Logon Autostart Execution
    T1547.009 Shortcut Modification

TA0004 Privilege Escalation (2 techniques)
  T1068 Exploitation for Privilege Escalation
  T1547 Boot or Logon Autostart Execution
    T1547.009 Shortcut Modification

TA0005 Stealth (2 techniques)
  T1036 Masquerading
    T1036.008 Masquerade File Type
  T1564 Hide Artifacts
    T1564.006 Run Virtual Instance

TA0007 Discovery (1 technique)
  T1087 Account Discovery
    T1087.002 Domain Account

TA0011 Command and Control (4 techniques)
  T1090 Proxy (×2)
  T1102 Web Service (×3)
  T1105 Ingress Tool Transfer
  T1572 Protocol Tunneling (×2)
IOCs

Observables

31 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
