SoftPerfect Network Scanner
SoftPerfect Network Scanner is a commercial network-scanning and internal reconnaissance utility used to discover hosts, shared folders, and available services. In the provided reporting it appears under names including netscan.exe, netscanpack.exe, SoftPerfectNetworkScannerPortable.exe, and renamed copies such as li.exe. It is consistently described as being used post-compromise for internal network enumeration, subnet discovery, target list building, and Active Directory environment mapping rather than as a self-propagating payload. Reported threat actors and operations using the tool include Black Basta, BlackCat/ALPHV affiliates, Akira affiliates, actors exploiting Citrix NetScaler CVE-2023-4966 in intrusions investigated by Mandiant, Everest ransomware operators, and the Crypt Ghouls cluster. Observed victim sectors and environments include healthcare, legal and professional services, technology, government, Russian businesses and government agencies, and enterprise Windows/AD networks, with some reporting also involving VMware ESXi-focused ransomware operations. High-confidence associated artifacts mentioned in the content include filenames netscan.exe, netscanpack.exe, SoftPerfectNetworkScannerPortable.exe, and C:\Intel\li.exe. The tool is commonly used alongside other reconnaissance and post-exploitation tooling such as AdFind, PingCastle, Cobalt Strike, remote administration tools, credential-dumping utilities, and ransomware deployment workflows.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The file was identified as a version of the SoftPerfect Network Scanner – a powerful commercial network-scanning tool with the ability to discover shared folders and available services.
"...utilities, including SoftPerfect Network Scanner, PingCastle, and XenAllPasswordPro..."
"...utilities, including SoftPerfect Network Scanner, PingCastle, and XenAllPasswordPro..."
"...utilities, including SoftPerfect Network Scanner, PingCastle, and XenAllPasswordPro..."
"...utilities, including SoftPerfect Network Scanner, PingCastle, and XenAllPasswordPro..."
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 techniqueThe content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Stealth
2 techniquesthe threat actor created a malicious file named ‘C:\Intel\svchost.exe’... attempting to mask the malware as benign activity... Additional executions of the Stowaway tunneling tool were also observed during this phase using the names ‘svchost.exe’, ‘tomcat.exe’, and ‘tomcat7.exe’.
Files pertaining to the threat actor’s post exploitation activities such as reconnaissance of the internal network, were deleted to hinder forensic analysis efforts.
Discovery
4 techniquesAdvanced Port Scanner — an off-the-shelf tool to identify open ports and determine the versions of software running on the system
Several actors used discovery tools such as BloodHound, AdFind, Advanced IP Scanner, SoftPerfect Network Scanner, NBTscan, RustScan, and SNScan for user, system, and network discovery.
SoftPerfect Network Scanner (Netscan) was used to conduct port scanning activities to understand what network services were actively running on hosts.
The threat actor leveraged the SoftPerfect tool to perform several manual reconnaissance activities, which included searching for passwords in Group Policy xml files, accessing remote folders via Windows Explorer...
Lateral Movement
2 techniquesThey then copied lactenin.exe from the entry workstation to the domain controller over SMB at 11:38 UTC and executed it immediately.
The threat actor moved cab files to the remote hosts using SMB and then expanded and ran them using wmiexec.py commands.
Command and Control
1 techniqueThe threat actor used PowerShell to download and execute a script named ‘vic64.ps1’ from ‘bashupload[.]com’... the threat actor copied over SMB a Stowaway instance named ‘vga.exe’ to the remote server.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Network scanning/enumeration tool used post-compromise to discover hosts/services and support lateral movement planning.
Network scanning utility used to discover hosts/services during reconnaissance to enable lateral movement and targeting.
Legitimate network scanning tool used for internal discovery and reconnaissance to support lateral movement.
Commercial network scanning utility abused for internal reconnaissance, discovery of shared folders and services, and manual exploration of reachable systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.