Cybersecurity researchers have recently uncovered a vast and sophisticated hacker toolkit that provides a comprehensive suite of tools for executing and maintaining cyberattacks. Found in an open directory in December 2023, the discovery offers a rare glimpse into the methodologies and tools employed by modern cybercriminals. The toolkit includes a range of batch scripts and malware targeting both Windows and Linux systems, showcasing the attackers’ ability to compromise systems, maintain long-term control, and exfiltrate data.
Among the most significant tools identified were PoshC2 and Sliver, two well-known command and control (C2) frameworks. Although these open-source tools are typically used by penetration testers and red teams to simulate attacks and test security, they have been repurposed by threat actors for malicious purposes. The presence of these frameworks within the toolkit indicates the attackers’ intent to establish persistent remote access to compromised systems, allowing them to conduct further operations undetected.
In addition to these frameworks, the toolkit contained several custom batch scripts designed to evade detection and manipulate system settings.
Scripts such as atera_del.bat and atera_del2.bat were specifically crafted to remove Atera remote management agents, thereby eliminating traces of legitimate administrative tools. Other scripts, like backup.bat and delbackup.bat, were aimed at deleting system backups and shadow copies, a common tactic employed in ransomware attacks to prevent data recovery.
Researchers from The DFIR Report also noted the presence of clearlog.bat, a script capable of erasing Windows event logs and removing evidence of Remote Desktop Protocol (RDP) usage. This highlights the attackers' emphasis on covering their tracks and minimizing the chances of detection.
Additionally, the toolkit included more specialized tools such as cmd.cmd, which disables User Account Control and modifies registry settings, and def1.bat and defendermalwar.bat, which disable Windows Defender and uninstall Malwarebytes.
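The scripts described above (shadow copy deletion, event log clearing, UAC and Defender tampering, RDP trace removal) each leave a distinctive process-creation record, and they tend to run in quick succession on the same host. The following is an added detection example written for this page, not code from The DFIR Report or from the toolkit itself: it classifies command lines against a small set of well-known command patterns and raises an alert when two or more categories appear on one host within a short window. The event records, host names and command lines are constructed sample data; the field names ("ts", "host", "cmd") and the pattern list are assumptions, and a real deployment would map them onto Sysmon Event ID 1 or Windows Security 4688 fields from its SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection patterns, one list per behaviour category described in the article.
# Each regex is applied case-insensitively to the full process command line.
RULES = {
    "shadow_copy_deletion": [
        r"vssadmin(\.exe)?\s+delete\s+shadows",
        r"wmic(\.exe)?\s+shadowcopy\s+delete",
        r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
        r"wbadmin(\.exe)?\s+delete\s+catalog",
    ],
    "event_log_clearing": [
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b",
        r"clear-eventlog",
    ],
    "uac_tampering": [
        r"reg(\.exe)?\s+add\s+.*policies\\system.*enablelua.*\b0\b",
    ],
    "av_tampering": [
        r"set-mppreference\s+.*-disablerealtimemonitoring",
        r"sc(\.exe)?\s+(stop|config)\s+windefend",
    ],
    "rdp_trace_removal": [
        r"reg(\.exe)?\s+delete\s+.*terminal server client",
    ],
}

COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in RULES.items()}


def classify(cmdline):
    """Return the set of rule categories matched by a single command line."""
    return {cat for cat, pats in COMPILED.items() if any(p.search(cmdline) for p in pats)}


def correlate(events, window_minutes=30, min_categories=2):
    """Group matched events per host and alert when enough distinct categories
    occur within window_minutes of each other. One alert per host is emitted."""
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmd"])
        if cats:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats, ev["cmd"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for ts, _, _ in hits:
            in_window = [h for h in hits if ts <= h[0] <= ts + window]
            cats = set().union(*(h[1] for h in in_window))
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host,
                    "start": ts.isoformat(),
                    "categories": sorted(cats),
                    "commands": [h[2] for h in in_window],
                })
                break
    return alerts


# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-12-15T02:10:05", "host": "SRV-FS01",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-12-15T02:10:07", "host": "SRV-FS01",
     "cmd": "wevtutil.exe cl Security"},
    {"ts": "2023-12-15T02:11:00", "host": "SRV-FS01",
     "cmd": "reg.exe add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
            " /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign administrative activity on another host: queries, not deletions.
    {"ts": "2023-12-15T09:30:00", "host": "WS-042",
     "cmd": "wevtutil.exe qe Application /c:5"},
    {"ts": "2023-12-15T11:00:00", "host": "WS-042",
     "cmd": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} from {alert['start']}: {', '.join(alert['categories'])}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Correlating across categories rather than alerting on each pattern alone is the point of the example: a lone `vssadmin list shadows` or `wevtutil qe` is routine administration and matches nothing, while shadow deletion followed within minutes by log clearing and a UAC registry change on the same host is the pre-encryption sequence the article describes.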
The discovery of this hacker toolkit underscores the growing sophistication of cyberattacks and the need for organizations to adopt robust cybersecurity measures. With tools designed to disable critical services, delete backups, and evade antivirus software, the toolkit serves as a stark reminder of the evolving threat landscape.
Cybersecurity experts advise organizations to implement comprehensive security strategies, including regular system updates, employee training, and advanced threat detection systems, to protect against such sophisticated attack toolkits. The presence of Sliver and PoshC2 within the toolkit suggests that the servers hosting the open directory were likely used in ransomware intrusion activity. Many of the scripts found attempted to stop services, delete backups and shadow copies, and disable or remove antivirus software, further supporting this theory.
As cyber threats continue to evolve, the discovery of this toolkit provides valuable insights into the methods and tools employed by modern cybercriminals. Organizations must remain vigilant and proactive in their cybersecurity efforts to protect against the increasingly sophisticated tactics used by threat actors.