Employee impersonation, new ways to gain access to your data.

Mar 14 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got more sticky situations than a Drake video.

Today’s hottest cyber security stories:

  • Exotic Lily targets victims via email phishing
  • Infamous Batloader malware lurks in Google search ads


It may sound like a stripper but it’s actually a very smart and very sneaky thing that hides in emails and steals your info. Exotic Lily is getting quite a name for itself thanks in part to its ties to ransomware. It’s been linked to Diavol and Conti, both well-known ransomware operations.

What is Exotic Lily?

In short: bad news. Exotic Lily, aka PROJECTOR LIBRA and TA580, is an Initial Access Broker (IAB).

FYI, Initial Access Brokers (IABs) are an emerging breed of cybercriminal that sells access to compromised networks. It’s similar to outsourcing models where an organisation decides to focus on their domain expertise instead of wasting resources on things other companies can do better.

Exotic Lily is known for its expertise in obtaining login information from important targets by utilising techniques such as employee impersonation, OSINT, and the creation of convincing fraudulent documents.

It’s also gained considerable traction and success by paying close attention to the finer details of its phishing campaigns.

The attackers follow a well-established procedure that typically commences with initiating an open conversation with the victim.

These profiles exploit the implied trust factor to lure victims into accessing apparently innocuous sites that end up downloading harmful payloads.

So yeah, it sounds like a stripper and if you come into contact with it, the effect it’ll have on your wallet will be similar to if it was a stripper. Boo Exotic Lily.


Google search results seem to be becoming more treacherous by the day, thanks to pesky phishing scams. So, the latest is that Batloader has reared its ugly head again. We’ve covered this nasty strain of malware before and sadly we probably will again. This latest campaign started in February and shows no signs of letting up.

Here’s the technical stuff:

  • The recent BatLoader samples lack the capabilities to establish entrenched access to enterprise networks; however, these were added in the latest variant.
  • In the mid-February variant, the batch file contained a third Python file, obfuscated with PyArmor, that was embedded with an identical series of commands to handle payload retrieval, decryption, and execution.
  • That Python file helps curate payloads for domain-joined systems with more than two IP neighbours in the system’s ARP table.

The scary thing about BatLoader is that it’s continuously improving itself with more convincing tricks such as the impersonation of popular business applications and propagation via Google ads.

Lately, several other threats have been observed using the same impersonation tactics.

Organisations are advised to educate employees on how to protect themselves from malware masquerading as legitimate applications.

Is nothing sacred anymore!! Stay safe out there, folks!

So long and thanks for reading all the phish!
