Paul Jaramillo

Down the BadHatch: Analysis of a Financially Motivated Access Broker

STAC4663 is a financially-motivated threat activity cluster that Sophos has been closely monitoring since early 2023 for its persistent exploitation of emerging vulnerabilities. Our research examines STAC4663’s operations, with a focus on its unique malware, BadHatch / Sardonic Backdoor, and its connections to the ransomware ecosystem.

This presentation will examine cases involving STAC4663, revealing their core tools, techniques, and procedures, including the vulnerabilities targeted and dual-use applications leveraged. Additionally, STAC4663’s usage of SystemBC and involvement in handing off access to ransomware affiliates will be highlighted.

Leveraging insights gained from the recovery of command and control server data, we are able to provide detailed analyses of STAC4663’s tooling, bash history, and global reconnaissance techniques. These insights offer a unique perspective on STAC4663’s operations and their broader implications for the ransomware ecosystem.

Paul is Director of Threat Hunting & Intelligence at Sophos. He has more than 10 years of incident response and 15 years of IT experience with previous stints at Splunk, CrowdStrike, and the US DoE. He has a long-distinguished record of reducing enterprise risk and guiding organizations to an improved security posture. Some highlights include breaking into a two-factored VPN as a pen tester, successfully investigating an insider threat case across the globe as a forensic examiner, and hunting and ejecting nation state adversaries from corporate and government networks.