THREAT OPS › Threat News › Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
<div class="block-paragraph_advanced"><p>Written by: Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, Tyler McLellan</p> <hr /></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">From January through May 2026, Mandiant identified a financ
MITRE ATT&CK techniques
- Scheduled TaskT1053.005
- OS Credential DumpingT1003
- SharepointT1213.002
- External Remote ServicesT1133
- Security Account ManagerT1003.002
- Match Legitimate Resource Name or LocationT1036.005
- Boot or Logon Autostart ExecutionT1547
- Malicious FileT1204.002
- SSHT1021.004
- Code SigningT1553.002
- Network Share DiscoveryT1135
- Scheduled Task/JobT1053
- Data from Local SystemT1005
- Email AccountsT1586.002
- Exfiltration Over Web ServiceT1567
- Remote Access ToolsT1219
- Social EngineeringT1684
- MasqueradingT1036
- Protocol TunnelingT1572
- Email AccountsT1585.002
- LSASS MemoryT1003.001
- Email AddressesT1589.002
- Spearphishing VoiceT1598.004
- Command and Scripting InterpreterT1059
- Clear Windows Event LogsT1685.005
- Automated ExfiltrationT1020
- Indicator RemovalT1070
- File and Directory DiscoveryT1083
- Web ServiceT1102
- PowerShellT1059.001
- Registry Run Keys / Startup FolderT1547.001
- Exfiltration over USBT1052.001
- Multi-Factor AuthenticationT1556.006
- Data Encrypted for ImpactT1486
- Subvert Trust ControlsT1553
- Spearphishing VoiceT1566.004
- Social MediaT1593.001
- CredentialsT1589.001
- Exfiltration to Cloud StorageT1567.002
- ImpersonationT1684.001
- Conditional Access PoliciesT1556.009
- System ServicesT1569
- Windows Command ShellT1059.003
- Network Service DiscoveryT1046
- Exfiltration Over Physical MediumT1052
- Remote Desktop ProtocolT1021.001
- Service ExecutionT1569.002
- Data from Local SystemAML.T0037
- Command and Scripting InterpreterAML.T0050
- ImpersonationAML.T0073
- MasqueradingAML.T0074
- OS Credential DumpingAML.T0090
Indicators of compromise
- 598281d2c6de83adf1505ee6077608d0c043623d477e2884d36d65e90686d67asha256
- https://www.ic3.gov/CSA/2026/260526.pdfurl
- https://business-data-leaks.comurl
- https://www.virustotal.com/gui/collection/598281d2c6de83adf1505ee6077608d0c043623d477e2884d36d65e90686d67a/summaryurl
- 192.236.147.131ipv4
- 192.236.147.138ipv4
- 193.141.60.212ipv4
- 192.236.154.158ipv4
- 192.236.146.173ipv4
- 174.169.162.62ipv4
- 64.94.84.97ipv4
- privnote.comdomain
- itdesk.comdomain
- it.comdomain
- helpdesk.comdomain