
Fake IP Scanner to BlackCat Ransomware
A multi-day, hands-on-keyboard intrusion that began with a malvertising lure for a popular network scanning utility and ended in enterprise-wide BlackCat ransomware. The trojanized installer side-loaded a malicious library to stage Sliver and Cobalt Strike, the operator dumped credentials living-off-the-land, moved laterally over SMB, exfiltrated data with a renamed Restic client to a dedicated host, then deleted shadow copies and encrypted the estate. Reconstruct the full kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.
Launches in 5 days
Tuesday, July 21, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
What you'll investigate
8 objectives unlock when this operation goes live.
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 21, 2026, you can jump straight in.
Get Started Free