Skip to main content
Fake IP Scanner to BlackCat Ransomware operation cover
COMING SOONAdvancedPRO

Fake IP Scanner to BlackCat Ransomware

A multi-day, hands-on-keyboard intrusion that began with a malvertising lure for a popular network scanning utility and ended in enterprise-wide BlackCat ransomware. The trojanized installer side-loaded a malicious library to stage Sliver and Cobalt Strike, the operator dumped credentials living-off-the-land, moved laterally over SMB, exfiltrated data with a renamed Restic client to a dedicated host, then deleted shadow copies and encrypted the estate. Reconstruct the full kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.

1h 45m
8 tasks
150 points
Pro

Launches in 5 days

Jul 21, 2026

Tuesday, July 21, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMXDRFirewall

What you'll investigate

8 objectives unlock when this operation goes live.

1Incident brief
2Find the initial payload
3Classify the loader's execution-hijack technique
4Recover the harvested administrator
5Separate the exfiltration from the command channel
6Classify the recovery-inhibition step
7Recover the encryptor indicator
8Classify the credential-access technique

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 21, 2026, you can jump straight in.

Get Started Free