>samit_hota
Back to adversary profiles
G1011HighActive

EXOTIC LILY: Premier Initial Access Broker Fueling Ransomware Operations

Samit Hota·
Suspected Origin
Europe (likely Central or Eastern Europe), closely linked to Russian cybercrime group WIZARD SPIDER.
Motivation
Financial Gain
Aliases
None documented
Target Sectors
IT, Cybersecurity, Healthcare, Wide Range of Industries
Associated Malware
BazarLoader, BUMBLEBEE, Cobalt Strike, Conti, Diavol
#threat-actor#g1011

Overview

EXOTIC LILY (MITRE ATT&CK ID G1011) is a highly skilled and financially motivated threat group that primarily functions as an Initial Access Broker (IAB). This group specializes in breaching target networks and then selling that access to other malicious actors, with strong indications of a close working relationship with the notorious Russian cybercrime syndicate, WIZARD SPIDER (also known as FIN12 or DEV-0413). EXOTIC LILY’s operations are distinct from typical ransomware-as-a-service (RaaS) affiliates, as they focus solely on gaining the initial foothold rather than deploying the final ransomware payload themselves. Their clients have historically included prominent ransomware operators like the Conti and Diavol groups.

Active since at least September 2021, EXOTIC LILY exhibits a level of sophistication and human interaction in their campaigns that is uncharacteristic of many mass-scale cybercrime operations. While initially targeting specific industries such as IT, cybersecurity, and healthcare, their focus has broadened significantly over time, indicating an opportunistic approach to victim selection across a wide array of organizations and sectors globally. Analysis of their operational patterns suggests their human operators likely work a regular 9-to-5 schedule, consistent with a Central or Eastern European time zone.

Tactics & Techniques

EXOTIC LILY’s primary modus operandi revolves around meticulously crafted spear phishing campaigns designed to achieve initial access. Their social engineering tactics are particularly advanced, often involving detailed identity and domain spoofing to lend credibility to their lures. This includes registering spoofed domains by altering top-level domains (TLDs) to “.us”, “.co”, or “.biz” to mimic legitimate organizations. They go to great lengths to establish trust with targets, creating elaborate fake personas complete with social media profiles and even AI-generated profile pictures. In some cases, they impersonate real employees of targeted companies, harvesting personal data from business databases like RocketReach and CrunchBase, as well as public social media profiles.

The group’s initial attack vector is consistently email, frequently themed as business proposals, such as requests for software development outsourcing or information security services. A notable technique they employ for payload delivery is leveraging legitimate file-sharing services like WeTransfer, TransferNow, TransferXL, and OneDrive. They utilize the built-in email notification features of these services to send malicious links or attachments, effectively bypassing many traditional email security controls. This approach highlights their dedication to evading detection and underscores the human-operated nature of their email campaigns, which are believed to involve minimal automation. Once a target engages, EXOTIC LILY may engage in follow-up discussions to build rapport before delivering the final malicious payload.

Their execution techniques have evolved over time. Initially, they were observed exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444) to achieve remote code execution. Following this, they shifted to delivering malicious ISO files. These ISOs typically contain LNK files that, when clicked, execute hidden DLLs to deploy their loader malware. This constant adaptation in their delivery and exploitation methods showcases their agility and determination to maintain effectiveness.

Notable Campaigns

EXOTIC LILY first came into public view in September 2021, when Google’s Threat Analysis Group (TAG) observed their exploitation of the Microsoft MSHTML 0-day vulnerability (CVE-2021-40444). At the peak of their activity, the group was estimated to be sending over 5,000 carefully crafted spear phishing emails daily, reaching as many as 650 targeted organizations worldwide.

A significant evolution in their tactics was noted in late 2021 and early 2022. They transitioned from the MSHTML exploit to delivering malicious ISO files containing BazarLoader. By March 2022, EXOTIC LILY further refined this approach, replacing BazarLoader with a more advanced custom downloader known as BUMBLEBEE, still delivered via malicious ISOs. This consistent innovation in their toolset and delivery mechanisms demonstrates a continuous effort to overcome defensive measures.

Associated Malware & Tools

The malware utilized by EXOTIC LILY and subsequently by their customers is instrumental to their success as an IAB. Their primary initial access malware includes:

  • BazarLoader: An early stage downloader observed in their campaigns, often delivered within malicious ISO files.
  • BUMBLEBEE: A more advanced custom loader that replaced BazarLoader by March 2022. BUMBLEBEE is capable of collecting extensive system information, including OS version, username, and domain name, using Windows Management Instrumentation (WMI), which is then exfiltrated to a command-and-control (C2) server. It has been observed fetching and executing Cobalt Strike payloads, which are commonly used for post-exploitation activities and hands-on-keyboard access.
  • Cobalt Strike: While not directly developed by EXOTIC LILY, it is a frequently observed post-exploitation framework deployed by their customers once initial access is brokered via BUMBLEBEE.

Their close association with WIZARD SPIDER means that the access they gain is often sold to groups deploying high-impact ransomware. This includes, but is not limited to, Conti and Diavol ransomware variants. It’s crucial to understand that EXOTIC LILY provides the “keys to the kingdom,” enabling these subsequent, devastating ransomware attacks.

Current Status

EXOTIC LILY remains an active and significant threat within the cybercrime landscape. Their profile on MITRE ATT&CK was last modified in April 2025, indicating ongoing relevance and continued tracking by the security community. While specific recent campaigns beyond March 2022 were not detailed in the available searches, the continuous updates to their threat intelligence profile suggest sustained activity. As long as there is a market for initial access to corporate networks, groups like EXOTIC LILY will continue to operate, evolve their tactics, and pose a severe risk to organizations globally. Their sophisticated social engineering, technical prowess in evading detection, and strategic position within the cybercrime ecosystem make them a critical threat to monitor.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call