Campaign Analysis of sLoad and Ramnit

Where Does Breached Data Go?

Campaign Analysis of sLoad and Ramnit

Over recent months, Leonardo's UK ARCHANGEL Cyber Incident Response Team (CIRT) observed a threat actor attempting to use data stolen from successful cyber-attacks to launch campaigns against other targets.


The team detected a phishing campaign that used malformed shell link files (LNK), also known as shortcut files, containing embedded PowerShell scripts to distribute sLoad script-based malware and the Ramnit banking Trojan. The phishing emails mimicked order delivery notifications, a common phishing lure, with the attackers using the target’s full name and address to make the emails more convincing.


Following infection, sLoad searches the infected hosts' DNS cache for UK home and business banking websites that have been visited. The Ramnit banking Trojan then attempts to steal sensitive data from web browsers such as banking credentials, to facilitate fraudulent financial transactions.


In late September, the CIRT noticed a significant increase in sLoad and Ramnit activity that coincided with a data breach notification from a hosting provider of a third-party supplier used by one of our customers. It is highly likely that the data obtained from that breach was being used in this campaign against the customer and other targets.


Thanks to Leonardo’s UK ARCHANGEL Protective Monitoring Service and intelligence-led Incident Response Service, the CIRT was able to give the customer peace of mind by confirming no breach had occurred. Measures were quickly implemented to protect the customer before the surge in campaign activity occurredm because the tactics, techniques and procedures used by this threat actor were already well understood.


Further information

  Download the white paper – Campaign Analysis of sLoad and Ramnit: Where Does Breached Data Go?


To learn more about how Leonardo can help protect your business, call our team on 0117 900 8935 or email us at