Azuki Import/Export Compromise
STATUS: CONTAINED
ANALYST: Erick Cisneros Ruballos
DATETIME: Nov 23, 2025
A highly targeted corporate espionage intrusion resulting in external RDP access, Microsoft Defender tampering, active credential dumping via Mimikatz, and bulk data exfiltration leveraging Discord C2 channels.
Executive Assessment
Azuki Import/Export Trading Co. recently experienced a targeted intrusion likely stemming from corporate espionage, wherein a competitor successfully undercut a primary shipping contract by exactly 3%.
Initial forensic assessment indicates an external attacker compromised the IT administrator workstation (AZUKI-SL) via a brute-forced Remote Desktop Protocol (RDP) connection. The attacker established deep registry persistence, harvested local administrator credentials, and actively exfiltrated internal pricing data utilizing a Discord webhook tunnel.
Reconstructed Attack Chain
Initial Access (TA0001)
Brute-force login via external RDP targeting kenji.sato from attacking IP 88.97.178.12.
Internal Discovery (TA0007)
Immediate execution of 'ARP.EXE -a' post-compromise to map out the internal LAN subnet topology.
Defense Evasion (TA0005)
Attacker staged 'C:\ProgramData\WindowsCache', wiped the Security Event Logs using 'wevtutil', and injected 3 explicit exclusions into Windows Defender.
System Persistence (TA0003)
Created a backdoor local admin account named 'support'. Registered a malicious scheduled task mimicking 'Windows Update Check' that pointed to the payload.
Credential Access (TA0006)
Transferred a disguised binary 'mm.exe'. Executed 'sekurlsa::logonpasswords', dumping credential hashes from LSASS memory via Mimikatz.
C2 & Exfiltration (TA0011)
Archived pricing sheets into 'export-data.zip'. Opened an HTTPS tunnel to 78.141.196.6 and exfiltrated the archive via Discord API webhooks.
Indicators of Compromise
| Indicator | Value |
|---|---|
| IPv4 (Attacker) | 88.97.178.12 |
| IPv4 (C2) | 78.141.196.6:443 |
| File Payload | export-data.zip |
| Binary | mm.exe (Mimikatz) |
| Directory Stage | C:\ProgramData\WindowsCache |
| Script | wupdate.ps1 |
MITRE ATT&CK Map
- T1078 (Valid Accounts)
- T1059.001 (Command and Scripting Interpreter: PowerShell)
- T1053.005 (Scheduled Task/Job: Scheduled Task)
- T1562.001 (Impair Defenses: Disable or Modify Tools)
- T1070.001 (Indicator Removal: Clear Windows Event Logs)
- T1003.001 (OS Credential Dumping: LSASS Memory)
- T1041 (Exfiltration Over C2 Channel)
KQL Threat Hunt Validation
Direct telemetry queries executed in Microsoft Defender for Endpoint proving the attack path.
// Detecting Mimikatz module execution (module::command syntax) from the renamed binary
DeviceProcessEvents
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where ProcessCommandLine contains "::"
| where FileName has "mm.exe"
| where DeviceName has "azuki"
| project Timestamp, DeviceName, FileName, ProcessCommandLine

// Detecting the zip compression
DeviceProcessEvents
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where ProcessCommandLine contains "zip"
| where DeviceName has "azuki-sl"

// Finding the upload mechanism via curl to Discord webhooks
DeviceNetworkEvents
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where DeviceName has "azuki-sl"
| where InitiatingProcessFileName == "curl.exe"

// Counting the distinct Defender extension exclusions written to the registry
DeviceRegistryEvents
| where RegistryKey has @"Windows Defender\Exclusions\Extensions"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| summarize UniqueExtensions = dcount(RegistryValueName)

Immediate Containment Directives
- Reset all Active Directory credentials for compromised accounts (kenji.sato, support).
- Disable external RDP access from the public WAN and enforce strict MFA boundaries.
- Wipe the scheduled task 'Windows Update Check' via an administrative shell.
- Forensically isolate and delete the staging directory 'C:\ProgramData\WindowsCache'.
- Null-route outbound network connections destined for '78.141.196.6' at the edge firewall.
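The four hunt queries in the KQL Threat Hunt Validation section each confirm one stage in isolation. The following Python is an added example (not the report's own tooling, and not how Microsoft Defender for Endpoint exposes its tables): it re-implements those filters over constructed rows that mirror the DeviceProcessEvents, DeviceNetworkEvents and DeviceRegistryEvents column names, adds a match on the C2 address from the IoC table, and then correlates per device so a host that trips several stages inside the hunt window is flagged. It goes beyond the page's queries in two ways: every filter runs fleet-wide over any "azuki" host rather than being pinned to azuki-sl, and it matches any Defender exclusion subkey rather than only Extensions. All telemetry rows, hostnames other than azuki-sl, and the stage labels are constructed for the example.

```python
"""Offline re-run of the report's MDE hunts plus per-device correlation.

Added example: the rows below are constructed to mirror MDE column names;
nothing here is the report's tooling or a real MDE API.
"""
from collections import defaultdict
from datetime import datetime

# Hunt window used by the KQL queries (inclusive, like KQL's between())
WINDOW_START = datetime(2025, 11, 19)
WINDOW_END = datetime(2025, 11, 20)
C2_IP = "78.141.196.6"                           # from the IoC table
EXCLUSIONS_KEY = r"windows defender\exclusions"  # any Defender exclusion subkey

# Constructed telemetry. Only the azuki-sl rows reproduce the reported
# activity; the other rows are benign noise the filters must ignore.
PROCESS_EVENTS = [
    {"Timestamp": datetime(2025, 11, 19, 14, 2), "DeviceName": "azuki-sl",
     "FileName": "mm.exe", "ProcessCommandLine": 'mm.exe "sekurlsa::logonpasswords"'},
    {"Timestamp": datetime(2025, 11, 19, 14, 10), "DeviceName": "azuki-sl",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "Compress-Archive -Path C:\\Pricing -DestinationPath export-data.zip"},
    {"Timestamp": datetime(2025, 11, 19, 9, 0), "DeviceName": "azuki-fs01",   # constructed host
     "FileName": "7z.exe", "ProcessCommandLine": "7z.exe a backup.zip D:\\Shares"},
    {"Timestamp": datetime(2025, 11, 22, 8, 0), "DeviceName": "azuki-sl",     # outside window
     "FileName": "mm.exe", "ProcessCommandLine": "mm.exe privilege::debug"},
]
NETWORK_EVENTS = [
    {"Timestamp": datetime(2025, 11, 19, 14, 15), "DeviceName": "azuki-sl",
     "InitiatingProcessFileName": "curl.exe", "RemoteIP": C2_IP, "RemotePort": 443},
    {"Timestamp": datetime(2025, 11, 19, 10, 0), "DeviceName": "azuki-hr02",  # constructed host
     "InitiatingProcessFileName": "msedge.exe", "RemoteIP": "203.0.113.10", "RemotePort": 443},
]
REGISTRY_EVENTS = [
    {"Timestamp": datetime(2025, 11, 19, 13, 50), "DeviceName": "azuki-sl",
     "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions",
     "RegistryValueName": ext, "RegistryValueData": "0"}
    for ext in (".exe", ".ps1", ".zip")   # the three exclusions noted in the report
]


def in_window(row):
    return WINDOW_START <= row["Timestamp"] <= WINDOW_END


def azuki_host(row):
    return "azuki" in row["DeviceName"].lower()


def find_mimikatz(events):
    """DeviceProcessEvents hunt: mm.exe invoked with a module::command argument."""
    return [r for r in events if in_window(r) and azuki_host(r)
            and "mm.exe" in r["FileName"].lower()
            and "::" in r["ProcessCommandLine"]]


def find_archiving(events):
    """DeviceProcessEvents hunt: archive creation (the KQL pins azuki-sl; this is fleet-wide)."""
    return [r for r in events if in_window(r) and azuki_host(r)
            and "zip" in r["ProcessCommandLine"].lower()]


def find_curl_uploads(events):
    """DeviceNetworkEvents hunt: outbound connections initiated by curl.exe."""
    return [r for r in events if in_window(r) and azuki_host(r)
            and r["InitiatingProcessFileName"].lower() == "curl.exe"]


def find_c2_contacts(events):
    """IoC match on the C2 address from the table (not one of the report's queries)."""
    return [r for r in events if in_window(r) and r["RemoteIP"] == C2_IP]


def count_defender_exclusions(events):
    """DeviceRegistryEvents hunt: distinct exclusion value names written, per device."""
    names = defaultdict(set)
    for r in events:
        if in_window(r) and EXCLUSIONS_KEY in r["RegistryKey"].lower():
            names[r["DeviceName"].lower()].add(r["RegistryValueName"])
    return {device: len(values) for device, values in names.items()}


def correlate(process_events, network_events, registry_events, min_stages=3):
    """Record which hunt signals fired per device; flag hosts hitting min_stages or more."""
    stages = defaultdict(set)
    for stage, hits in (("credential_dump", find_mimikatz(process_events)),
                        ("archive_staging", find_archiving(process_events)),
                        ("curl_upload", find_curl_uploads(network_events)),
                        ("c2_contact", find_c2_contacts(network_events))):
        for r in hits:
            stages[r["DeviceName"].lower()].add(stage)
    for device, n in count_defender_exclusions(registry_events).items():
        if n >= 1:
            stages[device].add("defender_exclusions")
    flagged = sorted(d for d, s in stages.items() if len(s) >= min_stages)
    return {"stages": {d: sorted(s) for d, s in stages.items()}, "flagged": flagged}


if __name__ == "__main__":
    result = correlate(PROCESS_EVENTS, NETWORK_EVENTS, REGISTRY_EVENTS)
    for device, hits in result["stages"].items():
        print(device, hits)
    print("flagged:", result["flagged"])
```

With the constructed rows, azuki-sl trips all five stages and is the only host flagged; the constructed file server's 7-Zip backup matches the loose "zip" filter but stays at one stage, which is the reason for correlating rather than alerting on any single query.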