Exotic Lily
Described by Google TAG as "the opportunistic locksmiths of the security world", Exotic Lily is a full-time initial access broker that distinguished itself through the unusually high level of human engagement in its phishing campaigns. Rather than blasting malware attachments at scale, operators build a fabricated business identity: fake LinkedIn profiles with AI-generated profile photos, spoofed company domains with changed TLDs, and carefully crafted business proposals sent directly to specific employees. The group ran at a sustained 5,000 emails per day to 650 organizations globally at peak, with operators maintaining a 9-to-5 Eastern European weekday schedule. Exotic Lily's access fed directly into Conti and Diavol ransomware deployments via its relationships with Wizard Spider / FIN12.
Overview
Exotic Lily was first observed by Google's Threat Analysis Group in early September 2021, when the group was caught exploiting CVE-2021-40444 — a zero-day in Microsoft's MSHTML rendering engine — in business proposal-themed phishing campaigns. TAG's investigation revealed not a sophisticated nation-state actor but something arguably more pragmatically dangerous: a dedicated, well-organized initial access broker running human-operated phishing as a professional service, operating standard business hours and selling access directly to the Conti and Diavol ransomware ecosystem.
What distinguishes Exotic Lily from commodity phishing operations is the investment in persona construction. Before any malicious email is sent, the group builds a fabricated identity: a LinkedIn profile with a name, profile photo generated by an AI face synthesis service, and company affiliation consistent with the phishing pretext. Domain spoofing replicates a legitimate company's domain with a changed TLD — replacing ".com" with ".us", ".co", or ".biz" — so that email headers appear to originate from a plausible organizational address. In November 2021, the group escalated further by copying real employees' personal data from LinkedIn, RocketReach, and CrunchBase and impersonating them directly rather than creating entirely fictional personas.
The Conti and Diavol ransomware connection was confirmed by Google TAG through overlapping infrastructure and Cobalt Strike profile fingerprints. Exotic Lily itself does not deploy ransomware — it establishes access, delivers a loader (BazarLoader or its custom-built Bumblebee), and hands off to downstream ransomware operators. This division of labor is a hallmark of the professionalized ransomware ecosystem: Exotic Lily acquires and qualifies access; Wizard Spider/FIN12 operators deploy the destructive payload. The Conti group's internal communications (leaked in the ContiLeaks in March 2022) referenced working with "spammers" as an outsourced function — consistent with the Exotic Lily relationship model.
Exotic Lily's IAB model creates a specific incident response challenge: by the time ransomware deploys in an Exotic Lily-enabled intrusion, the IAB itself may be weeks removed from the environment. The Bumblebee loader installs and exits — its job is system fingerprinting and handoff. The subsequent ransomware operators arrive via the access Exotic Lily established, using completely different tooling. Defenders focused on the ransomware deployment phase may miss the initial access entirely, leaving the IAB foothold unaddressed. Bumblebee artifacts are the earliest detectable indicator of an Exotic Lily-sourced intrusion.
Attack Chain — How Exotic Lily Operates
Exotic Lily's attack chain is unusually deliberate for a financially motivated eCrime actor. The level of human operational investment per target reflects a business model where access quality — not quantity alone — determines downstream value to ransomware buyers.
Operators create a fabricated business identity before any contact with the target. Early campaigns used entirely invented personas: LinkedIn profiles with AI-generated profile photos, personal websites, and social media presence for the fake employee. In November 2021, the group shifted to impersonating real employees — copying name, title, photo, and company data from LinkedIn, RocketReach, and CrunchBase — for higher credibility. Both approaches involved building a complete, cross-referenced online identity that withstands casual verification.
A spoofed domain matching the fake or real company's domain is registered, with the only change being the top-level domain: ".com" → ".us", ".co", or ".biz". This allows emails to originate from a domain that reads as the legitimate company in display, while being attacker-controlled. The spoofed domain is used for email sending and, in some cases, for a minimal fake company website to support the pretext.
Spearphishing emails are sent from the spoofed domain, presenting a business proposal relevant to the target organization's sector — typically positioning the fictional company as a potential outsourcing partner, supplier, or service vendor. The pretext is designed to initiate a business relationship conversation rather than immediately deliver a payload. Operators engage with responses, discuss proposal details, and schedule meetings — adding operational time but significantly increasing credibility for targets that engage with the initial contact.
Once initial trust is established, the operator uploads the malicious payload to a legitimate file-sharing service — TransferNow, TransferXL, WeTransfer, or OneDrive — and uses the service's built-in email notification feature to share it with the target. This means the delivery email originates from the legitimate file-sharing service's sending domain rather than the attacker's spoofed domain, bypassing many email reputation filters. The payload arrives as a "document" for the business proposal — frequently an ISO archive containing BazarLoader DLLs and LNK shortcuts, or later a Bumblebee loader.
Opening the ISO file mounts it as a virtual drive containing a malicious LNK shortcut. The LNK executes the embedded DLL — initially BazarLoader, later the custom Bumblebee loader. Bumblebee uses Windows Management Instrumentation (WMI) to collect system information (OS version, username, domain name) and exfiltrates it in JSON format to a C2 server. It then awaits tasking — which at the time of Google TAG's analysis included Cobalt Strike payload execution. Bumblebee uses a unique "bumblebee" HTTP user-agent string, which provides a distinctive detection indicator.
Exotic Lily's job ends with established persistent access. Access credentials, active sessions, or backdoors are handed to downstream Conti or Diavol ransomware operators (Wizard Spider / FIN12). These operators conduct their own reconnaissance, lateral movement, and ultimately ransomware deployment — potentially weeks after Exotic Lily's initial compromise. The IAB receives payment for qualified access. By the time ransomware deploys, Exotic Lily's footprint in the environment may be the only remaining evidence of the original intrusion vector.
Target Profile
Exotic Lily's targeting evolved significantly during its documented operational period, moving from precise sector focus to broad opportunistic coverage as the group scaled operations.
- Initial focus — IT, cybersecurity, and healthcare (Sep–Nov 2021): The group's early campaigns concentrated on three sectors. IT and cybersecurity organizations hold valuable network access and client relationships that provide high-quality downstream pivot opportunities for ransomware operators. Healthcare organizations carry sensitive patient data and critical operational dependencies that increase payment pressure under ransomware. These sectors were documented targeting priorities for Conti operators during this period.
- Broadened targeting — all industries (Nov 2021+): From November 2021, Google TAG observed Exotic Lily expanding to attack organizations across virtually all industries with significantly less sector-specific focus. This shift tracked with the group's operational growth — at peak, targeting 650 organizations globally simultaneously across diverse sectors. The broadening reflects either increased Conti/Diavol customer demand for access across sectors or a deliberate expansion of the IAB's addressable market.
- Geographic scope — global: Organizations across North America, Europe, and other regions were targeted. The business proposal pretext does not depend on geographic specificity — the fake company can claim to be a vendor or partner for organizations in any market.
- Targeting by employee role: The business proposal pretext specifically targets employees who handle vendor relationships, outsourcing, and business development — procurement, business development, partnership management, and executive assistants are the likely primary recipients of initial contact emails. These employees are conditioned to engage with unsolicited business inquiries, making them particularly susceptible to the Exotic Lily approach.
Tactics, Techniques & Procedures
Exotic Lily's TTP set is defined by pre-attack social engineering investment and clever use of legitimate services to bypass email security controls. The group's TTPs are consistent and well-documented from Google TAG's March 2022 report.
| mitre id | technique | description |
|---|---|---|
| T1566.001 | Spearphishing — Business Proposal Pretext | Human-operated spearphishing using a business proposal pretext — presenting the attacker as a potential outsourcing partner or vendor. Unlike automated bulk phishing, Exotic Lily operators engage in multi-step conversations: responding to queries, discussing proposal scope, and scheduling meetings before delivering the malicious payload. Google TAG described this as "a level of human interaction that is rather unusual for cybercrime groups focused on mass-scale operations." |
| T1583.001 | Domain Spoofing — TLD Substitution | Legitimate company domains are spoofed by registering near-identical domains with changed top-level domains: ".com" becomes ".us", ".co", or ".biz". The spoofed domain is used for email sending, making headers appear to originate from the impersonated company. Combined with a fabricated LinkedIn profile and in some cases a minimal fake website, the spoofed identity withstands casual verification by recipients checking sender details. |
| T1534 | Internal Spearphishing — Real Employee Impersonation | From November 2021, the group shifted to impersonating real employees — scraping personal data (name, title, photo, company affiliation) from LinkedIn, RocketReach, and CrunchBase and using it to construct convincing impersonation accounts. This approach provides higher credibility than fictional personas because the impersonated individual is verifiable in professional directories — the recipient finds a real person with the claimed identity when they search, increasing trust. |
| T1567.002 | Exfiltration / Delivery via Legitimate Cloud Services | Malicious payloads are uploaded to legitimate file-sharing services — WeTransfer, TransferNow, TransferXL, OneDrive — and delivered using each platform's built-in email notification feature. This means the final delivery email originates from the legitimate file-sharing service's domain (e.g., no-reply@wetransfer.com) rather than the attacker's spoofed domain — bypassing email reputation filters and SPF/DKIM checks that might flag attacker-controlled sending infrastructure. |
| T1190 | Exploit Public-Facing Application — CVE-2021-40444 | Initial exploitation relied on CVE-2021-40444 — a zero-day in Microsoft MSHTML (Trident) rendering engine — where a malicious Office document could execute arbitrary code without user interaction beyond opening the file. Patched in October 2021. The group's first use of a zero-day in its phishing campaigns suggests either independent exploit development or access to the exploit through the broader Eastern European eCrime ecosystem. This zero-day use was what initially attracted Google TAG's attention to the group. |
| T1553.005 | Mark-of-the-Web Bypass — ISO Archive Delivery | After the CVE-2021-40444 patch, Exotic Lily switched to ISO archive delivery. Files extracted from ISO archives mounted as virtual drives did not, at the time, inherit the Mark-of-the-Web (MotW) flag that triggers Office Protected View warnings. This allowed malicious DLLs and LNK shortcuts inside the ISO to execute without the security warnings that would accompany the same files downloaded directly as attachments — bypassing a significant user-facing warning mechanism. |
| T1047 | Windows Management Instrumentation — Bumblebee Fingerprinting | The Bumblebee loader uses WMI to collect system details (OS version, username, domain name) from compromised hosts before exfiltrating them in JSON format to the C2 server. This system fingerprinting step enables downstream Conti/Diavol operators to assess the value of each access before committing resources to manual post-exploitation — qualifying targets and rejecting low-value or sandboxed systems. |
| T1204.002 | User Execution — LNK / Malicious File | ISO files contain an LNK (Windows Shortcut) file that appears to be a legitimate document. When the user double-clicks the shortcut, a command embedded in the LNK's Target field executes the malicious DLL using rundll32 or a similar LOLBin. The shortcut's visual appearance (PDF or document icon) is designed to match the business proposal context, reducing user suspicion about the file type. |
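The TLD-substitution spoofing and file-sharing delivery described in the attack chain and in the table above can both be checked at the mail gateway. The following is an added example, not code from Google TAG or from this profile; the partner-domain list, the notification sender domains and the sample messages are assumed or constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: the defender maintains a list of partner/vendor domains it expects mail from.
KNOWN_DOMAINS = {"examplecorp.com", "northwind-partners.com"}

# Assumption: sender domains of file-sharing notification mail as seen by the gateway.
# Exact notification sender addresses vary per service; this set is illustrative.
FILE_SHARING_SENDERS = {"wetransfer.com", "transfernow.net", "transferxl.com", "onedrive.com"}

DISK_IMAGE_EXT = (".iso", ".img", ".vhd", ".vhdx")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def split_domain(domain):
    """Split 'examplecorp.us' into ('examplecorp', 'us').

    Simplification: the last label is treated as the TLD, so multi-part
    public suffixes such as .co.uk are not handled."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def lookalike_of(sender_domain, known):
    """Return the known domain that sender_domain imitates by TLD substitution
    (same registrable name, different TLD), or None if it imitates none."""
    name, tld = split_domain(sender_domain)
    for good in known:
        good_name, good_tld = split_domain(good)
        if name and name == good_name and tld != good_tld:
            return good
    return None


def disk_image_links(body):
    """Return the URLs in body whose path ends in a disk-image extension."""
    hits = []
    for url in URL_RE.findall(body):
        path = urlparse(url).path.lower().rstrip("/")
        if path.endswith(DISK_IMAGE_EXT):
            hits.append(url)
    return hits


def triage(msg):
    """Return a list of findings for one message; an empty list means nothing matched."""
    findings = []
    sender_domain = msg["from"].rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain, KNOWN_DOMAINS)
    if imitated:
        findings.append(f"sender domain {sender_domain} is a TLD-substitution lookalike of {imitated}")
    # Notification mail from the service itself passes reputation checks, so the
    # link target, not the sender, is what has to be inspected.
    if sender_domain in FILE_SHARING_SENDERS:
        for url in disk_image_links(msg["body"]):
            findings.append(f"file-sharing notification links to a disk image: {url}")
    return findings


# Constructed sample messages; none of these are real campaign artifacts.
SAMPLE_MESSAGES = [
    {"from": "j.doe@examplecorp.us",
     "body": "We would like to discuss an outsourcing partnership. Are you free this week?"},
    {"from": "noreply@wetransfer.com",
     "body": "j.doe sent you a file: https://wetransfer.com/downloads/0000/Business_Proposal.iso"},
    {"from": "j.doe@examplecorp.com",
     "body": "Updated contract: https://examplecorp.com/files/contract.pdf"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or ["clean"])
```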
Known Campaigns
Exotic Lily's documented operational history spans from September 2021 through at least 2023, with the most detailed public documentation from Google TAG's March 2022 report covering the group's peak activity period.
Google TAG first observed Exotic Lily in September 2021 exploiting CVE-2021-40444 — a zero-day in Microsoft MSHTML — as part of business proposal-themed phishing campaigns. Initial targeting was focused on IT, cybersecurity, and healthcare organizations. The malicious payload arrived as an Office document exploiting the MSHTML vulnerability, providing code execution without user macro interaction. Microsoft patched CVE-2021-40444 in October 2021 as part of Patch Tuesday, prompting the group to rapidly adapt its delivery mechanism.
Following the CVE-2021-40444 patch, Exotic Lily transitioned to ISO archives containing BazarLoader DLLs and LNK shortcuts — leveraging the MotW bypass that ISOs provided on unpatched Windows systems. The group simultaneously expanded targeting from the initial IT/cybersecurity/healthcare focus to broad cross-sector global phishing, reaching 5,000+ emails per day to 650 organizations at peak. This period also saw the shift to real employee impersonation using RocketReach and CrunchBase data. Payloads were delivered via WeTransfer, TransferNow, and OneDrive notification emails. BazarLoader established persistence and delivered additional payloads for downstream Conti operators.
In March 2022 — the same month Google TAG published its public Exotic Lily report — the group introduced Bumblebee, a custom-built loader that replaced BazarLoader in ISO deliveries. Bumblebee used WMI for system fingerprinting, exfiltrated host data in JSON format to a C2, and fetched Cobalt Strike payloads for subsequent operators. Its distinctive "bumblebee" HTTP user-agent string provided an attribution anchor. The shift to a custom loader indicated either in-house development capability or commission from a trusted developer within the eCrime ecosystem. Bumblebee's architecture — WMI fingerprinting feeding a JSON C2 with shellcode execution capability — was more sophisticated than BazarLoader's simple dropper model.
ReliaQuest's Photon Threat Research team documented a variant Exotic Lily campaign in 2023 using a Python interpreter and Python-based loader instead of Bumblebee. The LNK file executed a packaged Python environment that loaded a Cobalt Strike Beacon directly. The beacon established a C2 channel and initiated host enumeration. This Python-based delivery variant suggests continued tooling evolution — maintaining delivery agility by supporting multiple loader implementations beyond the standard Bumblebee chain.
Tools & Malware
Exotic Lily's tool inventory reflects an IAB that developed its own custom loader while also distributing established eCrime-ecosystem malware through its phishing infrastructure.
- Bumblebee (custom loader): Exotic Lily's purpose-built loader, introduced in March 2022. Distinguished by a unique "bumblebee" HTTP user-agent string. Uses Windows Management Instrumentation (WMI) to collect OS version, username, and domain name from infected hosts, exfiltrating the data in JSON format to a C2 server. Awaits tasking from the C2, including shellcode execution and dropping and running executable files. At the time of Google TAG's analysis, it was used to fetch Cobalt Strike payloads for downstream Conti/Diavol operators. Samples were custom-built for Exotic Lily — metadata in LNK shortcuts (Machine Identifier and Drive Serial Number) was shared with BazarLoader ISOs, confirming common infrastructure.
- BazarLoader / BazarBackdoor: The group's payload of choice before Bumblebee, distributed via ISO archives with LNK shortcuts. BazarLoader is a modular dropper associated with Wizard Spider/FIN12 and Trickbot operations. Exotic Lily's shift to BazarLoader delivery — alongside a unique Cobalt Strike profile — was a key indicator that confirmed the group's relationship with the Wizard Spider ecosystem. BazarLoader provided persistence and established the channel for downstream Conti/Diavol operator activity.
- CVE-2021-40444 exploit (initial): A zero-day exploit for the Microsoft MSHTML rendering engine used in the group's initial September 2021 campaigns. Documents embedding the exploit provided code execution on unpatched systems without requiring macro interaction. Patched by Microsoft in October 2021, prompting the group's switch to ISO-based delivery.
- Cobalt Strike: Fetched by Bumblebee as a follow-on payload for downstream Conti/Diavol operators. Exotic Lily used a unique Cobalt Strike profile — documented by RiskIQ — that provided an attribution fingerprint connecting the group to Wizard Spider infrastructure.
- Python-based loader (variant, 2023): A packaged Python interpreter and Python-based loader used in some 2023 campaigns as an alternative to Bumblebee, dropping a Cobalt Strike Beacon directly via LNK execution.
- AI face generation tools: Publicly available AI face synthesis services were used to generate realistic profile photos for fake LinkedIn personas. This was one of the earliest documented uses of AI-generated images in social engineering by a financially motivated threat actor, predating the widespread discussion of deepfake-enabled phishing by the broader threat intelligence community.
Indicators of Compromise
Exotic Lily's most distinctive detection opportunity is the Bumblebee loader's unique user-agent and WMI fingerprinting behavior. Network and behavioral controls are more reliable than file-hash detection given the group's campaign-customized payloads.
Google TAG noted that Exotic Lily custom-builds samples per campaign — each ISO delivery uses unique file hashes, making signature-based detection unreliable across campaigns. In some campaigns, each recipient also receives an attachment with its own unique hash. Behavioral detection targeting the Bumblebee user-agent, the WMI system enumeration pattern, and ISO auto-mount behavior is substantially more durable.
Mitigation & Defense
Exotic Lily's attack chain has several distinct intervention points — the social engineering phase, the payload delivery via legitimate services, the ISO auto-mount behavior, and the Bumblebee loader's WMI activity. Controls at any of these points interrupt the chain.
- Block or restrict ISO file auto-mount: The MotW bypass that Exotic Lily's ISO delivery exploited has been partially addressed in Windows 11 22H2 and later, which extended MotW propagation to files inside ISO archives. For older Windows versions, Group Policy can be used to block auto-mounting of ISO and IMG files. Preventing automatic mounting forces the user to manually navigate the virtual drive and execute the LNK — an additional interaction step that introduces friction and gives security tools additional inspection time.
- Bumblebee user-agent detection: The "bumblebee" HTTP user-agent is a high-fidelity IOC — no legitimate application uses this user-agent string. Configure web proxies and network monitoring to alert on outbound HTTP traffic with "bumblebee" in the User-Agent header. This detection is persistent across Bumblebee variants that maintain the user-agent convention.
- Alert on anomalous WMI enumeration: Alert on WMI execution (wmic.exe or Windows WMI COM calls) by processes that are not standard administrative tools. Bumblebee's WMI system enumeration — particularly querying OS version, username, and domain name in sequence — is detectable as an anomalous pattern when triggered by a DLL loaded from a non-standard path via rundll32.
- Employee verification procedures for unsolicited business proposals: Exotic Lily's attack specifically targets employees who handle vendor and outsourcing inquiries. Establish a secondary verification procedure for any unsolicited business proposal that requests document download from an external service: verify the sender's identity via the official company website (not the email domain) before engaging. A call to the company's published main number — not a number provided in the email — will reveal that the "proposal" contact does not exist.
- Email gateway control for ISO attachments from file-sharing services: Exotic Lily's delivery of ISO files via WeTransfer, OneDrive, and similar services produces emails that originate from legitimate service domains. Configure email gateways to inspect links in emails from file-sharing notification senders for ISO, IMG, and other disk image file types, and sandbox or block downloads of these file types from email-triggered file-sharing links.
- Patch CVE-2021-40444: The MSHTML zero-day that first identified Exotic Lily was patched in October 2021. Any system still running unpatched Office or Windows versions vulnerable to CVE-2021-40444 is exposed to the group's earliest attack chain. This patch should be treated as a baseline — if any systems in the environment have not received October 2021 or later patches, this represents a critical security gap beyond Exotic Lily.
- LinkedIn sender verification for business context: Before engaging with any business proposal that arrives via email, verify the sender's LinkedIn identity by navigating directly to LinkedIn (not via any link in the email) and searching for the person. Check the account's connection history, post frequency, and endorsements — AI-generated profile photos often appear unusually photorealistic or have visual artifacts. Google's Reverse Image Search can help identify AI-generated faces.
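The user-agent and WMI detections in the list above, as an added example that is not part of the original profile or of any vendor tool: it runs over a constructed proxy log and constructed Sysmon-like host events, whose field names are assumed.

```python
import re

# Constructed proxy log in Apache combined format; not real campaign traffic.
PROXY_LOG = """\
10.0.0.12 - - [14/Mar/2022:10:02:11 +0000] "GET /update HTTP/1.1" 200 512 "-" "bumblebee"
10.0.0.12 - - [14/Mar/2022:10:02:20 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.15 - - [14/Mar/2022:10:03:01 +0000] "POST /gate HTTP/1.1" 200 64 "-" "bumblebee"
10.0.0.20 - - [14/Mar/2022:10:03:30 +0000] "GET /news HTTP/1.1" 200 9000 "-" "curl/7.79.1"
"""

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def bumblebee_clients(log_text):
    """Return the sorted list of client IPs whose User-Agent contains 'bumblebee'."""
    hits = set()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m and "bumblebee" in m.group("ua").lower():
            hits.add(m.group("client"))
    return sorted(hits)


# Constructed host telemetry in a simplified Sysmon-like shape (field names assumed).
# pid 4120 models an LNK launching a DLL from a mounted ISO (drive E:) and then
# fingerprinting the host; the other events are ordinary activity.
HOST_EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\Proposal\details.dll,Start"},
    {"type": "wmi_query", "pid": 4120, "query": "SELECT Version FROM Win32_OperatingSystem"},
    {"type": "wmi_query", "pid": 4120, "query": "SELECT UserName, Domain FROM Win32_ComputerSystem"},
    {"type": "process_create", "pid": 5100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "wmi_query", "pid": 6000, "query": "SELECT * FROM Win32_Service"},
]

# DLLs loaded by rundll32 from anywhere else (removable drives, mounted images,
# user-writable folders) are treated as non-standard.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# WMI classes that expose the OS version (Win32_OperatingSystem) and the logged-on
# user and domain (Win32_ComputerSystem), i.e. the data the profile says is collected.
FINGERPRINT_CLASSES = ("win32_operatingsystem", "win32_computersystem")


def rundll32_dll_path(cmdline):
    """Extract the DLL path from 'rundll32.exe <dll>,<entry>' (quoted or unquoted)."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def suspicious_rundll32_wmi(events):
    """Flag rundll32 processes that load a DLL from outside the trusted directories
    and then query the fingerprinting classes; returns one finding per process."""
    queries_by_pid = {}
    for ev in events:
        if ev["type"] == "wmi_query":
            queries_by_pid.setdefault(ev["pid"], []).append(ev["query"].lower())
    findings = []
    for ev in events:
        if ev["type"] != "process_create" or not ev["image"].lower().endswith("rundll32.exe"):
            continue
        dll = rundll32_dll_path(ev["cmdline"])
        if dll is None or dll.lower().startswith(TRUSTED_DLL_DIRS):
            continue
        classes = {c for q in queries_by_pid.get(ev["pid"], []) for c in FINGERPRINT_CLASSES if c in q}
        if classes:
            findings.append({"pid": ev["pid"], "dll": dll, "wmi_classes": sorted(classes)})
    return findings


if __name__ == "__main__":
    print("bumblebee user-agent seen from:", bumblebee_clients(PROXY_LOG))
    print("rundll32 + WMI fingerprinting:", suspicious_rundll32_wmi(HOST_EVENTS))
```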
Exotic Lily's public documentation window is relatively narrow — Google TAG's March 2022 report covers the period September 2021 through early 2022, with some continued activity through 2023. The Conti ransomware group announced its shutdown in May 2022 following the ContiLeaks — which would have eliminated Exotic Lily's primary customer for access. It is likely that the group either pivoted to serving alternative ransomware operators (Black Basta emerged from Conti's dissolution and is documented reusing Conti personnel and infrastructure), ceased operations, or continued under lower public visibility. The 2023 Python-loader variant documented by ReliaQuest suggests continued operational activity beyond the primary documented period. Regardless of current Exotic Lily activity levels, the tradecraft it demonstrated — AI-generated personas, real employee identity cloning from professional databases, legitimate file-sharing delivery — has been widely adopted across the IAB ecosystem and represents a template that multiple successor groups have followed.
Sources & Further Reading
Attribution and references used to build this profile.
- Google TAG — Exposing Initial Access Broker with Ties to Conti (2022)
- The Hacker News — Google Uncovers Initial Access Broker Working with Conti Ransomware Gang (2022)
- BleepingComputer — Google Exposes Tactics of a Conti Ransomware Access Broker (2022)
- ReliaQuest — Email Threats: Exotic Lily (2023, Python loader variant)
- SecurityScientist — G1011: 12 Questions About This Initial Access Broker (2026)
- MITRE ATT&CK — Group G1011: EXOTIC LILY
- BankInfoSecurity — Google Exposes Initial Access Broker Ties With Ransomware Actors (2022)