Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations
Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising strategies.
Recent investigations have uncovered a disturbingly effective method involving fake software downloads, such as a counterfeit “WinSCP” installer, propagated through malicious ads on platforms like Bing.
One documented case revealed a user searching for “WinSCP download” via Microsoft Edge being redirected from ftp-winscp[.]org to a compromised WordPress site.
This site hosted a malicious ZIP file, WinSCP-6.3.6-Setup.zip (SHA-256: fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2), which bundled legitimate DLLs with a malicious python312.dll.

Upon execution, this triggered DLL sideloading, installing WinSCP in the foreground while covertly loading the NitrogenLoader DLL, establishing an initial foothold for a broader attack chain that ultimately deployed BlackCat ransomware.
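A defender-side triage of a downloaded installer archive for the pattern described above, as an added example that is not code from the article or from any vendor. It checks the archive against the SHA-256 quoted in the article and, as an assumed heuristic, lists folders where a python3xx.dll sits beside an executable; the sample file names and the helper names (triage_zip, build_sample) are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile
from pathlib import PurePosixPath

# SHA-256 of WinSCP-6.3.6-Setup.zip as quoted in the article.
KNOWN_BAD_SHA256 = {"fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2"}
# Assumption: a python3xx.dll shipped beside an .exe in an installer archive
# deserves review, because the loader named in the article was python312.dll.
PY_DLL = re.compile(r"^python3\d{1,2}\.dll$", re.IGNORECASE)


def triage_zip(data: bytes) -> dict:
    """Return the archive hash, an IoC match flag and sideloading candidates."""
    digest = hashlib.sha256(data).hexdigest()
    by_dir = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise Windows-style separators before splitting the path.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            by_dir.setdefault(str(path.parent), []).append(path.name)
    candidates = []
    for folder, names in sorted(by_dir.items()):
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        dlls = sorted(n for n in names if PY_DLL.match(n))
        if exes and dlls:  # executable and Python runtime DLL share a folder
            candidates.append({"dir": folder, "exes": exes, "dlls": dlls})
    return {"sha256": digest,
            "known_bad": digest in KNOWN_BAD_SHA256,
            "sideload_candidates": candidates}


def build_sample(names) -> bytes:
    """Build a constructed, harmless ZIP in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["setup.exe", "python312.dll", "vcruntime140.dll"])
    print(triage_zip(sample))
```

A candidate is a prompt for review rather than a verdict, since legitimate Python-based applications also ship python3xx.dll next to their executable.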
Cobalt Strike Beacons and Log Clearing Thwart Detection Efforts
Further forensic analysis of compromised systems revealed the extensive use of Cobalt Strike, a notorious post-exploitation framework, to facilitate ...
Copyright of this story solely belongs to gbhackers.