Threat Intelligence Report Jun 9 - Jun 15 2026

3AM Ransomware

Threat Actor Description

Origin and Identity

3AM is a Rust-based, 64-bit ransomware family that first emerged in 2023 and was first publicly documented in September 2023, when it was deployed as a fallback after an affiliate attempted to deploy LockBit and was blocked. In that original incident, the operators managed to deploy 3AM to only three machines, and it was blocked on two of the three.  The name derives from both the ransom note - which opens with a reference to "3 am, the time of mysticism" - and the file extension .threeamtime applied to encrypted files, which also carry the marker string 0x666. The ransom note is dropped as RECOVER-FILES.txt.  The Rust language was likely selected for encryption speed across large file sets. The strain is human-operated: operators must specify command-line parameters explicitly for each payload.

3AM is assessed to operate within the top-tier Russian-speaking ransomware ecosystem. Open-source analysis assesses it likely works under the reorganised Conti syndicate - specifically Conti's former Team 2, which became Royal and later BlackSuit. This assessment rests on a significant overlap in communication channels, backend infrastructure, and tactics, techniques, and procedures between 3AM and the Conti syndicate, including infrastructure overlaps with IcedID malware deployment and initial-access-broker activity associated with ALPHV/BlackCat. Independent analysis of the Q1 2025 social-engineering campaign reached the same conclusion - that 3AM is a rebranding of BlackSuit/Royal ransomware with ties to Conti.

The Signature Social-Engineering Campaign

3AM's most operationally significant capability is a targeted social-engineering chain documented in a first-quarter 2025 incident. The campaign combined inbox flooding with IT-department impersonation: the primary targeted employee received 24 unsolicited emails within a three-minute period, immediately followed by a voice-phishing (vishing) call that spoofed the organisation's genuine IT-department telephone number. Using the email flood as a pretext ("we are seeing a problem with your account"), the caller persuaded the user to grant remote access via Microsoft Quick Assist. The operators then delivered a QEMU virtual machine - a Windows 7 image pre-loaded with the QDoor backdoor - which ran outside the monitored operating system to evade endpoint protection.

During last-week reporting window, 3AM posted one batch of 12 victims to its leak site, all dated 12 June 2026. No victim posts were observed from 06 to 11 June 2026. The batch covered manufacturing, agriculture and food production, technology, public sector, healthcare accreditation, and professional services across nine countries.

Tactics, Techniques, and Procedures (TTPs)

Phase	Technique ID	Technique Name	Observed Behaviour
Initial Access	T1566	Phishing: Email Bombing	24 unsolicited emails delivered to the target within a 3-minute window via mailing-list subscription flooding, used as pretext for the follow-on vishing call.
	T1598 / T1566.004	Spoofed-IT Vishing	Voice-phishing call spoofing the organisation genuine IT department phone number, persuading the user to grant remote assistance.
Execution	T1219	Remote Access Software: Quick Assist	Microsoft Quick Assist abused for hands-on-keyboard access after the user is socially engineered into granting control.
Defence Evasion	T1610	Deploy Container: QEMU Virtual Machine	A QEMU Windows 7 virtual machine pre-loaded with the QDoor backdoor is launched on the host to run outside the monitored OS and evade endpoint protection. Launched via Update.vbs from \ProgramData\UpdatePackage_exic\.
Command & Control	T1071 / T1572	QDoor Backdoor + Tunnelling	QDoor (Qt-based networking tunneler) binds to the host NIC and beacons to hardcoded C2 88.118.167[.]239:443; secondary QDoor copies (vol.exe / svchost.exe) beacon to 172.86.121[.]134.
Discovery	T1087 / T1482 / T1018	Domain & Network Discovery	gpresult, whoami /all, nltest /DOMAIN_TRUSTS, nltest /dclist:, quser, net group "domain Admins" /domain, net view, net share, wmic product get name,version, netstat, ipconfig /all, ping sweeps.
Privilege Escalation	T1136.001 / T1543	Account Creation + gsudo	New local administrator accounts created (net1 user ... /add; net1 localgroup Administrators ... /add); gsudo used for elevation; PsExec for execution.
Persistence	T1053.005	Scheduled Task (WindowsSensor15)	Scheduled task named WindowsSensor15 - a task name reused from a leaked Conti playbook - established for persistence.
Lateral Movement	T1021.001 / T1047	RDP + WMIC	RDP and WMIC remote process creation used to move to 9+ hosts. d.bat dropped to enable RDP in the registry and open the firewall. Cobalt Strike used in earlier incidents.
Defence Evasion	T1562.001	Disable MFA + EDR Killer	Three attempts to uninstall Duo MFA (WMIC call uninstall; scheduled task under SYSTEM; msiexec /X). EDR-killer ("EDR Sandblaster") deployed.
	T1562.004	Modify Firewall	netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes used to open the host firewall for discovery and movement.
Impact	T1489	Service Stop	Security and backup services stopped before encryption - including Veeam, Acronis, Ivanti, McAfee, and Symantec services.
Exfiltration	T1048 / T1567.002	Exfiltration to Cloud / FTP	~868 GB exfiltrated via GoodSync to Backblaze in the Q1 2025 case; historically the Wput FTP client to an attacker-controlled FTP server.
Defence Evasion	T1610	QEMU-for-Evasion (Ecosystem)	QEMU virtual-machine evasion is now observed across multiple actors (e.g., PayoutsKing/STAC4713; STAC3725 exploiting CitrixBleed-2 CVE-2025-5777) - shared tradecraft, not exclusive to 3AM.
Impact	T1486	Encryption Algorithm (Ecosystem)	No public 3AM sample analysis confirms AES/RSA specifics. BlackSuit/Royal lineage uses OpenSSL AES with intermittent/partial encryption; the 3AM -s offset parameter is consistent with this. Treat as inherited, not confirmed.

The 3AM encryptor is human-operated and accepts the following confirmed command-line parameters, which closely resemble Conti arguments:

• -k - 32 Base64-character "access key" referenced in the ransom note (the ransomware portal access key).
• -p - target path or network share to encrypt.
• -h and -m - mutually exclusive mode parameters with values "local" or "net".
• -s - offsets within files controlling encryption speed (expressed as decimal digits), consistent with intermittent/partial encryption.

Attack Lifecycle - Step-by-step

RECONNAISSANCE - Target and IT-Contact Profiling

The operator harvests employee email addresses and, critically, the organisation internal IT-department telephone number - the linchpin of the subsequent impersonation. Public-facing staff directories, breach data, and infostealer logs feed this stage.

INITIAL ACCESS (1) - Email Bombing

The target is subscribed to numerous mailing lists, flooding the inbox - 24 unsolicited emails within a three-minute window in the documented case. This serves as the pretext for the follow-on call and creates urgency and confusion.

INITIAL ACCESS (2) - Spoofed-IT Vishing

The operator calls the user via VoIP, spoofing the genuine IT-department number, and uses the email flood as the pretext ("we are seeing a problem with your account"). The matching caller ID is what makes the request credible.

INITIAL ACCESS (2) - Spoofed-IT Vishing

The operator calls the user via VoIP, spoofing the genuine IT-department number, and uses the email flood as the pretext ("we are seeing a problem with your account"). The matching caller ID is what makes the request credible.

EXECUTION - Quick Assist + QEMU VM Delivery

The caller persuades the user to grant access via Microsoft Quick Assist (Ctrl+Win+Q). The operator then delivers a payload - historically via a spoofed link redirecting to a cloud-hosted ZIP (UpdatePackage_excic.zip) extracted to \ProgramData\UpdatePackage_exic\ - and launches Update.vbs, which starts a QEMU Windows 7 virtual machine pre-loaded with the QDoor backdoor.

The QEMU launch command observed:

wexe -m 4096 -hda Update_excic.acow2 -netdev user,id=mynet0 -device e1000,netdev=mynet0 -cpu max -display none.  

COMMAND & CONTROL - QDoor Backdoor

QDoor (a Qt-based networking tunneler) binds to the host network interface and beacons to its hardcoded C2 at 88.118.167[.]239:443. Secondary QDoor copies named vol.exe and svchost.exe beacon to 172.86.121[.]134. Because the backdoor runs inside the QEMU guest, host-based endpoint protection has limited visibility. The Quick Assist session is then terminated.

DISCOVERY & CREDENTIAL ACCESS - Domain Enumeration

The operator enumerates the domain using gpresult, whoami /all, nltest /DOMAIN_TRUSTS, nltest /dclist:, quser, net group "domain Admins" /domain, net view, and wmic product get name,version. A domain services account is compromised first, then a domain administrator account.

LATERAL MOVEMENT - RDP, WMIC, RMM

Using harvested credentials, the operator moves to nine or more hosts via RDP and WMIC remote process creation. A batch script (d.bat) enables RDP in the registry and opens the firewall. Commercial RMM tools (XEOXRemote, Syncro Live Agent) are installed for resilient access.

DEFENCE EVASION - MFA Uninstall + EDR Killer

The operator attempts to uninstall multi-factor authentication (Duo) three ways: WMIC ... call uninstall; a scheduled task running under SYSTEM; and msiexec /X. An EDR-killer ("EDR Sandblaster") is deployed, and security/backup services (Veeam, Acronis, Ivanti, McAfee, Symantec) are stopped.  

EXFILTRATION - Cloud / FTP Staging

Approximately 868 GB of data is staged and exfiltrated via GoodSync to Backblaze cloud storage in the documented case; historically the Wput FTP client is used to push data to an attacker-controlled FTP server. A nine-day dwell preceded encryption.

IMPACT - Encryption + Extortion

Volume Shadow Copies and system-state backups are deleted.
vssadmin; wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet

Encryption is launched, including remotely via
start 1l L.exe -k [key] -s 10 -m net -p \\[host IP]\c$
applying the “.threeamtime” extension and 0x666 marker. RECOVER-FILES.txt is dropped in every scanned folder.

Extortion follows via the Tor leak site, with a novel name-and-shame tactic using automated X (Twitter) bots to drive followers to the site. 
 

Indicators Of Compromise (IOCs)

Host-Based Indicators - Files and Markers

Type	Indicator / Value	Description
File Extension	.threeamtime	Extension appended to all files encrypted by 3AM.
File Marker	0x666	Marker string written to encrypted files.
Ransom Note	RECOVER-FILES.txt	Ransom note dropped in every scanned folder.
Encryptor	L.exe / 1l	Remote-encryption binary invoked with -k / -s / -m / -p parameters.
Backdoor	QDoor (vol.exe / svchost.exe)	Qt-based networking tunneler; secondary copies masquerade as vol.exe / svchost.exe.
Batch Script	d.bat	Enables RDP in the registry and opens the host firewall for lateral movement.
Scheduled Task	WindowsSensor15	Persistence task; name reused from a leaked Conti playbook.
VM Image	Update_excic.acow2 / UpdatePackage_excic.zip	QEMU disk image and delivery archive extracted to \ProgramData\UpdatePackage_exic\.
EDR Killer	EDR Sandblaster	EDR-killer tool deployed to disable endpoint protection.

RECOVER-FILES.txt

Data Leaks

Chat server

Network Indicators

Type	Indicator / Value	Description
C2 IP	88.118.167[.]239:443	Primary QDoor backdoor C2 (Lithuania) - Q1 2025 incident.
C2 IP	172.86.121[.]134	Secondary QDoor C2 (vol.exe / svchost.exe beacons).
Infra IP	185.202.0[.]111	Network indicator tied to ecosystem infrastructure (original Symantec/ecosystem reporting).
Delivery	msquick[.]link -> 1ty[.]me -> Google Drive	Spoofed Quick Assist link chain redirecting to a cloud-hosted payload ZIP.
Leak Site	threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion	3AM Tor leak site (embedded in 12 June 2026 leak-detail URLs).
Leak Site	threeam7fj33rv5twe5ll7gcrp3kkyyt6ez5stssixnuwh4v3csxdwqd.onion	Second known 3AM Tor leak-site address.

Confirmed Command-Line Parameters

Type	Indicator / Value	Description
Parameter	-k [32 Base64 chars]	Ransomware portal access key referenced in the ransom note.
Parameter	-p \\[host]\c$	Target path or network share to encrypt.
Parameter	-h / -m (local|net)	Mutually exclusive mode parameters resembling Conti arguments.
Parameter	-s [digits]	In-file offsets controlling encryption speed (intermittent encryption).

Confirmed Command Strings

Type	Indicator / Value	Description
Command	wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet	System-state backup deletion prior to encryption.
Command	vssadmin (delete shadows)	Volume Shadow Copy deletion.
Command	netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes	Opens firewall for discovery and lateral movement.
Command	net1 user ... /add; net1 localgroup Administrators ... /add	New local administrator account creation.
Command	start 1l L.exe -k [key] -s 10 -m net -p \\[IP]\c$	Remote-encryption execution command.

Mitigation - Crystal Eye 5.5 Controls

CE Email Security / Anti-phishing

Deploy CE Email Security and anti-phishing to detect email-bombing and subscription-flood patterns (high inbound volume to a single recipient in a short window). Brief staff on exactly how IT support will contact them and which remote tools are legitimately used, so spoofed-IT vishing is recognised and reported.

CEASR - Application Allowlisting

Use CEASR application allowlisting to restrict or remove Microsoft Quick Assist on endpoints that do not require it, and to block unauthorised virtualisation and RMM tooling - QEMU, XEOXRemote, Syncro Live Agent, GoodSync, and the Wput FTP client.

CE DNS Banned Domains + ForceField

Add confirmed C2 indicators (88.118.167[.]239, 172.86.121[.]134, 185.202.0[.]111) and the known 3AM leak-site onion addresses to CE DNS Banned Domains and ForceField reputation/ban lists. ForceField auto-blocks external IPs after repeated authentication failures and applies threat-context reputation blocking. Ref: ForceField; DNS Banned Domains.

CEASR + CE MDR

CEASR application, DLL, and driver allowlisting blocks EDR-killer driver loading and unauthorised MFA-agent uninstall tooling, and applies LSASS-access restriction to defeat credential dumping.

CE MDR + CESOC SIEM

Forward CE MDR endpoint telemetry to CESOC SIEM to correlate bursts of built-in discovery commands (nltest, net group, quser), creation of the WindowsSensor15 scheduled task, new local-admin account creation, and anomalous lsass.exe access.

CESOC 24x7 + Crystal AI

CESOC 24x7 monitoring correlates the cross-stage signal - email-volume spike, Quick Assist session, QEMU execution, QDoor C2, MFA-uninstall attempts, and shadow-copy deletion - into a single incident for rapid response.