Nokoyawa

Summary

Nokoyawa is a cyber intrusion that began with a malicious Excel document in October 2022. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and conducted reconnaissance. They later moved to a Domain Controller and performed network scans and file discovery, indicating their interest in sensitive data. After days of inactivity, the threat actors returned, downloaded external files, and continued lateral movement and discovery. The intrusion ultimately culminated in a ransomware attack, demanding $200,000 in Bitcoin. The entire incident spanned around six days.