The BianLian threat actor [1] [4], as identified by researchers from GuidePoint Security, has recently shifted towards extortion activities [1] [4], targeting organizations in various industries [3].


They exploit vulnerabilities in the TeamCity continuous integration server for initial access into networks [2], using techniques like Runspace Pools and SSL streams [1] [4]. The group deploys a new PowerShell backdoor, winpty-agent.exe [1] [2] [4], and a web.ps1 script for remote control [4], showcasing adaptability in its tactics.

BianLian primarily targets the healthcare [2], manufacturing [2], professional [2], and legal services sectors in the US and Europe [2], using data leak extortion tactics [2]. The group gains initial access through stolen RDP credentials and known vulnerabilities like ProxyShell [2]. In a recent attack [2], BianLian exploited a TeamCity vulnerability to create new users and execute malicious commands on build servers [2]. The attackers leveraged winpty.dll to run commands and deploy the malicious PowerShell script [2], web.ps1 [1] [2] [4], which uses SSL streams and Runspace Pools for C2 communication to avoid detection by security products [2].

The ransomware group has shown adaptability in exploiting emerging vulnerabilities and is expected to continue evolving its tactics [3], especially for data exfiltration-focused ransomware attacks [3]. In January 2023 [3], a free decryptor for BianLian was released by Avast [3], indicating a potential shift in the group’s operations. GuidePoint’s Research and Intelligence Team (GRIT) has been monitoring BianLian’s operations closely [5], with one incident involving the exploitation of a TeamCity server that led to the deployment of a PowerShell implementation of BianLian’s Go backdoor [5]. GuidePoint advises preparedness measures such as patching applications [1], incident response planning [1] [4], and threat intelligence-informed penetration tests to counter such threats [1].
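Because the backdoor's C2 pattern combines Runspace Pools with SslStream networking, a defender can look for that combination in PowerShell script block logs (Event ID 4104). The following detection sketch is an added example, not code from GuidePoint or from the page; the log records are constructed and the indicator patterns are assumptions based on the .NET classes the page names, not signatures from the actual web.ps1.

```python
"""Flag PowerShell script blocks that pair Runspace Pools with SslStream-based
networking, the C2 pattern the page attributes to BianLian's web.ps1.
Input records are constructed to resemble Event ID 4104 script block logging."""
import re

# Assumed indicator patterns: the .NET types a script would reference for each capability.
INDICATORS = {
    "runspace_pool": re.compile(r"CreateRunspacePool|RunspacePool", re.I),
    "ssl_stream": re.compile(r"System\.Net\.Security\.SslStream|\bSslStream\b", re.I),
    "raw_tcp": re.compile(r"System\.Net\.Sockets\.TcpClient|\bTcpClient\b", re.I),
}

# Constructed sample events, not real telemetry. Event 1 mimics the C2 pattern;
# event 3 is a benign parallel-execution script that uses a Runspace Pool alone.
SAMPLE_EVENTS = [
    {"id": 1, "host": "build01", "path": "C:\\temp\\web.ps1",
     "text": "$tcp = New-Object System.Net.Sockets.TcpClient($h,$p)\n"
             "$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(),$false,{$true})\n"
             "$pool = [RunspaceFactory]::CreateRunspacePool(1,4); $pool.Open()"},
    {"id": 2, "host": "build01", "path": "C:\\scripts\\deploy.ps1",
     "text": "Invoke-WebRequest -Uri https://artifacts.internal/app.zip -OutFile app.zip"},
    {"id": 3, "host": "ws07", "path": "C:\\tools\\parallel.ps1",
     "text": "$pool = [RunspaceFactory]::CreateRunspacePool(1,8); $pool.Open()"},
]

def classify(text):
    """Return the set of indicator names whose pattern appears in the script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def scan_script_blocks(events):
    """Return one hit per event whose indicators match the C2 pattern, with a severity.
    Runspace Pool + SslStream together is the high-confidence combination; a bare
    SslStream over TcpClient (no runspaces) is reported at medium severity for triage."""
    hits = []
    for ev in events:
        found = classify(ev["text"])
        if {"runspace_pool", "ssl_stream"} <= found:
            severity = "high"
        elif {"ssl_stream", "raw_tcp"} <= found:
            severity = "medium"
        else:
            continue  # Runspace Pools alone are common in legitimate automation
        hits.append({"id": ev["id"], "host": ev["host"], "path": ev["path"],
                     "severity": severity, "indicators": sorted(found)})
    return hits

if __name__ == "__main__":
    for hit in scan_script_blocks(SAMPLE_EVENTS):
        print(hit)
```

Feed it real 4104 records (the ScriptBlockText field) from a SIEM export to triage build servers; tune the patterns against your own automation scripts to keep Runspace Pool-only matches out of the alert queue.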


The evolving tactics of BianLian pose a significant threat to organizations, especially in the healthcare, manufacturing [2], professional [2], and legal services sectors [2]. Mitigation measures such as patching vulnerabilities, incident response planning, and threat intelligence-informed penetration testing are crucial to counter these threats. The release of a free decryptor by Avast in January 2023 may indicate a shift in the group’s operations, but organizations should remain vigilant and prepared for future attacks.