G1011: EXOTIC LILY
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]
Analyst context for executives and security teams
EXOTIC LILY is material because MITRE describes it as a financially motivated group that may operate as an initial access broker and has been linked to ransomware deployments such as Conti and Diavol. For leaders, the practical issue is not just phishing risk; it is whether the organization can detect and contain early access before it becomes a ransomware or data-theft incident handled by another actor.
Executive priority
Prioritize EXOTIC LILY as an access-to-ransomware readiness scenario. Executives should ask whether email, endpoint, web, DNS, identity, and incident response evidence can connect a suspicious message or link to endpoint execution, downloader activity, and outbound command-and-control. This is especially relevant to the sectors named in the ATT&CK group description (IT, cybersecurity, and healthcare), to those named in the related Bazar software description (professional services, manufacturing, logistics, and travel), and to any other organization where downtime or third-party access could affect business continuity.
Technical view
The supplied relationships frame EXOTIC LILY around reconnaissance, resource development, spearphishing, user execution, client-side exploitation, malware upload, web-service command-and-control, and use of Windows malware families Bazar and Bumblebee. SOC and IR teams should validate coverage across the full chain: exposed employee/contact data, suspicious sender infrastructure, spearphishing attachments and links, third-party service messages, user execution from documents or downloaded files, client application exploit behavior, downloader/backdoor execution, and outbound traffic to legitimate web services that could blend into normal activity. The group object itself has no official ATT&CK detection text and no group-level platforms or tactics, so detection engineering should be driven by the related techniques and software rather than by a single group signature.
Likely telemetry
- Email security gateway and mailbox audit logs for attachments, links, sender domains, and delivery outcomes
- Third-party messaging or collaboration service logs where phishing via service could occur
- Endpoint detection telemetry for file creation, process execution, child processes from browsers or office/PDF applications, and downloaded payload execution
- Web proxy, DNS, TLS, and firewall logs for newly seen domains, payload hosting, and outbound web-service communications
- Identity provider and office suite audit logs for link-based access attempts and suspicious user interaction context
Detection direction
- Build detections that correlate spearphishing delivery with user click/open events and subsequent endpoint execution, rather than treating the email alert in isolation.
- Tune for suspicious attachment and link behavior, including files launched from email, browsers, archives, disk images, or document readers, while accounting for legitimate business document workflows.
- Monitor for client-application exploitation indicators where browsers, office applications, or document viewers spawn unusual processes or write executables.
- Validate detection for downloader/backdoor behavior associated with the related Windows software Bazar and Bumblebee, but avoid relying only on malware names or static indicators.
- Review outbound traffic to legitimate web services for command-and-control-like patterns, because T1102 indicates that normal cloud or web services may be abused as cover.
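The first two detection points above (correlate delivery with execution; watch files launched from disk images) can be expressed as a small correlation over endpoint telemetry. The following is an added example, not part of the mirrored ATT&CK page or Glexia's tooling: it runs over constructed Sysmon-style events and flags a rundll32/regsvr32 launch from explorer.exe whose module sits on a non-system drive letter (the typical result of a user opening a LNK inside a mounted ISO, per T1204.002), when an email client or browser wrote a disk image on the same host shortly before. Event field names, the application lists, the 30-minute window, and "C" as the system drive are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): two hosts, one suspicious chain.
EVENTS = [
    {"ts": "2022-04-01T09:00:00", "host": "ws01", "type": "file_create",
     "image": "outlook.exe", "path": r"C:\Users\a\Downloads\Invoice_2022.iso"},
    {"ts": "2022-04-01T09:02:10", "host": "ws01", "type": "process_create",
     "parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe E:\hidden\doc.dll,Start"},      # DLL on mounted ISO
    {"ts": "2022-04-01T11:30:00", "host": "ws02", "type": "process_create",
     "parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

DELIVERY_APPS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}
IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")
SYSTEM_DRIVE = "C"                       # assumption; read from telemetry in practice
WINDOW = timedelta(minutes=30)           # assumption: delivery-to-click window

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def module_drive(cmdline):
    """Drive letter of the first 'X:\\' path in a command line, or None."""
    m = re.search(r"\b([A-Za-z]):\\", cmdline)
    return m.group(1).upper() if m else None

def correlate(events):
    """Return one alert per loader launch that follows a disk-image write on the
    same host within WINDOW and references a module outside the system drive."""
    images = [e for e in events if e["type"] == "file_create"
              and e["image"].lower() in DELIVERY_APPS
              and e["path"].lower().endswith(IMAGE_EXTS)]
    alerts = []
    for e in events:
        if e["type"] != "process_create" or e["image"].lower() not in LOADERS:
            continue
        if e.get("parent", "").lower() != "explorer.exe":   # user double-click context
            continue
        drive = module_drive(e["cmdline"])
        if drive in (None, SYSTEM_DRIVE):                   # normal system DLL use
            continue
        for img in images:
            delta = _ts(e) - _ts(img)
            if img["host"] == e["host"] and timedelta(0) <= delta <= WINDOW:
                alerts.append({"host": e["host"], "image_file": img["path"],
                               "loader": e["cmdline"], "drive": drive})
    return alerts
```

The ws02 event is left alone because its DLL lives on the system drive; tune DELIVERY_APPS and the window against your own baseline before deploying this as a rule.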
Mitigation priorities
- Start with exposure reduction: limit unnecessary publication of employee email addresses, roles, and operational details on websites and social media where feasible.
- Harden phishing controls for both attachments and links, including filtering, detonation/sandboxing, URL inspection, and user reporting workflows.
- Keep client applications patched and prioritized for rapid remediation where exploitation for client execution is a concern.
- Restrict risky file execution paths and reduce unnecessary script, macro, or executable launch behavior from email and browser-delivered content where business operations allow.
- Strengthen endpoint monitoring and response for downloader and backdoor activity, especially on Windows systems given the related Bazar and Bumblebee software.
Analyst notes and limits
This take is based only on the official ATT&CK G1011 description, the cited Google reference, and supplied relationships. The most decision-relevant pattern is early access enablement: reconnaissance and persona/resource setup, phishing delivery, user execution or client exploitation, downloader/backdoor use, and possible web-service C2. Treat this as a coverage validation scenario across teams, not as proof of current targeting in any specific environment.
MITRE provides no official detection text, no group-level platforms, and no group-level tactics for this object. Relationship-derived platforms and tactics are useful for defensive planning but do not prove every EXOTIC LILY activity will use every listed technique, platform, or software. Local telemetry, incident evidence, and threat intelligence are required to assess exposure or confirm activity.
EXOTIC LILY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.003 | Spearphishing via Service | EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1585.001 | Social Media Accounts | EXOTIC LILY has established social media profiles to mimic employees of targeted companies. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1566.001 | Spearphishing Attachment | EXOTIC LILY conducted an e-mail thread-hijacking campaign with malicious ISO attachments. (Citation: Google EXOTIC LILY March 2022) (Citation: Proofpoint Bumblebee April 2022) |
| Enterprise | T1203 | Exploitation for Client Execution | EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1566.002 | Spearphishing Link | EXOTIC LILY has relied on victims to open malicious links in e-mails for execution. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1204.002 | Malicious File | EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO. (Citation: Google EXOTIC LILY March 2022) (Citation: Proofpoint Bumblebee April 2022) |
| Enterprise | T1585.002 | Email Accounts | EXOTIC LILY has created e-mail accounts to spoof targeted organizations. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1102 | Web Service | EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1594 | Search Victim-Owned Websites | EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1204.001 | Malicious Link | EXOTIC LILY has used malicious links to lure users into executing malicious payloads. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1597 | Search Closed Sources | EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1583.001 | Domains | EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1593.001 | Social Media | EXOTIC LILY has copied data from social media sites to impersonate targeted individuals. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1589.002 | Email Addresses | EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms. (Citation: Google EXOTIC LILY March 2022) |
| Enterprise | T1608.001 | Upload Malware | EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive. (Citation: Google EXOTIC LILY March 2022) |
Groups, software, and campaigns
S0534: Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]
S1039: Bumblebee
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f5051e4a051a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google EXOTIC LILY March 2022: Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. Open source URL.
[2] mitre-attack G1011. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.