Step 1: Initial Access and Dwell Time
Initial compromise is achieved predominantly through credential abuse. PEAR Team operators systematically harvest or purchase valid VPN and RDP credentials. These credentials are acquired from public breaches, credential stuffing lists, or active infostealer logs distributed on the dark web. Secondary access pathways include targeted spear-phishing campaigns designed to execute loaders that bypass standard perimeter controls.
Step 2: Living off the Land and RMM Abuse
To avoid triggering endpoint detection and response (EDR) platforms, the attackers minimize the use of custom compiled malware. Instead, they rely on Living off the Land (LotL) techniques, running administrative utilities already present on the host system. They use PowerShell and PsExec for local execution and lateral movement across the internal domain.
Persistence is maintained through the unauthorized installation of legitimate, commercial Remote Monitoring and Management (RMM) software. Specifically, PEAR installs AteraAgent and Splashtop Remote Service. Because IT administrators widely use these applications, security operation centers often whitelist them, allowing PEAR to establish persistent, redundant command and control (C2) channels without generating security incidents.
Step 3: Targeted Discovery and Data Collection
Once persistence is secured, PEAR conducts targeted internal reconnaissance. The threat actors systematically query active directory domains to locate file servers, domain controllers, and cloud-synced backups. They run local script searches for specific file types and keywords, focusing on database platforms like Sage and QuickBooks, which contain core corporate ledger and transaction details. Data is then staged in hidden directories and compressed using standard utility binaries like 7-Zip or WinRAR.
Step 4: Stealthy Exfiltration via Renamed Binaries
The compressed files are transferred off-network using robust command-line tools like RClone or WinSCP. To evade network traffic monitoring and command-line detection rules, PEAR regularly renames these utility binaries to mimic legitimate Windows system processes. The files are streamed to external hosting servers managed by the threat actors via encrypted protocols, making deep packet inspection difficult without active TLS decryption.
Enterprise Security and Compliance Risks
The leak of 1.8 TB of financial and operational databases poses severe security and regulatory risks. When accounting database structures like Sage and QuickBooks are exposed, malicious actors gain access to client transaction histories, vendor bank details, tax documents, and business-critical operational structures. This data provides downstream attackers with the exact intelligence required to execute convincing vendor-impersonation and business email compromise (BEC) campaigns.
Furthermore, because the compromise includes PII, PHI, and sensitive corporate records, affected entities face severe regulatory scrutiny. Organizations operating internationally or processing data across jurisdictions must maintain rigorous visibility over their digital assets. In the GCC region, strict regulatory frameworks require enterprises to implement proactive threat hunting and continuous visibility over their internet-facing assets.
To evaluate if your outward-facing configurations are vulnerable, utilizing Attack Surface Management can help discover exposed remote access portals, out-of-date VPN gateways, and unpatched assets before threat groups discover them.