Link Found Between Exfiltrator-22 Post-Exploitation Framework And LockBit Ransomware

The CYFIRMA team has discovered evidence that Exfiltrator-22 (EX-22) was created by LockBit 3.0 affiliates or by members of the ransomware operation’s development staff. First, they found that the framework uses the same “domain fronting” technique used by LockBit and by the Tor obfuscation plugin Meek, which helps conceal malicious traffic inside normal HTTPS connections to legitimate platforms. Further research by CYFIRMA revealed that EX-22 uses the same C2 infrastructure that was previously disclosed in a LockBit 3.0 sample. Unfortunately, Exfiltrator-22 seems to have been written by experienced malware developers who are able to build an evasive framework. Because of this, despite its high price, it is expected to attract a lot of interest in the cybercrime community, which will ultimately lead to additional code development and feature enhancements.

https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-exploitation-kit-linked-to-lockbit-ransomware/