Defeating BLOCKADE SPIDER: How CrowdStrike Stops Cross-Domain Attacks

A case study of CrowdStrike OverWatch threat hunters disrupting eCrime adversary BLOCKADE SPIDER demonstrates the complexity of modern cross-domain attacks.

November 18, 2025


Cross-domain attacks exemplify adversaries’ drive for speed and stealth. In these attacks, threat actors navigate multiple domains such as endpoint, cloud, and identity systems to maximize their reach and impact. Their goal is to exploit the weaknesses in organizations’ fast-growing and complex environments.

BLOCKADE SPIDER is among the most elusive cross-domain adversaries. This financially motivated eCrime adversary, active since at least April 2024, commonly uses cross-domain techniques in its ransomware campaigns. They gain access through unmanaged systems, dump credentials, and move laterally to virtualized infrastructure to remotely encrypt files with Embargo ransomware. They’ve also demonstrated the ability to target cloud environments.

They aren’t alone. Adversaries spanning all geographies and motivations are using cross-domain techniques to accelerate their operations across hybrid environments. They target unmanaged hosts and leverage misconfigurations to break in, and then navigate systems with valid credentials, all without triggering traditional defenses. 

Here, we examine a case study in which CrowdStrike OverWatch threat hunters identified and disrupted BLOCKADE SPIDER’s cross-domain activity, and discuss how organizations can protect themselves from these evolving threats.

Disrupting BLOCKADE SPIDER

CrowdStrike OverWatch identified that BLOCKADE SPIDER had accessed a victim’s network via an unmanaged VPN appliance in early 2025. The adversary moved laterally to several managed systems, where they performed actions typically observed in big game hunting activity, including attempting to dump credentials from a configuration database and to delete backup files.

BLOCKADE SPIDER made several attempts to interfere with the CrowdStrike Falcon® sensor. While these attempts failed, the adversary was not deterred, and they rapidly adapted their strategy. Tracking and disrupting this adversary quickly required additional data sources, which is where cross-domain data from identity sources and CrowdStrike Falcon® Next-Gen SIEM were critical.

CrowdStrike OverWatch used CrowdStrike Falcon® Identity Threat Protection data to trace the initial activity to a VPN service account. From this bastion account, BLOCKADE SPIDER performed DCSync, a credential dumping technique that abuses directory replication rights to request account password hashes from a domain controller, to retrieve further credentials, and then began adding the compromised accounts to new Active Directory groups. CrowdStrike OverWatch followed this activity through identity data and monitored for further malicious use of the newly compromised accounts.
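The two identity signals described above, replication requests from an account that is not a domain controller and subsequent group membership changes by that same account, can be hunted for directly in Windows Security log data. The following is an added example written for this page, not CrowdStrike code and not telemetry from the case: it runs simple detection logic over a handful of constructed events in the shape of event IDs 4662 (operation on a directory object) and 4728/4732/4756 (member added to a security-enabled group). The replication-right GUIDs are Microsoft's well-known values; the domain controller names, account names, group names and timestamps are assumptions made up for the sample.

```python
"""Hunt for DCSync followed by Active Directory group manipulation in
Windows Security events. Every event below is a constructed sample."""
from dataclasses import dataclass

# Extended rights that permit directory replication (Microsoft's well-known GUIDs).
# A principal requesting these against the domain object is what DCSync looks like.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# "A member was added to a security-enabled ... group" event IDs by group scope.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
# Assumption: machine accounts of the domain controllers, which replicate legitimately.
KNOWN_DCS = {"dc01$", "dc02$"}

# Constructed sample events using the field names a SIEM would expose for
# the Windows Security log (not real telemetry). "time" is seconds.
EVENTS = [
    {"time": 10, "event_id": 4662, "subject": "DC02$", "object_type": "domainDNS",
     "access_mask": "0x100", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": 20, "event_id": 4662, "subject": "svc_vpn", "object_type": "domainDNS",
     "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": 30, "event_id": 4662, "subject": "jdoe", "object_type": "user",
     "access_mask": "0x20", "properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    {"time": 40, "event_id": 4732, "subject": "svc_vpn", "member": "backup_adm",
     "group": "Backup Operators"},
    {"time": 50, "event_id": 4756, "subject": "helpdesk1", "member": "newhire",
     "group": "Sales"},
]


@dataclass
class Finding:
    rule: str
    actor: str
    time: int
    detail: str


def replication_rights(properties: str) -> list:
    """Names of replication extended rights present in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events) -> list:
    """Flag 4662 events requesting replication rights from a non-DC principal."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4662:
            continue
        rights = replication_rights(ev.get("properties", ""))
        if not rights or ev["subject"].lower() in KNOWN_DCS:
            continue
        findings.append(Finding("dcsync", ev["subject"], ev["time"], ", ".join(rights)))
    return findings


def detect_group_adds(events) -> list:
    """Record every security group membership addition, with the actor who made it."""
    return [
        Finding("group_add", ev["subject"], ev["time"],
                f'{ev["member"]} -> {ev["group"]} ({GROUP_ADD_EVENTS[ev["event_id"]]} group)')
        for ev in events if ev["event_id"] in GROUP_ADD_EVENTS
    ]


def correlate(events, window: int = 3600) -> list:
    """Chain the two signals: an account that performed DCSync later adds
    members to groups within `window` seconds. That is the sequence worth
    paging on; either signal alone is noisier."""
    dcsync = detect_dcsync(events)
    chained = []
    for add in detect_group_adds(events):
        for d in dcsync:
            if d.actor.lower() == add.actor.lower() and 0 <= add.time - d.time <= window:
                chained.append(Finding("dcsync_then_group_add", add.actor, add.time,
                                       f"DCSync at t={d.time} ({d.detail}); {add.detail}"))
                break
    return chained


if __name__ == "__main__":
    for f in detect_dcsync(EVENTS) + correlate(EVENTS):
        print(f"[{f.rule}] t={f.time} actor={f.actor}: {f.detail}")
```

On the sample, the DC02$ replication event is ignored because it comes from a known domain controller, jdoe's ordinary 4662 carries no replication right, and only svc_vpn is flagged for DCSync and then chained to its addition of backup_adm to Backup Operators. In production, KNOWN_DCS should be derived from the directory rather than hard-coded, and the rule should also treat accounts such as Azure AD Connect sync accounts, which legitimately hold replication rights, as known exceptions.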

Log data from an identity and access management (IAM) solution ingested into Falcon Next-Gen SIEM quickly yielded more actionable insight into BLOCKADE SPIDER’s Active Directory manipulation. CrowdStrike OverWatch threat hunters were also able to continuously follow and alert on the adversary’s activity as they pivoted between unmanaged on-premises systems and cloud environments. Finally, threat hunters observed BLOCKADE SPIDER bypass the victim’s multifactor authentication (MFA) requirements to access its IAM environment and deploy a rogue Active Directory agent.

Despite the adversary embedding themselves deeply in the victim’s on-premises and cloud infrastructure, Falcon Next-Gen SIEM data provided threat hunters with the capability to track BLOCKADE SPIDER’s activities through various data sources. The customer was ultimately able to shut down BLOCKADE SPIDER’s access to its network.

Figure 1. BLOCKADE SPIDER’s cross-domain attack path

CrowdStrike continuously monitors global threat actor activity and emerging tactics mapped to the MITRE ATT&CK® framework. This intelligence is directly integrated into the Falcon platform to help customers stay ahead of adversaries’ evolving tradecraft. With real-time intelligence informing detection and protection, organizations can anticipate attacker behavior, reduce exposure, and improve resilience across every domain.

Unified Cross-Domain Visibility

The evolution of cross-domain attacks highlights a critical reality: Detection alone is not enough. Organizations must be able to correlate activity across every domain and stop adversary movement before an attacker reaches critical assets.

To do this, they need unified visibility across endpoint, cloud, and identity environments. The Falcon platform delivers this capability through next-generation antivirus, endpoint detection and response, identity protection, and cloud security, all delivered through a single sensor and managed in a unified console.

The Falcon platform provides defenders with a single view of activity across all domains, enabling faster investigation and response. Together, CrowdStrike Falcon® Insight XDR and Falcon Next-Gen SIEM extend these capabilities, correlate telemetry across systems, and surface high-fidelity detections that reveal the complete attack path. This unified approach allows defenders to distinguish real threats from noise and act decisively before damage occurs. Cross-domain threat hunting, provided through CrowdStrike Falcon® Adversary OverWatch™ and CrowdStrike Falcon® Complete Next-Gen MDR, detects adversary activity that spans multiple security areas including identity systems, endpoints, and cloud environments. 


Detection to Prevention with Intelligence-Driven Defense

CrowdStrike’s protection-first approach combines behavioral analytics, machine learning, and real-time intelligence to block adversary behaviors at key stages before they cause impact. Whether adversaries are targeting Windows, Linux, or cloud workloads, the Falcon platform closes the gaps they depend on to move between domains.

The Falcon platform enables organizations to:

  • Detect and block malicious behavior across endpoints, cloud, and identities
  • Correlate activity across domains to expose the complete attack path
  • Accelerate investigation and response with AI-driven automation
  • Continuously harden defenses with actionable threat intelligence
  • Hunt for cross-domain threats spanning multiple security domains

The CrowdStrike Falcon platform flips the advantage back to defenders by unifying detection, response, and protection across every environment to provide the speed and visibility needed to stop modern adversaries.
