Threat Actor Profile
High APT
Description

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)

Confidence Score
90%
Known Aliases
EXOTIC LILY
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (15)
T1102 - Web Service (Command and Control)
T1203 - Exploitation for Client Execution (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1566.003 - Spearphishing via Service (Initial Access)
T1589.002 - Email Addresses (Reconnaissance)
T1593.001 - Social Media (Reconnaissance)
T1594 - Search Victim-Owned Websites (Reconnaissance)
T1597 - Search Closed Sources (Reconnaissance)
T1583.001 - Domains (Resource Development)
T1585.001 - Social Media Accounts (Resource Development)
T1585.002 - Email Accounts (Resource Development)
T1608.001 - Upload Malware (Resource Development)
STIX Data
{'aliases': ['EXOTIC LILY'],
 'created': '2022-08-18T15:25:59.689Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a '
                'financially motivated group that has been closely linked with '
                '[Wizard Spider](https://attack.mitre.org/groups/G0102) and '
                'the deployment of ransomware including '
                '[Conti](https://attack.mitre.org/software/S0575) and '
                '[Diavol](https://attack.mitre.org/software/S0659). [EXOTIC '
                'LILY](https://attack.mitre.org/groups/G1011) may be acting as '
                'an initial access broker for other malicious actors, and has '
                'targeted a wide range of industries including IT, '
                'cybersecurity, and healthcare since at least September '
                '2021.(Citation: Google EXOTIC LILY March 2022)',
 'external_references': [{'external_id': 'G1011',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1011'},
                         {'description': 'Stolyarov, V. (2022, March 17). '
                                         'Exposing initial access broker with '
                                         'ties to Conti. Retrieved August 18, '
                                         '2022.',
                          'source_name': 'Google EXOTIC LILY March 2022',
                          'url': 'https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/'}],
 'id': 'intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af',
 'modified': '2025-04-16T20:37:34.060Z',
 'name': 'EXOTIC LILY',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Phill Taylor, BT Security'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}