BianLian, a relatively new threat actor involved in distributing ransomware, now has 20 alleged victims, mostly in Australia, North America and the UK, according to the Redacted cybersecurity firm. BianLian uses its own custom toolkit, including self-made encryptors, encryption backdoors and command-and-control (C2) software, to remain undetected and counter Endpoint Detection and Response (EDR) protections during the encryption phase. All of its tools are written in Golang.

Infrastructure associated with the BianLian group first appeared online in December 2021 and the group tripled its C2 infrastructure in August 2022, suggesting a possible acceleration in pace.


The list of the group's victims has grown since first seen. The most observed attack vector used by BianLian targets the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), SonicWall VPN devices, and servers that provide remote network access via solutions such as Remote Desktop. The group also uses living off the land (LotL) tactics to reduce detection while the network is mapped. The group does operate a TOR site.

DXC perspective

DXC has been monitoring BianLian target activity since July 2022. A secured infrastructure and robust cyber defense program can help protect environments from ransomware attacks.