25 New Adversary Emulation Packages Covering Ransomware and Advisory-Driven Threats
2026-01-21 14:00:23 Author: securityboulevard.com

Real-world intrusions—whether driven by ransomware and extortion groups or documented through government threat advisories—unfold across a full attack lifecycle, placing simultaneous pressure on prevention, detection, and response capabilities.

This release expands your ability to validate ransomware readiness in practice by delivering 25 new adversary emulation packages in AttackIQ Flex, spanning ransomware and extortion activity, post-compromise intrusion behavior, and advisory-driven emulation aligned to government reporting from organizations such as CISA.

Flex Packages are modular adversary emulation scenarios designed to validate security controls using real-world operator tradecraft in a repeatable, evidence-based way.

Ransomware and Extortion Emulation Packages

What this group covers

This release set significantly expands ransomware emulation coverage by aligning scenarios to attacker tradecraft observed across multiple active ransomware and extortion-focused families. Many of the new packages map directly to the Ransom Tales initiative, which translates real-world ransomware TTPs into repeatable adversary emulations defenders can operationalize.

How This Strengthens Defenses

  • Stress-test prevention and detection controls against realistic ransomware playbooks (initial access, execution, persistence, discovery, lateral movement, and impact).
  • Validate incident response readiness, including alerting fidelity, containment, isolation, and recovery workflows under ransomware-like pressure.
  • Establish a repeatable baseline and then expand into family-specific behaviors to identify control gaps and measure improvement over time.

New Ransomware Emulation Packages

Additional ransomware packages released in this cycle: Warlock, Interlock, DragonForce, VanHelsing, Termite, Cuba, Underground, Industrial Spy

Notes:

  • The Warlock emulation aligns to threat activity targeting unpatched SharePoint via the ToolShell exploit chain.
  • The Interlock emulation aligns to the CISA advisory content and supporting reporting referenced by AttackIQ.

Post-Compromise and Hybrid Intrusion Emulation Packages

What this group covers

These emulations replicate what happens after an attacker has already gained access, where most breaches escalate and most controls quietly fail. They focus on post-compromise behaviors that frequently evade traditional control validation because they rely on stealth, living-off-the-land, and staged payload execution.

How This Strengthens Defenses

  • Validate visibility and detection across credential access, persistence, internal reconnaissance, and data movement.
  • Pressure-test threat hunting and triage workflows against activity that resembles real espionage and hybrid intrusion chains.
  • Test segmentation and identity controls under conditions where the adversary already has a foothold.

New Post-Compromise Emulation Packages

Salt Typhoon

Post-compromise activity aligned to SparrowDoor and ShadowPad campaigns

Background: AttackIQ published an emulation focused on Salt Typhoon post-compromise TTPs, and separately notes an update including a SparrowDoor and ShadowPad campaign emulation.

RomCom

Emulation of the intrusion chain from MeltingClaw downloader via ShadyHammock backdoor to RomCom deployment

Background: AttackIQ research highlights RomCom’s evolution and the broader espionage-to-ransomware convergence trend.

Advisory-Driven Emulation Packages

What this group covers

These packages translate CISA advisories into practical, testable emulation content, allowing teams to validate controls against the specific TTPs and operational lessons documented in government-led incident reporting.

How This Strengthens Defenses

  • Quickly turn advisory guidance into measurable security validation runs.
  • Reinforce disciplined fundamentals, including rapid patching, centralized logging, and rehearsed incident response procedures.
  • Validate that detection and response pipelines identify the behaviors emphasized in the advisories, not just generic malware signals.

New Advisory-Driven Emulation Packages

CISA AA25-141A

Russian GRU targeting Western logistics entities and technology companies

Background: AttackIQ released an assessment template aligned to AA25-141A and the reported GRU Unit 26165 activity.

CISA AA25-266A

Lessons learned from an incident response engagement (Windows)

Background: CISA emphasizes prompt patching and preparedness (IR planning and centralized logging), which this template helps teams validate in practice.

CISA AA24-016A

Androxgh0st malware indicators of compromise

Background: AttackIQ notes the template covers multiple malware samples associated with Androxgh0st activity observed since December 2022.

Practical Implications for Security Teams

Effective defense depends on understanding how adversaries operate across complete intrusion chains, not just whether individual controls trigger.

These adversary emulation packages allow security teams to:

  • Validate defenses using real-world operator tradecraft
  • Measure readiness across ransomware intrusion lifecycles
  • Operationalize advisory guidance through repeatable testing
  • Identify concrete detection and response gaps using evidence-based validation

Getting Started in AttackIQ Flex

These adversary emulation packages are available in AttackIQ Flex. Teams can sign up for free to begin testing.

Paul Reid

VP, Adversary Research

Paul Reid is a veteran of the complex, fast-paced world of cybersecurity, having served as a technology strategist for more than two decades at innovative technology companies. In these roles, he leveraged his deep expertise in cybersecurity, biometrics, network security, cryptography, and more to guide customers, partners, industry analysts, and journalists through the intricate cybersecurity landscape. Most recently he has led a team of Cyber Threat Hunters leveraging behavioral analytics to find emerging threats in customers' environments. Paul has been published numerous times and has shared his perspectives as a keynote speaker at prominent industry conferences, such as the NATO Information Assurance Symposium, SANS@Night, and Microsoft TechEd. Paul is a published author in the Prentice Hall Series in Computer Networking and Distributed Systems. He also holds several patents in cybersecurity.

*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Paul Reid. Read the original post at: https://www.attackiq.com/2026/01/21/25-adversary-emulation-packages/


Source: https://securityboulevard.com/2026/01/25-new-adversary-emulation-packages-covering-ransomware-and-advisory-driven-threats/