__ __ __ ________ __
/ // /__ _____/ /__/ ___/ _ \/ /
/ _ / _ `/ __/ '_/ (_ / // / /__
/_//_/\_,_/\__/_/\_\\___/____/____/
Torta Ahogada track
Inside BlackNevas: gaps, grief, and lessons learned
BlackNevas, a group that uses a rebrand of Trigona and has been identified since November 2024, has proven its capacity to infiltrate infrastructure through numerous vulnerabilities. We recently discovered that several companies hosted by an infrastructure service provider were impacted by the compromise of a virtualized hosting infrastructure. Dealing with a lot of configuration problems felt like a grieving process, but we gained a lot of knowledge, particularly about how the malware works, which helped us restore particular components.
In this session, we will discuss how the incident was handled, the organizational challenges and misunderstandings that hindered the investigation but also created opportunities, and the threat analysis that helped us understand how the threat operated and identify procedures that offered chances for recovery and further research.