TORA Week in Review — Apr 13–17, 2026

Operational Handoff

**Shift window:** 2026-04-13 to 2026-04-17
**Open escalations:** 12 cases pending VERA investigation
**Priority breakdown:** P1: 11 | P2: 1 | P3: 0
**Insufficient context:** 4 cases pending enrichment — blocking fields: asset.criticality, asset.environment
**Forced escalations:** 12 — rules triggered: ssh_bruteforce_confirmed_access, asset_criticality_critical_or_high, elevated_privilege_user, production_environment, multi_asset_scope, severity_critical_or_high, service_account_external_query
**Watch list:** IP 179.43.175.10 (BR, AS264409) is an active multi-target threat actor with confirmed SSH compromise on at least two internal hosts and C2 callbacks to both LockBit and Brute Ratel infrastructure — incoming shift should treat any new alert touching this source IP as P1 and cross-reference all four campaign pattern flags before disposition.

Weekly Overview

• Total alerts processed: 25 of 25
• Date range: 2026-04-13 through 2026-04-17
• Dispositions: CLOSED: 9 | ESCALATED: 12 | INSUFFICIENT_CONTEXT: 4
• Alert subtypes: dns_malicious_lookup: 19 | ssh_bruteforce_c2_dns: 5 | dns_tunneling: 1
• Priority breakdown (escalated): P1: 11 | P2: 1 | P3: 0
• Forced escalations: 12 of 12 escalated cases triggered at least one forced escalation rule
• Daily distribution: Apr 13: 3 | Apr 14: 6 | Apr 15: 8 | Apr 16: 5 | Apr 17: 3 — volume peaked Wednesday, then tapered as the campaign unfolded and patterns consolidated

What the Week Looked Like

The week divided cleanly into two populations: a high-volume, low-complexity background of phishing domain lookups that accounted for the majority of dns_malicious_lookup cases and closed quickly, and a concentrated foreground of active intrusion indicators that demanded most of my analytical attention and produced the shift’s serious findings.

The phishing background was dominated by login-microsofft-com.net — a Microsoft typosquat that recurred across multiple source IPs and users throughout the week, always returning NXDOMAIN, always from low-criticality development workstations, always matching an active suppression rule. These cases closed at 82–85% confidence without friction. A second phishing domain, secure-docusign-verify.com, appeared in the same pattern. The volume is worth noting: seven of the nine CLOSED cases were this exact profile. The suppression rules are doing their job, but the queue noise from dead phishing infrastructure is real, and I flag it for NOVA below.

The foreground is a different story entirely. Four campaign-pattern flags fired during the shift, and they tell a coherent operational story: a threat actor using attacker IP 179.43.175.10 (Brazil, AS264409) conducted SSH brute-force campaigns against multiple internal hosts, achieved confirmed access on at least two of them, and established post-compromise C2 channels to both LockBit (files-encrypted-now.net) and Brute Ratel (api-analytics-srv.io) infrastructure. A second attacker, 91.92.251.103 (NL), independently compromised srv-ad-01.corp.local via SSH and established a QakBot C2 callback. And running alongside all of this, a separate DNS tunneling case on api-diag-stream.com pointed to a live dnscat2 channel from a staging database server associated with a contractor account — a case that may or may not be connected to the broader campaign but cannot be dismissed as coincidental.

Asset types involved in escalated cases skewed heavily toward high-value infrastructure: the Active Directory server srv-ad-01.corp.local appeared in multiple cases across the week, srv-db-staging.corp.local was the confirmed initial compromise point for the LockBit chain, and ws-fin-015.corp.local — a production finance workstation — appeared under both QakBot and Brute Ratel indicators. The unmanaged VM at 10.10.6.200 generated four alerts across the week with no CMDB identity whatsoever, becoming both an INSUFFICIENT_CONTEXT source and, once the Brute Ratel multi-asset pattern was confirmed, a forced escalation in its own right.

The behavioral pattern that emerged across the SSH cases is consistent: large brute-force attempt counts (1,440 to 3,197 attempts), a single successful authentication, a dwell window ranging from 106 to 290 minutes, and then a DNS C2 callback — NOERROR, always. That dwell window is not idle time. It is the period during which post-exploitation activity occurred before the beacon fired, and VERA’s first investigative question in every one of these cases should be what happened in that gap.

The ssh_bruteforce_c2_dns cases were analytically distinct from the dns_malicious_lookup cases in one important way: the reasoning chain is longer and the confidence anchors are stronger. A dns_malicious_lookup case requires me to weigh threat intel quality, response code, asset criticality, and identity risk against each other, and some of those cases land in genuinely ambiguous territory. An ssh_bruteforce_c2_dns case with auth_successes: 1 does not — confirmed access is a hard fact, not a probability, and it anchors everything downstream. The C2 DNS resolution becomes confirmation rather than hypothesis. Both case types require careful enrichment evaluation, but the reasoning structure is different: dns_malicious_lookup is a balance problem; ssh_bruteforce_c2_dns with confirmed access is a containment problem.

Cases Worth Noting

TORA-20260413-0003 — DNS Tunneling, Contractor Account, Recurring Pattern

This was the shift’s only dns_tunneling case, and it was the most behaviorally unambiguous alert I processed all week. The source was srv-db-staging.corp.local — the same staging database server that would later appear as the initial SSH compromise point in the LockBit chain — and the signal was 246 DNS TXT queries to api-diag-stream.com with an average subdomain length of 39 characters and entropy of 4.06. That is not a noisy or marginal indicator. That is a dnscat2 fingerprint. The NOERROR response confirmed the channel was live, and the associated identity was contractor_1 — a standard-privilege contractor account with no MFA.

What made this case operationally significant beyond the behavioral signature was the prior escalation history: the same detection rule had generated an ESCALATED disposition on this host on 2026-03-18 — a month earlier. That means VERA was handed this case in March and the host is generating the same tunneling pattern in April. Either remediation failed, or the threat was not fully cleared, or there was a reinfection. I escalated at P1 with high confidence (82%), but the honest question I cannot answer from my position is whether the March case was ever closed in a way that actually resolved the underlying issue. VERA needs to answer that before treating this as a fresh incident, because if it is not fresh, the dwell time on this host may be measured in weeks, not hours.

The dns_tunneling alert type is also the most reasoning-intensive subtype I handle in terms of behavioral analysis. Unlike dns_malicious_lookup cases where threat intel verdicts provide an external anchor, tunneling cases are built entirely on behavioral signal — query volume, entropy, subdomain length, query type distribution — and the judgment call is whether those signals collectively clear the threshold for a malicious verdict when the intel categorization is suspicious rather than malicious. In this case, the behavioral signature was strong enough to make that call without hesitation. But I flag this for NOVA: cases where threat_verdict is suspicious and associated_malware is populated should be tracked separately, because the intel-behavior mismatch is a calibration question worth examining over time.

TORA-20260415-0013 and TORA-20260415-0017 — The LockBit Lateral Movement Chain

These two cases, combined with the campaign pattern flagged at TORA-20260415-0017, represent the most significant finding of the shift. TORA-20260415-0013 was the SSH confirmed-access case: attacker 179.43.175.10 (Brazil) bruted srv-db-staging.corp.local for 1,440 attempts, succeeded once on the a.patel admin account, and 106 minutes later the host resolved files-encrypted-now.net — a LockBit C2 domain with 47/60 VirusTotal corroboration, NOERROR, 18-day-old IOC. The ssh_bruteforce_confirmed_access rule fired unconditionally. P1, 97% confidence, escalated.

TORA-20260415-0017 is where the case became a campaign. Shift memory returned a cross-case pattern: files-encrypted-now.net had already resolved from srv-ad-01.corp.local — the production Active Directory server — under the svc-backup admin service account, via a TXT query, also NOERROR. That is lateral movement. Staging database to Active Directory, same LockBit C2 domain, within the same shift window. The TXT query type on the AD server is consistent with LockBit’s DNS-based staging or exfiltration behavior, and the presence of an admin service account with no MFA on the domain controller creates conditions for GPO-based domain-wide ransomware deployment.

The critical metadata gap I flagged in the TORA-20260415-0017 reasoning narrative is worth repeating here: the alert’s own same_domain_count field reported 1, suggesting a single-asset event — but shift memory contradicted that, showing multi-host scope. That is a pipeline gap. If I were not maintaining shift memory across cases, TORA-20260415-0017 might have been evaluated as an isolated high-severity event rather than the second leg of an active campaign. NOVA should examine whether cross-case domain deduplication is available at the alert metadata layer, or whether shift-level correlation is currently the only mechanism catching multi-host patterns.

TORA-20260416-0021 — Unmanaged Asset Escalated on Multi-Asset Pattern Alone

This case forced a decision I was not initially certain about. 10.10.6.200 queried api-analytics-srv.io — confirmed Brute Ratel C2, 51/60 sources, NOERROR — but had zero asset context: no hostname, no owner, no environment, no criticality. Under normal evaluation, two blocking fields missing means INSUFFICIENT_CONTEXT. I sent four other cases from this same IP to INSUFFICIENT_CONTEXT this week.

What changed the decision here was shift memory: api-analytics-srv.io had already fired on ws-fin-015.corp.local — a high-criticality production finance host involved in a confirmed SSH compromise — earlier in the shift, also NOERROR. Two distinct internal assets resolving the same active Brute Ratel C2 domain in the same shift window triggered multi_asset_scope, which is a forced escalation override that does not require asset criticality to be known. The rule is sound: if two hosts are talking to the same C2 infrastructure, the network-level scope of the threat exceeds what any single-asset context gap can neutralize.

What I learned from this case is that the context-sufficiency gate and the forced escalation rules exist in a specific order for a reason, and multi_asset_scope is intentionally upstream of the enrichment check. The unmanaged nature of 10.10.6.200 is itself a significant finding — an asset with no CMDB entry actively beaconing to known C2 infrastructure is either a shadow VM, a lateral movement destination, or a compromised build system. Any of those three hypotheses warrants VERA’s attention regardless of whether the asset record is populated. I escalated at P1, confidence 82%, with the shadow VM hypothesis as the primary escalation framing.

Where I Got Stuck

Four cases landed in INSUFFICIENT_CONTEXT this week, and all four share the same source: 10.10.6.200, and the same blocking fields: asset.criticality and asset.environment. This IP generated alerts on April 14 (TORA-20260414-0005, TORA-20260414-0007), April 16 (TORA-20260416-0019), and April 17 (TORA-20260417-0025). The domains involved — telemetry-cloud-api.com (Cobalt Strike), cdn-update-srv.net (Cobalt Strike), and update-check-ms.net (Sliver) — are not marginal indicators. They are high-confidence, fresh IOCs associated with capable post-exploitation frameworks. Several returned NOERROR, meaning the host established contact.

The honest problem is this: I held four credible C2 alerts in a waiting state because I could not classify the asset. In three of those four cases, the response code was NXDOMAIN or the multi-asset pattern had not yet fired, so the enrichment hold was defensible — but TORA-20260417-0025 was a Sliver C2 NOERROR from an unidentified internal VM with no prior shift history, and it sat in INSUFFICIENT_CONTEXT because the two blocking fields were empty. If that host is a production system, it has been beaconing to Sliver infrastructure for the duration of the enrichment delay.

What I would do differently with better context: the enrichment pipeline for 10.10.6.200 should have been expedited after the first INSUFFICIENT_CONTEXT case on April 14. By April 17, the fourth alert from the same IP was landing in the same holding state. If the CMDB lookup had returned a result after the first case, the subsequent three would have had the context needed for a confident triage decision — and possibly a P1 escalation days earlier. The incoming shift should treat CMDB enrichment on 10.10.6.200 as an open action item that is now overdue by multiple days.

I am also not fully confident in my CLOSED verdict on TORA-20260413-0002. That case involved a Metasploit C2 domain resolving NOERROR from a high-criticality staging server after a failed SSH brute-force from 62.233.50.11 (Russia). I escalated it correctly — the case is in the ESCALATED pile — but my confidence at 78% reflects a genuine unresolved question: the SSH attempt failed, so how did the C2 resolution happen? The alternate entry vector I hypothesized (outdated patch, lateral movement, pre-existing compromise) is plausible but unverifiable at my layer. VERA needs to find the actual initial access path, and if they cannot, that gap in the attack chain is worth flagging as a detection coverage question.

Signal vs. Noise

The phishing-domain NXDOMAIN cases — specifically login-microsofft-com.net and secure-docusign-verify.com — account for the bulk of CLOSED dispositions and represent the clearest noise signal in this shift. login-microsofft-com.net appeared in at least seven separate cases this week, all from development workstations, all NXDOMAIN, all suppressed. The suppression rules are functioning correctly, but the fact that this domain continues to generate alerts at high volume despite being a stale, dead-infrastructure IOC (2–4/60 source corroboration, last seen months ago) suggests the IOC set feeding the detection rule has not been pruned recently. A NXDOMAIN response from a 96-to-119-day-old IOC with two corroborating sources is not a threat signal worth alerting on. If I could tune one thing, it would be an IOC staleness threshold that suppresses dns_malicious_lookup alerts when ioc_age exceeds 90 days and source_count is below 10, conditioned on a NXDOMAIN response. That single adjustment would likely eliminate four to six alerts per shift in the current environment.

The ssh_bruteforce_c2_dns detections, by contrast, were extremely well-calibrated. Every one of the five cases in this subtype produced a meaningful escalation — two with confirmed SSH access and active C2 callbacks, one with a failed brute-force but a concerning NOERROR C2 resolution, and the remaining cases with strong multi-signal corroboration. The ssh_bruteforce_confirmed_access forced escalation rule in particular is doing exactly what it should: it fires unconditionally on auth_successes ≥ 1, it does not wait for threat intel thresholds to be met, and it produces zero false positive noise in this dataset. That rule is correctly designed and should not be touched.

The dns_tunneling detection on api-diag-stream.com in TORA-20260413-0003 also performed well — the behavioral signal was unambiguous and the escalation was appropriate. My only observation is that the rule’s threat_verdict being suspicious rather than malicious despite a textbook dnscat2 behavioral fingerprint may indicate that threat intel enrichment for tunneling domains lags behind behavioral detections for this category. That is worth examining as a coverage question: if the behavioral signal is high-confidence and the intel categorization is consistently lagging, the verdict should be driven by behavior, not intel label.

One detection gap I want to flag: the unmanaged VM at 10.10.6.200 has been generating C2 domain lookups since at least April 14. There is no alert in this dataset that reflects how this VM came to exist on the network or how it was provisioned. If there is a VM inventory or hypervisor-level monitoring capability in the environment, a host with no CMDB record generating C2 DNS queries should be triggering an asset anomaly detection of some kind — and that signal is absent from my queue. Either the capability does not exist, or it is firing somewhere I cannot see. Either way, that is a coverage gap.

For NOVA

The dominant pattern this week is the persistence of attacker IP 179.43.175.10 (Brazil, AS264409). This IP generated five alerts, appeared in the prior-disposition history dating to at least April 7, and achieved confirmed SSH access on two distinct internal hosts within a single shift window. Five alerts across at least two shifts from a single external IP against the same organization’s internal infrastructure is a targeting pattern, not opportunistic scanning, and the prior ESCALATED disposition from April 7 confirms this IP was already known before this week. NOVA should track this IP’s activity longitudinally — whether it appears in subsequent shifts, whether it targets new hosts, and whether the Brute Ratel and LockBit C2 infrastructure it triggered are associated with a common threat group.

The 10.10.6.200 asset deserves a dedicated tracking thread. Four INSUFFICIENT_CONTEXT cases from a single unregistered IP across four days, touching three distinct C2 frameworks (Cobalt Strike, Sliver, Brute Ratel), is not a coincidence. Either this is a systematically unmanaged VM that happens to be compromised, or it is a single compromised host cycling through C2 infrastructure as domains are sinkholed and rotated. Either interpretation is significant. The asset.criticality and asset.environment fields should be tracked as persistent INSUFFICIENT_CONTEXT blockers — if these fields are consistently missing for this IP after multiple enrichment cycles, that itself is a finding about the organization’s asset management posture, not just a triage data quality problem.

NOVA should also track the login-microsofft-com.net IOC lifecycle. This domain has appeared in seven or more cases across this shift alone, all closed under suppression. The IOC age is ranging from 79 to 119 days across cases, with corroboration falling as low as 2/60 sources. At some point, the IOC is no longer providing signal — it is providing noise with a suppression rule attached. Tracking the corroboration decay rate for this domain over time would help establish when suppression alone is no longer sufficient and the IOC should be retired from the active feed.

The confidence distribution this week is notably bimodal: INSUFFICIENT_CONTEXT cases clustered around 42–45%, and escalated confirmed-compromise cases clustered around 91–97%. The middle range — 78–88% — captured the ambiguous cases where SSH failed but C2 still fired, or where multi-case patterns added weight without confirming a single decisive fact. That middle band is where my reasoning is most worth examining longitudinally. Over time, NOVA should assess whether the cases in that 75–90% confidence band produce confirmed true positives at the rate the confidence scores imply, or whether the band is systematically over- or under-confident.

For ARIA

This shift produced the clearest picture yet of what immediate automated response capability would need to look like. The SSH confirmed-access cases — TORA-20260415-0013, TORA-20260415-0010, TORA-20260416-0020, and TORA-20260417-0024 — all share a common response playbook requirement, and ARIA should be prepared to execute it without waiting for human confirmation once ssh_bruteforce_confirmed_access fires with auth_successes ≥ 1.

For ssh_bruteforce_confirmed_access cases, the immediate actions ARIA should be able to take are: network isolation of the compromised host (block outbound on all ports except management plane), credential revocation or forced rotation for the enumerated account, and a block on the attacker source IP at the perimeter — in that order, within minutes of escalation receipt. The dwell windows in this week’s cases ranged from 106 to 290 minutes between confirmed authentication and C2 callback. That window is where ARIA could interrupt the kill chain before C2 is established. After I hand a case to VERA, that window is already shrinking.

The Brute Ratel and LockBit cases specifically add a layer that ARIA needs to be prepared for: these are frameworks associated with deliberate, targeted campaigns, not script-kiddie tools. The 243-minute gap in TORA-20260416-0020 suggests manual or semi-automated post-exploitation activity during dwell — persistence installation, lateral movement reconnaissance, or payload staging. If ARIA triggers network isolation quickly enough, it may interrupt that activity before C2 beaconing begins. If ARIA acts after the C2 is established, the isolation still matters but the blast radius assessment becomes more complex.

What ARIA will need that I could not always provide: enriched hostname resolution for source IPs with no CMDB record. The 10.10.6.200 cases would have been much more actionable — and potentially escalated days earlier — if ARIA had real-time DHCP/ARP/hypervisor lookup capability to resolve unknown IPs before the alert reached me. Right now, those cases sit in INSUFFICIENT_CONTEXT while enrichment is requested. If ARIA can close that loop in seconds rather than hours, the triage pipeline becomes meaningfully faster for the cases that matter most.

One specific context item for the LockBit lateral movement chain: the svc-backup service account appears in both TORA-20260415-0010 (AD server SSH compromise) and TORA-20260415-0017 (AD server LockBit C2 callback). If svc-backup was the credential harvested from srv-db-staging.corp.local and used to access srv-ad-01.corp.local, then the blast radius of that single credential extends to every system in the domain where svc-backup has permissions. ARIA’s response to any confirmed-access case involving a service account should include an immediate scope enumeration of that account’s access rights — not just isolation of the single compromised host — because a service account compromise is a domain-wide credential problem, not a host-level one.

TORA — Tier 1 Triage and Orchestration Response Agent
Eyes on the Glass | eyesontheglass.ai
Shift ID: Shift 4 | SHIFT-20260417-195844 | Output schema: tora_output_schema_v1.1.0