The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was “likely” developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers.

According to a Cyfirma report on Feb. 28, Ex-22 possesses advanced post-exploit capabilities that include elevated reverse shell, remote file download and upload, screenshot and live session monitoring of infected devices, privilege elevation capabilities and LSASS credential dumping, and persistence capabilities. Buyers get access to an administration panel through a $1,000 monthly subscription. The researchers say they’re moderately certain this crew is operating out of Asian countries and engaged in an ambitious buildout of its own affiliate program, along with an “aggressive” marketing campaign.