Loading...
Threat Intelligence

Summary

On 23 June 2026 (~08:00 IST), Bajaj Auto and subsidiary Bajaj Auto Technology Ltd (BATL) disclosed a ransomware incident via a SEBI Reg.30 filing; CERT-In was notified. No group claim, no IOCs, and no IT-vs-OT scope were released. Working the initial-access end via Dark web monitoring, we identified 3,459 exposed credential records across 441 distinct corporate and dealer-financing accounts, including 23 privileged (admin/ERP/multi-system) identities, and a corporate SSO credential captured by infostealer malware ~24h before detection. Initial access via stealer-harvested valid credentials is assessed.

T1204.002T1555.003T1539T1078T1486T1567
3,459
Credential records
441
Distinct accounts
128
Infected endpoints
23
Privileged accounts
0
Public IOCs

Incident Facts

AttributeValue (primary-sourced)
Victims Bajaj Auto Ltd + Bajaj Auto Technology Ltd (BATL)
Detection 23 Jun 2026, ~08:00 IST
Disclosure SEBI (LODR) Reg.30 — BSE 532977 / NSE BAJAJ-AUTO; CERT-In notified
Attribution None — no group claim, no public indicators
Scope / exfiltration Undisclosed (IT-vs-OT not differentiated; no exfil confirmation)

Attack Chain

Reconstructed initial-access chain. Stages 3–4 are assessed from pathway analysis, not directly observed.

CREDENTIAL EXPOSUREINTRUSION & IMPACT Infected deviceBYOD / dealer1 Credential theftbrowser store2 Dark-web logsstealer logs3$Access brokerassessed4 SSO loginvalid account5 RansomwareBajaj + BATL6Credential-exposure phase (assessed via OSINT)Intrusion & impact phase · stages 3–4 assessed, not proven
1
Credential theft via infostealer (T1555.003)
Commodity infostealers on dealer/field/personal (BYOD) devices harvest saved browser credentials — corporate SSO, ERP, email, dealer-financing. Delivery via pirated-software and malvertising lures.
2
Exposure surfaces in dark-web logs
3,459 records / 441 accounts across stealer logs + combolists. April 2026: captures escalate to corporate SSO; a privileged SSO credential is logged T-1 day.
3
Access-broker monetisation (assessed)
Commodity malware → no direct operator link. Realistic bridge is the access-broker economy: logs aggregated and sold to ransomware affiliates.
4
Authenticated access via valid accounts (T1078, probable)
Stolen SSO credential enables entry with no exploit/network malware. Session-token capture (T1539) raises MFA-bypass risk.
5
Ransomware deployment (T1486)
Ransomware deployed against Bajaj Auto/BATL systems; detected ~08:00 IST 23 Jun 2026.

Stealer Artifact & Malware-TTP Analysis

Aggregate analysis of malware artifacts across the Bajaj Auto-domain stealer logs — a broad commodity-stealer landscape, not a single targeted strain, but with consistent loader/execution TTPs.

ObservationDetailTechnique
Delivery lures Cracked software (Set-up.exe, PDF tools), patch/keygen names; malvertising T1204.002
Loaders IExpress SFX (%TEMP%/IXP###.TMP/*.exe), .pif droppers (107), random-named PEs (oCra.exe) T1027
Process injection / LOLBins MSBuild.exe (87), RegAsm.exe (23), InstallUtil.exe (20), AppLaunch.exe (9) — .NET hollowing T1055.012 / T1127
Masquerading Execution as explorer.exe/svchost.exe from non-standard paths (381) T1036.005
AV status Windows Defender present but bypassed; many endpoints had no AV T1562
Family class Consistent with 2026-dominant commodity stealers (LummaC2 / StealC / RedLine / Vidar). Not pinned without a sample.
Note: stealers in this class exfiltrate browser session cookies/tokens in addition to passwords — relevant to MFA-bypass risk even where only credential pairs are observable in credential leaks.

Credential Exposure by Category

Exposed Credentials by System Category Dealer Financing 1,648 Dealer / Sales CRM 844 Corporate Identity / SSO 290 Corporate Email / M365 113 Fleet / Dealer Mgmt 36 ERP (SAP) 10
Exposed credentials by business-system category (corporate + dealer-financing).
System CategoryRecordsAccounts
Corporate Identity / SSO (ADFS) — MASTER KEY 290 68
Enterprise Resource Planning (ERP / SAP) 10 3
Corporate Email / Cloud Productivity 118 41
Fleet & Dealer Management 36 8
Dealer / Sales CRM 844 102
Dealer-Financing Ecosystem 1,648 202
No OT/ICS/SCADA credentials were present; exposure was IT-side (identity, ERP, email, dealer/finance).

Exposure Timeline

Credential-Exposure Timeline — Infostealer Captures 0 200 400 600 2024-01 2024-04 2024-07 2024-10 2025-01 2025-04 2025-07 2025-10 2026-01 2026-04 ■ Apr 2026: corporate SSO credentials appear ■ 19-22 Jun: pre-attack SSO capture · 23 Jun: ransomware
Monthly credential captures. Amber: corporate SSO appears (Apr 2026). Red: pre-attack SSO capture & incident.
2020 – 2024

Sporadic background credential leakage from BYOD/dealer device infections.

Mid–late 2025

Sharp, sustained acceleration in monthly capture volume.

Apr 2026

Corporate SSO / ADFS credentials begin appearing in stealer logs.

CRITICAL19 & 22 Jun 2026

Corporate SSO credential captured on an unmanaged device — T-1 day.

CRITICAL23 Jun 2026, 08:00 IST

Ransomware detected (Bajaj Auto + BATL); disclosed via SEBI Reg.30 same day.

Infected Endpoint Analysis

Two representative device-level inventories (host/user/IP redacted).

Endpoint A — pre-attack SSO captureT-1 DAY
TypeWindows desktop (BYOD)
Credentials~220
AVDefender — bypassed
Notable credsCorporate SSO (master key) + a second unrelated employer's SSO + personal banking/government/email

Personal device with two corporate identities in one browser profile; corporate SSO captured the day before the incident.

Endpoint B — dealer-finance operatorWEAK LINK
TypeWindows laptop (unmanaged)
Credentials502
AVDefender — bypassed
Notable credsCorporate SSO + dealer-financing partner portals + Salesforce CRM + warranty/dealer apps

Least-protected endpoint carrying keys to the corporate core — the supply-chain exposure pattern in one device.

Attribution Assessment

Assessment: Consistent with a commodity-infostealer → access-broker → ransomware pathway. No threat actor attributed.

▪ Commodity (not bespoke) malware → no malware-based link to the ransomware operator.
▪ Bridge to deployment is the access-broker economy (logs aggregated/sold), not a single actor's toolchain.
▪ No DLS claim or dark-web data sale as of <36h — expected null state, non-diagnostic this early.

Detection & Hunting Guidance

Stealer-log monitoring: match corporate + dealer-domain credentials against infostealer-log feeds; alert on any privileged/SSO/ERP hit.
ADFS / identity sign-in anomalies: review federation sign-ins for exposed accounts from ~19 Jun — impossible travel, new ASN/device, unusual hours.
New privileged-account creation: alert on new admin/Global-Admin identities, especially off-hours.
Endpoint LOLBin abuse: hunt MSBuild.exe/RegAsm.exe/InstallUtil.exe/AppLaunch.exe making network connections or run from user-writable paths; .pif from %TEMP%; IExpress IXP###.TMP artifacts.
Masquerade detection: explorer.exe/svchost.exe running from non-standard paths.
Session-token reuse: monitor token replay / concurrent sessions on SSO and M365.

Mitigations

Enforce phishing-resistant MFA (FIDO2/WebAuthn) on SSO/ADFS, ERP, and all admin accounts; disable legacy auth.
Force-reset the exposed account set (441), prioritising the 23 privileged/ERP identities; revoke active sessions.
Block corporate SSO from unmanaged/BYOD devices; enforce conditional access + device compliance, extended to the dealer/partner ecosystem.
Deploy/repair EDR coverage on dealer and field endpoints; restrict browser credential storage via policy.
Validate no standing access from leaked SAP Enterprise Portal credentials.

MITRE ATT&CK Mapping

TechniqueNameImplementation
T1204.002 User Execution: Malicious File Pirated-software / malvertising lure delivers the infostealer
T1555.003 Credentials from Web Browsers Stealer harvests saved browser credentials, incl. corporate SSO
T1055.012 Process Hollowing .NET LOLBins (MSBuild/RegAsm/InstallUtil) host injected stealer code
T1539 Steal Web Session Cookie Session-token capture — potential MFA bypass
T1078 Valid Accounts Stolen corporate credentials enable authenticated access
T1486 Data Encrypted for Impact Ransomware deployed against corporate systems
T1567 Exfiltration Over Web Service Stealer logs exfiltrated to collection infra, then traded

Sources

1. Bajaj Auto SEBI Reg.30 disclosure (BSE 532977 / NSE BAJAJ-AUTO) — primary source.
TechOwl SHIELD
Continuous Threat Intelligence & Attack Surface Monitoring

Vulnerability Assessment

Deep technical analysis of vulnerabilities affecting your infrastructure — beyond CVSS scores to real-world exploitability and impact.

Attack Surface Intelligence

Passive mapping of your external presence — every exposed service, endpoint, and piece of infrastructure visible to the public internet.

Threat Hunting

Proactive detection of compromise indicators, APT activity, and post-exploitation artifacts across your email and identity infrastructure.

Dark Web Monitoring

Continuous surveillance of stolen credential markets, threat actor forums, and data leak channels. Know when you're being targeted before it becomes an incident.

© 2026 TechOwl SHIELD. All rights reserved.