Back
Back to Blog

Everest & the SAP SuccessFactors Campaign

On this page

Everest is an active ransomware and data extortion group that has been operating since 2020. The group initially focused on data theft, later shifted to ransomware, and has recently begun acting as an initial access broker. It has been linked to 156 incidents to date, with the latest recorded on June 12, 2025.

In May 2025, there was a noticeable increase in Everest-linked activity in the Middle East, likely tied to the compromise of an SAP integrator. VenariX has identified possible indications of access to several SAP SuccessFactors’ client environments.

Overview — Who Is Everest Group?

Everest is a financially motivated ransomware group first observed in December 2020. It started as a data exfiltration operation, but later expanded to include ransomware encryption and leak site operations. By late 2021, the group was also functioning as an initial access broker (IAB). IABs gain unauthorized access to victim environments and sell that access to other threat actors, often for use in ransomware operations. Everest’s leak site disappeared from the dark web after the Colonial Pipeline attack in 2021, but later reappeared, with increased IAB activity throughout 2023.

According to the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3), the group is linked to the EverBe 2.0 ransomware family and, more recently, to the Russia-based BlackByte group, based on technical overlap and campaign similarities. These links have been reported by multiple security researchers and are tracked by VenariX.

Our data indicates that Everest may be linked to at least 156 incidents to date. It has targeted a range of sectors, with healthcare being the most affected. Between December 2020 and June 2025, 42 healthcare-related incidents were recorded in our platform, the majority involving U.S.-based organizations, such as AdventHealth and MCNA Dental.

image 1.png
Screenshot from the VenariX platform showing Top Targeted Sectors by Everest

image 4.png
Screenshot from the VenariX platform showing Attack Distribution by Industry and Subindustry by Everest

We have observed that Everest experiences an average of three incidents per month. The group primarily uses the dark web for communication and data exposure. Among the 156 incidents tracked, the types of data leaks that have been confirmed or observed included the following:

  • First and last names

  • Dates of birth

  • Confidential business information

  • Identification numbers (i.e., driver’s license numbers, U.S. Social Security numbers)

  • Protected health information

  • Email addresses

The majority of victims are in the private sector, with the United States being the most affected country, accounting for 57.4% of cases.

See the image below for the profile of the threat actor Everest on the VenariX platform:

image 7.png
Screenshot from the VenariX platform showing Threat Actor Everest Profile

Attacks on Government Institutions

In May 2025, we analyzed Everest’s leak site and identified eight impacted entities in the Middle East. Each leak contained structured Human Resources (HR) data from SAP SuccessFactors.

Upon closer analysis, we observed a common denominator: five of the eight organizations appear to be clients of the same SAP integrator, INK IT Solutions. Based on the available evidence, initial access may have occurred through the integrator, enabling lateral movement into client environments. For the remaining three victims, we did not identify a clear connection to the SAP partner.

Data exposed across the incidents included:

  • Employee directories

  • Payroll and compensation records

  • Passport and ID scans

  • Internal HR and onboarding documentation

Identified victims include:

  • Department of Culture and Tourism — Abu Dhabi

  • Jordan Kuwait Bank

  • Mediclinic Group

  • Coca-Cola Al Ahlia Beverages

  • Jamjoom Pharma

  • Kaefer

  • Khidmah, LLC

  • PDI Health

0_nPSoGt6yXFAdzq3Z (1).webp
Suspected link between Everest and victims via a shared SAP integrator

Downstream Effects

One of the victims, the Department of Culture and Tourism — Abu Dhabi, may have exposed data belonging to other entities during the breach.

Downstream victims may include:

  • Abu Dhabi Arabic Language Centre

  • Al Ain Book Festival

  • Department of Municipalities and Transport

  • Al Qattara Arts Centre

  • Culture Summit Abu Dhabi

  • Louvre Abu Dhabi

  • Manarat Al Saadiyat

See the screenshot below for details:

image 12.png
Screenshot from the VenariX platform showing the incident report for the Department of Culture and Tourism incident

Inside the Everest Playbook: MITRE ATT&CK Tactics and Techniques

Everest uses a combination of commodity tools and stealthy procedures throughout all phases of an attack. Below is a mapped breakdown based on the MITRE ATT&CK.

  • Initial Access: T1133 (External Remote Services) — Exploiting insecure external services

  • Execution: T1059.001 (PowerShell) and T1059.003 (Windows Command Shell) — Using legitimate tools for malicious purposes

  • Lateral Movement: T1021.001 (Remote Services: RDP) — Using RDP to move across the network

  • Persistence: T1543.003 (Windows Service) — Installing remote desktop tools as services

  • Credential Access: T1003.001 (LSASS Memory) and T1003.003 (NTDS) — Dumping credentials from memory and databases

  • Defense Evasion: T1070.004 (File Deletion) — Removing activity traces

  • Discovery: T1046 (Network Service Discovery) — Scanning the network

  • Collection: T1560.001 (Archive via Utility) — Archiving data with WinRAR

  • Command and Control: T1071.001 (Web Protocols) and T1219 (Remote Access Software) — Using Cobalt Strike and similar tools

  • Exfiltration: T1041 (Over C2 Channel) — Exfiltrating data via Splashtop

  • Impact: T1486 (Data Encrypted for Impact) — Encrypting data

Tools Frequently Leveraged

According to the Everest threat profile, the group repurposes legitimate software in its campaigns. Key tools include:

  • ProcDump — Dumps credentials from LSASS

  • SoftPerfect Network Scanner — Discovery and lateral movement

  • WinRAR — Archives files pre-exfiltration

  • Cobalt Strike — C2 communications via HTTPS

  • AnyDesk, Splashtop, Atera — Used to maintain access

Everest actors typically remove logs and tools after use, which limits post-incident forensic visibility.

Typical preventions against Everest include:

Everest relies on initial access brokers and stealthy post-exploitation. Mitigation requires a combination of access restrictions, activity monitoring, and response preparedness.

Key recommendations include:

  • Disable unused RDP ports and audit remote access logs

  • Use multi-factor authentication for admin access

  • Monitor scheduled tasks and PowerShell activity

  • Regularly patch endpoints, update antivirus/EDR, and back up systems offline

  • Segment networks and apply least privilege principles

  • Apply IOC detection rules for Splashtop, Cobalt Strike, and WinRAR behaviors

  • Monitor unusual file collection and archiving activity

  • Use the VenariX platform to understand how these groups operate, their reach, and recurring patterns across campaigns.

Conclusion

As observed on the VenariX platform, recent Everest activity shows a shift toward supply chain compromise and third-party SaaS targeting, particularly through platforms such as SAP SuccessFactors. The group relies on remote access tools and credential-based lateral movement to limit detection.

Organizations with exposed remote services, HR SaaS integrations, or third-party-managed infrastructure (e.g., IT Managed Service Providers) should consider Everest a current and relevant threat. VenariX users can monitor Everest-related activity through:

  • Filtering incidents by threat actor using the Everest tag

  • Real-time visibility into new Everest claims via platform integrations and API access.

  • Correlation of CVEs with incidents linked to Everest activity.

VenariX

Every security decision,
backed by real data.

Start with a free plan or try Pro free for one week.