cmdev
Technical Analysis

ByteToBreach: Anatomy of a Threat Actor Campaign

cmdev10 min read
ByteToBreach: Anatomy of a Threat Actor Campaign
Share
~16 min

Key takeaways

  • ByteToBreach chained CVE-2025-55182, Metasploit, and Sliver C2 into a nine-day dwell at Sterling Bank, then pivoted to Remita via plaintext credentials in Git and a misconfigured S3 bucket. The exploit chain is commodity; the gap is deployment of defences.
  • Exfiltration totals: 900,000 Sterling customer accounts, T24 core banking access, 3 TB from Remita including 46 HSM keys, and 25 million CAC files (~750 GB) via JWT enumeration and sequential ID IDOR.
  • The 46 HSM keys potentially undermine the cryptographic trust model of the Nigerian interbank settlement system — forged signatures, decrypted communications, and identity attacks against multiple major banks.
  • Every kill-chain stage had detection opportunities: WAF virtual patching, JA3/JA3S fingerprinting for Sliver, GitLeaks and TruffleHog for credentials, AWS Config rules for S3, network segmentation between Sterling and Remita, and volume-based DLP for 3 TB egress.
  • ByteToBreach is not an exceptionally sophisticated actor. Commodity tooling, well-documented techniques, numerous detection opportunities. The real vulnerability is the gap between available defences and their actual deployment across Nigerian infrastructure.

Who is ByteToBreach

ByteToBreach emerged as a named threat actor in March 2026, conducting a coordinated campaign against Nigerian financial and government infrastructure. The actor demonstrated capabilities consistent with an experienced intrusion operator — not a script kiddie, but not a nation-state APT either.

Activity timeline:

Date Target Action
Early March 2026 Sterling Bank Initial access via CVE-2025-55182, Sliver C2 deployment
Mid-March 2026 Remita (SystemSpecs) Lateral movement from Sterling, data exfiltration
Late March 2026 Corporate Affairs Commission JWT enumeration, mass data exfiltration
April 2026 Data brokerage Exfiltrated data offered for sale on dark web forums

The actor is notable for three characteristics: the ability to chain exploits across organizational boundaries, patience (nine-day dwell time at Sterling), and a monetization model based on bulk data sales rather than ransomware.

Sterling Bank: the attack chain

Initial access — CVE-2025-55182

The campaign started with the exploitation of CVE-2025-55182, a vulnerability in Sterling Bank's internet banking application. ByteToBreach used Metasploit Framework to deliver the initial exploit payload.

MITRE ATT&CK: T1190 — Exploit Public-Facing Application

The choice of Metasploit for initial access is significant. Metasploit is commodity tooling — widely available, well-documented, and detected by most modern EDR solutions. The fact that the initial exploit succeeded and was not immediately contained suggests either:

  • The internet banking application was not behind a WAF with virtual patching capability
  • Endpoint detection was not deployed on the target system
  • The CVE was recently disclosed and the patch window had not closed

Persistence — Sliver C2

After gaining initial access, ByteToBreach replaced the Metasploit session with Sliver, an open-source adversary emulation framework. Sliver is increasingly popular among real-world threat actors because it is harder to detect than Cobalt Strike (whose signatures are now well-known to most EDR vendors).

MITRE ATT&CK: T1571 — Non-Standard Port (Sliver supports mTLS, WireGuard, DNS, and HTTP/S for C2)

Sliver provides:

  • Encrypted C2 channels over multiple protocols
  • In-memory payload execution
  • Built-in pivoting capabilities
  • Session management for multi-target operations

The switch from Metasploit (initial exploitation) to Sliver (persistent access) indicates operational maturity — using the right tool for each phase rather than relying on a single framework.

Credential access and lateral movement

With persistent access inside Sterling's network, ByteToBreach began credential harvesting. The specific techniques are not publicly documented, but the subsequent lateral movement to Remita was enabled by plaintext credentials found in Git repositories — suggesting the attacker either:

  • Accessed an internal GitLab/GitHub Enterprise instance and searched for secrets
  • Found developer workstations with cloned repositories containing hardcoded credentials

MITRE ATT&CK:

  • T1552.001 — Unsecured Credentials: Credentials in Files
  • T1021 — Remote Services (lateral movement to Remita infrastructure)

Data exfiltration from Sterling

Before pivoting to Remita, ByteToBreach exfiltrated Sterling Bank's core data:

  • 900,000 customer account records including BVNs and NINs
  • Source code from internal repositories
  • API keys and service credentials
  • Access to the T24 core banking system (Temenos)

MITRE ATT&CK: T1041 — Exfiltration Over C2 Channel

The exfiltration of T24 access credentials is particularly concerning. Temenos T24 is the core banking system used by Sterling and many other Nigerian banks. Access to T24 means visibility into real-time balances, transaction processing, and customer data at the most privileged level.

Lateral movement to Remita

The pivot from Sterling to Remita represents the most consequential phase of the campaign. Remita, operated by SystemSpecs, is the payment platform that processes:

  • Federal and state government salary payments
  • Interbank settlement transactions
  • Tax collections and government revenue

The bridge: Git credentials and S3 misconfiguration

The lateral movement was enabled by two failures:

  1. Plaintext credentials in Git — Service account passwords or API keys stored in source code repositories, accessible from Sterling's network
  2. Misconfigured Amazon S3 bucket — A storage bucket with overly permissive access policies, likely containing shared configuration or data exchange files between Sterling and Remita

MITRE ATT&CK:

  • T1078 — Valid Accounts (using harvested credentials)
  • T1530 — Data from Cloud Storage Object

This is not a sophisticated exploit chain. It is credential reuse and cloud misconfiguration — two of the most common and preventable attack vectors in existence.

Remita exfiltration

Once inside Remita's infrastructure, ByteToBreach exfiltrated:

  • 3 TB of data including over 800 GB of KYC (Know Your Customer) documents
  • Transaction logs for government salary disbursements
  • 46 Hardware Security Module (HSM) keys

MITRE ATT&CK: T1005 — Data from Local System, T1039 — Data from Network Shared Drive

The HSM keys require special attention. Hardware Security Modules store the cryptographic keys used to sign and verify financial transactions. With 46 HSM keys from multiple major banks, ByteToBreach potentially gained the ability to:

  • Forge transaction signatures that would appear legitimate
  • Decrypt protected financial communications
  • Undermine the cryptographic trust model of the Nigerian interbank settlement system

Whether these keys were actively used for financial fraud has not been publicly confirmed.

CAC: a different vector, same actor

The Corporate Affairs Commission breach used a different initial access method but was attributed to the same actor.

JWT enumeration

ByteToBreach targeted the CAC's web application using JSON Web Token (JWT) enumeration — systematically testing JWT tokens to identify valid sessions or bypass authentication.

MITRE ATT&CK: T1550.001 — Use Alternate Authentication Material: Application Access Token

Sequential user IDs

The CAC system used sequential (predictable) user IDs, allowing the attacker to enumerate all user accounts by incrementing the ID parameter. This is a textbook Insecure Direct Object Reference (IDOR) vulnerability.

MITRE ATT&CK: T1087.002 — Account Discovery: Domain Account

Privilege escalation

The investigation revealed 474 accounts with self-assigned administrator privileges. Whether these were created by ByteToBreach during the intrusion or existed prior (indicating a long-running compromise or broken access controls) is not clear from public reporting.

MITRE ATT&CK: T1078.001 — Valid Accounts: Default Accounts

Mass exfiltration

With admin access, ByteToBreach exfiltrated 25 million files (~750 GB):

  • National identity cards
  • Company registration documents
  • Shareholder records and board resolutions
  • Internal password repositories

MITRE ATT&CK: T1005 — Data from Local System, T1567 — Exfiltration Over Web Service

Full TTP mapping

Phase Technique MITRE ID Tool/Method
Reconnaissance Scanning for CVEs T1595.002 Unknown scanner
Initial Access Exploit public-facing app T1190 Metasploit (Sterling)
Initial Access JWT enumeration T1550.001 Custom tooling (CAC)
Execution Command and scripting T1059 Sliver implant
Persistence C2 implant T1571 Sliver (mTLS/HTTP)
Credential Access Credentials in files T1552.001 Git repository scraping
Discovery Account enumeration T1087.002 Sequential ID brute force
Lateral Movement Valid accounts T1078 Harvested credentials
Collection Data from local system T1005 Bulk file access
Collection Data from cloud storage T1530 S3 bucket access
Exfiltration Over C2 channel T1041 Sliver C2
Exfiltration Over web service T1567 Direct download (CAC)

Detection opportunities

Every phase of this campaign had detection opportunities that, if implemented, could have interrupted the kill chain:

At initial access

  • WAF with virtual patching for CVE-2025-55182 would have blocked the initial exploit
  • Anomalous authentication patterns on the CAC web application (sequential token testing) should trigger rate limiting and alerting

At persistence

  • Sliver C2 network signatures — While Sliver is harder to detect than Cobalt Strike, its mTLS and HTTP beacon patterns can be identified through JA3/JA3S fingerprinting and beacon interval analysis
  • Process behavior monitoring — Sliver implants execute in-memory, but the parent process chain (web server spawning unexpected child processes) is detectable

At credential access

  • Git secret scanning — Automated tools (GitLeaks, TruffleHog) can identify plaintext credentials in repositories before an attacker does
  • S3 bucket auditing — AWS Config rules can flag publicly accessible or overly permissive bucket policies

At lateral movement

  • Network segmentation — Sterling and Remita should not have shared credential paths. Segmentation between banking infrastructure and payment platforms would have contained the breach to Sterling
  • Anomalous service account usage — Service accounts authenticating from unexpected sources should trigger immediate alerts

At exfiltration

  • Data Loss Prevention (DLP) — 3 TB of data leaving Remita's network should trigger volume-based alerts
  • Unusual database query patterns — Bulk extraction of customer records (900K accounts, 25M files) generates query patterns distinct from normal application behavior

Defensive recommendations

For organizations in the Nigerian financial sector and government:

Immediate (0–30 days):

  1. Scan all internet-facing applications for CVE-2025-55182 and apply patches
  2. Run GitLeaks or TruffleHog against all internal Git repositories — remediate any discovered secrets
  3. Audit all S3 buckets and cloud storage for public or overly permissive access
  4. Review all admin accounts — remove any that cannot be attributed to a named individual with a documented business need
  5. Deploy or verify JA3/JA3S fingerprinting on network monitoring to detect Sliver C2

Short-term (30–90 days):

  1. Implement network segmentation between critical systems — core banking, payment platforms, and government interfaces should not share credential stores or network paths
  2. Deploy SIEM rules for the TTPs described above — prioritize credential access, lateral movement, and bulk data access patterns
  3. Conduct a tabletop exercise using the ByteToBreach scenario as the basis
  4. Establish or join a sector-specific threat intelligence sharing group

Ongoing:

  1. Continuous vulnerability management with SLA-driven patching (critical CVEs patched within 72 hours)
  2. Regular penetration testing by independent parties, scoped to include lateral movement scenarios
  3. Purple team exercises testing detection capabilities against the specific TTPs used by ByteToBreach
  4. Incident response plan testing with GAID 72-hour notification workflows

ByteToBreach is not an exceptionally sophisticated actor. The tooling is commodity (Metasploit, Sliver), the techniques are well-documented (credential harvesting, IDOR, cloud misconfiguration), and the detection opportunities are numerous. What made this campaign successful was the gap between available defenses and their actual deployment across Nigerian infrastructure.

That gap is the real vulnerability.

FAQs

Why did ByteToBreach swap Metasploit for Sliver after initial access?

Operational maturity — use the right tool for each phase. Metasploit gets initial exploitation done cheaply but is widely signatured by EDR. Sliver is increasingly used by real-world actors because its mTLS, WireGuard, DNS, and HTTP/S C2 channels are harder to detect than Cobalt Strike, whose signatures are well-known. The switch indicates an operator who understands tooling, not someone running a single framework end-to-end.

How significant is the theft of 46 HSM keys from Remita?

Hardware Security Modules store the cryptographic keys used to sign and verify financial transactions. With 46 HSM keys from multiple major banks, ByteToBreach potentially gained the ability to forge transaction signatures that would appear legitimate, decrypt protected financial communications, and undermine the cryptographic trust model of the Nigerian interbank settlement system. Whether the keys were actively used for fraud has not been publicly confirmed.

What exactly was the CAC vulnerability that exposed 25 million files?

JWT enumeration combined with sequential user IDs — a textbook Insecure Direct Object Reference (IDOR). The CAC web application issued predictable IDs, so incrementing the ID parameter let the attacker walk every account. The investigation also surfaced 474 accounts with self-assigned administrator privileges; whether ByteToBreach created them during the intrusion or they existed prior was not made clear in public reporting.

How would JA3/JA3S fingerprinting actually catch Sliver C2?

JA3 hashes the TLS client hello's cipher suites, extensions, and elliptic curves; JA3S does the same for the server hello. Sliver's mTLS and HTTP beacons have characteristic JA3/JA3S signatures distinct from common browser and SaaS traffic. Network monitoring tuned to flag known-bad fingerprints, combined with beacon-interval analysis, catches the C2 channel even when the implant runs in-memory and avoids host-based detection.

What does network segmentation between Sterling and Remita look like in practice?

Different credential stores, different network paths, no shared service accounts, no plaintext secrets crossing the boundary in Git or S3. Core banking infrastructure and payment platforms should authenticate to each other through scoped service accounts with mTLS, rotated regularly, and never share an administrative trust domain. The Sterling-to-Remita pivot was enabled by exactly the failures segmentation is supposed to prevent.

Sources: Technext24, Nairametrics, Businessday, Security Intelligence Substack, MITRE ATT&CK Framework v14, CBN circulars.

nigeriathreat-actormitre-attackincident-responsetechnical-analysisbytetobreach

Ready to strengthen your security posture?

We help organizations across Africa build resilient infrastructure, deploy AI at scale, and navigate complex regulatory environments.

Start a conversation
← PreviousOpenClaw in Practice: AI Agents Across Law, Insurance, and E-CommerceNext →B2C AI Wrappers Will Disappear. The Real Opportunity Is in the Enterprise.