Defeating BLOCKADE SPIDER: Stopping Cross-Domain Attacks
Cross-domain attacks are an example of adversaries' desire for speed and stealth. In these attacks, threat actors move across multiple domains such as endpoints, cloud, and identity systems to maximize their reach and impact. Their goal is to exploit weaknesses in organizations' fast-growing and complex environments.
BLOCKADE SPIDER is one of the most elusive cross-domain adversaries. This financially motivated eCrime adversary, active since at least April 2024, commonly uses cross-domain techniques in its ransomware campaigns. It gains access through unmanaged systems, dumps credentials, and moves into virtualized infrastructure to remotely encrypt files with the Embargo ransomware. It has also demonstrated the ability to target cloud environments.
It is not alone. Adversaries spanning all geographies and motivations are using cross-domain techniques to accelerate their operations in hybrid environments. They target unmanaged hosts, gain entry by taking advantage of misconfigurations, and then move through the environment with legitimate credentials without triggering traditional security controls.
Here, we examine a case study in which CrowdStrike OverWatch threat hunters identified and disrupted BLOCKADE SPIDER's cross-domain activity, and discuss how organizations can protect themselves from these emerging threats.
Disrupting BLOCKADE SPIDER
CrowdStrike OverWatch identified that BLOCKADE SPIDER accessed a victim's network through an unmanaged VPN device in early 2025. The adversary subsequently moved into several managed systems, where it carried out activity typical of big game hunting, including attempting to dump credentials from the configuration database and deleting backup files.
BLOCKADE SPIDER made multiple attempts to interfere with CrowdStrike Falcon® sensors. Although these efforts failed, the adversary was not deterred and rapidly adapted its tactics. Tracking and disrupting the adversary quickly therefore required additional data sources, and cross-domain data from identity sources and CrowdStrike Falcon® Next-Gen SIEM was critical.
CrowdStrike OverWatch used CrowdStrike Falcon® Identity Threat Protection data to trace the VPN service account as the initial source of the activity. Using this foothold account, BLOCKADE SPIDER performed the DCSync credential dumping technique to recover more account credentials and began adding the compromised accounts to new Active Directory groups. CrowdStrike was able to follow this activity through OverWatch identity data and monitor further malicious activity carried out with these newly compromised accounts.
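The two identity signals described above, a DCSync-style replication request from a non-domain-controller account followed by changes to Active Directory group membership by that same account, can be correlated from standard Windows Security events. The following Python is an added example and is not CrowdStrike's code or a Falcon query; it assumes event 4662 (with the replication extended-right GUIDs in its Properties field), 4727/4731/4754 (security group created) and 4728/4732/4756 (member added) are being collected, and all account, host and group names in the sample events are constructed for illustration.

```python
"""Hunt: DCSync-style replication by a non-DC principal, then AD group changes.

Constructed example. Events are modelled as simple records; in practice they
would be fed from a SIEM or event forwarder rather than hard-coded.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Extended-right GUIDs that appear in the Properties field of event 4662 when a
# principal requests directory replication, which is what DCSync relies on.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}   # member added to global/local/universal security group


@dataclass
class Event:
    ts: datetime
    event_id: int
    subject: str          # SubjectUserName: the account performing the action
    properties: str = ""  # 4662 Properties: GUIDs in braces, whitespace-separated
    group: str = ""       # TargetUserName on group create / member-add events
    member: str = ""      # MemberName on member-add events


@dataclass
class Alert:
    kind: str
    actor: str
    ts: datetime
    detail: str


def requests_replication(properties: str) -> bool:
    """True if a 4662 Properties field names a replication extended right."""
    guids = {tok.strip("{}").lower() for tok in properties.split()}
    return bool(guids & REPLICATION_GUIDS)


def hunt(events: List[Event], dc_accounts: Set[str],
         window: timedelta = timedelta(hours=6)) -> List[Alert]:
    """Flag replication by non-DC principals, then any AD group change those
    principals make within `window` afterwards (the post-DCSync pattern)."""
    dcs = {a.upper() for a in dc_accounts}
    first_dcsync: Dict[str, datetime] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        actor = ev.subject.upper()
        if ev.event_id == 4662 and requests_replication(ev.properties):
            if actor in dcs:
                continue  # DC-to-DC replication is expected and noisy
            alerts.append(Alert("dcsync_by_non_dc", ev.subject, ev.ts,
                                "replication extended rights exercised by non-DC principal"))
            first_dcsync.setdefault(actor, ev.ts)
        elif ev.event_id in GROUP_CREATED or ev.event_id in MEMBER_ADDED:
            seen = first_dcsync.get(actor)
            if seen is not None and ev.ts - seen <= window:
                what = (f"created group {ev.group}" if ev.event_id in GROUP_CREATED
                        else f"added {ev.member} to {ev.group}")
                alerts.append(Alert("ad_change_after_dcsync", ev.subject, ev.ts, what))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per kind, handy for a quick triage view."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed sample telemetry; names and times are invented, not from any incident.
T0 = datetime(2025, 1, 15, 2, 0, 0)
SAMPLE_EVENTS = [
    # Normal replication between domain controllers: must not alert.
    Event(T0, 4662, "DC02$",
          properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Service account reading a user object (object-class GUID, not a replication right).
    Event(T0 + timedelta(minutes=5), 4662, "svc_vpn",
          properties="{bf967aba-0de6-11d0-a285-00aa003049e2}"),
    # Same service account exercising replication rights: DCSync pattern.
    Event(T0 + timedelta(minutes=7), 4662, "svc_vpn",
          properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Followed by a new group and a new member, within the window.
    Event(T0 + timedelta(minutes=40), 4727, "svc_vpn", group="IT-Remote-Admins"),
    Event(T0 + timedelta(minutes=42), 4728, "svc_vpn", group="IT-Remote-Admins",
          member="CORP\\jsmith"),
    # Routine helpdesk change with no preceding replication: must not alert.
    Event(T0 + timedelta(hours=1), 4728, "helpdesk01", group="Printer-Admins",
          member="CORP\\mlee"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"{alert.ts:%H:%M:%S} {alert.kind:<24} {alert.actor:<12} {alert.detail}")
```

The correlation deliberately keys on the acting account rather than on which credentials were dumped, because a 4662 event does not reveal what was replicated; the list of known domain controller accounts is the one piece of environment knowledge the rule needs, and it should come from the directory itself rather than a hand-maintained list.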
By leveraging log data from an identity and access management (IAM) solution ingested into Falcon Next-Gen SIEM, more actionable insight into BLOCKADE SPIDER's interest in Active Directory manipulation became immediately available. CrowdStrike OverWatch threat hunters were also able to continuously monitor and alert on the adversary's activity as it moved between unmanaged on-premises systems and cloud environments. Finally, threat hunters observed that BLOCKADE SPIDER successfully bypassed multifactor authentication (MFA) requirements to access the victim's IAM environment and deploy a rogue Active Directory agent.
Although the adversary had embedded itself deeply in the victim's on-premises and cloud infrastructure, Falcon Next-Gen SIEM data gave threat hunters the ability to track BLOCKADE SPIDER's activity across a variety of data sources. The customer was ultimately able to shut down BLOCKADE SPIDER's access to its network.
Source: www.crowdstrike.com
Published on: 2025-11-18 01:00:00
Categories: Endpoint Security & XDR