cmdev
Technical Analysis

ByteToBreach: Anatomy of a Threat Actor Campaign

cmdev8 min read
ByteToBreach: Anatomy of a Threat Actor Campaign
Share
~12 min

Who is ByteToBreach

ByteToBreach emerged as a named threat actor in March 2026, conducting a coordinated campaign against Nigerian financial and government infrastructure. The actor demonstrated capabilities consistent with an experienced intrusion operator — not a script kiddie, but not a nation-state APT either.

Activity timeline:

Date Target Action
Early March 2026 Sterling Bank Initial access via CVE-2025-55182, Sliver C2 deployment
Mid-March 2026 Remita (SystemSpecs) Lateral movement from Sterling, data exfiltration
Late March 2026 Corporate Affairs Commission JWT enumeration, mass data exfiltration
April 2026 Data brokerage Exfiltrated data offered for sale on dark web forums

The actor is notable for three characteristics: the ability to chain exploits across organizational boundaries, patience (nine-day dwell time at Sterling), and a monetization model based on bulk data sales rather than ransomware.

Sterling Bank: the attack chain

Initial access — CVE-2025-55182

The campaign started with the exploitation of CVE-2025-55182, a vulnerability in Sterling Bank's internet banking application. ByteToBreach used Metasploit Framework to deliver the initial exploit payload.

MITRE ATT&CK: T1190 — Exploit Public-Facing Application

The choice of Metasploit for initial access is significant. Metasploit is commodity tooling — widely available, well-documented, and detected by most modern EDR solutions. The fact that the initial exploit succeeded and was not immediately contained suggests either:

  • The internet banking application was not behind a WAF with virtual patching capability
  • Endpoint detection was not deployed on the target system
  • The CVE was recently disclosed and the patch window had not closed

Persistence — Sliver C2

After gaining initial access, ByteToBreach replaced the Metasploit session with Sliver, an open-source adversary emulation framework. Sliver is increasingly popular among real-world threat actors because it is harder to detect than Cobalt Strike (whose signatures are now well-known to most EDR vendors).

MITRE ATT&CK: T1571 — Non-Standard Port (Sliver supports mTLS, WireGuard, DNS, and HTTP/S for C2)

Sliver provides:

  • Encrypted C2 channels over multiple protocols
  • In-memory payload execution
  • Built-in pivoting capabilities
  • Session management for multi-target operations

The switch from Metasploit (initial exploitation) to Sliver (persistent access) indicates operational maturity — using the right tool for each phase rather than relying on a single framework.

Credential access and lateral movement

With persistent access inside Sterling's network, ByteToBreach began credential harvesting. The specific techniques are not publicly documented, but the subsequent lateral movement to Remita was enabled by plaintext credentials found in Git repositories — suggesting the attacker either:

  • Accessed an internal GitLab/GitHub Enterprise instance and searched for secrets
  • Found developer workstations with cloned repositories containing hardcoded credentials

MITRE ATT&CK:

  • T1552.001 — Unsecured Credentials: Credentials in Files
  • T1021 — Remote Services (lateral movement to Remita infrastructure)

Data exfiltration from Sterling

Before pivoting to Remita, ByteToBreach exfiltrated Sterling Bank's core data:

  • 900,000 customer account records including BVNs and NINs
  • Source code from internal repositories
  • API keys and service credentials
  • Access to the T24 core banking system (Temenos)

MITRE ATT&CK: T1041 — Exfiltration Over C2 Channel

The exfiltration of T24 access credentials is particularly concerning. Temenos T24 is the core banking system used by Sterling and many other Nigerian banks. Access to T24 means visibility into real-time balances, transaction processing, and customer data at the most privileged level.

Lateral movement to Remita

The pivot from Sterling to Remita represents the most consequential phase of the campaign. Remita, operated by SystemSpecs, is the payment platform that processes:

  • Federal and state government salary payments
  • Interbank settlement transactions
  • Tax collections and government revenue

The bridge: Git credentials and S3 misconfiguration

The lateral movement was enabled by two failures:

  1. Plaintext credentials in Git — Service account passwords or API keys stored in source code repositories, accessible from Sterling's network
  2. Misconfigured Amazon S3 bucket — A storage bucket with overly permissive access policies, likely containing shared configuration or data exchange files between Sterling and Remita

MITRE ATT&CK:

  • T1078 — Valid Accounts (using harvested credentials)
  • T1530 — Data from Cloud Storage Object

This is not a sophisticated exploit chain. It is credential reuse and cloud misconfiguration — two of the most common and preventable attack vectors in existence.

Remita exfiltration

Once inside Remita's infrastructure, ByteToBreach exfiltrated:

  • 3 TB of data including over 800 GB of KYC (Know Your Customer) documents
  • Transaction logs for government salary disbursements
  • 46 Hardware Security Module (HSM) keys

MITRE ATT&CK: T1005 — Data from Local System, T1039 — Data from Network Shared Drive

The HSM keys require special attention. Hardware Security Modules store the cryptographic keys used to sign and verify financial transactions. With 46 HSM keys from multiple major banks, ByteToBreach potentially gained the ability to:

  • Forge transaction signatures that would appear legitimate
  • Decrypt protected financial communications
  • Undermine the cryptographic trust model of the Nigerian interbank settlement system

Whether these keys were actively used for financial fraud has not been publicly confirmed.

CAC: a different vector, same actor

The Corporate Affairs Commission breach used a different initial access method but was attributed to the same actor.

JWT enumeration

ByteToBreach targeted the CAC's web application using JSON Web Token (JWT) enumeration — systematically testing JWT tokens to identify valid sessions or bypass authentication.

MITRE ATT&CK: T1550.001 — Use Alternate Authentication Material: Application Access Token

Sequential user IDs

The CAC system used sequential (predictable) user IDs, allowing the attacker to enumerate all user accounts by incrementing the ID parameter. This is a textbook Insecure Direct Object Reference (IDOR) vulnerability.

MITRE ATT&CK: T1087.002 — Account Discovery: Domain Account

Privilege escalation

The investigation revealed 474 accounts with self-assigned administrator privileges. Whether these were created by ByteToBreach during the intrusion or existed prior (indicating a long-running compromise or broken access controls) is not clear from public reporting.

MITRE ATT&CK: T1078.001 — Valid Accounts: Default Accounts

Mass exfiltration

With admin access, ByteToBreach exfiltrated 25 million files (~750 GB):

  • National identity cards
  • Company registration documents
  • Shareholder records and board resolutions
  • Internal password repositories

MITRE ATT&CK: T1005 — Data from Local System, T1567 — Exfiltration Over Web Service

Full TTP mapping

Phase Technique MITRE ID Tool/Method
Reconnaissance Scanning for CVEs T1595.002 Unknown scanner
Initial Access Exploit public-facing app T1190 Metasploit (Sterling)
Initial Access JWT enumeration T1550.001 Custom tooling (CAC)
Execution Command and scripting T1059 Sliver implant
Persistence C2 implant T1571 Sliver (mTLS/HTTP)
Credential Access Credentials in files T1552.001 Git repository scraping
Discovery Account enumeration T1087.002 Sequential ID brute force
Lateral Movement Valid accounts T1078 Harvested credentials
Collection Data from local system T1005 Bulk file access
Collection Data from cloud storage T1530 S3 bucket access
Exfiltration Over C2 channel T1041 Sliver C2
Exfiltration Over web service T1567 Direct download (CAC)

Detection opportunities

Every phase of this campaign had detection opportunities that, if implemented, could have interrupted the kill chain:

At initial access

  • WAF with virtual patching for CVE-2025-55182 would have blocked the initial exploit
  • Anomalous authentication patterns on the CAC web application (sequential token testing) should trigger rate limiting and alerting

At persistence

  • Sliver C2 network signatures — While Sliver is harder to detect than Cobalt Strike, its mTLS and HTTP beacon patterns can be identified through JA3/JA3S fingerprinting and beacon interval analysis
  • Process behavior monitoring — Sliver implants execute in-memory, but the parent process chain (web server spawning unexpected child processes) is detectable

At credential access

  • Git secret scanning — Automated tools (GitLeaks, TruffleHog) can identify plaintext credentials in repositories before an attacker does
  • S3 bucket auditing — AWS Config rules can flag publicly accessible or overly permissive bucket policies

At lateral movement

  • Network segmentation — Sterling and Remita should not have shared credential paths. Segmentation between banking infrastructure and payment platforms would have contained the breach to Sterling
  • Anomalous service account usage — Service accounts authenticating from unexpected sources should trigger immediate alerts

At exfiltration

  • Data Loss Prevention (DLP) — 3 TB of data leaving Remita's network should trigger volume-based alerts
  • Unusual database query patterns — Bulk extraction of customer records (900K accounts, 25M files) generates query patterns distinct from normal application behavior

Defensive recommendations

For organizations in the Nigerian financial sector and government:

Immediate (0–30 days):

  1. Scan all internet-facing applications for CVE-2025-55182 and apply patches
  2. Run GitLeaks or TruffleHog against all internal Git repositories — remediate any discovered secrets
  3. Audit all S3 buckets and cloud storage for public or overly permissive access
  4. Review all admin accounts — remove any that cannot be attributed to a named individual with a documented business need
  5. Deploy or verify JA3/JA3S fingerprinting on network monitoring to detect Sliver C2

Short-term (30–90 days):

  1. Implement network segmentation between critical systems — core banking, payment platforms, and government interfaces should not share credential stores or network paths
  2. Deploy SIEM rules for the TTPs described above — prioritize credential access, lateral movement, and bulk data access patterns
  3. Conduct a tabletop exercise using the ByteToBreach scenario as the basis
  4. Establish or join a sector-specific threat intelligence sharing group

Ongoing:

  1. Continuous vulnerability management with SLA-driven patching (critical CVEs patched within 72 hours)
  2. Regular penetration testing by independent parties, scoped to include lateral movement scenarios
  3. Purple team exercises testing detection capabilities against the specific TTPs used by ByteToBreach
  4. Incident response plan testing with GAID 72-hour notification workflows

ByteToBreach is not an exceptionally sophisticated actor. The tooling is commodity (Metasploit, Sliver), the techniques are well-documented (credential harvesting, IDOR, cloud misconfiguration), and the detection opportunities are numerous. What made this campaign successful was the gap between available defenses and their actual deployment across Nigerian infrastructure.

That gap is the real vulnerability.

Sources: Technext24, Nairametrics, Businessday, Security Intelligence Substack, MITRE ATT&CK Framework v14, CBN circulars.

nigeriathreat-actormitre-attackincident-responsetechnical-analysisbytetobreach

Ready to strengthen your security posture?

We help organizations across Africa build resilient infrastructure, deploy AI at scale, and navigate complex regulatory environments.

Start a conversation
← PreviousOpenClaw in Practice: AI Agents Across Law, Insurance, and E-CommerceNext →B2C AI Wrappers Will Disappear. The Real Opportunity Is in the Enterprise.