This article walks through how Elastic Security's Attack Discovery, combined with Workflows and Agent Builder, can automatically detect, correlate, and confirm APT-level attacks like Chrysalis while reducing analyst response time from hours to minutes.

The threat: Chrysalis backdoor by Lotus Blossom

Threat actor profile

Campaign overview

Chrysalis backdoor capabilities

Attack chain

MITRE ATT&CK mapping

The Challenge: Speed vs. Accuracy

The Solution: Attack Discovery + Workflows + Agent Builder

Agents & Workflows: Two entry points, one composable architecture

Our Flow

Step 1: Attack Discovery surfaces the threat

The alert queue: Needle in a haystack

What Attack Discovery found

Step 2: Scheduled discovery triggers the workflow

Workflow definition

Why this workflow is so short

Under the hood: How we extended the Threat Hunting Agent

What we added

The Agent's reasoning chain

Why this matters

Step 3: Automated incident response

1. Creates an incident Case

2. Notifies the SOC

3. Enables Response Actions

Time-to-confirmation: Before and after

The other path: Just ask the Agent

Scenario: You read about the threat first

Why this changes the game for analysts

Key takeaways

Speeding APT Attack Confirmation with Attack Discovery, Workflows, and Agent Builder

Elastic Security verifies new destructive malware targeting Ukraine: Operation Bleeding Bear

Key Takeaways

Overview

Stage 1: WhisperGate MBR payload

Malware analysis breakdown (Stages 1-4)

Stage 2/3: Discord downloader and injector

Final stage: File corruptor

MBR protection with Elastic Security

Observing WhisperGate in Elastic Security

Alert breakdown and defensive recommendations

Endpoint Security Integration Alerts

Stage 1 - MBR Wiper

Stage 2 - Downloader

Stage 3 + Stage 4 - Injector/File Corruptor

Prebuilt Detection Engine Alerts

Hunting queries

MITRE ATT&CK

Summary

Indicators

Artifacts

Operation Bleeding Bear

Author

James Spiteri

Articles

Speeding APT Attack Confirmation with Attack Discovery, Workflows, and Agent Builder

Operation Bleeding Bear