Group-IB Threat Intelligence (@GroupIB_TI)

397 posts

Official account of the @GroupIB Threat Intelligence Unit. Latest research, analytics, IOCs and threat alerts.

Joined January 2023
183 Following · 15.6K Followers
Group-IB Threat Intelligence
How do affiliates evolve into RaaS operators? The Gentlemen's playbook reveals a heavy focus on operational efficiency: weaponizing MeshCentral/AnyDesk for persistence, deploying password-protected executables via NETLOGON for domain-wide spread. Defend the #TTPs, not just the name. Read the full analysis here: link.group-ib.com/41defXc
0
0
10
655
Group-IB Threat Intelligence
The process involves using a Python script (userpassfort.py) to parse and organize valid credentials extracted from compromised Fortinet devices, then using these credentials across the network through NetExec. #TheGentlemen operationalizes every step of the attack chain. They target backup infrastructure (Veeam) for credential harvesting and use custom tools like VCENTER.ps1 to disable HA/DRS on VMware clusters before encryption, maximizing impact. #IncidentResponse #ThreatIntel
1
0
10
1.1K
Group-IB Threat Intelligence
The Gentlemen is a newly emerged Ransomware-as-a-Service (RaaS) operation consisting of approximately 20 members. Originating from a #Qilin payment dispute, the operator "hastalamuerte" had already developed a locker while still an affiliate. Their primary initial access? A database of ~14,700 compromised FortiGate devices (CVE-2024-55591) and over 900 brute-forced VPN credentials ready for deployment. #Ransomware #DFIR
3
32
172
11.4K
Group-IB Threat Intelligence (@GroupIB_TI)
Infrastructure overlap confirms it: The #C2 server for GhostFetch (promoverse[.]org) shares HTML artifacts with a known MuddyWater domain from Oct 2025. Meanwhile, the HTTP_VIP C2 server stores victim geolocation and security products in a SQL DB. Read the full technical breakdown here: link.group-ib.com/4aYMTKa
0
4
13
962
Group-IB Threat Intelligence (@GroupIB_TI)
Signs of AI-assisted #malware and website development. The CHAR backdoor contains debug strings with emojis, a trait rarely seen in human-authored code. This aligns with reports of #MuddyWater using Gemini to write malware. Defenders must now track not just TTPs, but also AI-specific code artifacts. #AI
1
1
8
1.3K
Group-IB Threat Intelligence (@GroupIB_TI)
#MuddyWater is back with #OperationOlalampo, deploying four new malware families including CHAR – a Rust backdoor, GhostFetch – a loader that deploys GhostBackDoor, and HTTP_VIP – a loader and a backdoor. The campaign leverages Telegram bots for C2, exposing real-time hands-on-keyboard activity and post-exploitation TTPs. #ThreatIntel
2
48
151
12.6K
Group-IB Threat Intelligence (@GroupIB_TI)
Even employing new techniques, adversaries are consistent with their hosting preferences, revealing predictable infrastructure patterns, strengthening attribution and early detection. Our research suggests that ShadowSyndicate operates as either an Initial Access Broker or a Bulletproof Hosting provider. Read the full analysis: link.group-ib.com/4rtTceb
0
1
4
784
Group-IB Threat Intelligence (@GroupIB_TI)
ShadowSyndicate infrastructure hosts offensive tools such as Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, and Brute Ratel, with at least 20 servers used as #C2 nodes. Our telemetry also shows infrastructure overlaps with Cl0p, ALPHV/BlackCat, Ryuk, Black Basta, and Malsmoke operations. #CyberCrime
1
3
13
1.7K
Group-IB Threat Intelligence (@GroupIB_TI)
#ShadowSyndicate is a malicious activity cluster formed by numerous servers sharing the same SSH fingerprints. Since 2022, Group-IB has tracked how this infrastructure was involved in various malicious campaigns, making it possible to connect seemingly unrelated #ransomware, #IAB, and other post-exploitation activity. #MalwareAnalysis
1
12
40
4.1K
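The post above describes clustering servers by a shared SSH host-key fingerprint. The script below is an added example of that defender-side pivot, not Group-IB's tooling: it computes OpenSSH-style SHA256 fingerprints from host-key blobs, groups scan records by fingerprint, flags clusters that span several hosts or providers, and pivots from one known server to everything sharing its key. All records, IPs (RFC 5737 documentation ranges), provider names and key blobs are constructed for the example.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed host-key blobs. Real blobs are the base64 body of an
# "ssh-ed25519 AAAA..." line; any byte string works for fingerprinting.
_KEY_A = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"A" * 32).decode()
_KEY_B = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"B" * 32).decode()
_KEY_C = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"C" * 32).decode()

# Constructed scan records: (ip, hosting provider, host-key blob).
# Four hosts across two providers reuse KEY_A (cloned image or one operator).
SAMPLE_RECORDS = [
    ("192.0.2.10", "hoster-one", _KEY_A),
    ("192.0.2.11", "hoster-one", _KEY_A),
    ("198.51.100.5", "hoster-two", _KEY_A),
    ("198.51.100.6", "hoster-two", _KEY_A),
    ("203.0.113.7", "hoster-three", _KEY_B),
    ("203.0.113.8", "hoster-three", _KEY_C),
]


def ssh_fingerprint(key_blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64 of sha256(raw key)."""
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(records):
    """Group (ip, provider) pairs under the fingerprint of their host key."""
    clusters = defaultdict(list)
    for ip, provider, blob in records:
        clusters[ssh_fingerprint(blob)].append((ip, provider))
    return dict(clusters)


def suspicious_clusters(clusters, min_hosts=3):
    """Return clusters with at least min_hosts members.

    A host key shared by many unrelated servers is the signal the post
    describes: it usually means one party deployed them all from one image.
    """
    out = {}
    for fp, hosts in clusters.items():
        if len(hosts) >= min_hosts:
            out[fp] = {
                "hosts": sorted(ip for ip, _ in hosts),
                "providers": sorted({p for _, p in hosts}),
            }
    return out


def pivot_from_seed(records, seed_ip):
    """Given one known-bad IP, return the other IPs whose host key matches."""
    clusters = cluster_by_fingerprint(records)
    for hosts in clusters.values():
        ips = [ip for ip, _ in hosts]
        if seed_ip in ips:
            return sorted(ip for ip in ips if ip != seed_ip)
    return []


def match_known(records, known_fingerprints):
    """Flag records whose host-key fingerprint is in a tracked set (detection use)."""
    known = set(known_fingerprints)
    return sorted(ip for ip, _, blob in records if ssh_fingerprint(blob) in known)


if __name__ == "__main__":
    clusters = cluster_by_fingerprint(SAMPLE_RECORDS)
    for fp, info in suspicious_clusters(clusters).items():
        print(fp, info["hosts"], "providers:", info["providers"])
    print("pivot from 192.0.2.10:", pivot_from_seed(SAMPLE_RECORDS, "192.0.2.10"))
```

The fingerprint format matches what `ssh-keygen -lf` prints, so fingerprints from a passive-SSH dataset or your own scans can be fed straight into `match_known` against a tracked set of cluster fingerprints.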
Group-IB Threat Intelligence (@GroupIB_TI)
The actor operates dedicated proxy infrastructure, with servers linked to #Polygon smart contracts for address rotation. Recent setProxy transactions indicate reactivated operations. Full technical breakdown, including IOCs and mitigation strategies, is available here: link.group-ib.com/4qPxyR9
0
1
4
812
Group-IB Threat Intelligence (@GroupIB_TI)
DeadLock’s ransom notes have evolved from simple encryption alerts to explicit threats of #datatheft and sale, with later variants even offering "security reports" and promises not to re-target. This reflects a clear move toward double extortion and psychological coercion. #CyberCrime
1
1
3
1.1K
Group-IB Threat Intelligence (@GroupIB_TI)
#DeadLock ransomware is now using Polygon smart contracts to manage proxy addresses, a stealthy, decentralized method that evades traditional defenses. This emerging trend of abusing #blockchain for malicious infrastructure marks a significant shift in attacker tradecraft. #ThreatIntel
4
15
66
4.8K
Group-IB Threat Intelligence
From #phishing to POS cash-outs, read how Chinese cybercriminals are weaponizing NFC relay attacks to drain bank accounts remotely. Discover the technical breakdown of TX-NFC and NFU Pay, their infrastructure, and how financial institutions can defend against these evolving threats. Read the full report: link.group-ib.com/3Li56bI
0
2
11
1.2K
Group-IB Threat Intelligence
Analysis reveals these #Android malware variants share code with open-source projects like NFCProxy and are often packed with commercial protectors such as 360 Jiagu. They request extensive #NFC and network permissions, establish persistent foreground services, and exfiltrate #payment data over encrypted #C2 channels. The operations span multiple countries, with detections recorded across Europe, Southeast Asia, and the Middle East. #MalwareAnalysis
1
1
6
1.5K
Group-IB Threat Intelligence
Chinese threat actors are deploying NFC-enabled #Androidmalware known as "Ghost Tap" to remotely relay payment data from victims’ cards via Telegram-distributed apps. Using #socialengineering, victims are tricked into installing APKs and tapping their cards, enabling fraudsters to conduct unauthorized transactions worldwide through illicit POS terminals. Group-IB researchers identified over 54 unique samples, some impersonating legitimate applications. #ThreatIntelligence
1
25
90
7.4K