The “Scattered Lapsus$ Hunters” collective exploited a third-party vendor to breach Discord’s systems, stealing high-risk data including government IDs and internal network details like ‘SLHM’. This sophisticated attack bypassed MFA, highlighting a critical supply chain vulnerability and the group’s use of targeted extortion.

SLHM is the alleged internal network name exposed by the “Scattered Lapsus$ Hunters” group, serving as an Indicator of Compromise that confirmed their deep access within Discord’s environment.

Discord confirmed the security incident on October 3, 2025, but was quick to note that its core systems were not directly breached. The attack leveraged a supply chain vulnerability, successfully compromising a third-party customer service provider (T1199).

The Hackers’ Goal: Financial Extortion

The objective of the unauthorized party was purely financial, focused on demanding a significant ransom payment from Discord. Discord’s immediate response was to execute its own TTP: revoking the vendor’s access to the ticketing system.

The Data Haul: High-Risk PII

The breach exposed PII, including names, emails, Discord usernames, and limited billing fragments, such as the last four credit card digits. Crucially, the hackers obtained a small number of government-issued IDs submitted for age verification appeals.

Criticality of Exposed Data

Stealing these high-fidelity documents—passports or driver’s licenses—vastly increases the risk of severe identity theft for users. These documents are often the master key needed for high-security account takeovers and credential resets.

Table : Exposed Data Classification and Risk Profile

The Threat Group: Scattered Lapsus$ Hunters

The collective known as Scattered Lapsus$ Hunters (SLH) publicly claimed responsibility for the cyber attack. This is an alliance combining the expertise of Scattered Spider, LAPSUS$, and ShinyHunters, uniting for maximum impact.

SLH Strategy: Unified Chaos

SLH’s model is efficient: Scattered Spider handles initial access (TA0001), ShinyHunters manages bulk data theft (TA0010), and LAPSUS$ drives the public extortion (T1491). This team operates as a sophisticated ecosystem, often linked through the criminal community “The Com”.

TTPs: Initial Access and Evasion

TTP: Identity-Centric Intrusion

SLH’s core TTP is “log in, not hack in,” focusing on compromising a legitimate user identity rather than exploiting network vulnerabilities. This strategy circumvents traditional network perimeter defenses, disguising malicious activity as authorized traffic.

TTP: Vishing and Phishing (T1566)

Initial access was gained by compromising a single support agent account at the vendor through social engineering tactics. The Scattered Spider faction specializes in sophisticated Vishing (voice phishing) calls to impersonate IT helpdesk staff (T1566.004).

Credential Harvesting and Brokerage (T1552)

They use advanced phishing kits like Evilginx to steal both credentials and active session cookies, which are essential for bypassing MFA. The LAPSUS$ component is known for purchasing pre-stolen corporate credentials or paying malicious insiders for access (T1552).

TTP: MFA Bypass and Okta Exploitation (T1621)

SLH publicly mocked Discord’s defense efforts, specifically stating that disabling Okta and Kolide logins would not prevent their intrusion. This points to the exploitation of a known vulnerability in Okta’s Classic sign-on policy (T1621).

Technical Evasion: The User-Agent Artifact

The exploitation required the attackers to use a valid username/password while submitting the login request with an “unknown” user-agent string (like a custom script). This TTP allowed them to bypass application-specific policies requiring MFA or device checks.

IOCs: Reconnaissance and Lateral Movement

IOC: Internal Network Artifact

A critical Indicator of Compromise (IOC) was the group revealing the alleged internal Discord network identifier “SLHM” in their public posts. This artifact confirms successful internal reconnaissance (TA0007) beyond the initial third-party entry point.

Targeting Administrative Resources

Screenshots shared by the group confirmed access to Discord’s internal administrative tools, including data privacy dashboards. Targeting these dashboards confirms deliberate lateral movement to locate the most damaging, highly regulated information, like the government photo IDs.

Table : Observed Indicators of Compromise (IOCs) and Artifacts

TTPs: Extortion and Impact

TTP: Data Exfiltration (TA0010) and Theft

The ShinyHunters faction is primarily responsible for the bulk data theft and monetization, stealing chat logs, PII, payment fragments, and high-risk IDs. The sheer volume indicates a large-scale, rapid exfiltration event.

TTP: Double Extortion via DLS (T1486)

The attackers used their Telegram channel as a Command and Control (C2) platform to broadcast their success and demand a financial ransom (T1491). They explicitly threatened to publish additional stolen material on their Dedicated Leak Site (DLS) (T1486).

Leveraging Shame

Threatening to leak sensitive government IDs on a DLS maximizes the regulatory exposure and reputational damage to Discord. This tactic replaces file encryption, establishing double extortion as the primary coercion mechanism.

Mitigation and Defense Recommendations

To defeat credential harvesting, companies must mandate phishing-resistant MFA, like FIDO2 tokens, for all support staff (T1562.001). Also, organizations must actively log and block login attempts using “unknown” user-agent strings to counter the Okta bypass technique.

To counter social engineering, security teams must implement strict challenge-response protocols for help desk staff processing account reset requests. Furthermore, monitoring internal channels is crucial to detect malicious insider recruitment, a documented LAPSUS$ TTP (T1547.001).

Crucially, organizations must strictly prohibit third-party systems from storing high-risk PII like scanned government ID images. All vendor access must adhere to a Zero Trust architecture, strictly limiting access and monitoring all vendor activity.

Table : SLH Tactics, Techniques, and Procedures (TTPs) Mapping

Key Analysis from the Logs:

• Victim Profile Insights: The compromised data points to an individual likely based in Massachusetts, USA, with ties to education (e.g., teacher resource platforms and school portals) and domain trading (multiple registrar and marketplace accounts). There’s also evidence of family-related access, including student accounts, highlighting how personal infections can ripple into broader risks.
• Stolen Data Scope: Credentials harvested from multiple browsers (Chrome, Edge, and even niche ones like CryptoTab) across 100+ sites. This includes: Email and communication services. Social media platforms (e.g., professional networks, microblogging sites). Financial institutions (banking, investment, and trading apps). E-commerce and shopping portals. Domain management tools, raising concerns about potential hijacking or resale of digital assets.
• Notable Patterns: Heavy password reuse with slight variations (e.g., common bases appended with numbers or symbols), making lateral movement trivial for attackers. The logs also show exfiltration of session details, which could enable fraud, espionage, or further network compromise.

What’s Particularly Alarming?

• Distribution Trends: Recent reports (from sources like Elastic Security Labs and The Hacker News) link SectopRAT to sophisticated chains involving tools like Shellter (abused via leaked licenses), Lumma Stealer, Latrodectus, and GHOSTPULSE. Infections often start with fake downloads (e.g., gaming sites or app installers) and escalate to persistent remote access.
• Real-World Impact: This isn’t just data theft – it’s a gateway to financial loss, identity fraud, and even domain ecosystem disruption. With underground markets on Telegram sharing these logs (e.g., channels peddling stolen info), the barrier to exploitation is low.
• Timeline Context: Indexed just days ago on August 5, 2025, this underscores the malware’s ongoing relevance amid rising ClickFix and malvertising attacks.

Lessons for All of Us:

• Password Hygiene: Ditch reuse! Adopt managers like LastPass or Bitwarden for unique, complex creds.
• MFA Everywhere: Enable it on all accounts – it’s a simple barrier against credential stuffing.
• Browser Security: Regularly clear caches, use extensions like uBlock Origin, and avoid unverified downloads.
• Detection Tips: Monitor for unusual processes (e.g., PowerShell → URL → EXE chains) and leverage Sigma rules for threats like ClickFix deliveries.
• Proactive Defense: For organizations, emphasize employee training on phishing and implement endpoint detection for RAT behaviors.

If you’re in threat intel, incident response, or just passionate about #CyberSecurity, what’s your take on combating infostealers like this? Have you encountered SectopRAT in the wild? Let’s discuss in the comments!

#ThreatIntelligence #MalwareAnalysis #InfoSec #RAT #CyberThreats #PasswordSecurity

First observed in the wild in September 2025, the group, which also refers to itself as “The Desolated Collective,” is actively recruiting affiliates from the cybercrime underworld. Their targets of choice: penetration testers, initial access brokers, and social engineering specialists, who are tasked with breaching corporate networks. In return, Desolator’s core operators provide the malware, infrastructure, and negotiation platform, creating a streamlined and scalable criminal enterprise.

High-Value Targets in Their Sights

Desolator has a clear focus on “big game hunting,” targeting high-value enterprises with the financial capacity to meet substantial ransom demands. To date, four victims have been publicly listed on the group’s Tor-based leak site, including:

• Construction and engineering firms in Latin America and Southern Europe.
• A technology and software development company in Southeast Asia.

This diverse targeting across multiple continents and industries showcases the group’s global reach and operational flexibility.

Modus Operandi: A Textbook Attack Chain

Desolator’s attack methodology is a multi-stage process designed for maximum impact and evasion:

1. Initial Compromise: The attack begins with carefully crafted phishing emails, masquerading as legitimate correspondence. These emails contain malicious attachments or links that, when clicked, execute the initial payload.
2. Execution and Persistence: Once inside the network, Desolator leverages command-line interpreters for execution. To ensure its foothold remains even after a system reboot, the ransomware establishes persistence through modifications to the Run key and Winlogon registry keys.
3. Discovery and Credential Access: The malware then begins to map out the compromised environment. It conducts system and network share enumeration to identify valuable data repositories. It also harvests data from web browsers and executes registry queries to gather credentials and other sensitive information.
4. Impact and Extortion: Desolator employs a double-extortion strategy.
5. Inhibiting Recovery: To further pressure victims into paying, Desolator actively sabotages recovery efforts by deleting shadow copies and backup catalogs. In some cases, the group may also selectively destroy data.

Evasion Techniques: Cloak and Dagger

Desolator employs a variety of obfuscation techniques to evade detection by security solutions:

• Stack String Obfuscation: This technique is used to conceal malicious code by dynamically constructing strings in memory, making it difficult for static analysis tools to identify malicious functions or commands.
• XOR-Encoded Configurations: The ransomware’s configuration data, including command-and-control (C2) server details, is encoded using XOR operations. This prevents straightforward analysis of the malware’s capabilities and infrastructure.
• Masquerading Binaries: Desolator renames its malicious executables and places them in directories that mimic legitimate system processes, helping it to blend in with normal system activity and evade detection by endpoint security solutions.

Further Reading and Resources:

• Broadcom Security Center: Desolator Ransomware
• Brinztech Breach Alert
• MonThreat on X

The attacks span numerous countries, with victims identified in the United States, India, Brazil, the United Kingdom, Saudi Arabia, Australia, and the European Union, among others. The group’s motives appear to be a mix of hacktivism and financial gain, as some of the breached data is listed for sale with ransom demands ranging from thousands to hundreds of thousands of euros.

High-Profile and Critical Infrastructure Targets

Among the most alarming targets are major government and industrial entities whose disruption could have significant consequences. Notable victims include:

• Royal Saudi Air Force: A major military institution, with the hackers demanding a ransom of €350,000.
• Government of Brazil: The breach of a national government entity highlights the group’s capability and audacity.
• PT Pertamina: Indonesia’s massive state-owned oil and natural gas corporation, classifying this as an attack on critical infrastructure.
• Fortis Healthcare: One of India’s largest healthcare providers, putting sensitive patient data at severe risk.
• Cayman National Bank: A significant financial institution in the Caribbean.

The sheer geographic diversity of the victims underscores the global reach of KillSec’s operations. This is not a localized campaign but a worldwide series of coordinated breaches.

A Multi-Sector Assault

An analysis of the victim list shows that no industry is safe. The group’s targeting strategy appears opportunistic and widespread, affecting a diverse range of sectors.

• Healthcare and Pharmaceuticals: This sector was hit particularly hard, with victims like Lupin Limited (a global pharma company), US BioTek Laboratories, SPARSH Hospital (India), and Suiza Lab (Peru). Breaches in this area are especially concerning due to the highly sensitive and personal nature of medical records.
• Finance and Insurance: Financial firms such as Princeps Credit Systems (Nigeria), Skyward Specialty Insurance (US), Lendco (UK), and the fintech platform Buddy Loan (India) were listed, threatening the financial data of countless customers.
• Technology: Tech companies, including IT service providers and software platforms like GPS Trackit (US), Kyocera Document Solutions (Europe), and Accolent ERP Software (US), were also compromised.
• Public and Educational Sector: Beyond major government bodies, the list includes smaller public entities like the Novi Community School District in Michigan, USA, and the National Institute of Administration in Romania, showing that even local institutions are in the crosshairs.

Modus Operandi: Data Theft and Extortion

KillSec’s operational model aligns with modern data extortion tactics. The process involves:

1. Infiltration: Breaching the network of a target organization.
2. Data Exfiltration: Stealing sensitive corporate, employee, and customer data.
3. Extortion: Listing the victim on their leak site, often with a sample of the stolen data as proof. A ransom demand is frequently posted, payable in cryptocurrency, to prevent the public release of the full dataset.

For many of the organizations on the list, the status is marked as “Published” or “Disclosures 1/1,” suggesting that negotiations may have failed or were never initiated, leading KillSec to leak the compromised information. This campaign serves as a stark reminder of the vulnerability of digital infrastructure worldwide and the evolving tactics of cybercriminal groups that blend ideology with profit.

Threat Actor Profile

• Group: LunaLock
• Actor Type: Organized Crime; operates as a ransomware-as-a-service (RaaS) or a closed group, currently unconfirmed.
• Origin: Unknown. Analysis of their communications indicates native English fluency and high operational competency.
• Primary Target Industry: Media
• Identified Victimology: One confirmed victim, a U.S.-based arts company.

Operational Analysis: TTPs

LunaLock’s modus operandi focuses on external-facing infrastructure, rapid execution, and psychological pressure.

Initial Access:

• The primary observed initial access vector is the compromise of public-facing web applications. The group exploits vulnerabilities in web infrastructure to gain an initial foothold.

Execution & Encryption:

• Post-compromise, the actor deploys a crypto-ransomware payload to encrypt files on the target network. The specific cryptographic libraries and encryption algorithms used by the LunaLock payload are still under analysis.
• The group has not demonstrated the use of persistent access mechanisms in the observed incident, suggesting a focus on achieving objectives quickly and minimizing their forensic footprint.

Command & Control / Extortion Communication:

• LunaLock deviates from standard T1486 ransom note delivery (e.g., .txt files). Instead, they embed a custom HTML page directly into the victim’s compromised website. This page functions as their primary communication and extortion platform.
• The embedded page features dynamic elements, including a countdown timer, an interactive FAQ, and a direct web chat function for negotiation, effectively turning the victim’s own infrastructure into a C2 channel for the extortion phase. It also links to their Tor-based data leak portal.

Data Exfiltration:

• Prior to encryption, LunaLock performs data exfiltration. Confirmed exfiltrated data types include:

Case File: Artists&Clients Breach (September 2025)

The attack against the U.S. firm Artists&Clients is the sole publicly attributed LunaLock incident.

• Attack Vector: Compromise of the company’s primary web application, followed by website defacement and ransomware deployment.
• Ransom Demand: $50,000, payable in Monero (XMR) or Bitcoin (BTC).
• Extortion Levers: LunaLock employed four distinct pressure tactics:

Impact Assessment

A successful LunaLock intrusion results in a range of significant impacts:

• Data Theft: Unauthorized exfiltration of sensitive corporate, user, and intellectual property data.
• Financial Loss: Direct costs associated with ransom payments, incident response, and system recovery.
• Operational Disruption: Significant downtime caused by data encryption and the defacement of web services.
• Brand and Reputational Damage: Public disclosure of the breach, exacerbated by website defacement.
• Unauthorized System Access: The initial compromise of network and application integrity.

Conclusion

LunaLock represents a significant emerging threat, notable for its operational efficiency and its evolution of extortion tactics. The group’s use of a victim’s web infrastructure for ransom communication and the introduction of the AI training data threat demonstrate a sophisticated understanding of psychological leverage. While currently limited in known operational tempo, their unique TTPs warrant close monitoring by security professionals, particularly those responsible for securing public-facing web applications in high-value intellectual property sectors.

Source References

• WatchGuard: LunaLock Ransomware Tracker
• Cyber Daily: New LunaLock ransomware group emerges with unique extortion tactic
• X (formerly Twitter): MonThreat on LunaLock
• Ransomware.live: LunaLock Group

The coordinated disclosure, disseminated across various cybercrime monitoring channels on Telegram, signals a brazen and targeted campaign against Switzerland’s high-precision industrial base.

The Breach Details: Data Exfiltration Claims

According to Akira’s posts on their Tor-based leak site, the group claims to have exfiltrated a substantial volume of data from both victims. The specificity of their claims suggests deep network penetration.

• For Vardeco SA, a specialist in high-precision bar turning, the group boasts of exfiltrating 138 GB of corporate data. The threatened leak includes highly sensitive information such as:
• For Keller Laser AG, a leading supplier in industrial sheet metal processing, Akira threatens to release 42 GB of data. The list of compromised assets is equally alarming and includes:

Cyber threat intelligence feeds first picked up the activity around 13:48 UTC on September 8, with automated alerts from sources like ransomfeed.it and Ransomware.live confirming the new listings within hours.

A History of Exposure: The Attack Surface Analysis

While the ransomware event is the immediate crisis, the provided intelligence reveals a long history of prior data exposure for both firms, highlighting a potentially porous attack surface that threat actors could have exploited for initial access.

The primary avenues of exposure appear to be third-party breaches and credential leaks:

1. Employee PII in Third-Party Breaches: Data from numerous past breaches, including a large-scale Facebook Scrape (Feb 2025), a Switzerland Citizen Database Leak (Aug 2024), and a 20M French Personal Information Database Leak (Aug 2025), contained personal details of individuals who listed Keller Laser AG and Vardeco as their employers. This type of publicly available information is a goldmine for threat actors crafting sophisticated spear-phishing campaigns—a common initial access vector for ransomware groups.
2. Credential Stuffing Lists: Multiple entries for “Vardeco” appeared in combolists from August and July 2025. These lists contain username/password pairs harvested from other breaches. This suggests that employees may have been reusing corporate passwords on other sites, providing a direct path for attackers to test these credentials against the company’s network infrastructure.
3. Corporate Data Brokers: Keller Laser AG was explicitly mentioned in breaches at data-centric firms like Dnb.com (July 2025) and Netprospex.com. This type of exposure provides attackers with organizational charts, contact details, and revenue information, allowing for more effective and targeted social engineering attacks.

The Akira Modus Operandi and Implications

The Akira ransomware group, known for its aggressive tactics, operates a sophisticated Ransomware-as-a-Service (RaaS) model. Their TTPs (Tactics, Techniques, and Procedures) typically involve exploiting known vulnerabilities in public-facing services (like VPNs without multi-factor authentication) and leveraging compromised credentials for initial access.

Once inside a network, they move laterally to exfiltrate high-value data before deploying their encryptor. The subsequent listing on a public leak site is designed to maximize pressure on the victim to pay the ransom, fearing regulatory fines, loss of intellectual property, and severe reputational damage.

For Keller Laser and Vardeco, the immediate priorities for their incident response teams will be to:

• Contain the breach and prevent further lateral movement.
• Assess the full scope of the data exfiltration claimed by Akira.
• Activate business continuity plans to restore encrypted systems from backups.
• Prepare for data breach notification obligations under Swiss and European privacy laws.

Joe Shenouda

Over the past few weeks, Play’s leak site has claimed successful attacks against:

• Baum Precision Machining
• Anderson Aluminum
• Energy Fishing & Rental Services
• Celtic Engineering
• Edwards Interiors
• Promark Partners

Their attack chain is consistent, effective, and entirely preventable. Here’s their playbook, stripped of the jargon:

HOW THEY GET IN: They aren’t using secret zero-days. Play is relentlessly exploiting old Fortinet SSL-VPN flaws (like CVE-2018-13379) and the ProxyNotShell vulnerabilities in Microsoft Exchange. Your unpatched edge infrastructure is their open front door.

HOW THEY TAKE OVER: Once inside, it’s a race to become Domain Admin. They dump credentials from memory (LSASS) using tools like Mimikatz and go after your Active Directory database (NTDS.dit) for offline password cracking. They use tools like AdFind to map your entire domain structure in minutes.

HOW THEY SPREAD: With admin credentials in hand, they live off the land. They use standard admin tools like PsExec and RDP to move laterally across your network, deploying tools and seeking high-value data while looking like any other system administrator.

HOW THEY STEAL & ENCRYPT: Before deploying the final payload, they steal your crown jewels. Using tools like WinSCP, they exfiltrate gigabytes of your sensitive data to their own servers. This is the setup for their double-extortion threat. Only then do they deploy the encryptor, adding the .play extension and leaving a ransom note designed to create confusion and pressure.

This isn’t magic; it’s a methodology that preys on security gaps. Here’s how you counter their playbook:

• PATCH YOUR SYSTEMS. Yesterday. Especially internet-facing Fortinet and Exchange servers. This is step one and the most critical.
• MONITOR FOR CREDENTIAL THEFT. Tune your EDR to detect and block LSASS memory dumping and alert on suspicious reconnaissance activity from tools like AdFind.
• SEGMENT YOUR NETWORK. Don’t let a single breach give an attacker the keys to the entire kingdom. Restrict server-to-server communication.
• WATCH YOUR DATA EGRESS. A large, unexpected outbound data transfer is a massive red flag for exfiltration. Know what normal looks like and alert on deviations.

APT Play is winning by exploiting the basics. Don’t let them win on your network.

#CyberSecurity #ThreatIntel #Ransomware #PlayRansomware #InfoSec #CyberAttack #VulnerabilityManagement #Fortinet #MicrosoftExchange #BlueTeam #DFIR #CISO

Description and Modus Operandi

D4RK 4RMY is a newly emerged group that focuses exclusively on data extortion. Unlike traditional ransomware operators who encrypt victim systems, D4RK 4RMY’s operations are centered entirely on data exfiltration.

Their method is as follows:

1. The group gains unauthorized access to a target’s network.
2. They then exfiltrate significant volumes of sensitive business information.
3. Following the theft, they threaten to publish the stolen data unless a ransom is paid.

There is currently no evidence to suggest that D4RK 4RMY uses any encryption software (ransomware). Their tactics are limited to non-encrypting extortion, a strategy increasingly observed among modern cybercriminal syndicates.

To apply pressure, the group maintains a dedicated leak site on the dark web via a .onion domain. This platform is used to list and shame its victims as part of its coercion tactics. As of the latest available information, the site features eight victims, including two universities in the United States, a Taiwan-based information technology firm, and two metals and mining companies located in South Africa and Thailand, respectively.

Description

Yurie is a newly identified ransomware group, named after Yūrei, a spirit in Japanese folklore. Despite the cultural reference suggesting a Japanese origin, cybersecurity researchers assess that the group is more likely based in Morocco, where the earliest ransomware samples were traced.

The group employs a double extortion model:

1. Encryption: The victim’s files are encrypted using ransomware.
2. Data Exfiltration: Sensitive data is stolen before encryption. The group then threatens to publish this data on their dedicated .onion leak site if the ransom is not fulfilled.

At present, Yurie’s leak site lists three confirmed victims across the industrial, food supply, and retail sectors, located in India, Sri Lanka, and Nigeria. The emergence of Yurie highlights how readily threat actors can weaponize publicly available ransomware source code with minimal modifications. This significantly lowers the barrier to entry, enabling relatively low-skilled actors to establish themselves in the ransomware ecosystem without substantial technical expertise or resource investment.

Modus Operandi (Technical Details)

Yurie ransomware operates using a codebase largely derived from the open-source “Prince” ransomware project, available on GitHub. The code is written in the Go programming language, which offers benefits such as cross-platform compatibility and certain detection challenges for antivirus vendors.

Encryption Process:

• Upon execution, the malware enumerates all available drives and initiates parallel encryption processes.
• Affected files are appended with the .Yurei extension.
• The encryption algorithm used is ChaCha20. A unique key and nonce are generated per file.
• This key and nonce are then encrypted using ECIES with the attacker’s public key.
• The malware also monitors for newly attached network drives and adds them to its encryption queue.

Key Weakness:

A notable shortcoming that underscores its relative lack of sophistication is that the ransomware does not delete Volume Shadow Copies. This omission leaves victims with potential recovery options through Windows’ built-in snapshot functionality.

Their lack of a manifesto or stated motive makes their actions purely malicious. Here’s a breakdown of their modus operandi for defense teams:

Key TTPs (Tactics, Techniques & Procedures):

• Initial Access: Exploiting compromised credentials and vulnerable internet-facing services (perimeter appliances are a key vector).
• Reconnaissance: Deploys tools like Advanced IP Scanner and Nmap for internal topology mapping. Heavy focus on Active Directory enumeration to find privileged accounts (e.g., itgateadmin).
• Lateral Movement: Utilizes living-off-the-land (LotL) tools like PsExec for remote command execution.
• Defense Evasion & Weakening: This is where they excel.
• Deployment & Exfiltration: Abuses Group Policy Objects (GPOs) and the NETLOGON share for domain-wide ransomware distribution. Data is exfiltrated via legitimate, encrypted channels using tools like WinSCP.
• Persistence: Establishes C2 channels using remote access tools like AnyDesk.

Potential IOCs & Hunting Queries:

• Look for the execution of Advanced IP Scanner, Nmap, PsExec, PowerRun.exe, AnyDesk, WinSCP.
• Monitor for the presence of files like All.exe, ThrottleBlood.sys, Allpatch2.exe.
• Hunt for batch scripts (1.bat) performing mass account enumeration.
• Watch for unusual activity from the NETLOGON share across multiple hosts.

This group’s ability to adapt its methods to bypass enterprise-grade defenses makes them a significant threat.

#ThreatHunting #CyberSecurity #DFIR #InfoSec #TTPs #IOCs #Ransomware #SOC #Gentlemen

Intelligence confirms Radar is a rebrand of the “Dispossessor” ransomware operation, which was active until a law enforcement takedown in August 2024. The group’s core leadership and methods have remained the same, showing a resilient adversary.

Led by an individual known as “Brain,” the group operates a Ransomware-as-a-Service (RaaS) model, providing its tools to affiliates for a share of the profits. They consistently target small-to-mid-sized businesses by exploiting weak credentials and a lack of multi-factor authentication.

Implications

The group’s rapid re-emergence as Radar after a major law enforcement takedown shows the resilience of organized cybercrime. Infrastructure-focused disruptions are often only temporary setbacks when the core leadership is not apprehended.

The Dispossessor group acted as an opportunistic predator, reposting data stolen by other defunct gangs like LockBit to build its reputation. This tactic allowed them to attract new affiliates and potentially re-extort victims with minimal effort.

The group’s focus on small-to-mid-sized businesses in sectors like transportation and finance is a calculated strategy. These organizations are ideal targets because they are sensitive to disruption but often lack robust cyber defenses.

The group’s attack methodology is a refined and effective playbook. It involves a systematic progression from exploiting weak credentials to deleting backups and forensic evidence to pressure victims.

Attribution

The FBI and other sources confirm that Radar and Dispossessor are the same group, led by a threat actor known as “Brain”. The rebranding to Radar was a direct result of the August 2024 law enforcement disruption, a common tactic for such groups to evade scrutiny.

Summary

The group began as Dispossessor in August 2023, initially targeting U.S. businesses before expanding globally. By the time of its disruption, the FBI had identified at least 43 victims worldwide.

Operating a RaaS model under the leader “Brain,” Dispossessor’s early strategy involved mimicking the notorious LockBit ransomware gang. Its data leak site was nearly identical to LockBit’s in layout and design.

This mimicry was a calculated strategy, as Dispossessor began reposting data from former LockBit victims after that group was disrupted. This allowed them to appear highly successful, attract new affiliates, and potentially re-extort victims.

Takedown

The group’s growing notoriety led to a coordinated international law enforcement operation on August 12, 2024, which dismantled its core infrastructure. The operation was led by the FBI in collaboration with agencies in the U.K. and Germany.

The operation seized 24 servers across the U.S., U.K., and Germany, and took nine criminal domains offline. However, its long-term impact was limited because the group’s leader, “Brain,” and other core members were not apprehended.

Relaunch

The takedown proved to be only a temporary setback, a classic example of the “hydra effect” in cybercrime enforcement. With the core leadership and resources intact, the criminal organization was able to regenerate and improve its operations.

Just one month after the takedown, in September 2025, the group re-emerged under the new name “Radar” with a new data leak site. The new operation showed clear continuity with its predecessor, immediately listing new victims and demonstrating that infrastructure takedowns without arrests are often only a temporary disruption.

Attack

The Radar/Dispossessor group uses a systematic attack chain with common but effective techniques to compromise networks and evade detection. This analysis maps their TTPs to the MITRE ATT&CK framework.

MITRE Map

Access

The group’s primary initial access method is exploiting weak passwords and the absence of multi-factor authentication (MFA). This simple but effective approach has a high success rate against their target demographic of SMBs.

Persistence

After gaining access, operators establish persistence by manipulating the Image File Execution Options (IFEO) registry key (T1546.012). This involves abusing a legitimate Windows feature for malicious purposes, a sign of a mature threat actor.

The IFEO feature allows a developer to attach a debugger to an application, but an adversary can abuse this by pointing the ‘Debugger’ value to their own malware. This causes the malicious payload to execute whenever the legitimate application is launched, providing a stealthy persistence mechanism.

This technique is strategically chosen over more common methods because it abuses a legitimate system feature, making it harder for security tools to detect. This “living-off-the-land” approach helps the malware blend in with normal system activity and avoid suspicion.

Evasion

Radar uses a layered defense evasion strategy to frustrate both automated security tools and human analysts. This approach is critical for giving them enough time to steal data and deploy their ransomware.

A key part of their strategy is anti-analysis, where the ransomware checks if it’s running in a sandbox or being debugged. If an analysis environment is detected, the malware will shut down or change its behavior to avoid being studied.

The group also works to impair defenses by disabling or modifying security tools like antivirus on compromised systems. This allows the attackers to operate more freely without triggering security alerts.

Finally, the actors cover their tracks by deleting forensic artifacts and diagnostic logs, such as the file C:$SysReset\Logs\Timestamp.xml. This removal of evidence makes it much harder for incident responders to investigate the attack.

Impact

The final stage of a Radar attack is designed to create a crisis for the victim and compel them to pay the ransom. This is done through a combination of data encryption, preventing recovery, and applying psychological pressure.

A critical step for the attackers is to inhibit system recovery by deleting all Volume Shadow Copies (VSS) before encrypting files. By using tools like vssadmin.exe to wipe these backups, they remove the victim’s primary recovery option and increase their leverage.

The core of the attack is encrypting the victim’s data, making files inaccessible and adding a random eight-character extension. A ransom note named README_FOR_DECRYPT.txt is then left in directories with instructions for the victim.

This is combined with financial extortion, as the ransom note states that data has also been stolen and will be published if the ransom isn’t paid. The group increases pressure by calling and emailing employees with proof of the data theft to create a sense of panic.

Victims

The Radar/Dispossessor group consistently targets a diverse range of industries. The most frequent victims are in transportation, construction, financial services, and hospitality.

Other impacted sectors include manufacturing, software development, education, and healthcare.

This targeting is a calculated strategy, focusing on organizations that are highly sensitive to disruption but may have weaker cyber defenses. Industries like transportation and construction rely on real-time data, making them more likely to pay a ransom to restore operations quickly.

Profile

The group’s campaigns primarily focus on victims in the United States and Europe. As Dispossessor, their reach was even broader, affecting organizations on multiple continents.

A key characteristic of their targeting is a focus on small to mid-sized businesses (SMBs). These organizations are a strategic sweet spot, as they are large enough to pay a ransom but often lack the robust security of larger corporations.

Case study

The September 2025 attack on Virginia-based engineering firm Robert G. Dashiell Jr. PE Inc. is a compelling case study of Radar’s methods and impact.

Attackers exfiltrated approximately 500 GB of the company’s most sensitive data, including internal documents, client contracts, and employee PII. The stolen information also contained financial records like bank statements and tax documents.

This precise data theft shows a sophisticated understanding of how to maximize leverage, creating threats to the company’s competitive standing and business relationships. The theft of employee PII adds another layer of pressure, creating significant legal and regulatory liabilities for the victim organization.

Known victims

The following table consolidates publicly identified victims of the Radar ransomware group since its emergence in September 2025, illustrating the group’s targeting patterns.

Defense

Based on the group’s TTPs and targeting strategy, the following recommendations can help organizations defend against this threat. These are divided into strategic considerations for leadership and tactical mitigations for security practitioners.

Strategy

Since the group’s primary access vector is weak credentials and no MFA, leadership must prioritize enforcing strong password policies and mandatory MFA. Special attention should be given to securing remote access solutions like VPNs and RDP.

Organizations should adopt an “assumed breach” strategy, as determined threat actors can return even after law enforcement action. This means prioritizing rapid response and recovery, including investing in immutable or air-gapped backup solutions.

Regular tabletop exercises simulating a ransomware attack should be conducted to validate incident response preparedness. These exercises are crucial for testing the effectiveness of response plans and decision-making processes under pressure.

Tactics

Security practitioners should implement robust access control by enforcing the principle of least privilege and using network segmentation to limit lateral movement. Access to administrative tools and credentials must be tightly controlled and monitored.

Given Radar’s use of IFEO for persistence, security teams must actively monitor for changes to the Image File Execution Options registry key. EDR and SIEM solutions should be configured to alert on any modifications to the ‘Debugger’ value in this path, especially for common system executables.

Security policies should be deployed to protect Volume Shadow Copies from unauthorized deletion, starting in an audit mode before moving to a block mode. It is also critical to ensure primary data backups are immutable and stored in a location inaccessible from the production network.

Security teams should proactively hunt for Radar’s known Indicators of Compromise and behaviors mapped to the MITRE ATT&CK framework. This includes searching for evidence of VSS deletion, IFEO hijacking, and the removal of specific forensic artifacts.

IoCs

The following table contains specific indicators associated with the Radar/Dispossessor operation. These can be used in security tools to detect and block related activity.

Conclusion

The Radar ransomware group, an evolution of the Dispossessor operation, is a persistent and adaptive threat, especially to small and mid-sized businesses. Its ability to quickly re-emerge after a law enforcement disruption highlights the resilience of modern cybercrime.

An analysis of their TTPs shows a methodical approach focused on stealth and disabling recovery capabilities. Their use of IFEO for persistence and the deletion of Volume Shadow Copies demonstrates a sophistication aimed at maximizing impact.

Defending against Radar requires a multi-layered strategy that includes prioritizing security hygiene like MFA and focusing on resilience through immutable backups and validated response plans. Security teams must understand the group’s specific TTPs to develop effective detection and hunting strategies.