Yurei ransomware campaign leverages Stranger Things themes

A new extortion campaign utilizing the Yurei ransomware toolkit has been identified by Team Cymru. The threat actors, active since September 2025, are notable for their use of tools named after characters and themes from the popular television series Stranger Things, HackRead reports.

The Yurei campaign employs a modular toolkit assembled from readily available resources, lowering the barrier to entry for cybercriminals. Initial access is often gained by purchasing stolen credentials from criminal marketplaces. Once inside, attackers use tools like SoftPerfect NetScan and NetExec for network reconnaissance and data discovery. They escalate privileges using Rubeus to achieve administrator control and maintain persistence by installing legitimate remote desktop software like AnyDesk, which often evades security detection.

A key component is the PowerShell script “Vecna.ps1,” which acts as a trigger for the “StrangerThings.exe” ransomware upon user login. The ransomware itself is based on the open-source Prince Ransomware. Before encryption, the attackers disable Windows Defender features and use SDelete to wipe shadow copies, ensuring data is irrecoverable.

Source: HackRead
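For defenders, the tool chain described above can be triaged by correlating process-creation events per host, because AnyDesk on its own is legitimate software. The following is an added example, not code from Team Cymru or HackRead; the hostnames, paths, threshold and executable spellings (netscan, nxc, sdelete64) are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

# Stage -> pattern. Tool and file names come from the article; the executable
# spellings (netscan, nxc, sdelete64) are assumptions about default file names.
STAGES = {
    "recon": re.compile(r"\b(netscan|netexec|nxc)(\.exe)?\b", re.I),
    "privilege_escalation": re.compile(r"\brubeus(\.exe)?\b", re.I),
    "persistence": re.compile(r"\banydesk(\.exe)?\b", re.I),
    "pre_encryption": re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I),
    "trigger": re.compile(r"\b(vecna\.ps1|strangerthings\.exe)\b", re.I),
}

# Constructed sample events (host, image path, command line); not real telemetry.
# Hostnames and directory paths are placeholders chosen for illustration.
SAMPLE_EVENTS = [
    ("FS01", r"C:\Users\Public\netscan.exe", "netscan.exe"),
    ("FS01", r"C:\Users\Public\Rubeus.exe", "Rubeus.exe"),
    ("FS01", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ("FS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\ProgramData\Vecna.ps1"),
    ("HR07", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ("HR07", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

def stages_by_host(events):
    """Map each host to the set of campaign stages its events matched."""
    seen = defaultdict(set)
    for host, image, cmdline in events:
        text = f"{image} {cmdline}"
        for stage, pattern in STAGES.items():
            if pattern.search(text):
                seen[host].add(stage)
    return dict(seen)

def triage(events, threshold=3):
    """Return hosts showing >= threshold distinct stages, or the trigger itself."""
    alerts = {}
    for host, stages in stages_by_host(events).items():
        if "trigger" in stages or len(stages) >= threshold:
            alerts[host] = sorted(stages)
    return alerts

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, stages)
```

Name matching is easily defeated by renaming binaries, so treat a hit as a triage signal to confirm with file hashes and parent-process context.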
