Published On : 2026-04-10

Ransomware In Focus
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows Systems, Network Shares, Mapped Drives, Enterprise File Storage Systems, Backup Repositories, Remote Access Services (RDP)
Introduction:
CYFIRMA Research and Advisory Team has found BASANAI Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
BASANAI Ransomware
BASANAI ransomware has been identified as a MedusaLocker-family file-encrypting malware variant that prevents access to victim data by encrypting files and appending a distinct extension associated with the BASANAI strain. Upon execution, the malware systematically encrypts files across the infected system and drops a ransom note, typically named “README.txt”, informing victims of the compromise. Analysis indicates that the ransomware leverages strong cryptographic algorithms (commonly AES combined with RSA, consistent with MedusaLocker variants) to ensure that files cannot be decrypted without attacker-controlled keys. The operators claim that not only local files but also network shares and potentially backups may be impacted, increasing operational disruption. In addition to encryption, the threat actors assert that sensitive data may have been exfiltrated, introducing a double extortion element where victims face both data loss and potential public exposure. Victims are instructed to contact the attackers via the provided communication channels to negotiate payment, typically in cryptocurrency. At present, no confirmed public decryption tool is available for this variant, and recovery without attacker cooperation remains unlikely.

Screenshot: File encrypted by the ransomware (Source: Surface Web)
The ransom note associated with BASANAI ransomware, usually delivered as “README.txt”, explicitly informs victims that their files have been encrypted using robust encryption mechanisms and are no longer accessible. The message states that only the attackers possess the unique private key required for decryption, and strongly discourages victims from attempting recovery through third-party tools or by modifying encrypted files, warning that such actions may result in irreversible data corruption. The note typically includes instructions for contacting the attackers via email addresses or TOR-based communication channels, along with a unique victim ID to facilitate negotiation. It further reinforces pressure by indicating that sensitive data may have been stolen during the attack, and threatens public release or sale of this data if the ransom is not paid. The language used follows standard MedusaLocker-style coercion tactics, combining technical intimidation (irreversible encryption claims) with psychological pressure (data leakage threats), while offering no verifiable assurance that payment will lead to successful data recovery.

Screenshot: The appearance of the BASANAI’s Ransom Note (Source: Surface Web)
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1112 | Modify Registry |
| Persistence | T1543 | Create or Modify System Process |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1543 | Create or Modify System Process |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1202 | Indirect Command Execution |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1539 | Steal Web Session Cookie |
| Credential Access | T1552 | Unsecured Credentials |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Discovery | T1012 | Query Registry |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Collection | T1005 | Data from Local System |
| Collection | T1074 | Data Staged |
| Collection | T1114 | Email Collection |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1489 | Service Stop |
Relevancy and Insights:
- Persistence: The malware establishes persistence through the creation of Run registry keys (e.g., “…\CurrentVersion\Run\BabyLockerKZ”), ensuring execution upon system startup and maintaining continued access to the infected host.
- Configuration Storage: The use of custom registry paths, such as “HKCU\SOFTWARE\PAIDMEMES” (PRIVATE and PUBLIC subkeys), indicates storage of internal configuration data or execution state supporting ransomware operations.
- Defense Evasion: Interaction with Internet Settings zones and system policy registry paths suggests potential modification of security configurations to weaken defenses or bypass protections.
- Execution Control: References to Command Processor registry paths indicate possible command-line execution capabilities leveraged during infection or encryption stages.
- Process Termination: The presence of taskkill.exe-related registry entries implies the malware may terminate processes or services (e.g., security tools or open applications) to prevent interference with encryption.
- File Handling Management: The use of Microsoft Restart Manager registry keys suggests the malware enumerates and releases file locks held by other processes so that targeted files can be opened and encrypted.
- Environment Interaction: Modifications to Internet Settings cache-related registry keys (Cookies and History CachePrefix) indicate interaction with user environment data, though the exact purpose remains unclear.
- Cleanup / Anti-Forensics: Deletion of Restart Manager session-related registry keys indicates efforts to remove execution traces and hinder forensic analysis post-encryption. Note, however, that the Restart Manager API itself removes its session key when a session is ended, so this artifact on its own is weak evidence of deliberate cleanup and should be weighed together with the Run key and PAIDMEMES artifacts above.
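The registry artifacts listed above can be turned into host-telemetry triage logic. The following is an added example (not code from the advisory or from CYFIRMA) that folds Sysmon registry events per process and flags processes that wrote the BabyLockerKZ Run value or the PAIDMEMES key, while counting Restart Manager activity only as supporting context. It assumes the truncated Run path in the text is the standard per-user Run key; the SID, the payload path and the sample events are constructed.

```python
import re

# Registry artifacts the advisory attributes to BASANAI/MedusaLocker. Assumptions:
# the truncated Run path in the text is the standard per-user Run key, and the
# PAIDMEMES key is matched with or without its PRIVATE/PUBLIC subkeys.
RUN_VALUE_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\babylockerkz$", re.I)
CONFIG_KEY_RE = re.compile(r"\\software\\paidmemes(\\(private|public))?$", re.I)
# Restart Manager session keys are created by RmStartSession and removed by
# RmEndSession in any well-behaved installer, so they are context, not an indicator.
RESTART_MGR_RE = re.compile(r"\\software\\microsoft\\restartmanager\\session\d{4}", re.I)
# Sysmon records per-user keys as HKU\<SID>\...; fold them to HKCU\... for matching.
USER_SID_RE = re.compile(r"^hku\\s-1-5-21-[\d-]+\\", re.I)


def normalize(target_object: str) -> str:
    """Rewrite HKU\\S-1-5-21-...\\ to HKCU\\ so one pattern covers every user hive."""
    return USER_SID_RE.sub(lambda _: "HKCU\\", target_object)


def triage(events):
    """Fold Sysmon registry events (ID 12 key create/delete, ID 13 value set) per
    process and return the processes that wrote either high-confidence artifact."""
    per_image = {}
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        target = normalize(ev["TargetObject"])
        rec = per_image.setdefault(
            ev["Image"], {"run_key": False, "config_key": False, "restart_manager": 0})
        if RUN_VALUE_RE.search(target):
            rec["run_key"] = True
        elif CONFIG_KEY_RE.search(target):
            rec["config_key"] = True
        elif RESTART_MGR_RE.search(target):
            rec["restart_manager"] += 1
    return {img: rec for img, rec in per_image.items()
            if rec["run_key"] or rec["config_key"]}


# Constructed sample telemetry (not real logs). The SID and the payload path are invented.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PAYLOAD = "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ",
     "Details": PAYLOAD},
    {"EventID": 12, "Image": PAYLOAD, "TargetObject": f"HKU\\{SID}\\SOFTWARE\\PAIDMEMES\\PRIVATE"},
    {"EventID": 12, "Image": PAYLOAD, "TargetObject": f"HKU\\{SID}\\SOFTWARE\\PAIDMEMES\\PUBLIC"},
    {"EventID": 12, "Image": PAYLOAD,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\RestartManager\\Session0000"},
    # Benign: Office also uses Restart Manager, and SecurityHealth has its own Run value.
    {"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\RestartManager\\Session0000\\Owner"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"},
]

if __name__ == "__main__":
    for image, rec in triage(SAMPLE_EVENTS).items():
        print(image, rec)
```

Only the payload process is returned: it set the Run value and created the PAIDMEMES key, and its single Restart Manager session is reported alongside rather than counted as an indicator, which keeps the Office process out of the result.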
ETLM Assessment:
CYFIRMA’s analytical assessment indicates that BASANAI ransomware is likely to continue operating as part of the MedusaLocker ecosystem, with future developments expected to focus on incremental operational improvements rather than novel innovation. Based on observed behavior, operators may enhance encryption efficiency, propagation across networked environments, and reliability of payload execution to maximize impact. There is a strong likelihood of continued and more structured use of double extortion tactics, particularly emphasizing data exfiltration to increase victim pressure and payment rates. Future campaigns may also refine initial access vectors, potentially leveraging exposed RDP services, phishing campaigns, or exploitation of unpatched vulnerabilities, which are common entry points associated with this ransomware family. However, there is currently no evidence suggesting advancement into highly sophisticated or targeted attack methodologies, indicating that BASANAI will likely remain aligned with commodity ransomware operations, focusing on scalable, opportunistic attacks rather than highly specialized intrusions.
Sigma rule:
title: Files With System Process Name In Unsuspected Locations
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes that are updated/installed using msiexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third party software naming their software with the same names as the processes mentioned here
level: medium
(Source: Surface Web)
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
RECOMMENDATIONS
STRATEGIC RECOMMENDATIONS
- Implement strong security controls, including encryption, authentication, and access-credential configuration, for access to critical systems in both cloud and on-premises environments.
- Ensure that backups of critical systems are maintained, which can be used to restore data in case a need arises.
MANAGEMENT RECOMMENDATIONS
- A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
- Implement a zero-trust security model alongside multifactor authentication (MFA) to reduce the risk of credential compromise.
- Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
TACTICAL RECOMMENDATIONS
- Update all applications/software regularly with the latest versions and security patches alike.
- Add the Sigma rule for threat detection and monitoring, which will help to detect anomalies in log events, identify and monitor suspicious activities.
- Establish and implement protective controls by actively monitoring and blocking identified indicators of compromise (IoCs) and reinforcing defensive measures based on the provided tactical intelligence.
Active Malware of the Week
Type: Backdoor | Objectives: Persistence | Target Technology: Windows OS | Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
This week, the “RodexRMM” malware is in focus.
Overview of Operation RodexRMM Malware
The analysed sample, identified as RodexRMM, demonstrates a structured and stealth-oriented set of behaviours indicative of a controlled malicious operation. Its activity suggests a clear intention to establish persistence within the infected environment while operating in a manner that closely mimics legitimate system processes. By utilizing standard system paths and interacting with core components, the malware attempts to remain inconspicuous and avoid raising immediate suspicion. Additionally, it gathers key system information, likely to assess the environment and prepare for subsequent actions.
Furthermore, RodexRMM exhibits multiple defense evasion characteristics, including the use of obfuscation and strategic interaction with system configurations and registry settings. These actions may contribute to weakening security visibility or bypassing detection mechanisms. The observed behaviour also indicates an awareness of analysis environments, suggesting that the malware may actively attempt to evade sandboxing or monitoring tools, thereby prolonging its presence on the compromised system.
The communication patterns associated with RodexRMM reveal outbound connections to external services, potentially to obtain system-related information such as public IP data. This, combined with its capability to execute processes and manage system activities, suggests the presence of a command-and-control mechanism. Overall, the malware reflects a level of sophistication consistent with threats designed for persistence, reconnaissance, and remote control, posing a notable risk in both targeted and opportunistic attack scenarios.
Attack Method
The attack methodology associated with RodexRMM demonstrates a structured and methodical approach aimed at establishing persistence, escalating privileges, and maintaining sustained access within a compromised environment. The malware achieves persistence by creating or modifying system-level processes, ensuring that it continues to execute even after system restarts. In addition, similar process manipulation techniques are employed to facilitate privilege escalation, allowing the malware to operate with elevated permissions and gain broader control over system resources.
To minimize the likelihood of detection, RodexRMM incorporates multiple defense evasion mechanisms. These include the use of obfuscation and software packing techniques to conceal its internal structure and hinder analysis by security solutions. The malware also interacts with critical system registry configurations, potentially altering execution flows or bypassing monitoring controls. Furthermore, its behaviour indicates an awareness of analysis environments, suggesting that it may actively attempt to evade sandboxing and security inspection mechanisms.
The malware further engages in systematic reconnaissance to assess the characteristics of the infected system. It performs process enumeration, collects system-level information, and identifies the presence of security software. This information-gathering phase enables the malware to adapt its operations based on the environment, thereby improving its ability to remain undetected and execute subsequent actions effectively.
In terms of communication, RodexRMM utilizes standard web-based protocols to establish contact with external infrastructure. It connects to publicly available services to obtain information such as the system’s external IP address, which can assist in identifying and managing compromised hosts. By leveraging commonly used communication channels and legitimate services, the malware effectively obscures its network activity within normal traffic patterns, complicating detection and response efforts.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprise
| Tactic | Technique ID | Technique Name |
| Persistence | T1543 | Create or Modify System Process |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Discovery | T1057 | Process Discovery |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Command and Control | T1071 | Application Layer Protocol |
INSIGHTS
- A significant characteristic of RodexRMM is its deliberate effort to integrate seamlessly with normal system operations rather than exhibiting overtly disruptive behaviour. The malware functions in a controlled and unobtrusive manner, indicating that its primary objective is to maintain a stable presence within the compromised environment. This measured approach reflects a strategic design where persistence and continuity of access are prioritized over immediate or visible impact.
- Another important observation is its alignment with trusted system components and commonly used external services. By operating within the boundaries of typical system and network activity, the malware reduces the likelihood of raising suspicion. This behaviour demonstrates a calculated effort to remain indistinguishable from legitimate processes, thereby complicating detection through conventional monitoring mechanisms.
- Furthermore, the structural composition of RodexRMM suggests a level of adaptability in its operation. Its behaviour indicates that it can function across different system environments without requiring substantial modification. This adaptability highlights its utility in diverse scenarios, reinforcing the notion that it is designed to operate effectively under varying conditions while maintaining its core functionality.
ETLM ASSESSMENT
From an ETLM perspective, the progression of threats such as RodexRMM reflects a broader shift toward highly discreet and persistent attack models that align closely with legitimate business operations. This evolution is likely to complicate organizational visibility, making it increasingly challenging to differentiate between normal activities and malicious behaviour across enterprise environments. As a result, organizations may experience growing exposure to undetected, low-profile intrusions, while employees through routine system interactions may unknowingly contribute to the expansion of the attack surface. Collectively, these developments point toward a more complex and less transparent threat landscape, where understanding and managing risk will become progressively more challenging due to the subtle and integrated nature of emerging threats.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule RodexRMM_String_IOCs
{
    meta:
        description = "Detects RodexRMM using string-based IOCs (hash artifacts and C2 indicator)"
        author = "CYFIRMA"
        date = "2026-04-07"
    strings:
        /* Malware sample hash artifacts as strings */
        $hash_md5 = "1e6acadabf333d7caf8b66e234af3a31"
        $hash_sha1 = "432860ca09217e8e48455a7471c107ab81aaf778"
        $hash_sha256 = "34a774a9f08253a41a215b9ec6022e9f3911f2ba15d5c453cf7ef329120c8c65"
    condition:
        any of ($hash_*)
}
Note that this rule matches only files that contain the three digest values as literal ASCII strings (for example, reports, scripts or block lists that quote them); it does not match the sample by its own digest. To match the sample itself, compute the file digest with YARA’s hash module or block the hashes directly in EDR or proxy controls.
Recommendations
Strategic Recommendations
These are high-level, long-term initiatives to strengthen organizational cybersecurity posture:
- Establish a risk-driven cybersecurity strategy that prioritizes visibility into low-noise and persistent threats operating within enterprise environments.
- Integrate cyber threat intelligence into organizational decision-making to improve awareness of evolving threat patterns and adversary behaviours.
- Promote a zero-trust security model to reduce implicit trust in internal systems and applications.
- Strengthen governance around third-party tools and software usage to minimize exposure to threats masquerading as legitimate utilities.
- Invest in continuous security maturity assessments to align defenses with the evolving threat landscape.
Management Recommendations
These focus on policies, procedures, and governance to ensure proper oversight and risk mitigation:
- Enhance security awareness programs to ensure employees can recognize subtle and deceptive threats embedded in routine workflows.
- Implement strict access control policies, ensuring users only have permissions necessary for their roles.
- Establish clear incident response frameworks to enable timely detection, reporting, and containment of suspicious activities.
- Encourage cross-team collaboration between IT, security, and leadership to maintain a unified approach to threat management.
- Regularly review and audit system usage, software installations, and user behaviour to identify anomalies.
Tactical Recommendations
These are immediate, actionable steps to prevent, detect, and respond to malware at the operational level:
- Deploy endpoint detection and response (EDR) solutions to monitor process behaviour and detect abnormal activity patterns.
- Monitor registry modifications and process creation events for signs of unauthorized persistence mechanisms.
- Inspect outbound network traffic for connections to uncommon or suspicious external services.
- Utilize behavioural analytics to detect deviations from normal system and user activity.
- Maintain updated threat intelligence feeds and integrate them into security tools for real-time detection.
- Implement proactive security controls by monitoring and blocking identified IOCs, leveraging YARA rules for detection, and strengthening defenses based on actionable tactical intelligence.
CYFIRMA’s Weekly Insights
1. Weekly Attack Types and Trends
Key Intelligence Signals:
- Attack Type: Ransomware Attacks, Spear-Phishing, Vulnerabilities & Exploits, Data Leaks.
- Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
- Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
- Ransomware – NightSpire Ransomware, The Gentlemen Ransomware | Malware – RodexRMM
- NightSpire Ransomware – One of the ransomware groups.
- The Gentlemen Ransomware – One of the ransomware groups.
Please refer to the trending malware advisory for details on the following: - Malware – RodexRMM
Behavior – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.
2. Threat Actor in Focus
Chinese Threat Actor Silver Fox Expanding footprints in APAC
- Threat Actor: Silver Fox aka Void Arachne
- Attack Type: Domain Impersonation, Malware Implant, SEO Poisoning, Spear-Phishing, Bring your own device (BYOD), Exploitation of Vulnerabilities, Social Engineering.
- Objective: Monetary Benefits, Cyber espionage, Identity theft, Credential Compromise
- Suspected Target Technology: Sogou AI, Telegram, WPS Office, Youdao, and DeepSeek, Browsers, Social Media, Google Chrome, WatchDog, Anti-malware, Windows, Zemana Anti-Malware SDK.
- Suspected Target Geography: Brunei, Cambodia, China, East Timor, Hong Kong, India, Indonesia, Japan, Laos, Malaysia, Myanmar, Philippines, Singapore, Taiwan, Thailand, Vietnam
- Suspected Target Industries: Critical Infrastructure, Defense, Education, Finance, Government, Manufacturing, Research, Telecommunications
- Business Impact: Compromised user accounts, Data Theft, Operational Disruption, Reputational Damage.
About the Threat Actor
Silver Fox aka Void Arachne – suspected Chinese threat actor, is assessed to have been active since at least 2019–2020, demonstrating continuous evolution in its tooling and targeting capabilities while maintaining an aggressive posture toward organizations. The group has expanded its operational footprint and digital presence across multiple countries in the APAC region.
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566 | Phishing |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1106 | Native API |
| Execution | T1129 | Shared Modules |
| Execution | T1204 | User Execution |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1112 | Modify Registry |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1202 | Indirect Command Execution |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing |
| Defense Evasion | T1620 | Reflective Code Loading |
| Defense Evasion | T1564 | Hide Artifacts |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1057 | Process Discovery |
| Discovery | T1518 | Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Lateral Movement | T1563.002 | Remote Service Session Hijacking: RDP Hijacking |
| Collection | T1185 | Browser Session Hijacking |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1095 | Non-Application Layer Protocol |
Latest Developments Observed
The threat actor is suspected of targeting organizations across India, Japan, and Southeast Asia through a large-scale cyber campaign leveraging Remote Access Trojan (RAT) malware. The campaign involves the creation of fraudulent websites designed to mimic trusted software platforms such as Zoom, Telegram, and VPN services. The primary objective appears to be the exfiltration of sensitive information, along with establishing persistent access to monitor user activity over extended periods.
ETLM Insights
Void Arachne (aka Silver Fox) is a financially driven cybercriminal group focused on large-scale intrusion and extortion operations, where scalable access, persistent monitoring, and data exfiltration underpin its revenue generation model. The group’s campaigns demonstrate a strong dependence on deception-based access methods and mass distribution strategies, allowing it to compromise a wide range of targets across the APAC region while maintaining prolonged access within affected systems.
Operationally, the actor prioritizes persistence, stealth, and scalability to support continuous intelligence collection and monetization. Its increasing adoption of AI-driven capabilities signals a shift toward more adaptive and psychologically oriented operations, enhancing targeting accuracy, automation, and evasion. Looking ahead, Void Arachne is likely to further advance its AI-enabled tradecraft, broaden its operational footprint, and refine high-volume campaigns to achieve greater efficiency and lower detection rates.
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
YARA Rules
rule SilverFox_RAT_IP_Based_Detection
{
    meta:
        description = "Detects potential Silver Fox (Void Arachne) related Win32 executable communicating with known IP"
        author = "CYFIRMA"
        date = "2026-04-07"
        threat_actor = "Void Arachne / Silver Fox"
        type = "RAT / Win32 EXE"
    strings:
        $ip1 = "27.124.3.175" ascii
    condition:
        (uint16(0) == 0x5A4D) and $ip1
}
Recommendations
Strategic Recommendations
- Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
- Assess and deploy an advanced endpoint protection solution that detects and prevents malware and malicious activity without relying solely on signature-based detection methods.
- Block exploit-like behaviour. Monitor endpoint memory for behavioural patterns typical of exploitation, such as unusual process handle requests. These patterns are features of most exploits, whether known or new, so identifying them provides effective protection against zero-day and critical exploits.
Management Recommendations
- Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
- Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.
Tactical Recommendations
- For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
- Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
- Apply security measures to detect unauthorized activities, protect sensitive production, and process control systems from cyberattacks.
- Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events, and identify and monitor suspicious activities.
- Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
3. Major Geopolitical Developments in Cybersecurity
North Korean threat actor compromises popular JavaScript library
According to researchers, a North Korean threat actor inserted a malicious dependency into two npm releases of axios, the most popular JavaScript library for making HTTP requests. The affected versions, axios 1.14.1 (a release line typically seeing over 100 million weekly downloads) and axios 0.30.4 (around 83 million weekly downloads), were live for roughly two to three hours on March 31, 2026, before npm removed them. The malicious change added a hidden dependency ([email protected]) that acted as an obfuscated dropper. The dropper deployed the WAVESHAPER.V2 backdoor, a cross-platform remote access trojan that runs on Windows, macOS, and Linux. The backdoor collects system information, enumerates directories, and executes additional payloads, potentially enabling credential theft and further compromise. Researchers attribute the attack to UNC1069 (also tracked as Sapphire Sleet, and linked to groups such as CryptoCore/MASAN), a financially motivated North Korean-nexus threat actor active since at least 2018.
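The practical lesson of the axios incident is that a tampered release can pull in a dependency that nobody reviewed, and that a project whose lockfile pinned an earlier version and installed with npm ci would not have resolved the new release in that two-to-three-hour window. The following is an added example, not code from axios or npm: it compares an installed package's package.json with what the project lockfile recorded and flags dependencies the lockfile never saw, drift from the locked version, and install-time lifecycle scripts (a general supply-chain red flag; the page does not say the axios incident used one). The lockfile and manifest below are constructed; every package name except axios, and every version number, is hypothetical.

```python
"""Audit an installed npm package against the project lockfile.

Added example, not from axios or npm. Package names other than axios,
and all version numbers, are constructed for illustration.
"""
import json
import os

# Constructed package-lock.json (lockfileVersion 3) excerpt. The dependency
# set and versions are illustrative, not axios's real manifest.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {
      "version": "1.14.0",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz",
      "dependencies": {"follow-redirects": "^1.15.6"}
    },
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}
""")

# Constructed node_modules/axios/package.json for a tampered release: one
# dependency the lockfile never recorded, plus an install-time script. The
# hook is a generic red flag; the page does not attribute one to this incident.
INSTALLED_MANIFEST = json.loads("""
{
  "name": "axios",
  "version": "1.14.1",
  "dependencies": {
    "follow-redirects": "^1.15.6",
    "hypothetical-hidden-dep": "0.0.1"
  },
  "scripts": {"postinstall": "node ./setup.js"}
}
""")

# npm lifecycle scripts that execute on the installing machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def locked_entry(lockfile, name):
    """Top-level lockfile record for a package. Nested copies live under
    node_modules/<parent>/node_modules/<name> and are not covered here."""
    return lockfile.get("packages", {}).get(f"node_modules/{name}", {})


def audit_manifest(lockfile, manifest):
    """Compare an installed package.json with what the lockfile recorded."""
    name = manifest["name"]
    locked = locked_entry(lockfile, name)
    expected_deps = set(locked.get("dependencies", {}))
    actual_deps = set(manifest.get("dependencies", {}))
    locked_version = locked.get("version")
    version = manifest.get("version")
    hooks = sorted(k for k in manifest.get("scripts", {}) if k in INSTALL_HOOKS)
    return {
        "package": name,
        "in_lockfile": bool(locked),
        "unexpected_dependencies": sorted(actual_deps - expected_deps),
        "version_drift": None if locked_version == version else (locked_version, version),
        "install_hooks": hooks,
    }


def is_suspicious(report):
    """True when any finding warrants a manual look before the build proceeds."""
    return bool(not report["in_lockfile"] or report["unexpected_dependencies"]
                or report["version_drift"] is not None or report["install_hooks"])


def audit_tree(lock_path, node_modules_dir):
    """Run audit_manifest over every unscoped top-level package in a real
    node_modules directory (scoped @org/name packages sit one level deeper)."""
    with open(lock_path, encoding="utf-8") as f:
        lockfile = json.load(f)
    reports = []
    for entry in sorted(os.listdir(node_modules_dir)):
        manifest_path = os.path.join(node_modules_dir, entry, "package.json")
        if os.path.isfile(manifest_path):
            with open(manifest_path, encoding="utf-8") as f:
                reports.append(audit_manifest(lockfile, json.load(f)))
    return [r for r in reports if is_suspicious(r)]


if __name__ == "__main__":
    print(json.dumps(audit_manifest(LOCKFILE, INSTALLED_MANIFEST), indent=2))
```

Run audit_tree("package-lock.json", "node_modules") in CI after npm ci; any non-empty result means the installed tree no longer matches what was reviewed. The check is a complement to lockfile pinning, not a substitute: it cannot tell a benign new dependency from a malicious one, only that a human never approved it.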
ETLM Assessment:
UNC1069, a financially motivated North Korean-linked threat actor (also tracked as Sapphire Sleet, CryptoCore, and MASAN), has been active since at least 2018 and primarily focuses on generating revenue for the North Korean regime through cyber theft. The group typically targets the cryptocurrency and Web3 ecosystem, including centralized exchanges, cryptocurrency startups, software developers in fintech, high-technology companies, and venture capital firms, using sophisticated social engineering tactics such as spear-phishing, fake job offers, impersonation of investors or recruiters on platforms like Telegram and LinkedIn, deepfake-powered Zoom meetings, and AI-enhanced lures. Once initial access is gained, they deploy custom malware (including backdoors like WAVESHAPER and downloaders) to harvest credentials, browser data, session tokens, and cryptocurrency wallets, enabling large-scale financial theft and occasionally supply-chain compromises to broaden their reach. Their ultimate goal is to steal funds that help bypass international sanctions and support the regime’s priorities, as reported in this CYFIRMA paper.
Major Incident in FBI Networks
The Federal Bureau of Investigation has formally classified last month’s intrusion into the networks used to manage wiretaps and other sensitive surveillance operations as a “major incident,” underscoring the seriousness of the breach that has already triggered a criminal investigation and prompted efforts to strengthen the agency’s cybersecurity.
According to a Justice Department notification to Congress, the FBI opened an inquiry into anomalous activity on the compromised network on February 17. The affected system contains highly sensitive law enforcement data, including information from electronic surveillance, pen registers, trap-and-trace devices, and personally identifiable information on subjects of FBI investigations. On March 23, it was determined that the intrusion met the threshold of a “major incident” – a designation reserved for breaches likely to cause significant harm to national security or expose large amounts of sensitive personal data.
ETLM Assessment:
An earlier notification to lawmakers in March described the threat actor’s techniques as “sophisticated,” noting that the intruders exploited a commercial Internet Service Provider vendor’s infrastructure to bypass FBI network security controls. The notices did not identify the suspected perpetrator or specify the full scope of data that may have been accessed or exfiltrated. The breach is suspected by researchers to have been carried out by China-linked hackers (likely the Salt Typhoon group or another actor affiliated with China’s Ministry of State Security), who used sophisticated supply-chain techniques via a commercial ISP vendor to gain access. The primary goal appears to be espionage: identifying who the FBI is actively surveilling, mapping U.S. intelligence and law enforcement targets, exposing phone numbers and metadata of monitored individuals, and gaining counterintelligence advantages against American operations.
4. Rise in Malware/Ransomware and Phishing
NightSpire Ransomware Impacts the GMP Group
- Attack Type: Ransomware
- Target Industry: Recruitment & Staffing (Human Resources)
- Target Geography: Singapore
- Ransomware: NightSpire Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
CYFIRMA observed in an underground forum that a company from Singapore, The GMP Group (https[:]//www[.]gmprecruit[.]com/), was compromised by NightSpire Ransomware. The GMP Group has established itself as a pioneer in Singapore’s recruitment industry, dedicated to connecting Asia’s top talent with leading organizations. With a strong presence across Southeast Asia, the company offers specialized recruitment services across a wide range of industries, positioning itself as a one-stop solution for all recruitment needs. The compromised dataset includes financial documents, salary records, and candidates’ PII, along with resumes, CVs, and other sensitive and confidential information.

Source: Dark Web
Relevancy & Insights:
- NightSpire employs strong encryption algorithms like AES-256 combined with RSA encryption for key protection, aligning with modern ransomware sophistication.
- The NightSpire Ransomware group primarily targets countries such as the United States of America, Spain, France, Turkey, and India.
- The NightSpire Ransomware group primarily targets industries, including Consumer Goods & Services, Professional Goods & Services, Information Technology, Manufacturing, and Healthcare.
- Based on the NightSpire Ransomware victims list from 1st Jan 2025 to 07th April 2026, the top 5 Target Countries are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, NightSpire is a ransomware group that emerged in early 2025 and has quickly established itself as a formidable player in the rapidly evolving ransomware landscape. Despite its recent appearance, NightSpire has already gained attention for its aggressive tactics and well-structured operations.
The Gentlemen Ransomware Impacts Equity Life
- Attack Type: Ransomware
- Target Industry: Financial Services
- Target Geography: Indonesia
- Ransomware: The Gentlemen Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary: CYFIRMA observed in an underground forum that a company from Indonesia, Equity Life (https[:]//www[.]equity[.]co[.]id/), was compromised by the Gentlemen Ransomware. Equity Life Indonesia offers a range of life and health insurance solutions tailored for individual clients, corporate employee benefits, and retail insurance through various distribution channels. Their services include professional agency support, bancassurance partnerships, and customizable employee benefit programs to ensure the safety and well-being of employees. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:
- The Gentlemen is a sophisticated ransomware-as-a-service (RaaS) group that emerged in mid-2025.
- The Gentlemen Ransomware group primarily targets countries such as the United States of America, Brazil, Thailand, France, and Spain.
- The Gentlemen Ransomware group primarily targets industries, including Consumer Goods & Services, Manufacturing, Materials, Professional Goods & Services, and Information Technology.
- Based on the Gentlemen Ransomware victims list from 1st July 2025 to 07th April 2026, the top 5 Target Countries are as follows:

- The Top 10 Industries most affected by the Gentlemen Ransomware victims list from 1st July 2025 to 07th April 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
5. Vulnerabilities and Exploits
Vulnerability in Cisco Nexus Dashboard
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Network Management / Enterprise Applications
- Vulnerability: CVE-2026-20042
- CVSS Base Score: 6.5
- Vulnerability Type: Sensitive Data Exposure (Storing passwords in recoverable format)
- Summary: The vulnerability allows a remote user to escalate privileges on the system.
Relevancy & Insights:
The vulnerability exists because authentication details are included in the encrypted backup files.
Impact:
A remote user with a valid backup file and encryption password from an affected device can decrypt the backup file and use the authentication details in the backup file to access internal-only APIs on the affected device.
Successful exploitation of the vulnerability may allow code execution as root.
Affected Products:
https[:]//sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-cbid-5YqkOSHu
Recommendations:
Remediation: Apply the fix referenced in the Cisco advisory linked above. Because exploitation requires both a backup file and its encryption password, restrict who can export or download backups, store backup files and their encryption passwords separately, and rotate the credentials contained in any backup that may have been exposed.
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behaviour, in particular unexpected calls to internal-only APIs, that might indicate an attempted exploitation of this vulnerability.
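The root cause here is a design class rather than a single bug: a configuration export carries live credentials, so anyone who can decrypt the export inherits them. The following is an added example, not Cisco code and not the Nexus Dashboard backup format: a generic scanner that flags credential-like fields in a decrypted backup (by key name, or by long space-free high-entropy values) and a stripping routine that removes them before the export is encrypted, so that restore must prompt for credentials instead of reading them back. The sample export, its key names and all values are constructed.

```python
"""Find and strip credentials in a configuration export.

Added example, not Cisco code: the document layout, key names and values
below are constructed and do not reflect the Nexus Dashboard backup format.
"""
import math
import re
from collections import Counter

# Key names that usually hold credentials (assumption: extend per product).
SECRET_KEY_RE = re.compile(
    r"(pass(word|wd|phrase)?|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)
# Long, space-free, high-entropy strings are treated as likely keys or tokens.
MIN_TOKEN_LEN = 20
ENTROPY_THRESHOLD = 3.0  # bits per character; hex keys score 4.0, words far less

# Constructed sample export. Values are illustrative, not real credentials.
SAMPLE_BACKUP = {
    "hostname": "nd-cluster-01",
    "description": "Primary data centre management node in region ap-southeast-1",
    "ntp_server": "pool.ntp.org",
    "users": [
        {"name": "admin", "role": "superuser", "password": "Summer2024!"},
        {"name": "readonly", "role": "viewer", "password": "Autumn2024!"},
    ],
    "api_token": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "cluster": {
        "shared_secret": "cluster-join-key-please-rotate",
        "peers": ["10.0.0.2", "10.0.0.3"],
    },
}


def shannon_entropy(s):
    """Bits per character of the string's byte-frequency distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_token(value):
    """Heuristic for opaque secrets whose key name gives nothing away."""
    return (" " not in value and len(value) >= MIN_TOKEN_LEN
            and shannon_entropy(value) >= ENTROPY_THRESHOLD)


def find_secrets(obj, path=""):
    """Return [(json_path, reason)] for every field that looks like a credential."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub = f"{path}.{key}" if path else key
            if isinstance(value, str) and SECRET_KEY_RE.search(key):
                findings.append((sub, "credential-like key name"))
            elif isinstance(value, str) and looks_like_token(value):
                findings.append((sub, "high-entropy value"))
            else:
                findings.extend(find_secrets(value, sub))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_secrets(value, f"{path}[{i}]"))
    return findings


def strip_secrets(obj):
    """Deep copy with every credential-like field removed. The restore path
    must then prompt for those credentials rather than read them back."""
    if isinstance(obj, dict):
        return {k: strip_secrets(v) for k, v in obj.items()
                if not (isinstance(v, str) and (SECRET_KEY_RE.search(k) or looks_like_token(v)))}
    if isinstance(obj, list):
        return [strip_secrets(v) for v in obj]
    return obj


def backup_is_clean(obj):
    """Gate to run on the plaintext just before it is encrypted and written."""
    return not find_secrets(obj)


if __name__ == "__main__":
    for path, reason in find_secrets(SAMPLE_BACKUP):
        print(f"{path}: {reason}")
    print("clean after strip:", backup_is_clean(strip_secrets(SAMPLE_BACKUP)))
```

Run find_secrets over a decrypted copy of an existing backup to learn what an attacker holding that file would obtain, and wire backup_is_clean into the export path so a build that reintroduces recoverable credentials fails. The entropy rule is a heuristic: it will miss short or low-entropy passwords under unrecognised key names, which is why the key-name list has to be maintained per product.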
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in the Cisco Nexus Dashboard introduces significant risks to enterprise environments that rely on centralized network and infrastructure management platforms. As the Nexus Dashboard is widely used for managing data center operations and network resources, exploitation of this vulnerability could expose sensitive credentials and enable unauthorized access across interconnected systems. Organizations leveraging such management platforms must ensure secure credential storage practices and implement strict access controls to mitigate potential risks. Addressing this vulnerability is essential to maintaining the confidentiality of sensitive data and protecting enterprise network infrastructure across industries and regions.
6. Latest Cyber-Attacks, Incidents, and Breaches
Everest Ransomware attacked and published the data of PT Brantas Abipraya
- Threat Actor: Everest Ransomware
- Attack Type: Ransomware
- Objective: Data Leak, Financial Gains
- Target Technology: Web Applications
- Target Industry: Construction
- Target Geography: Indonesia
- Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage
Summary:
Recently, we observed that Everest Ransomware attacked and published the data of PT Brantas Abipraya (https[:]//www[.]brantas-abipraya[.]co[.]id/) on its dark web website. PT Brantas Abipraya is an Indonesian state-owned enterprise (SOE) primarily engaged in the construction and infrastructure sector. The data leak includes detailed personal information of employees and their families, such as identity documents, photos, national ID numbers, addresses, phone numbers, and medical data, along with confidential HR records, competency and certification data, payroll and bank details, and sensitive information related to strategic project staff. It also exposes classified evaluations and psychological profiles of senior management and executives, internal HR and training materials, financial reports and budgets, insider personal files, and a large collection of corporate video and audio recordings of meetings and training sessions. The total size of data compromised is approximately 236.58 GB.

Source: Dark Web
Relevancy & Insights:
Everest is a “double extortion” ransomware gang: attackers first exfiltrate data, then encrypt systems, and finally threaten to leak or sell the stolen information unless a ransom is paid.
ETLM Assessment:
According to CYFIRMA’s assessment, Everest ransomware continues to pose a persistent and evolving cyber threat. The group is actively broadening its targeting across new sectors, expanding its role as an initial access broker, and increasingly relying on data-leak extortion as its core operational tactic. Organizations are advised to remain vigilant by strengthening access controls, closely monitoring for lateral movement and Cobalt Strike–related activity, and maintaining robust incident response and detection capabilities to mitigate the risks posed by Everest’s ongoing campaigns.
7. Data Leaks
Mihnati Data Advertised on a Leak Site
- Attack Type: Data leak
- Target Industry: Human Resources (HR) / Recruitment
- Target Geography: Saudi Arabia
- Objective: Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary: The CYFIRMA research team identified a post on a dark web forum by a threat actor operating under the alias “Grubder”, who claims to possess and offer for sale a large dataset allegedly sourced from mihnati[.]com, a Saudi Arabia-based employment and recruitment platform that connects job seekers with employers.
According to the forum post, the dataset provides a comprehensive view of platform operations, including contacts, candidate profiles, and candidate experience records. The actor describes the dataset as fresh, well-structured, and organized, making it potentially valuable for research, profiling, or commercial exploitation.
Dataset Structure Overview
The threat actor claims the dataset is divided into three primary interconnected categories:
1. Contacts (Personal & Account Information)
This section allegedly contains detailed personal and contact-related data of users, including:
- Full names (first, middle, last names)
- Email addresses and phone numbers (mobile and landline)
- Date of birth, gender, nationality, and marital status
- Address details (address lines, city, state, country)
- Emergency contact information
- Account identifiers and metadata (Contact ID, Account ID, Owner ID)
- Record lifecycle data (created/modified timestamps and user references)
- Lead source, record type, and status fields
- Language preferences, time zone, and regional codes
- Communication preferences (email opt-out, do-not-call flags)
2. Candidate Profiles (Professional & Personal Data)
This segment reportedly includes extensive candidate profile information, such as:
- Job titles and candidate type classifications
- Desired positions and CV-related details
- Skills (technical and other skills)
- Physical attributes (height, weight)
- Personal attributes (e.g., smoking habits, health conditions, disabilities)
- Family-related details (e.g., children)
- Identification-related fields (passport number, country of issue, expiration dates)
3. Candidate Experience (Work History Data)
This section is said to include candidate work experience records with regional and international breakdowns:
- Gulf region experience
- Local (Saudi Arabia) experience
- Qatar and international experience
- Total years of experience
- Record creation timestamps
Sale Details
- Asking Price: $1,300 USD
- Contact Method: Telegram and private forum messaging
- Transaction Method: Escrow services or trusted intermediaries
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
Trilateral Cooperation Secretariat Japan Data Advertised on a Leak Site
- Attack Type: Data leak
- Target Industry: International Relations & Diplomacy
- Target Geography: Japan
- Objective: Data Theft, Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary:
The CYFIRMA research team identified a post on a dark web forum by a threat actor operating under the alias “gtavispeak”, who claims to possess and offer for sale a dataset allegedly sourced from jp.tcs-asia[.]org. The targeted entity appears to be associated with operations in Japan, and the dataset is described as containing sensitive administrative and operational data.
According to the forum post, the dataset provides a detailed overview of organizational activities, including contacts, support tickets, and content engagement records. The actor claims the data is fresh, well-structured, and organized into interconnected sections, making it potentially valuable for analysis, research, or exploitation.
Dataset Structure Overview
The threat actor states that the dataset is divided into three primary interconnected categories:
1. Contacts (Customer & Account Information)
This section allegedly includes primary customer and contact data collected from website interactions, such as:
- Full names and email addresses
- Website URLs and encrypted passwords
- Social media identifiers (Twitter, Facebook, LinkedIn)
- Contact numbers (phone and mobile)
- Account-related metadata (account tier, lead source, contact owner)
- Regional and language information (region code, time zone, language preference)
- Status indicators (last contacted, preferred contact method, marketing opt-in)
- Customer lifecycle data (customer since, record creation/modification timestamps)
- Additional attributes such as job titles, notes, and campaign sources
2. Support Tickets (Customer Interaction Records)
This segment reportedly contains customer support ticket data capturing inquiries and responses, including:
- Ticket ID, Contact ID, subject, and description
- Creation and update timestamps
- Customer IP address and submitted email
- Comments, replies, and internal notes
- Ticket status, priority, and assigned personnel
- Severity level and resolution codes
- Escalation levels and response times
- Customer satisfaction scores and feedback records
- Tags, categories, and subcategories
- Attachment references and follow-up details
3. Content Engagement (User Activity Data)
This section is said to track user interactions with platform content, including:
- Engagement ID and contact linkage
- Content categories and attachment file paths
- Positive and negative reactions
- URLs and click metrics (primary and secondary links)
- Content titles, body, and tags
- Engagement timestamps and device/browser information
- Social account references (Twitter, Facebook)
- Regional, language, and referral source data
- Session IDs and spam/moderation flags
- User interaction types and engagement scores
- Metrics such as click-through rate, bounce rate, and time spent
Additional Claims by the Threat Actor
- The dataset is described as interlinked, enabling correlation between customer data, support interactions, and user activity.
- The actor has reportedly shared sample data via external paste sites to demonstrate authenticity.
- The dataset is promoted as useful for research, behavioral analysis, and operational insights.
Sale Details
- Contact Method: Telegram and forum-based communication
- Transaction Method: Escrow services or trusted intermediaries
- Pricing: Not explicitly disclosed in the post
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor known as “Grubder” is assessed to be a highly active and capable group primarily engaged in data-leak operations. Multiple credible sources have associated this actor with a series of security incidents involving unauthorized access to systems and the sale or dissemination of stolen data on dark web marketplaces. These activities underscore the persistent and rapidly evolving cyber-threat landscape driven by underground criminal ecosystems and highlight the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat-intelligence capabilities, and proactive defensive measures to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
- Updating all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
- Ensuring proper database configuration, including authentication and network exposure, to mitigate the risk of database-related attacks.
- Establishing robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.
8. Other Observations
The CYFIRMA research team observed that Xtium, a managed service provider (formerly known as ATSG) focusing on AI-powered IT infrastructure, security, and cloud solutions, has allegedly been compromised in a massive extortion campaign. A threat actor claims to have breached the company’s network and maintained undetected access to their Veeam backup instances for approximately eight months. According to the forum post, after initial extortion negotiations with Xtium management stalled, the attacker breached the network a second time ten days later. The actor is now listing the stolen data for sale and actively soliciting Xtium’s clients directly, offering to delete their specific backups in exchange for payment.
According to the actor, the 485.8TB of allegedly compromised data includes:
- 480TB of client Virtual Machine (VM) backups obtained from a compromised Veeam instance.
- Client file-level restore data.
- 5.8TB of internal Xtium and client TeamShares data extracted from Synology ShareSync.
The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums
RECOMMENDATIONS
STRATEGIC RECOMMENDATIONS
- Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
- Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
- Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.
MANAGEMENT RECOMMENDATIONS
- Take advantage of global Cyber Intelligence, providing valuable insights on threat actor activity, detection, and mitigation techniques.
- Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
- Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
- Test detection processes regularly to confirm that anomalous events are surfaced. Timely communication of anomalies should be continuously refined to keep up with evolving ransomware threats.
TACTICAL RECOMMENDATIONS
- Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
- Consider using security automation to speed up threat detection, improve incident response, increase visibility of security metrics, and execute security checklists rapidly.
- Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
- Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
- Implement a combination of security controls, such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout, to thwart automated brute-force attacks.
- Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
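The tactical recommendations above list rate limiting and account lockout as brute-force controls, and the two catch different attack shapes: a per-source limit stops one address hammering a login endpoint, while a per-account failure counter catches a low-and-slow attack spread across many addresses. The following is an added example, not code from CYFIRMA or from any product the report names: a small login guard that applies a sliding-window limit per client IP and a lockout per account, exercised against two constructed attempt streams (a single-IP burst and a distributed spray). Thresholds, windows, account names and the IP addresses (from documentation ranges) are assumptions.

```python
"""Per-IP rate limiting plus per-account lockout for a login endpoint.

Added example, not from the report or any vendor. Thresholds and the
constructed attempt streams in run_scenarios() are illustrative.
"""
import time
from collections import defaultdict, deque


class LoginGuard:
    """Decide whether a login attempt may proceed; call once per attempt."""

    def __init__(self, ip_limit=10, ip_window=60, account_limit=5, lockout_seconds=900):
        self.ip_limit = ip_limit              # attempts allowed per IP per window
        self.ip_window = ip_window            # sliding window length in seconds
        self.account_limit = account_limit    # consecutive failures before lockout
        self.lockout_seconds = lockout_seconds
        self._ip_hits = defaultdict(deque)    # ip -> timestamps of recent attempts
        self._failures = defaultdict(int)     # account -> consecutive failures
        self._locked_until = {}               # account -> lock expiry timestamp

    def attempt(self, ip, account, password_ok, now=None):
        """Return one of: rate_limited, locked, denied, allow.

        The IP check runs first so a locked account cannot be hammered for
        free; the account check runs before password verification so the
        lockout state is not revealed by timing.
        """
        now = time.time() if now is None else now
        hits = self._ip_hits[ip]
        while hits and hits[0] <= now - self.ip_window:
            hits.popleft()                     # drop attempts outside the window
        if len(hits) >= self.ip_limit:
            return "rate_limited"
        hits.append(now)

        if self._locked_until.get(account, 0) > now:
            return "locked"

        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "allow"

        self._failures[account] += 1
        if self._failures[account] >= self.account_limit:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "denied"


def run_scenarios():
    """Two constructed attack streams against one guard instance."""
    guard = LoginGuard()
    # Scenario A: one address sends 12 wrong passwords for "bob", one per second.
    single_ip = [guard.attempt("203.0.113.5", "bob", False, now=t) for t in range(12)]
    # Scenario B: six addresses each try "alice" once, then alice herself
    # logs in with the right password during and after the lockout.
    distributed = [guard.attempt(f"198.51.100.{i}", "alice", False, now=100 + i)
                   for i in range(1, 7)]
    distributed.append(guard.attempt("192.0.2.10", "alice", True, now=200))
    distributed.append(guard.attempt("192.0.2.10", "alice", True, now=1100))
    return single_ip, distributed


if __name__ == "__main__":
    a, b = run_scenarios()
    print("single-IP burst :", a)
    print("distributed spray:", b)
```

In scenario A the account locks on the fifth failure and the IP window closes on the eleventh attempt; in scenario B no single address exceeds the per-IP limit, yet the account still locks after five failures, and the legitimate user is refused until the lockout expires. That last outcome is the known cost of lockout, since an attacker who knows usernames can lock victims out deliberately, which is why the recommendation pairs it with CAPTCHA, device fingerprinting and multi-factor authentication rather than relying on it alone.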
Situational Awareness – Cyber News
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.





For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.
