Emerging Threat Alert: ShadowSyndicate
Cybersecurity experts have exposed a new cybercrime entity named ShadowSyndicate (formerly Infra Storm), which may have harnessed up to seven different ransomware families in the past year.
Diverse Ransomware Arsenal:
ShadowSyndicate, an actor in operation since July 16, 2022, is linked to ransomware activities associated with Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. They also employ off-the-shelf post-exploitation tools and loaders to maximize their reach.
Global Reach and Impact:
This threat actor has left the same distinctive SSH fingerprint on 85 servers, 52 of which act as command-and-control (C2) servers for Cobalt Strike. The servers are scattered worldwide, with Panama, Cyprus, Russia, Seychelles, Costa Rica, and other countries hosting these nodes.
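The clustering above rests on SSH host key fingerprints: a host key reused across servers yields the same fingerprint on each of them, so defenders can compare fingerprints collected from their own scans or logs against a watchlist. The following is an added example, not code from the original alert or from the researchers; it computes OpenSSH-style SHA256 and MD5 fingerprints from a public-key line and checks them against a watchlist. The key and the watchlist entries are constructed, and the placeholder stands in for a fingerprint taken from a real report.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public-key line ('type base64 [comment]')."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    # The blob's first SSH string must match the declared key type.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != parts[0]:
        raise ValueError("key type mismatch between text and blob")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64 of SHA-256 over the blob, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy 'MD5:' fingerprint: colon-separated hex bytes of MD5 over the blob."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def match_watchlist(blob: bytes, watchlist) -> bool:
    """True if either fingerprint form of this host key appears on the watchlist."""
    return fingerprint_sha256(blob) in watchlist or fingerprint_md5(blob) in watchlist


# Constructed sample: an ed25519 host key with a fixed 32-byte public value (not a real key).
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-host"

# Constructed watchlist: in practice this holds fingerprints published in a threat report.
WATCHLIST = {
    fingerprint_sha256(SAMPLE_BLOB),
    "SHA256:PLACEHOLDER_FINGERPRINT_FROM_REPORT",
}
```

Host key lines in this format come from `ssh-keyscan` output or `known_hosts` files, so the same functions can be run over a batch of collected keys.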
Infrastructure Overlaps:
ShadowSyndicate’s connection to TrickBot, Ryuk/Conti, FIN7, and TrueBot operations raises concerns. Overlaps in the infrastructure used by these groups suggest potential collaboration between them.
International Actions:
While this revelation unfolds, German authorities are actively targeting actors linked to DoppelPaymer ransomware. The ongoing threat landscape also includes the evolving double extortion actor, Snatch (formerly Team Truniger), highlighted by a joint FBI and CISA advisory.