
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Targeted Industries: Consumer Services, Business Services, Financial Services
Targeted Countries: France, South Africa
Introduction:
CYFIRMA Research and Advisory Team has found Prinz Eugen Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Prinz Eugen Ransomware
Researchers identified Prinz Eugen as a modern ransomware strain developed in the Go programming language that focuses on encrypting victim data and disrupting business operations. Once executed, it recursively scans directories, encrypts files, and appends the .prinzeugen extension to the affected data, rendering files inaccessible without the corresponding decryption key. Unlike many ransomware families, it does not generate a ransom note on the compromised system; instead, it relies on external communication channels for extortion. This approach reduces on-disk artifacts and can complicate incident response efforts.

Screenshot: File encrypted by the ransomware (Source: Surface Web)
The malware employs the ChaCha20-Poly1305 authenticated encryption algorithm, providing both confidentiality and integrity protection for encrypted files. Each file is encrypted using unique cryptographic values, preventing the compromise of one file from assisting in the recovery of others. The ransomware processes files in parallel using multiple execution threads, allowing it to encrypt large volumes of data efficiently. It also prioritizes recently modified files, increasing the operational impact on victims by targeting active and business-critical data first.

Screenshot: The appearance of Prinz Eugen’s DLS Site (Source: Surface Web)
Prinz Eugen incorporates several anti-forensic features designed to hinder investigation and recovery. After completing encryption, it can securely remove original files and perform self-deletion to reduce evidence left on the system. The malware also clears sensitive cryptographic material from memory before terminating, making forensic extraction of encryption keys significantly more difficult. Due to its strong encryption design and operational safeguards, recovery of encrypted data is generally not feasible without a valid decryptor or unaffected backups, making prevention, detection, and backup strategies critical defenses against this threat.
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1129 | Shared Modules |
| Execution | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1055 | Process Injection |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1018 | Remote System Discovery |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1055 | Process Injection |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Stealth | T1574 | Hijack Execution Flow |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA assesses that Prinz Eugen is positioned to evolve into a more advanced and operationally mature ransomware threat. Although the current variant already demonstrates the use of strong cryptographic routines, anti-forensic capabilities, and a streamlined execution workflow, future iterations are likely to incorporate additional features that increase both the scale and effectiveness of attacks. These enhancements may include automated network reconnaissance, privilege escalation, lateral movement, and more efficient targeting of critical assets within compromised environments. Such capabilities would enable attackers to accelerate the attack lifecycle, reduce the need for manual intervention, and maximize operational disruption before defensive measures can be deployed.
The ransomware’s existing emphasis on stealth and artifact reduction indicates a strong focus on evading detection and complicating forensic investigations. Future versions may further strengthen these capabilities through advanced obfuscation techniques, improved memory protection mechanisms, encrypted configuration storage, and more sophisticated methods for disabling or bypassing endpoint security solutions. The continued use of delayed execution and self-deletion functionality suggests that the developers are actively considering methods to hinder automated analysis, and future variants may incorporate additional sandbox-evasion and anti-debugging features to further frustrate security researchers and incident responders.
Furthermore, the use of the Go programming language provides significant flexibility for future development, enabling the malware to be adapted more easily for deployment across diverse operating environments. While current activity is primarily associated with Windows systems, future variants may expand their targeting to include Linux-based servers, virtualized infrastructure, and cloud-hosted workloads. The ransomware may also adopt fileless execution techniques, credential harvesting capabilities, and abuse of legitimate administrative utilities to blend malicious activity with normal system operations. As the threat actors continue refining their tooling, infrastructure, and operational procedures, Prinz Eugen has the potential to develop into a highly adaptable ransomware platform capable of conducting large-scale, multi-stage intrusion campaigns against organizations across multiple industries and geographic regions.
Sigma rules:
title: Suspicious Ping/Del Command Combination
description: Detects a method often used by ransomware. This combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. It's used to hide the file responsible for the initial infection, for example
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_count:
        CommandLine|contains|windash: ' -n '
    selection_nul:
        CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
    selection_del_param:
        CommandLine|contains|windash:
            - ' -f '
            - ' -q '
    selection_all:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'del '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
(Source: Surface Web)
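To show how the four selections of the Sigma rule above combine on real-looking telemetry, the following Python script is an added example (not CYFIRMA's code and not part of the rule) that evaluates the rule's logic over constructed process_creation events. It assumes Sigma's default case-insensitive `contains` semantics and expands the `windash` modifier into the dash variants Sigma documents (`-`, `/`, en dash, em dash); the command lines are invented for the test and are not observed samples.

```python
# Added example: evaluate the "Suspicious Ping/Del Command Combination" Sigma
# rule over constructed process_creation events. Not CYFIRMA's code.

# windash: Sigma expands a '-' in the pattern into these dash variants (assumed
# per the Sigma modifier spec).
DASHES = ["-", "/", "\u2013", "\u2014"]

# Constructed events, not real telemetry. The first two imitate the
# ping-then-del self-deletion pattern; the last two are benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c ping 127.0.0.1 -n 5 > Nul & del /f /q "C:\\Users\\Public\\loader.exe"'},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ping.exe localhost /n 3 >Nul && del -q -f C:\\temp\\drop.bin"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ping -n 4 8.8.8.8"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c del /f /q C:\\temp\\old.log"},
]


def windash_variants(value):
    """Expand a pattern containing '-' into every dash variant windash implies."""
    return [value.replace("-", d) for d in DASHES]


def contains(haystack, needle):
    """Sigma 'contains' is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def contains_any(haystack, needles):
    return any(contains(haystack, n) for n in needles)


def matches_ping_del_rule(event):
    """Return True when all four selections of the rule match the CommandLine."""
    cmd = event.get("CommandLine", "")
    selection_count = contains_any(cmd, windash_variants(" -n "))
    selection_nul = contains(cmd, "Nul")
    selection_del_param = any(contains_any(cmd, windash_variants(p))
                              for p in (" -f ", " -q "))
    selection_all = all(contains(cmd, s) for s in ("ping", "del "))
    # condition: all of selection_*
    return selection_count and selection_nul and selection_del_param and selection_all


def scan(events):
    """Return the command lines that the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_ping_del_rule(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The second constructed event uses `/n` and `-q -f`, which is why the `windash` expansion matters: a rule that matched only the literal `-n` would miss it. The two benign events fail because `all of selection_*` requires the wait, the output redirection to `Nul`, the forced delete switch, and both `ping` and `del` to be present together.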
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Spyware | Objectives: Credential Theft | Target Technology: Windows | Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “VBV Stealer” is in focus.
Overview of Operation VBV Stealer Malware
The analyzed VBV Stealer malware sample demonstrates characteristics consistent with a sophisticated information-stealing threat designed to covertly collect sensitive data from compromised Windows environments. The malware’s operational behavior indicates a deliberate focus on monitoring user activity, harvesting valuable information, and transmitting collected data to attacker-controlled infrastructure while maintaining a minimal operational footprint. Its primary objective appears to be the acquisition of credentials, personal information, and other sensitive data that could facilitate unauthorized access to user accounts and organizational resources.
Behavioral analysis indicates that the malware possesses the capability to gather multiple categories of user-generated information, including clipboard contents, screen captures, and locally stored credentials. Furthermore, the malware conducts reconnaissance activities to identify browser-related artifacts and cryptocurrency wallet data, highlighting an interest in both conventional account compromise and the theft of digital assets. The use of commonly trusted internet services and standard network communication channels enables the malware to blend with legitimate traffic, thereby reducing the likelihood of immediate detection by security controls.
The malware also exhibits several defense-evasion and anti-forensic characteristics intended to conceal its presence and hinder investigative efforts. Observed behaviors include the removal of files following execution, modification of native system functionality, and the concealment of malicious activities to limit forensic visibility. These mechanisms are designed to prolong the malware’s operational lifespan on compromised systems while reducing indicators that could trigger user suspicion or security monitoring alerts.
Overall, VBV Stealer represents a significant threat to both individual users and enterprise environments due to its ability to collect sensitive information, exfiltrate stolen data, and evade traditional detection mechanisms. The combination of credential theft, user activity surveillance, information gathering, and stealth-oriented functionality suggests that the malware serves as an effective platform for unauthorized access, account compromise, financial theft, and broader malicious operations within affected networks. Any detection of similar activity should be considered a strong indicator of compromise and treated as a high-priority security incident requiring immediate investigation and response.
Attack Method
The VBV Stealer malware follows a structured information-theft lifecycle designed to collect, aggregate, and exfiltrate sensitive data from compromised Windows systems. Upon execution, the malware initializes a series of reconnaissance routines that gather host-specific information, including operating system details, user account information, installed applications, network configuration, and system environment attributes. The malware interacts extensively with native Windows components and dynamically loads legitimate system libraries to facilitate networking, cryptographic operations, and process execution. By leveraging trusted operating system functionality, the malware blends its activity with normal system behavior and reduces the likelihood of immediate detection.
Following initial reconnaissance, the malware transitions into a dedicated data-harvesting phase. Analysis indicates that it searches browser-related directories, user profile locations, and application storage paths for sensitive information. The malware targets stored credentials, authentication tokens, browser cookies, autofill records, browsing sessions, and other locally stored account data. In addition, it performs targeted searches for cryptocurrency wallet artifacts and associated files that may contain digital asset information. To supplement stored data theft, the malware continuously monitors user activity by capturing clipboard contents and collecting screenshots of the victim’s desktop. These capabilities allow the malware to obtain information that may not be stored on disk, including copied passwords, authentication codes, financial data, and active user sessions.
The malware incorporates multiple concealment and anti-analysis mechanisms intended to reduce visibility and complicate security investigations. Behavioral evidence suggests the use of software packing, code obfuscation, and native function modification to hinder reverse engineering and evade signature-based detection. The sample also demonstrates artifact-cleanup functionality by removing files after execution, limiting the amount of forensic evidence available on the compromised host. Additional anti-analysis behavior indicates attempts to interfere with automated examination environments and security monitoring processes, enabling the malware to operate more effectively within real-world victim systems while minimizing exposure.
For data exfiltration, VBV Stealer establishes outbound communications using common internet protocols and services that are typically permitted within enterprise environments. Network activity shows the malware transmitting collected information through encrypted web requests, enabling stolen data to be delivered to attacker-controlled infrastructure while blending into normal network traffic. Rather than relying solely on dedicated command-and-control servers, the malware leverages publicly accessible online services and web-based communication channels to improve operational resilience and reduce infrastructure costs. This communication strategy, combined with its credential theft, activity monitoring, and stealth-oriented capabilities, makes the malware a highly effective spyware threat capable of supporting account compromise, financial theft, unauthorized access, and broader malicious operations.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprise
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1070 | Indicator Removal |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Stealth | T1027 | Obfuscated Files or Information |
| Credential Access | T1056 | Input Capture |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1012 | Query Registry |
| Collection | T1119 | Automated Collection |
| Collection | T1115 | Clipboard Data |
| Collection | T1113 | Screen Capture |
| Collection | T1005 | Data from Local System |
INSIGHTS
ETLM ASSESSMENT
From an ETLM perspective, threats like VBV Stealer are expected to further amplify the risks associated with identity and information theft as organizations continue expanding their reliance on cloud platforms, digital collaboration tools, and browser-based services. The increasing concentration of sensitive corporate and personal data within user accounts may make credential-focused attacks more attractive to cybercriminals, potentially resulting in a higher frequency of unauthorized access incidents and account misuse. As employees become increasingly dependent on interconnected digital ecosystems, the compromise of a single endpoint may have broader implications across business operations, enabling attackers to exploit trusted identities, access sensitive information, and impact organizational productivity, financial stability, and reputation.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule VBVStealer_Behavioral_Detection
{
    meta:
        description = "Detects VBV Stealer variants"
        author = "CYFIRMA"
        date = "2026-06-23"
    strings:
        /* Known Sample Hash */
        $hash_sha256 = "f993630f802c3958c1ed9f5e8f1f09ab8c568a55c26658172105eabf20d3080b"
        /* Discord Webhook Communication */
        $c2_1 = "canary.discord.com/api/webhooks"
        $c2_2 = "discord.com/api/webhooks"
        /* Browser Credential Collection */
        $cred_1 = "Login Data"
        $cred_2 = "Cookies"
        $cred_3 = "Web Data"
        $cred_4 = "Local State"
        /* Clipboard and Screenshot Collection */
        $collect_1 = "OpenClipboard"
        $collect_2 = "GetClipboardData"
        $collect_3 = "BitBlt"
        $collect_4 = "CreateCompatibleBitmap"
        /* Anti-Analysis Functions */
        $anti_1 = "IsDebuggerPresent"
        $anti_2 = "CheckRemoteDebuggerPresent"
        $anti_3 = "NtQueryInformationProcess"
        /* File Cleanup / Evidence Removal */
        $cleanup_1 = "DeleteFileW"
        $cleanup_2 = "RemoveDirectoryW"
    condition:
        uint16(0) == 0x5A4D and (
            $hash_sha256 or (
                1 of ($c2_*) and
                2 of ($cred_*) and
                2 of ($collect_*) and
                1 of ($anti_*) and
                1 of ($cleanup_*)
            )
        )
}
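The Attack Method section notes that VBV Stealer exfiltrates through publicly accessible web services rather than dedicated C2, and the YARA rule's `$c2_*` strings name Discord webhook endpoints as the channel. Host-based string matching only helps once a sample is in hand; the network side can be watched independently. The following Python script is an added example (not CYFIRMA's code) that flags webhook POSTs in a constructed, pipe-delimited proxy log. The log format, the 32 KiB "large upload" threshold, and the "non-browser User-Agent" heuristic are assumptions for the example; only the two Discord hostnames and the `/api/webhooks/` path come from the rule above.

```python
# Added example: flag data pushed to Discord webhooks in a constructed proxy log.
# Not CYFIRMA's code; log format and thresholds are assumptions.
from collections import defaultdict
from urllib.parse import urlparse

# Hostnames and path taken from the YARA rule's $c2_* strings.
WEBHOOK_HOSTS = {"discord.com", "canary.discord.com"}
WEBHOOK_PATH = "/api/webhooks/"
LARGE_UPLOAD_BYTES = 32 * 1024  # assumed: a client upload this big is unusual for chat

# Constructed proxy log, not real telemetry.
# Fields: timestamp | client IP | method | URL | bytes sent by client | User-Agent
PROXY_LOG = """\
2026-06-23T10:01:12Z|10.20.1.15|GET|https://discord.com/app|512|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2026-06-23T10:03:40Z|10.20.1.15|POST|https://discord.com/api/webhooks/1234567890/AbCdEf|48213|python-requests/2.31
2026-06-23T10:03:41Z|10.20.1.15|POST|https://canary.discord.com/api/webhooks/1234567890/AbCdEf|95120|python-requests/2.31
2026-06-23T10:05:02Z|10.20.1.22|POST|https://discord.com/api/v9/channels/42/messages|1800|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2026-06-23T10:06:30Z|10.20.1.30|POST|https://discord.com/api/webhooks/987/xyz|2048|Mozilla/5.0 (Windows NT 10.0) discord/1.0.9
"""


def parse_line(line):
    """Split one constructed proxy record into a dict."""
    ts, client, method, url, bytes_out, ua = line.split("|", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "bytes_out": int(bytes_out), "ua": ua}


def is_webhook_post(rec):
    """True for a POST whose host and path match the webhook endpoints."""
    u = urlparse(rec["url"])
    return (rec["method"] == "POST"
            and u.hostname in WEBHOOK_HOSTS
            and u.path.startswith(WEBHOOK_PATH))


def classify(rec):
    """Escalate when the sender is not a browser or the upload is large."""
    non_browser = not rec["ua"].startswith("Mozilla/")
    large = rec["bytes_out"] >= LARGE_UPLOAD_BYTES
    return "high" if (non_browser or large) else "medium"


def detect(log_text):
    """Return (findings, bytes pushed to webhooks per client)."""
    findings = []
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_webhook_post(rec):
            per_client[rec["client"]] += rec["bytes_out"]
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "severity": classify(rec), "url": rec["url"]})
    return findings, dict(per_client)


if __name__ == "__main__":
    hits, totals = detect(PROXY_LOG)
    for h in hits:
        print(f"{h['severity'].upper():6} {h['ts']} {h['client']} -> {h['url']}")
    print("bytes to webhooks per client:", totals)
```

The ordinary Discord API call on the fourth line is deliberately not flagged: the path distinguishes webhook pushes from normal chat traffic, and that is what keeps the check usable where Discord is permitted. The per-client byte total is the triage aid; a workstation that has pushed well over a hundred kilobytes to webhooks from a scripting User-Agent is the host to pull for the host-side artifacts the YARA rule looks for.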
Strategic Recommendations
Management Recommendations
Tactical Recommendations
Key Intelligence Signals:
ShinyHunters: Operational Shift Toward Identity and Access Exploitation
About the Threat Actor
ShinyHunters is a financially motivated cybercriminal group that has been linked to multiple high-profile data breaches involving the theft and unauthorized disclosure of sensitive information. The group is known for monetizing compromised data through sales and distribution on underground cybercriminal marketplaces and dark web forums.
Recent reporting also suggests potential operational overlaps between ShinyHunters, LAPSUS$, and Scattered Spider, indicating the emergence of a highly adaptive cybercrime ecosystem. Such collaboration may enhance operational flexibility, resource sharing, and attack scalability, increasing the collective threat posed to organizations globally.
Details on Exploited Vulnerabilities
| CVE ID | Affected Products | CVSS Score | Exploit Links |
|---|---|---|---|
| CVE-2025-31324 | SAP | 9.8 | – |
| CVE-2024-6387 | OpenSSH server | 8.1 | link1, link2 |
| CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | 9.8 | – |
TTPs based on MITRE ATT&CK Framework
| Tactic | ID | Technique |
|---|---|---|
| Reconnaissance | T1591.002 | Gather Victim Org Information: Business Relationships |
| Reconnaissance | T1590.006 | Gather Victim Network Information: Network Security Appliances |
| Resource Development | T1586.003 | Compromise Accounts: Cloud Accounts |
| Resource Development | T1650 | Acquire Access |
| Initial Access | T1566.004 | Phishing: Spearphishing Voice |
| Initial Access | T1199 | Trusted Relationship |
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts |
| Persistence | T1098.001 | Account Manipulation: Additional Cloud Credentials |
| Persistence | T1078 | Valid Accounts |
| Persistence | T1078.004 | Valid Accounts: Cloud Accounts |
| Persistence | T1136.003 | Create Account: Cloud Account |
| Persistence | T1556.006 | Modify Authentication Process: Multi-Factor Authentication |
| Privilege Escalation | T1098.001 | Account Manipulation: Additional Cloud Credentials |
| Privilege Escalation | T1078 | Valid Accounts |
| Privilege Escalation | T1078.004 | Valid Accounts: Cloud Accounts |
| Privilege Escalation | T1484.002 | Domain or Tenant Policy Modification: Trust Modification |
| Stealth | T1078 | Valid Accounts |
| Stealth | T1078.004 | Valid Accounts: Cloud Accounts |
| Defense Impairment | T1484.002 | Domain or Tenant Policy Modification: Trust Modification |
| Defense Impairment | T1556.006 | Modify Authentication Process: Multi-Factor Authentication |
| Credential Access | T1621 | Multi-Factor Authentication Request Generation |
| Credential Access | T1539 | Steal Web Session Cookie |
| Credential Access | T1528 | Steal Application Access Token |
| Credential Access | T1111 | Multi-Factor Authentication Interception |
| Credential Access | T1110.004 | Brute Force: Credential Stuffing |
| Credential Access | T1556.006 | Modify Authentication Process: Multi-Factor Authentication |
| Lateral Movement | T1550.001 | Use Alternate Authentication Material: Application Access Token |
| Lateral Movement | T1550.004 | Use Alternate Authentication Material: Web Session Cookie |
| Collection | T1213.003 | Data from Information Repositories: Code Repositories |
| Collection | T1530 | Data from Cloud Storage |
| Collection | T1119 | Automated Collection |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Latest Developments Observed
The threat actor is assessed to be targeting organizations across the Education, Healthcare, Retail, Healthcare Equipment, and Hospitality sectors in the UK, US, and Japan through a recent campaign focused on identity-centric attack vectors. The observed tactics indicate a shift from conventional perimeter-based intrusions to the exploitation of identities, authentication workflows, SaaS integrations, and trusted access mechanisms, leveraging stolen credentials, compromised OAuth tokens, social engineering, vishing, and abuse of legitimate privileges.
The campaign’s strategic objective appears to be the unauthorized acquisition and exfiltration of sensitive business and customer information, enabling potential espionage, financial gain, and sustained access to targeted environments while minimizing the likelihood of detection through the use of legitimate authentication channels.
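The identity-centric techniques described above (new MFA methods, added cloud credentials, OAuth consent grants, trust modification) all leave entries in an identity provider's audit log. The following Python script is an added example (not CYFIRMA's code) of the correlation a detection engineer would write for them: it maps sensitive audit actions to the technique IDs in the TTP table above and escalates any such action that follows a "new device" sign-in by the same account within a short window. The JSON event schema, the action names, the 30-minute window, and the account names are assumptions constructed for the example, not a real vendor format.

```python
# Added example: correlate identity-provider audit events with the ATT&CK
# techniques in the table above. Not CYFIRMA's code; the event schema,
# action names and window are assumptions.
import json
from datetime import datetime, timedelta

# Sensitive audit actions mapped to technique IDs from the TTP table.
SENSITIVE_ACTIONS = {
    "mfa.method.added": ("T1556.006", "Modify Authentication Process: Multi-Factor Authentication"),
    "oauth.consent.granted": ("T1528", "Steal Application Access Token"),
    "app.credential.added": ("T1098.001", "Account Manipulation: Additional Cloud Credentials"),
    "account.created": ("T1136.003", "Create Account: Cloud Account"),
    "tenant.trust.modified": ("T1484.002", "Domain or Tenant Policy Modification: Trust Modification"),
}
NEW_DEVICE_WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed JSON-lines audit log, not real telemetry.
AUDIT_LOG = """\
{"ts":"2026-06-23T08:12:00Z","actor":"j.doe","src_ip":"203.0.113.44","action":"session.login","detail":"new device, MFA push approved"}
{"ts":"2026-06-23T08:14:30Z","actor":"j.doe","src_ip":"203.0.113.44","action":"mfa.method.added","detail":"authenticator app registered"}
{"ts":"2026-06-23T08:16:05Z","actor":"j.doe","src_ip":"203.0.113.44","action":"oauth.consent.granted","detail":"third-party app: offline_access mail.read files.read"}
{"ts":"2026-06-23T08:20:00Z","actor":"j.doe","src_ip":"203.0.113.44","action":"app.credential.added","detail":"client secret added to service principal"}
{"ts":"2026-06-23T09:40:00Z","actor":"admin.k","src_ip":"198.51.100.7","action":"tenant.trust.modified","detail":"federated domain added"}
{"ts":"2026-06-23T11:05:00Z","actor":"m.lee","src_ip":"192.0.2.10","action":"session.login","detail":"known device"}
{"ts":"2026-06-23T15:30:00Z","actor":"m.lee","src_ip":"192.0.2.10","action":"mfa.method.added","detail":"hardware key registered"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def recent_new_device_login(events, actor, before, window=NEW_DEVICE_WINDOW):
    """Return the actor's 'new device' sign-in inside the window before 'before', if any."""
    for ev in events:
        if (ev["actor"] == actor and ev["action"] == "session.login"
                and "new device" in ev["detail"]
                and before - window <= ev["ts"] <= before):
            return ev
    return None


def analyze(text):
    """Produce one finding per sensitive action, escalated when it follows a new-device login."""
    events = parse_events(text)
    findings = []
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        tid, tname = SENSITIVE_ACTIONS[ev["action"]]
        login = recent_new_device_login(events, ev["actor"], ev["ts"])
        # Trust modification is assumed high-severity on its own.
        severity = "high" if (login is not None or ev["action"] == "tenant.trust.modified") else "medium"
        findings.append({"ts": ev["ts"].isoformat(), "actor": ev["actor"], "src_ip": ev["src_ip"],
                         "action": ev["action"], "technique": tid, "name": tname,
                         "severity": severity,
                         "preceded_by_new_device_login": login is not None})
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(AUDIT_LOG)
    for f in results:
        print(f"{f['severity'].upper():6} {f['ts']} {f['actor']:8} {f['technique']:10} {f['action']}")
    print(summary(results))
```

The constructed `j.doe` sequence (new-device sign-in, then a new MFA method, an OAuth consent and a service-principal secret within eight minutes) is the shape of the post-vishing takeover the section describes; each step alone looks like routine self-service, so the window-based correlation is what lifts them to high severity. The `m.lee` hardware-key registration hours after a known-device sign-in stays medium, which is the behaviour you want if the alert is to survive a real user base.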
ETLM Insights
ShinyHunters is a financially motivated cybercriminal threat actor primarily focused on the unauthorized acquisition, monetization, and distribution of sensitive data from targeted organizations. The group has been associated with large-scale data breach operations, leveraging compromised information to support extortion, illicit sales, and other financially driven activities within underground criminal ecosystems. The threat actor demonstrates a strong focus on identity-centric intrusion activity, frequently leveraging social engineering, credential compromise, and abuse of trusted access mechanisms to gain unauthorized access to enterprise environments. Its operational approach reflects an increasing reliance on legitimate platforms, cloud services, and authentication workflows to facilitate access while reducing the likelihood of detection.
The actor’s activities demonstrate:
The threat actor has also demonstrated operational overlap with other financially motivated cybercriminal groups, including LAPSUS$ and Scattered Spider, potentially benefiting from shared infrastructure, resources, and attack methodologies.
Looking ahead, threat actors are expected to continue refining identity-based attack techniques, expanding their use of legitimate cloud and SaaS environments, and increasing reliance on social engineering-driven access operations. This evolving operational model positions the group as a persistent cybercriminal threat capable of creating sustained exposure through unauthorized access, large-scale data compromise, and theft of sensitive information across multiple sectors.
YARA Rules
rule TA_Unknown_Infra_and_CVE_References
{
    meta:
        description = "Detects indicators associated with observed campaign infrastructure"
        author = "CYFIRMA"
        date = "2026-06-23"
        version = "1.0"
    strings:
        $domain1 = "havenly.com" nocase
        $domain2 = "promo.com" nocase
        $cve1 = "CVE-2026-35273" ascii wide
        $cve2 = "CVE-2024-6387" ascii wide
        $cve3 = "CVE-2025-31324" ascii wide
    condition:
        any of ($domain*) or any of ($cve*)
}
Strategic Recommendations
Management Recommendations
Tactical Recommendations
UK Cyber Chief’s Warning on Hostile States Behind
Britain is already fighting the opening exchanges of future conflicts in cyberspace, according to the National Cyber Security Centre (NCSC). In the year to May, the agency handled over 200 incidents affecting critical national infrastructure, with roughly 75% traced back to state actors rather than criminal hackers. The agency warned that adversaries are currently “prepositioning” inside British systems to enable rapid exploitation and mass disruption during future conflicts. NCSC cited the Chinese state-linked Volt Typhoon campaign against U.S. infrastructure as a prime example, noting that intelligence gathered today will dictate kinetic targeting tomorrow.
Marking a notable departure from traditional cybersecurity vocabulary, the agency warned that the digital domain should no longer be treated as a “risk” to be managed, but as a “contest” to be fought. This aligns the UK with NATO and U.S. Cyber Command, which view cyberspace as a permanently contested environment where steady, sub-threshold attacks yield strategically consequential effects.
ETLM Assessment:
As noted in previous CYFIRMA reports, the threat is only expected to intensify. It is highly likely that no later than 2027, artificial intelligence tools will be used to exploit known vulnerabilities in aging critical infrastructure. As noted by both NCSC and CYFIRMA, the days of separate peace and conflict are over; we are now in an era of permanent greyzone conflict with cyber as its first line of defense.
The US and Europe discuss access to AI models after weaponization fears
The US and Europe are discussing a “trusted partner” framework for cutting-edge AI models. The proposal follows a Trump administration decision to ban AI safety startup Anthropic from supplying its latest models to foreign customers on national security grounds. The US Commerce Department raised the proposal with European diplomats on the sidelines of the G7 summit in France. The initiative – which would grant close allies privileged access to frontier AI – is set for formal debate by leaders and tech executives at the Evian-les-Bains summit.
Meanwhile, the cyber chiefs of the Five Eyes intelligence alliance have warned that the West’s artificial intelligence-armed adversaries may develop attacks capable of overwhelming government and corporate defenses within months. While the US-led alliance – which also includes the UK, Canada, New Zealand, and Australia – notes that Western military and espionage capabilities currently hold an advantage due to the rapid commercial integration of AI, they cautioned that this lead is fragile. “The timeline is not years; it is months,” the joint communiqué stated. The warning arrives just a week after the US government ordered Anthropic to block foreign nationals from accessing its most sophisticated AI models, designating their export as a national security risk. The Five Eyes statement acknowledged that these “frontier models” fundamentally transform both offensive and defensive cyber capabilities.
ETLM Assessment:
Without naming specific adversaries like China or Russia, the statement serves as a direct call to action for organizations to prepare for a wave of AI-engineered threats. Cybersecurity professionals are already encountering highly sophisticated, automated attacks capable of striking multiple targets simultaneously.
The joint warning follows a familiar pattern of asking private corporations to shoulder the burden of defending against well-resourced state adversaries. However, the cyber chiefs specifically urged Western companies to adopt AI models to strengthen their own perimeters, effectively outlining a digital arms race.
“Organisations that integrate AI tools into their security operations [will be safer],” the chiefs warned. “Those who delay will face growing and avoidable risk.” The communiqué stopped short of clarifying what Western governments themselves are doing to mitigate the threat; the UK’s National Cyber Security Centre did not immediately comment on its specific defensive measures.
SafePay Ransomware Impacts a Construction Company from Japan
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Japan was compromised by SafePay Ransomware. The compromised company is a Japanese construction company headquartered in Edogawa City, Tokyo. Established in 2020, the company specializes in public infrastructure and civil engineering projects, serving the Tokyo metropolitan area and neighboring prefectures primarily. Its business activities focus on the development and maintenance of essential social infrastructure, including river works, bridge construction, foundation engineering, water supply systems, and other government-related construction projects. The company provides a broad range of services encompassing general civil engineering, public works, private-sector construction projects, and construction management. It is involved in all stages of project execution, from planning and site supervision to quality control and safety management. The company emphasizes high technical standards and employs experienced engineers capable of responding to diverse construction requirements. Examples of completed projects include bridge works, river improvement projects, water gates, and infrastructure facilities throughout the Tokyo region. Based on the exposed directory listing shown in the image, the ransomware operators appear to have accessed and potentially exfiltrated data from multiple directories, including user-related files, general data repositories, and several folders with non-standard or corrupted character names that may contain documents, databases, configuration files, business records, or other sensitive information. The exposure of these directories suggests that internal organizational data, employee-related information, operational files, and potentially confidential business documents were compromised during the incident.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, SafePay represents a sophisticated, fast-moving ransomware threat capitalizing on VPN weaknesses and credential theft, employing effective double extortion tactics to maximize ransom payments. Organizations, especially in highly targeted sectors and regions, must prioritize layered defenses and active hunting for early detection.
The Gentlemen Ransomware Impacts an Information Technology Services Company from Thailand
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) in the dark web that a company from Thailand was compromised by The Gentlemen Ransomware. The compromised company is a leading Thai technology provider established in 1971 and headquartered in Bangkok. Evolving from an automotive air-conditioning distributor, they are now a premier supplier of heavy-duty climate systems, smart home automation, and professional audio-visual solutions. The company delivers comprehensive consulting, design, and installation services for commercial projects and government facilities across Thailand. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:


ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
Vulnerability in Fortra Core Privileged Access Manager (BoKS)
Relevancy & Insights:
The vulnerability exists due to improper input validation within the boks_autoregisterd daemon when handling auto-registration events.
Impact:
A remote unauthenticated attacker can send specially crafted packets to port 6507 and execute arbitrary OS commands on the system with the privileges of the service during the auto-registration processing.
Affected Products:
https[:]//www[.]Fortra[.]com/security/advisories/product-security/fi-2026-007
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
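The exposure described above is reached over the network on port 6507, so one concrete form of the monitoring recommendation is to audit who is actually connecting to that port on the BoKS master. The following Python script is an added example (not CYFIRMA's or Fortra's code) that reads a constructed connection log, reports connections to TCP 6507 from sources outside the ranges expected to auto-register, and flags bursts from a single source. The log format, the expected source range `10.50.0.0/24`, the burst threshold, and all addresses are assumptions made for the example.

```python
# Added example: audit inbound connections to the BoKS auto-registration port in a
# constructed connection log. Not CYFIRMA's or Fortra's code; ranges and thresholds are assumptions.
import ipaddress

BOKS_PORT = 6507  # port named in the advisory summary above
# Assumed: only hosts in these ranges are expected to auto-register with the BoKS master.
EXPECTED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]
BURST_THRESHOLD = 3  # assumed: this many hits from one source in the log window is a burst

# Constructed connection log, not real telemetry.
# Fields: timestamp src_ip dst_ip dst_port proto action
FLOW_LOG = """\
2026-06-23T02:10:05Z 10.50.0.21 10.50.0.5 6507 tcp allow
2026-06-23T02:11:40Z 10.50.1.8 10.50.0.5 6507 tcp allow
2026-06-23T02:12:02Z 203.0.113.77 10.50.0.5 6507 tcp allow
2026-06-23T02:12:03Z 203.0.113.77 10.50.0.5 6507 tcp allow
2026-06-23T02:12:04Z 203.0.113.77 10.50.0.5 6507 tcp allow
2026-06-23T02:13:00Z 10.50.0.21 10.50.0.5 22 tcp allow
"""


def parse_flow(line):
    """Split one constructed flow record into a dict."""
    ts, src, dst, port, proto, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dst_port": int(port),
            "proto": proto, "action": action}


def is_expected(src):
    """True when the source address falls inside an expected registration range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED_SOURCES)


def audit(log_text):
    """Return unexpected 6507 connections and per-source bursts."""
    unexpected = []
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dst_port"] != BOKS_PORT or f["proto"] != "tcp":
            continue
        counts[f["src"]] = counts.get(f["src"], 0) + 1
        if not is_expected(f["src"]):
            unexpected.append(f)
    bursts = {src: n for src, n in counts.items() if n >= BURST_THRESHOLD}
    return {"unexpected": unexpected, "bursts": bursts}


if __name__ == "__main__":
    report = audit(FLOW_LOG)
    for f in report["unexpected"]:
        print(f"UNEXPECTED {f['ts']} {f['src']} -> {f['dst']}:{f['dst_port']}")
    print("bursts:", report["bursts"])
```

The source allowlist is the check that matters most here: a privileged-access manager's registration port has no business being reachable from outside the ranges where managed hosts live, and any hit from elsewhere is worth a ticket on its own, independent of whether the advisory's patch has been applied yet. The burst count is a secondary signal for repeated probing from one address.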
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Fortra Core Privileged Access Manager (BoKS) introduces significant risks to organizations that rely on privileged access management solutions to secure administrative accounts, enforce access controls, and protect critical infrastructure. As Fortra Core Privileged Access Manager is widely used to manage privileged credentials and control access to sensitive systems, exploitation of this vulnerability could allow attackers to gain unauthorized control over privileged environments and compromise critical organizational assets. A successful attack against privileged access management infrastructure may result in unauthorized access to sensitive resources, disruption of security controls, and increased risk of further compromise across interconnected systems. Organizations leveraging privileged access management solutions must ensure timely patching, continuous monitoring, and secure configuration practices to mitigate the risk of exploitation. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and security of privileged access management environments and enterprise identity security infrastructures.
World Leaks Ransomware attacked and published the data of a Manufacturing company from India
Summary:
Recently, we observed that World Leaks Ransomware attacked and published the data of a Manufacturing company from India on its dark web website. The compromised company is a leading manufacturer of PVC pipes and fittings in India, offering a diverse range of products, including plumbing systems, agricultural pipes, water tanks, and bath fittings. With over 35 years of experience, the company serves various sectors, such as agriculture, industrial, and residential markets, ensuring high-quality and durable solutions. It is committed to innovation and customer satisfaction, boasting a strong distribution network and a large manufacturing capacity. The company aims to become a global leader in plastic piping systems while actively contributing to social welfare through its initiatives. Based on the information exposed on the ransomware leak portal, the threat actors claim to have obtained approximately 1.3 TB of data comprising more than 927,000 files from multiple internal file servers and departmental repositories. The exposed directory structure suggests the compromise of corporate documents, operational records, project files, employee-related information, quality management data, research and development materials, administrative records, shared network resources, and other business-critical files stored across various organizational systems. The presence of multiple server directories indicates broad access to the internal network environment, potentially exposing confidential business information, technical documentation, financial records, internal communications, and proprietary operational data. The publication of the file inventory demonstrates a significant data exfiltration event, increasing the risk of sensitive information disclosure, regulatory consequences, reputational damage, and further malicious exploitation.

Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, World Leaks Ransomware represents an emerging and adaptive threat within the cybersecurity landscape, particularly due to its focus on data exfiltration, double-extortion tactics, and targeting of organizations across multiple sectors. The group leverages sophisticated intrusion techniques and publicly exposes stolen data to increase pressure on victims, amplifying both financial and reputational damage. Organizations must strengthen their cybersecurity posture by implementing robust incident response strategies, enforcing strict access controls, and enhancing employee awareness to detect phishing and social engineering attempts. Continuous monitoring, timely patch management, and proactive threat intelligence are critical to mitigating risks and defending against the evolving tactics employed by World Leaks Ransomware.
Customer and Transaction Data Advertised on a Leak Site
Summary:
The CYFIRMA research team identified a post on a dark web forum advertising the sale of allegedly compromised customer and transaction data belonging to an e-commerce organization operating in the United Arab Emirates. According to the post, the dataset contains approximately 9,885 records and appears to consist of customer information, order details, payment-related data, and shipping records collected through the organization’s online sales platform.
Based on the sample data shared by the actor, the exposed information may include customer names, email addresses, phone numbers, billing and shipping addresses, order identifiers, purchase dates, transaction values, order status information, shipping details, payment methods, refund records, and product purchase information. The dataset also appears to contain customer segmentation data and additional order-processing metadata that could provide insights into purchasing behavior and business operations.
If authentic, the exposure of this information could enable identity theft, phishing campaigns, financial fraud, account compromise attempts, and targeted social engineering attacks against affected customers. The incident may also expose the organization to regulatory scrutiny, legal liabilities, reputational damage, and loss of customer trust. At the time of reporting, the authenticity of the leaked dataset remains unverified, as the claims are based solely on information published on the underground forum and have not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA research team identified a post on a dark web forum advertising an allegedly compromised database belonging to an Indian food delivery and restaurant management platform. According to the forum post, the exposed dataset was obtained through unauthorized access to an administrative interface and contains a combination of customer, restaurant, order, promotional, and platform-related information.
The actor claims that the leak consists of multiple database files containing operational and customer records. Based on the information provided in the post, the dataset includes user information, restaurant records, order details, promotional code data, brand-related information, and administrative configuration files.
According to the actor, the leaked dataset includes:
The actor also shared sample records allegedly extracted from the database, which appear to contain customer account information, order-related details, and platform operational data. The exposed records suggest that both customer and business-related information may have been affected by the incident.
If authentic, the leaked information could be leveraged for phishing attacks, account takeover attempts, identity theft, financial fraud, and targeted social engineering campaigns. The exposure of authentication-related data and operational records may further increase the risk of unauthorized access to user accounts and business systems.
The incident could result in significant reputational damage, regulatory scrutiny, customer trust erosion, and potential financial losses for the affected organization. At the time of reporting, the authenticity and completeness of the leaked dataset remain unverified, as the claims are based solely on information published on the underground forum and have not been independently confirmed.

Source: Underground Forums
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.