Threat Intelligence Report – The NightSpire Ransomware Group

The NightSpire ransomware group emerged in early 2025 and has rapidly targeted small to medium-sized enterprises by exploiting known vulnerabilities. They use a double extortion model, demanding ransoms after exfiltrating data. Affected countries: United States, Canada, India, Germany, Italy, Australia, Japan, Singapore, United Kingdom, France, Taiwan, Mexico, Brazil, China, Spain, Egypt, Saudi Arabia, Malaysia, Poland, The Netherlands, Austria, Israel, Colombia, Indonesia, Argentina, Ireland, Switzerland, Sweden, Iran, Ukraine, New Zealand, Greece, Turkey, Thailand, South Korea, South Africa, Peru, Portugal, Romania, Luxembourg, Czech Republic, Malta, Jordan, Hungary, Cyprus.

Key points:

  • NightSpire is an emerging ransomware operation that surfaced in early 2025, characterized by operational security lapses.
  • The group targets small to medium-sized enterprises across various sectors.
  • Nations most affected include the United States, Canada, and India, among others.
  • Manufacturing and Business Services are the most targeted industries by NightSpire.
  • They employ a double extortion model, demanding ransoms after exfiltrating data.
  • Exploits known vulnerabilities such as CVE-2024-55591 to gain unauthorised access.
  • Uses tools such as MEGAcmd and WinSCP for data exfiltration.
  • Uses Gmail and Tor-based leak sites to communicate with victims.

MITRE Techniques:

  • Initial Access: Exploit Public-Facing Application (T1190) – Exploitation of CVE-2024-55591 to gain unauthorised access to FortiGate firewalls.
  • Execution: Command and Scripting Interpreter (T1059) – Uses PowerShell and Batch script execution to deploy ransomware payloads.
  • Persistence: Scheduled Task/Job (T1053) – Creates scheduled tasks to ensure persistence across system reboots.
  • Privilege Escalation: Exploitation for Privilege Escalation (T1068) – Leverages system vulnerabilities to gain higher privileges.
  • Defence Evasion: Obfuscated Files or Information (T1027) – Employs obfuscation techniques to evade detection.
  • Credential Access: OS Credential Dumping (T1003) – Extracts credentials using tools like Mimikatz.
  • Lateral Movement: Remote Services (T1021) – Moves laterally using SMB, RDP, and PsExec with valid credentials.
  • Impact: Data Encrypted for Impact (T1486) – Encrypts data using symmetric encryption algorithms.
  • Exfiltration: Exfiltration Over Web Service (T1567.002) – Transfers stolen data via MEGAcmd and WinSCP to cloud storage.

Indicators of Compromise:

  • [IP Address] 14.139.185.60
  • [Filename] Everything.exe
  • [Filename] WinSCP-6.3.7-Setup.exe
  • [Filename] 7z2408-x64.exe
  • [Onion URL] nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion
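As an added example (not part of the report or of any vendor tooling), the following Python pass applies the report's indicators and two of the mapped techniques above (tool execution, T1053 scheduled-task persistence, and connections to the listed IP) to constructed endpoint events. The `kind|host|key=value` event format and all host names, paths and the 203.0.113.10 address are invented for illustration; only the file names and IP come from the report.

```python
# Added detection example: match constructed endpoint events against the
# indicators and techniques listed in this report. Event format is invented.
IOC_FILENAMES = {"everything.exe", "winscp-6.3.7-setup.exe", "7z2408-x64.exe"}
IOC_IPS = {"14.139.185.60"}

# Constructed sample events (not real telemetry): kind|host|key=value|...
SAMPLE_EVENTS = [
    "process|ws-01|parent=explorer.exe|image=C:\\Users\\bob\\Downloads\\WinSCP-6.3.7-Setup.exe",
    "process|ws-01|parent=cmd.exe|image=C:\\Windows\\System32\\schtasks.exe"
    "|cmdline=schtasks /create /tn Updater /tr C:\\tmp\\run.bat /sc onstart",
    "network|ws-01|image=C:\\Program Files\\WinSCP\\WinSCP.exe|dst=14.139.185.60|dport=22",
    "process|ws-02|parent=winword.exe|image=C:\\Windows\\System32\\notepad.exe",
    "network|ws-02|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|dst=203.0.113.10|dport=443",
]

def parse_event(line):
    """Split one 'kind|host|k=v|k=v' line into a dict."""
    kind, host, *fields = line.split("|")
    event = {"kind": kind, "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def basename(path):
    # Lower-cased file name, tolerant of either path separator
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(event):
    """Return (label, reason) hits for one event; labels follow the report's mapping."""
    hits = []
    if event["kind"] == "process":
        image = basename(event.get("image", ""))
        if image in IOC_FILENAMES:
            hits.append(("ioc-filename", f"listed tool executed: {image}"))
        if image == "schtasks.exe" and "/create" in event.get("cmdline", "").lower():
            hits.append(("T1053", "scheduled task created"))
    elif event["kind"] == "network" and event.get("dst") in IOC_IPS:
        hits.append(("ioc-ip", f"connection to listed address {event['dst']}"))
    return hits

def scan(lines):
    """Group hits per host so tooling, persistence and network hits read as one chain."""
    by_host = {}
    for line in lines:
        event = parse_event(line)
        for hit in match_event(event):
            by_host.setdefault(event["host"], []).append(hit)
    return by_host
```

Running `scan(SAMPLE_EVENTS)` reports three hits on ws-01 and nothing on ws-02, which is the per-host grouping an analyst wants when triaging a double-extortion intrusion rather than isolated alerts.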

Full Story: https://redpiranha.net/news/threat-intelligence-report-april-8-april-14-2025
