ShadowSyndicate (Group-IB), Infra Storm (Group-IB)
ShadowSyndicate, previously tracked by Group-IB as Infra Storm, is notable for the range of ransomware families it has deployed: Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play. Active since July 16, 2022, the group pairs these payloads with post-exploitation frameworks such as Cobalt Strike and Sliver and with loaders such as IcedID and Matanbuchus, a toolset that carries an intrusion from initial access through control of the network to extortion.
The group's global footprint is visible in its infrastructure: a distinctive SSH host-key fingerprint was found on 85 servers spread across several countries, with the largest share hosted in Panama. The servers were used for command and control, and because an SSH host-key fingerprint is simply a hash of the server's public host key, every server that presents the same key shares the fingerprint; a single key reused across an operator's fleet lets the whole network be enumerated from one seed value. A fingerprint match alone is strong but not conclusive, since cloned VM images or templates can also carry identical host keys, so matches should be corroborated by the C2 tooling observed on the host. Some of these servers have also been linked to other well-known malware operations, which points to shared infrastructure, collaboration, or shared tooling within the cybercriminal ecosystem.
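Pivoting on an SSH host-key fingerprint works because the fingerprint is a hash of the server's public host key in SSH wire format, so any two servers presenting the same key yield the same value regardless of hostname, IP, or the comment on the key. The following Python is an added illustration, not Group-IB's tooling and not taken from the report: it parses OpenSSH public-key lines, computes the fingerprint in both the legacy MD5 form (the format most scanner exports and older reports use) and the SHA256 form printed by current ssh-keygen, and checks a set of scan results against a watchlist. The key bytes, the hosts (in the 192.0.2.0/24 documentation range) and the watchlist are all constructed for the example; the actual fingerprint attributed to ShadowSyndicate is not reproduced here.

```python
"""Pivot on SSH host-key fingerprints (added example, not Group-IB tooling).

Constructed sample input: the 32-byte "public keys" below are arbitrary bytes,
not real keys, and the fingerprints derived from them identify nothing real.
"""
from __future__ import annotations

import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-ed25519 AAAA...' line from 32 raw key bytes (constructed input)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_openssh_pubkey(line: str) -> tuple[str, bytes]:
    """Return (key type, wire-format blob) from an OpenSSH public-key line.

    The blob is what ssh-keygen -l and host-key scanners hash, so the
    fingerprint does not depend on the comment field or the text encoding.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    # The first wire string inside the blob must repeat the declared key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: colon-separated MD5 hex (what follows 'MD5:' in ssh-keygen -l -E md5)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern fingerprint: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize_md5(fp: str) -> str:
    """Accept 'MD5:aa:bb:...', 'aa:bb:...' or bare 'aabb...' and return lowercase hex without colons."""
    fp = fp.strip().lower()
    if fp.startswith("md5:"):
        fp = fp[4:]
    return fp.replace(":", "")


# Constructed scan results: host -> public-key line, as a host-key scanner or a
# search-engine export would give you. Two hosts share one key (and so one
# fingerprint); the third presents a different key.
_SHARED_KEY = bytes(range(32))       # constructed, not a real key
_OTHER_KEY = bytes(range(32, 64))    # constructed, not a real key
SCAN_RESULTS = {
    "192.0.2.10": make_ed25519_pubkey_line(_SHARED_KEY, "root@c2-a"),
    "192.0.2.11": make_ed25519_pubkey_line(_SHARED_KEY, "root@c2-b"),
    "192.0.2.12": make_ed25519_pubkey_line(_OTHER_KEY, "ubuntu@unrelated"),
}

# Watchlist of MD5 fingerprints to pivot on. Here it is derived from the
# constructed shared key; in practice it would hold the fingerprint from a report.
WATCHLIST_MD5 = {
    normalize_md5(fingerprint_md5(parse_openssh_pubkey(SCAN_RESULTS["192.0.2.10"])[1]))
}


def find_matching_hosts(scan_results: dict[str, str], watchlist_md5: set[str]) -> list[str]:
    """Return the hosts whose SSH host key has an MD5 fingerprint on the watchlist."""
    wanted = {normalize_md5(fp) for fp in watchlist_md5}
    hits = []
    for host, line in scan_results.items():
        _, blob = parse_openssh_pubkey(line)
        if normalize_md5(fingerprint_md5(blob)) in wanted:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for host, line in SCAN_RESULTS.items():
        keytype, blob = parse_openssh_pubkey(line)
        print(host, keytype, fingerprint_md5(blob), fingerprint_sha256(blob))
    print("watchlist hits:", find_matching_hosts(SCAN_RESULTS, WATCHLIST_MD5))
```

The MD5 form is kept alongside SHA256 because scanner exports and older reports usually quote the 32-hex-character MD5 value, while a modern ssh-keygen prints SHA256 by default; normalising on bare hex lets a watchlist copied from either source match. A hit is a lead, not an attribution: the same host key also shows up on every VM cloned from one image, so confirm with the C2 software actually running on the host.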