Ghost Clown

Malware updated 7 months ago (2024-05-04T21:18:42.189Z)
Download STIX
Preview STIX
Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, were identified by anti-ransomware company Halcyon. The discovery was part of an investigation into Cloudzy, a command-and-control provider (C2P) believed to be operating out of Tehran, Iran, potentially violating U.S. sanctions. Cloudzy, although incorporated in the United States, is suspected of providing services to these ransomware groups. The Halcyon report highlighted that Cloudzy might be unknowingly facilitating attack campaigns by offering its platform to advanced threat actors. The report estimated that between 40% - 60% of the total servers hosted by Cloudzy appear to be directly supporting potentially malicious activity. This includes renting services to Ghost Clown and Space Kook, both deploying different ransomware strains. Ghost Clown primarily uses BlackBasta, while Space Kook relies on Royal ransomware. These revelations underscore the complex ecosystem of cyber threats, where ostensibly legitimate businesses can become unwitting accomplices to cybercriminal activities. The identification of Ghost Clown and Space Kook as new ransomware affiliates contributes to the ongoing efforts to understand and combat the evolving landscape of cyber threats. The findings also highlight the need for robust cybersecurity measures and constant vigilance against potential vulnerabilities and attacks.
Description last updated: 2024-05-04T20:32:23.519Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Space Kook is a possible alias for Ghost Clown. Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Blackbasta Malware is associated with Ghost Clown. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relationUnspecified
2
The Royal Ransomware Malware is associated with Ghost Clown. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could steaUnspecified
2
Source Document References
Information about the Ghost Clown Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more