Ghost Clown

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, were identified by anti-ransomware company Halcyon. The discovery was part of an investigation into Cloudzy, a command-and-control provider (C2P) believed to be operating out of Tehran, Iran, potentially violating U.S. sanctions. Cloudzy, although incorporated in the United States, is suspected of providing services to these ransomware groups. The Halcyon report highlighted that Cloudzy might be unknowingly facilitating attack campaigns by offering its platform to advanced threat actors. The report estimated that between 40% - 60% of the total servers hosted by Cloudzy appear to be directly supporting potentially malicious activity. This includes renting services to Ghost Clown and Space Kook, both deploying different ransomware strains. Ghost Clown primarily uses BlackBasta, while Space Kook relies on Royal ransomware. These revelations underscore the complex ecosystem of cyber threats, where ostensibly legitimate businesses can become unwitting accomplices to cybercriminal activities. The identification of Ghost Clown and Space Kook as new ransomware affiliates contributes to the ongoing efforts to understand and combat the evolving landscape of cyber threats. The findings also highlight the need for robust cybersecurity measures and constant vigilance against potential vulnerabilities and attacks.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Space Kook	3	Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Spyware

Locker

Cloudzy

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Royal Ransomware	Unspecified	2	Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Blackbasta	Unspecified	2	BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Black Basta	Unspecified	1	Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Conti	Unspecified	1	Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Blackbasta Ransomware	Unspecified	1	BlackBasta is a ransomware-type malware, designed to infiltrate systems undetected and hold data hostage in exchange for ransom. Originating from Russian-speaking regions, this malicious software has been linked to numerous high-profile cyber attacks. The group behind BlackBasta has demonstrated its

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Ghost Clown Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
BankInfoSecurity	a year ago	Hosting Provider Accused of Facilitating Nation-State Hacks
CERT-EU	a year ago	Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs
CERT-EU	a year ago	Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU	a year ago	Cloud Providers Becoming Key Players in Ransomware, Halcyon Warns
InfoSecurity-magazine	a year ago	Cloud Firm Under Scrutiny For Suspected Support of APT Operations
CERT-EU	a year ago	Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
CERT-EU	a year ago	Cloudzy delivers cloud services to multiple APT groups, researchers say
CERT-EU	a year ago	Iran-Run ISP ‘Cloudzy’ Caught Supporting Nation-State APTs, Cybercrime Hacking Groups