Ghost Clown

Malware Profile Updated 13 days ago
Ghost Clown is a malware entity implicated in the deployment of malicious software, specifically ransomware strains such as BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, was identified by the anti-ransomware company Halcyon. The discovery was part of an investigation into Cloudzy, a command-and-control provider (C2P) believed to be operating out of Tehran, Iran, potentially in violation of U.S. sanctions. Cloudzy, although incorporated in the United States, is suspected of providing services to these ransomware groups. The Halcyon report highlighted that Cloudzy might be unknowingly facilitating attack campaigns by offering its platform to advanced threat actors, and estimated that between 40% and 60% of the total servers hosted by Cloudzy appear to directly support potentially malicious activity. This includes renting services to Ghost Clown and Space Kook, each of which deploys a different ransomware strain: Ghost Clown primarily uses BlackBasta, while Space Kook relies on Royal ransomware. These revelations underscore the complex ecosystem of cyber threats, in which ostensibly legitimate businesses can become unwitting accomplices to cybercriminal activity. The identification of Ghost Clown and Space Kook as new ransomware affiliates contributes to ongoing efforts to understand and combat the evolving threat landscape, and the findings highlight the need for robust cybersecurity measures and constant vigilance against potential vulnerabilities and attacks.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Space Kook | 3 | Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Blackbasta | Unspecified | 2 | BlackBasta is a notorious malware group known for its ransomware attacks, which began in April 2022. The group primarily used SharpDepositorCrypter as the main loader for their ransomware throughout most of 2022. In addition to BlackBasta Ransomware, they have also utilized other malicious software
Royal Ransomware | Unspecified | 2 | Royal Ransomware, a harmful malware created by former members of the Conti group, was involved in multiple high-profile attacks against critical infrastructure. Its operations were characterized by multi-threaded encryption and it often left a ransom note after infecting systems. Notably, the Royal
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Ghost Clown malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
InfoSecurity-magazine | 9 months ago | Cloud Firm Under Scrutiny For Suspected Support of APT Operations
BankInfoSecurity | 10 months ago | Hosting Provider Accused of Facilitating Nation-State Hacks
CERT-EU | 10 months ago | Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU | 9 months ago | Cloud Providers Becoming Key Players in Ransomware, Halcyon Warns
CERT-EU | 10 months ago | Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
CERT-EU | 9 months ago | Cloudzy delivers cloud services to multiple APT groups, researchers say
CERT-EU | 10 months ago | Iran-Run ISP 'Cloudzy' Caught Supporting Nation-State APTs, Cybercrime Hacking Groups
CERT-EU | 10 months ago | Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs