Night Sky

Malware Profile Updated a day ago
Night Sky is a ransomware family that has been linked to several other ransomware operations: LockFile, AtomSilo, Rook, and Pandora. Analysis of the Cobalt Strike Beacon samples loaded by HUI Loader revealed a connection between AtomSilo, Night Sky, and Pandora, indicating similarities across these families. Further research indicates that the five ransomware families connected to HUI Loader were developed from two distinct codebases: one shared by LockFile and AtomSilo, the other by Rook, Night Sky, and Pandora. This points to coordination and shared resources among the actors behind them.

The operational patterns and victimology of the LockFile, AtomSilo, Rook, Night Sky, and Pandora deployments do not match conventional financially motivated cybercrime, suggesting a more complex motivation or strategy. As of mid-April, 21 victims had been listed across the AtomSilo, Rook, Night Sky, and Pandora leak sites. All five families are deployed as post-intrusion ransomware, which underscores the threat they pose.

Additional analysis has linked Night Sky to Emperor Dragonfly, a Chinese ransomware group. A reference to a Chinese font family in one Night Sky ransom note, and a Chinese character font detected in another note dropped by Night Sky ransomware, point towards a possible origin or affiliation. These findings highlight the global nature of the threat landscape and the need for robust defensive measures against such threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Lockfile | 1 | LockFile is a type of malicious software, or malware, that has been linked to ransomware activity. This harmful program can infiltrate your system via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold your data for ransom. Analysis of the PlugX
Atomsilo | 1 | AtomSilo is a type of malware that has been linked to several other ransomware families including LockFile, Rook, Night Sky, and Pandora. This connection was revealed through the analysis of Cobalt Strike Beacon samples loaded by HUI Loader. CTU analysis suggests that these five ransomware families
Rook | 1 | Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom
Cobalt Strike Beacon | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
Emperor Dragonfly | 1 | Emperor Dragonfly, also known as Bronze Starlight or Storm-0401, is a threat actor group linked to China that has been identified as deploying various ransomware payloads. This group targets sectors such as gambling within Southeast Asia. The cybersecurity industry uses different names for the same
Pandora Ransomware | 1 | Pandora ransomware is a type of malware that has been connected to several other malicious software strains, including AtomSilo, Night Sky, and Rook. Researchers from CTU identified code overlap between the updated HUI Loader samples and Pandora ransomware, suggesting a common origin or shared devel
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Loader
Cybercrime
Twitter
Police
Ransom
Associated Malware
ID | Type | Votes | Profile Description
Cheerscrypt | Unspecified | 1 | Cheerscrypt is a malicious software (malware) that was discovered in May 2022, specifically designed to target ESXi servers, which are extensively used by enterprises for server virtualization. This discovery was made following the reporting of DarkSide ransomware variants in May 2021. Cheerscrypt,
Associated Threat Actors
ID | Type | Votes | Profile Description
Bronze Starlight | Unspecified | 1 | Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze Starlig
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-44228 | Unspecified | 1 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
Source Document References
Information about the Night Sky malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Unit42 | a day ago | From RA Group to RA World: Evolution of a Ransomware Group
CERT-EU | 7 months ago | A Murder at the End of the World Makes Hacker Style Freaky Again | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 7 months ago | Serbian Police’s Expanding Drone Arsenal Draws Concern – Analysis
CERT-EU | 10 months ago | NIST 800-82 R2/R3: A Practical Guide for OT Security Professionals
CERT-EU | a year ago | Hashtag Trending Aug.1- Will AI hit higher paying jobs first?; FraudGPT, the newest tool for cybercriminals; Twitter removes brightly lit X logo placed on its headquarters | IT World Canada News
CERT-EU | a year ago | Hackaday Podcast 226: Ice, Snow, And Cooling Paint In July
Secureworks | a year ago | BRONZE STARLIGHT Ransomware Operations Use HUI Loader