ShadowSyndicate

Threat Actor updated 5 months ago (2024-05-04T17:16:20.150Z)
ShadowSyndicate is a threat actor which, according to cybersecurity firm Group-IB, has been involved in ransomware operations since 2019. The group works as an affiliate of multiple ransomware groups and Ransomware-as-a-Service (RaaS) programs and has been tied to several ransomware projects, including JSWORM, Nefilim, Karma, and Nemty. Beyond developing ransomware and operating RaaS programs for others, it has launched its own RaaS program built on the Nokoyawa ransomware. Over the preceding year it reportedly deployed seven different ransomware families in its attacks.

Its infrastructure has been linked, with low confidence, to the TrickBot, Ryuk, FIN7, and TrueBot malware operations. In September 2023, Group-IB also linked ShadowSyndicate infrastructure to attacks involving Quantum ransomware, Nokoyawa, and the AlphV ransomware group. Low-confidence infrastructure overlap means shared hosting or tooling, not a confirmed shared operator, so these links should be read as leads rather than attribution.

Since February 29, 2024, ShadowSyndicate and other threat actors have been scanning the internet for vulnerable servers, exploiting flaws in Python libraries among other vulnerabilities. One of the IP addresses used for this scanning has been attributed to ShadowSyndicate. Locating exposed, unpatched versions of common utilities is the group's chosen entry point for network compromise, so defenders should expect opportunistic version probing of internet-facing software rather than targeted reconnaissance; a single probe from an attributed address indicates exposure, not necessarily an intrusion.

The group's activities were discussed in depth on the September 26, 2023 episode of the Security Weekly News podcast, including the events leading to a prosecution case against the group.
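From the defender's side, the mass scanning described above looks like one source requesting many paths that do not exist within a short burst. As an added example (this is not code from the page, from Group-IB, or from any cited source), the Python below scores access-log sources with that heuristic over a sliding time window and cross-checks them against an IOC watchlist. The log lines, the watchlist address and the thresholds are constructed placeholders drawn from documentation IP ranges, not ShadowSyndicate indicators.

```python
"""Flag mass-scanning sources in web server access logs and cross-check them
against a threat-intel watchlist. Added example; the log lines and the
watchlist entry are CONSTRUCTED placeholders (RFC 5737 ranges), not IOCs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one opportunistic scanner probing many paths in a few
# seconds, one ordinary visitor, and one watchlisted address that sent a
# single benign-looking request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 162
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /admin/login HTTP/1.1" 404 162
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /api/v1/version HTTP/1.1" 404 162
203.0.113.7 - - [01/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.9 - - [01/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [01/Mar/2024:10:01:05 +0000] "GET /docs HTTP/1.1" 200 2048
198.51.100.9 - - [01/Mar/2024:10:01:09 +0000] "GET /docs/intro HTTP/1.1" 200 4096
192.0.2.44 - - [01/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512
"""

# Hypothetical watchlist standing in for a vendor IOC feed (constructed).
WATCHLIST = frozenset({"192.0.2.44"})


def parse_log(lines):
    """Yield (ip, timestamp, path, status) for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["path"], int(m["status"])


def _stats(chunk):
    """Request count, distinct paths and 4xx ratio for a slice of one source's events."""
    distinct = len({path for _, path, _ in chunk})
    errors = sum(1 for _, _, status in chunk if 400 <= status < 500)
    return {"requests": len(chunk), "distinct_paths": distinct,
            "error_ratio": errors / len(chunk)}


def find_scanners(lines, window_seconds=300, min_paths=5,
                  min_error_ratio=0.6, watchlist=frozenset()):
    """Return {ip: stats} for sources that look like scanners or are watchlisted.

    A source is scored as a scanner if, inside some sliding window of
    `window_seconds`, it requested at least `min_paths` distinct paths and at
    least `min_error_ratio` of those requests drew a 4xx: guessing paths that
    do not exist is what version and vulnerability probing looks like."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for ip, ts, path, status in parse_log(lines):
        events[ip].append((ts, path, status))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            st = _stats(evs[start:end + 1])
            if (st["distinct_paths"] >= min_paths
                    and st["error_ratio"] >= min_error_ratio
                    and (best is None or st["distinct_paths"] > best["distinct_paths"])):
                best = st
        if best is None and ip not in watchlist:
            continue
        st = best if best is not None else _stats(evs)
        hits[ip] = {**st, "error_ratio": round(st["error_ratio"], 2),
                    "scanner": best is not None, "on_watchlist": ip in watchlist}
    return hits


def run_sample():
    """Run the heuristic over the constructed log with the constructed watchlist."""
    return find_scanners(SAMPLE_LOG.splitlines(), watchlist=WATCHLIST)


if __name__ == "__main__":
    for ip, stats in run_sample().items():
        print(ip, stats)
```

Watchlist hits with no scanner score (the last entry in the sample) are worth keeping: a single benign-looking request from an attributed address is still contact with the actor's infrastructure. Tune min_paths and min_error_ratio per site; a site with many dead links needs a higher ratio so ordinary crawlers are not flagged.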
Description last updated: 2024-05-04T17:07:20.536Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names or profiles to check. Treat them as leads, not confirmed equivalences: an infrastructure or tooling overlap does not by itself make two clusters the same actor.
Alias: FIN7 (2 votes)
FIN7 is listed as a possible alias for ShadowSyndicate; the link reported by Group-IB is a low-confidence infrastructure overlap rather than a confirmed alias. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a cybercrime group active since 2012, recognized for combining custom malware with social engineering, having executed numerous successful attacks against global
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Ransomware, RaaS, Malware.
Associated Malware
Malware: IcedID (association type: unspecified; 2 votes)
IcedID, also known as BokBot, is a banking trojan that evolved into an initial-access loader used to deliver other malware. It has been identified in association with Qakbot, BazarLoader, Cobalt Strike, Conti, Gozi, TrickBot, Quantum, Emotet, and Pikabot. The IcedID IntBot Loader (int-bot.dll) is
Associated Threat Actors
Threat actor: AlphV (association type: unspecified; 2 votes)
AlphV, also known as BlackCat, is a ransomware-as-a-service operation active since November 2021, known for extending the public data-leak extortion model with a searchable database of stolen victim data. It has been reported in association with other ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la
Source Document References
Information about the ShadowSyndicate threat actor was drawn from the document corpus below (the public view is limited to 20 results).
Source (created): CERT-EU (7 months ago, two items); BankInfoSecurity (7 months ago); CERT-EU (a year ago, eleven items); InfoSecurity-magazine (a year ago).