Space Kook

Threat Actor updated 4 months ago (2024-05-04T19:59:10.248Z)

Download STIX

Preview STIX

Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access broker named Exotic Lily, as reported by Google’s Threat Analysis Group in March 2022. The investigation further revealed that Space Kook relies on Cobalt Strike, a legitimate penetration testing tool often misused by attackers, and deploys Quantum Locker and Royal ransomware strains. Cloudzy, a server hosting service, has allegedly provided its services to several infamous ransomware gangs including Ghost Clown and Space Kook. According to estimates by researchers, between 40% - 60% of the total servers hosted by Cloudzy appear to be directly supporting potentially malicious activity. This includes renting services to previously unreported ransomware groups like Space Kook, which uses the Royal ransomware strain. In addition to Space Kook, the Halcyon report also identifies another ransomware affiliate, Ghost Clown, which uses the BlackBasta ransomware strain. Both Space Kook and Ghost Clown were found to be part of a larger network of ransomware affiliates leveraging Cloudzy's services. These findings underscore the need for increased vigilance and improved security measures within the digital landscape to counteract the growing threat posed by these malicious actors.

Description last updated: 2024-05-04T19:07:53.808Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Ghost Clown	3	Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, were identified by anti-ransomware company Halcyon.

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
Ghost	is related to	2	"Ghost" is a potent malware that has been plaguing the digital world. In 2020, the first signs of its impending threat emerged with the planning of a large bilateral CDU/MDANG Ex Cyber Ghost operation. However, it wasn't until Check Point Research (CPR) identified a network of GitHub accounts, dubbe
Royal Ransomware	Unspecified	2	The Royal Ransomware, a harmful malware program designed to exploit and damage computer systems, operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious
Blackbasta	Unspecified	2	BlackBasta is a notorious malware, specifically ransomware, that has been associated with several high-profile cyber-attacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information,

Source Document References

Information about the Space Kook Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	a year ago	Hosting Provider Accused of Facilitating Nation-State Hacks
CERT-EU	a year ago	Iran-Run ISP ‘Cloudzy’ Caught Supporting Nation-State APTs, Cybercrime Hacking Groups
CERT-EU	a year ago	US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU	a year ago	Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU	a year ago	Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs
CERT-EU	a year ago	US internet hosting company appears to facilitate global cybercrime, researchers say
InfoSecurity-magazine	a year ago	Cloud Firm Under Scrutiny For Suspected Support of APT Operations
CERT-EU	a year ago	Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
CERT-EU	a year ago	Cloudzy delivers cloud services to multiple APT groups, researchers say