Space Kook

Threat Actor updated a month ago (2024-11-29T13:39:21.536Z)
Download STIX
Preview STIX
Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access broker named Exotic Lily, as reported by Google’s Threat Analysis Group in March 2022. The investigation further revealed that Space Kook relies on Cobalt Strike, a legitimate penetration testing tool often misused by attackers, and deploys Quantum Locker and Royal ransomware strains. Cloudzy, a server hosting service, has allegedly provided its services to several infamous ransomware gangs including Ghost Clown and Space Kook. According to estimates by researchers, between 40% - 60% of the total servers hosted by Cloudzy appear to be directly supporting potentially malicious activity. This includes renting services to previously unreported ransomware groups like Space Kook, which uses the Royal ransomware strain. In addition to Space Kook, the Halcyon report also identifies another ransomware affiliate, Ghost Clown, which uses the BlackBasta ransomware strain. Both Space Kook and Ghost Clown were found to be part of a larger network of ransomware affiliates leveraging Cloudzy's services. These findings underscore the need for increased vigilance and improved security measures within the digital landscape to counteract the growing threat posed by these malicious actors.
Description last updated: 2024-05-04T19:07:53.808Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Ghost Clown is a possible alias for Space Kook. Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, were identified by anti-ransomware company Halcyon.
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Ghost Malware is associated with Space Kook. The "Ghost" malware, first discovered in 2020, is a sophisticated and successful malicious software that has been discreetly distributed via a network of GitHub accounts known as the Stargazers Ghost Network. This network utilizes open-source and legitimate software repositories to exploit trust andis related to
2
The Royal Ransomware Malware is associated with Space Kook. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could steaUnspecified
2
The Blackbasta Malware is associated with Space Kook. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnetUnspecified
2