Space Kook

Threat Actor updated 6 months ago (2024-05-04T19:59:10.248Z)
Space Kook is a ransomware affiliate (threat actor) tracked in the cybersecurity industry and named after a Scooby-Doo villain. It was first profiled by the anti-ransomware company Halcyon, whose analysis tied it to the initial access broker Exotic Lily, an operation Google's Threat Analysis Group had reported on in March 2022. Halcyon's investigation found that Space Kook relies on Cobalt Strike, a commercial penetration-testing framework routinely abused by attackers for post-exploitation and command-and-control, and deploys the Quantum Locker and Royal ransomware strains.

The same report alleges that Cloudzy, a server hosting provider, has supplied infrastructure to several ransomware gangs, including Space Kook and Ghost Clown. Researchers estimated that between 40% and 60% of the servers Cloudzy hosts appear to directly support potentially malicious activity, including servers rented to previously unreported ransomware groups such as Space Kook. Ghost Clown, the second affiliate identified in the report, uses the BlackBasta strain; both groups were found to be part of a wider network of ransomware affiliates using Cloudzy's services.

For defenders, the actionable points are the shared hosting (Cloudzy-hosted servers) and the tooling sequence (Cobalt Strike followed by Quantum Locker or Royal), both of which can be monitored regardless of which affiliate is behind a given intrusion.
Description last updated: 2024-05-04T19:07:53.808Z
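The relationships described above (actor, broker, tooling, ransomware strains and shared hosting) are the kind of graph a STIX 2.1 export of this profile would carry. The following is an added example, not the page's own STIX export or any vendor's data: it encodes the profile as plain STIX 2.1 dictionaries (no `stix2` dependency) with constructed, deterministic object IDs, then walks the relationship objects to answer the two questions a practitioner asks of such a profile: what does this actor use, and which actors share a piece of infrastructure.

```python
"""Encode the Space Kook profile as STIX 2.1 objects and query the relationship graph.

Added example. Object IDs are constructed (UUIDv5 over a fixed namespace so the
output is reproducible); a real producer would emit random UUIDv4 values.
"""
import json
import uuid
from collections import defaultdict


def _sid(stix_type, key):
    """Constructed STIX identifier: <type>--<uuid>."""
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, f'example:{stix_type}:{key}')}"


def sdo(stix_type, name, **props):
    """Minimal STIX 2.1 domain object with only the fields this example needs."""
    return {"type": stix_type, "spec_version": "2.1", "id": _sid(stix_type, name),
            "name": name, **props}


def sro(rel_type, source, target):
    """STIX relationship object (SRO) from source to target."""
    key = f"{rel_type}:{source['id']}:{target['id']}"
    return {"type": "relationship", "spec_version": "2.1", "id": _sid("relationship", key),
            "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_bundle():
    """Bundle holding the entities and relationships stated in the profile text."""
    space_kook = sdo("threat-actor", "Space Kook", threat_actor_types=["crime-syndicate"])
    ghost_clown = sdo("threat-actor", "Ghost Clown", threat_actor_types=["crime-syndicate"])
    exotic_lily = sdo("threat-actor", "Exotic Lily",
                      description="Initial access broker reported by Google TAG, March 2022")
    cobalt_strike = sdo("tool", "Cobalt Strike", tool_types=["remote-access"])
    quantum = sdo("malware", "Quantum Locker", is_family=True, malware_types=["ransomware"])
    royal = sdo("malware", "Royal", is_family=True, malware_types=["ransomware"])
    black_basta = sdo("malware", "BlackBasta", is_family=True, malware_types=["ransomware"])
    # Role of individual servers is not given on the page, hence "unknown".
    cloudzy = sdo("infrastructure", "Cloudzy-hosted servers", infrastructure_types=["unknown"],
                  description="Hosting attributed to Cloudzy by Halcyon")
    objects = [space_kook, ghost_clown, exotic_lily, cobalt_strike,
               quantum, royal, black_basta, cloudzy]
    objects += [
        sro("uses", space_kook, cobalt_strike),
        sro("uses", space_kook, quantum),
        sro("uses", space_kook, royal),
        sro("uses", space_kook, cloudzy),
        sro("related-to", space_kook, exotic_lily),   # "connections to" an IAB
        sro("uses", ghost_clown, black_basta),
        sro("uses", ghost_clown, cloudzy),
    ]
    return {"type": "bundle", "id": _sid("bundle", "space-kook-profile"), "objects": objects}


def _index(bundle):
    return {o["id"]: o for o in bundle["objects"]}


def related(bundle, name, rel_type, direction="out"):
    """Sorted names linked to `name` by `rel_type`; "out" follows source->target,
    "in" follows target->source (e.g. which actors use a given malware)."""
    by_id = _index(bundle)
    start = next(o["id"] for o in bundle["objects"] if o.get("name") == name)
    hits = set()
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != rel_type:
            continue
        src, dst = ((o["source_ref"], o["target_ref"]) if direction == "out"
                    else (o["target_ref"], o["source_ref"]))
        if src == start:
            hits.add(by_id[dst]["name"])
    return sorted(hits)


def shared_infrastructure(bundle):
    """Map each infrastructure object to the sorted actors that 'use' it; any entry
    with more than one actor is the hosting overlap the profile describes."""
    by_id = _index(bundle)
    users = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "uses":
            src, tgt = by_id[o["source_ref"]], by_id[o["target_ref"]]
            if src["type"] == "threat-actor" and tgt["type"] == "infrastructure":
                users[tgt["name"]].add(src["name"])
    return {k: sorted(v) for k, v in users.items()}


def to_json(bundle):
    """Serialised bundle, suitable for loading into a STIX-aware tool."""
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    b = build_bundle()
    print(related(b, "Space Kook", "uses"))
    print(shared_infrastructure(b))
```

The "in" direction of `related` is what makes the graph useful beyond the prose: asking which actors use Royal, or which share the Cloudzy infrastructure node, is a one-line query once the profile is expressed as relationship objects rather than sentences.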
Possible Aliases / Cluster overlaps
Cluster names and naming conventions rarely line up between vendors, so the following are possible overlapping names or profiles worth checking.
Alias | Description | Votes
Ghost Clown | Ghost Clown is a ransomware affiliate implicated in deploying ransomware strains including BlackBasta and Conti. This previously unreported group was identified, alongside Space Kook, by the anti-ransomware company Halcyon. Note that the same report treats the two as distinct affiliates that share hosting infrastructure, not as one group, so this is a weak overlap rather than a true alias. | 3
Miscellaneous Associations
Other elements of context that could help in judging relevance
Ransomware
Associated Malware
Malware | Description | Association type | Votes
Ghost | "Ghost" refers to a sophisticated malware network that was discovered and dismantled in 2020 following a two-year investigation led by Europol and global law enforcement agencies. The network, also known as the Stargazers Ghost Network, was found to be operating through GitHub accounts, distributing… Nothing else on this page connects that network to Space Kook; the only visible overlap is the word "Ghost" in the Ghost Clown alias, so treat this association as unverified. | is related to | 2
Royal Ransomware | Royal is a ransomware strain that operated from September 2022 through June 2023. It employed multi-threaded encryption to disrupt operations and hold data hostage for ransom. The ransomware was primarily disseminated through suspicious… Space Kook is reported to deploy Royal. | Unspecified | 2
BlackBasta | BlackBasta is a ransomware strain, and the group behind it has been linked with other malicious software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation… On this page, BlackBasta is the strain used by Ghost Clown, the affiliate reported alongside Space Kook, rather than by Space Kook itself. | Unspecified | 2