Space Kook

Threat Actor Profile Updated 3 months ago
Space Kook is a threat actor tracked in the cybersecurity industry for its ransomware operations. The name, taken from a Scooby-Doo villain, was assigned by the anti-ransomware company Halcyon, whose analysis first documented the group. That analysis found connections to Exotic Lily, an initial access broker that Google's Threat Analysis Group described in March 2022, and showed that Space Kook relies on Cobalt Strike, a legitimate penetration testing tool frequently abused by attackers, and deploys the Quantum Locker and Royal ransomware strains.

The same Halcyon report examined Cloudzy, a hosting provider that the source articles below describe as US-registered but run from Iran. Researchers estimated that 40 to 60 percent of the servers Cloudzy hosts appear to directly support potentially malicious activity, including services rented to previously unreported ransomware affiliates. Two such affiliates are named in the report: Space Kook, deploying Royal, and Ghost Clown, deploying BlackBasta. Both were found to be part of a larger network of ransomware affiliates leveraging Cloudzy's services. These findings underscore the need for continued vigilance and stronger defences against the threat posed by such actors and the infrastructure that supports them.
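The relationships the profile describes (an actor that uses a tool and two ransomware families, two affiliates sharing one hosting provider, an initial access broker linked to one of them) are exactly what a STIX 2.1 bundle for this profile would carry. What follows is an added example, not the site's STIX export and not Halcyon's data: it encodes those relationships as STIX 2.1 objects using only the Python standard library, derives reproducible identifiers under a namespace chosen here (they are not the identifiers the site or any vendor assigns), and runs the referential and relationship-table checks a threat intelligence platform should apply before ingesting any bundle. The infrastructure_types value given to Cloudzy and the use of the generic related-to relationship for the Exotic Lily link are modelling assumptions, since the page states neither.

```python
"""STIX 2.1 encoding of the Space Kook profile's relationships (added example).

Stdlib only. Object and relationship choices are this editor's modelling of the
profile text, not the site's downloadable STIX. Identifiers are uuid5 values
under a namespace chosen here, so they are reproducible but NOT vendor ids.
"""
import json
import uuid

# Assumption: a fixed private namespace so every run yields the same ids.
_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/space-kook-profile")

# Subset of the STIX 2.1 relationship tables this bundle needs:
# (source type, relationship_type, target type). "related-to" is permitted
# between any two SDOs by the spec, so validate() handles it separately.
ALLOWED = {
    ("threat-actor", "uses", "malware"),
    ("threat-actor", "uses", "tool"),
    ("threat-actor", "uses", "infrastructure"),
    ("infrastructure", "hosts", "malware"),
}


def stix_id(obj_type, key):
    """Deterministic STIX identifier of the form <type>--<uuid>."""
    return f"{obj_type}--{uuid.uuid5(_NS, f'{obj_type}/{key}')}"


def sdo(obj_type, name, **props):
    """Minimal STIX Domain Object with the required common properties."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": stix_id(obj_type, name), "name": name}
    obj.update(props)
    return obj


def sro(src, rel, dst, description):
    """STIX Relationship Object linking two SDOs."""
    key = f"{src['id']}|{rel}|{dst['id']}"
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", key), "relationship_type": rel,
            "source_ref": src["id"], "target_ref": dst["id"],
            "description": description}


def build_bundle():
    """Objects and relationships taken from the profile text above."""
    space_kook = sdo("threat-actor", "Space Kook", threat_actor_types=["criminal"])
    ghost_clown = sdo("threat-actor", "Ghost Clown", threat_actor_types=["criminal"])
    exotic_lily = sdo("threat-actor", "Exotic Lily", threat_actor_types=["criminal"],
                      description="Initial access broker described by Google TAG, March 2022")
    royal = sdo("malware", "Royal", is_family=True, malware_types=["ransomware"])
    quantum = sdo("malware", "Quantum Locker", is_family=True, malware_types=["ransomware"])
    basta = sdo("malware", "BlackBasta", is_family=True, malware_types=["ransomware"])
    cobalt = sdo("tool", "Cobalt Strike", tool_types=["remote-access"])
    # Assumption: the page only says Cloudzy hosted the gangs' servers, not
    # what the servers did, so infrastructure_types is a modelling choice.
    cloudzy = sdo("infrastructure", "Cloudzy", infrastructure_types=["hosting-malware"])

    objects = [space_kook, ghost_clown, exotic_lily, royal, quantum, basta, cobalt, cloudzy]
    objects += [
        sro(space_kook, "uses", cobalt, "Halcyon analysis"),
        sro(space_kook, "uses", quantum, "Halcyon analysis"),
        sro(space_kook, "uses", royal, "Halcyon analysis"),
        sro(space_kook, "uses", cloudzy, "Halcyon report on Cloudzy"),
        sro(ghost_clown, "uses", basta, "Halcyon report on Cloudzy"),
        sro(ghost_clown, "uses", cloudzy, "Halcyon report on Cloudzy"),
        # STIX has no 'sold access to' relationship; related-to carries the note.
        sro(exotic_lily, "related-to", space_kook, "IAB connection reported by Halcyon"),
    ]
    return {"type": "bundle", "id": stix_id("bundle", "space-kook"), "objects": objects}


def validate(bundle):
    """Checks a TIP should run before ingest: refs resolve, triples are legal."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if src is None or dst is None:
            problems.append(f"{o['id']}: dangling reference")
            continue
        triple = (src["type"], o["relationship_type"], dst["type"])
        if o["relationship_type"] != "related-to" and triple not in ALLOWED:
            problems.append(f"{o['id']}: {triple} not in STIX 2.1 relationship tables")
    return problems


def targets_of(bundle, actor_name, rel="uses", target_type=None):
    """Sorted names of objects the named actor reaches via `rel`."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    actor_ids = {o["id"] for o in bundle["objects"]
                 if o["type"] == "threat-actor" and o["name"] == actor_name}
    return sorted(by_id[o["target_ref"]]["name"] for o in bundle["objects"]
                  if o["type"] == "relationship" and o["relationship_type"] == rel
                  and o["source_ref"] in actor_ids
                  and (target_type is None or by_id[o["target_ref"]]["type"] == target_type))


def actors_using(bundle, target_name):
    """Sorted names of actors with a 'uses' relationship to the named object."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted(by_id[o["source_ref"]]["name"] for o in bundle["objects"]
                  if o["type"] == "relationship" and o["relationship_type"] == "uses"
                  and by_id[o["target_ref"]]["name"] == target_name)


if __name__ == "__main__":
    bundle = build_bundle()
    assert validate(bundle) == []
    print(json.dumps(bundle, indent=2))
```

Running validate() before querying matters: the query helpers index by target_ref and source_ref and assume every reference resolves, which is exactly what a dangling-reference or wrong-direction relationship in a third-party bundle would break.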
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

Ghost Clown (3 votes)
Ghost Clown is a ransomware affiliate that has deployed ransomware strains including BlackBasta and Conti. This previously unreported group, along with another affiliate named Space Kook, was identified by the anti-ransomware company Halcyon.

EXOTIC LILY (1 vote)
Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The group conducts highly sophisticated phishing campaigns to gain initial access to organisations and then sells that access to other threat actors, including ransomware groups. A notable example of their m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Locker
Cloudzy
Spyware
Associated Malware
Profile (association type, votes): description
Royal Ransomware (unspecified, 2 votes)
Royal Ransomware is a type of malware that has caused significant disruption in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi

Blackbasta (unspecified, 2 votes)
BlackBasta is malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho

Ghost (is related to, 2 votes)
Ghost is a sophisticated malware that has been linked to various cyber threats and attacks. In 2020, there was a significant bilateral CDU/MDANG Ex Cyber Ghost operation in the works, hinting at its growing prominence. It uses techniques such as ghost spoofing, where the sender's name contains an au

Black Basta (unspecified, 1 vote)
Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in April 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs

Blackbasta Ransomware (unspecified, 1 vote)
BlackBasta is a ransomware-type malware, designed to infiltrate systems undetected and hold data hostage in exchange for ransom. Originating from Russian-speaking regions, this malicious software has been linked to numerous high-profile cyber attacks. The group behind BlackBasta has demonstrated its

Conti (unspecified, 1 vote)
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Space Kook threat actor was read from the documents listed below (display limited to 20 results).

Source (published): title
BankInfoSecurity (a year ago): Hosting Provider Accused of Facilitating Nation-State Hacks
CERT-EU (a year ago): Iran-Run ISP ‘Cloudzy’ Caught Supporting Nation-State APTs, Cybercrime Hacking Groups
CERT-EU (a year ago): US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU (a year ago): Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU (a year ago): Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs
InfoSecurity-magazine (a year ago): Cloud Firm Under Scrutiny For Suspected Support of APT Operations
CERT-EU (a year ago): Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
CERT-EU (a year ago): Cloudzy delivers cloud services to multiple APT groups, researchers say