Zeon

Threat Actor updated 4 days ago (2024-11-29T13:35:56.956Z)
Zeon is a threat actor that has been linked to several high-profile ransomware attacks. It crypted the SVCReady and CargoBay loaders observed in Quantum and Royal ransomware attacks respectively, and it has deployed both third-party ransomware such as BlackCat and its own custom Zeon ransomware. Over time the name has been associated with attacks involving Quantum, Royal, Zeon, and BlackBasta. Approximately a year ago ITG23, another threat group, stopped using its successful Conti ransomware strain, and its members went on to create or join new operations such as Quantum, Royal, Zeon, and BlackBasta. After ITG23 dissolved, these factions continued to use many of the same crypters, which indicates ongoing cooperation among former members. Use of the Rust programming language has also increased, with developers releasing Rust versions of malware including BlackCat, Hive, Zeon, and RansomExx.

More recently, Zeon has been identified as operating as a group of elite pentesters, primarily for the Akira and LockBit ransomware groups. The takedown of LockBit had a significant impact on Zeon, forcing it to shift its focus to the Akira brand. According to the cybersecurity firm RedSense, the recent troubles faced by LockBit and Akira created a relative vacuum in the ransomware landscape that has been partly filled by the Akira ransomware collective and associated "ghost groups" such as Zeon. Keeping software fully patched and updated is considered a top defense against Zeon; however, pentesters associated with Zeon are likely to continue tricking victims into installing remote management and monitoring software and to keep targeting ESXi and cloud environments. Zeon's increased involvement with Akira could therefore lead to more sophisticated and damaging attacks in the future.
Description last updated: 2024-05-05T03:16:02.526Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Conti is a possible alias for Zeon (4 votes). Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona
Akira is a possible alias for Zeon (2 votes). Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
Conti Team is a possible alias for Zeon (2 votes). The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack
Hive is a possible alias for Zeon (2 votes). Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Loader
Encryption
Ransom
RaaS
Antivirus
Malware
CISA
Extortion
Esxi
Associated Malware
The Ryuk malware is associated with Zeon (association type: unspecified; 2 votes). Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves
The TrickBot malware is associated with Zeon (association type: unspecified; 2 votes). TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,
The Black Basta malware is associated with Zeon (association type: unspecified; 2 votes). Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
The Royal Ransomware malware is associated with Zeon (association type: unspecified; 2 votes). Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea
The Ghost malware is associated with Zeon (association type: is related to; 2 votes). The "Ghost" malware, first discovered in 2020, is a sophisticated and successful malicious software that has been discreetly distributed via a network of GitHub accounts known as the Stargazers Ghost Network. This network utilizes open-source and legitimate software repositories to exploit trust and
Associated Threat Actors
The Alphv threat actor is associated with Zeon (association type: is related to; 7 votes). Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p
The LockBitSupp threat actor is associated with Zeon (association type: is related to; 2 votes). LockBitSupp, a prominent threat actor, has been identified as Russian national Dmitry Yuryevich Khoroshev. The group's activities have been under scrutiny due to its involvement in ransomware attacks and other cybercrimes. Khoroshev, who was operating under the aliases "LockBit" and "LockBitSupp," i
Associated Vulnerabilities
The vulnerability Lockbit's Ghost is associated with Zeon (association type: unspecified; 2 votes).
Source Document References
Information about the Zeon threat actor was read from the documents corpus below. This display is limited to 20 results.
Source (created):
CSO Online (2 years ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (9 months ago)
BankInfoSecurity (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (9 months ago)
BankInfoSecurity (9 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (9 months ago)
BankInfoSecurity (9 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
MITRE (a year ago)
MITRE (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)