Executive Summary: ShadowSyndicate Threat Group

Executive Summary

In late 2024, Darktrace identified multiple instances of RansomHub ransomware attacks linked to the ShadowSyndicate threat group. ShadowSyndicate, active since 2022, has been associated with several ransomware families and sophisticated tools, including Cobalt Strike and Sliver.

Their latest collaboration with RansomHub, a rising Ransomware-as-a-Service (RaaS) operator, underscores an evolving threat landscape. This report details the tactics, techniques, and procedures (TTPs) observed in these attacks and provides actionable Indicators of Compromise (IoCs).

Threat Actor Overview: ShadowSyndicate

Background

ShadowSyndicate, also known as Infra Storm, has been active since July 2022. This group is recognized for partnering with prominent ransomware affiliates, including Quantum, Nokoyawa, and ALPHV.

Known Toolset

  • Cobalt Strike
  • Sliver
  • IcedID
  • Matanbuchus malware

Infrastructure Indicators

  • Persistent use of SSH fingerprint: 1c:a4:cb:ac:89:5f:c3:bd:12:41:7b:77:fc:6e:d3:1d.
  • As of September 2023, this fingerprint was associated with 85 servers, 52 of which were linked to Cobalt Strike command-and-control (C2) servers.

Emergence of RansomHub Ransomware

Overview

RansomHub emerged as a significant RaaS platform after the FBI’s disruption of ALPHV/BlackCat in late 2023. The takedown of LockBit in early 2024 further positioned RansomHub as a dominant force in the ransomware ecosystem.

Key Developments

  • Rapid recruitment of affiliates, including former members of disrupted groups.
  • Approximately 500 reported victims since February 2024.
  • Aggressive marketing and attractive affiliate compensation (up to 90% of ransom payments).

Observed Collaboration

Timeline

Between July 2022 and September 2023, ShadowSyndicate utilized multiple ransomware families. By late 2024, the group incorporated RansomHub into their operations.

Motivations

RansomHub’s competitive affiliate compensation and robust infrastructure likely incentivized ShadowSyndicate to adopt their platform.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access

  • Phishing Campaigns: Spear-phishing emails delivering malicious payloads.
  • Exploitation of Vulnerabilities: Targeting unpatched systems.

2. Establishing Persistence

  • Deployment of Cobalt Strike and Sliver for sustained access.

3. Credential Access

  • Use of IcedID and Matanbuchus malware for credential harvesting and privilege escalation.

4. Lateral Movement

  • Exploitation of compromised SSH credentials to navigate networks.

5. Data Exfiltration

  • Tools such as Rclone and the Mega.nz cloud storage service used to exfiltrate sensitive data.

6. Ransom Operations

  • Encryption of systems using RansomHub tools.
  • Ransom demands facilitated via RansomHub’s payment infrastructure.

Indicators of Compromise (IoCs)

SSH Fingerprint

  • 1c:a4:cb:ac:89:5f:c3:bd:12:41:7b:77:fc:6e:d3:1d

IP Addresses

Domains

  • vkmuz[.]net
  • api.playanext[.]com
  • safe-proxy[.]com
  • freevpn[.]zone
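The following Python is an added defensive example, not tooling from the report or from Darktrace: it matches two artefacts a responder already holds against the IoCs above. Host keys recorded in SSH known_hosts files are compared with the report's fingerprint (its 16 colon-separated bytes are OpenSSH's MD5 host-key form), and DNS query logs are compared with the refanged domains, which also covers the "unusual SSH connections" check under Network Monitoring. The sample key, known_hosts line and log lines are constructed, and the `client= query=` log field layout is an assumption.

```python
# Added example (not the report's tooling): match SSH known_hosts keys and DNS
# query logs against the IoCs above. Sample key, hosts line and logs are constructed.
import base64
import hashlib
import re

IOC_SSH_FINGERPRINT = "1c:a4:cb:ac:89:5f:c3:bd:12:41:7b:77:fc:6e:d3:1d"
IOC_DOMAINS_DEFANGED = ["vkmuz[.]net", "api.playanext[.]com", "safe-proxy[.]com", "freevpn[.]zone"]

def refang(domain: str) -> str:
    """Turn the report's defanged form (name[.]tld) back into a real name."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = frozenset(refang(d) for d in IOC_DOMAINS_DEFANGED)

def md5_fingerprint(key_b64: str) -> str:
    """MD5 of the base64 host key blob, in the colon form the report's IoC uses."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def known_hosts_hits(text: str, ioc_fp: str = IOC_SSH_FINGERPRINT) -> list:
    """Host fields of known_hosts lines whose key fingerprint equals ioc_fp."""
    hits = []
    for line in text.splitlines():
        parts = line.split()  # hosts, key type, base64 key[, comment]
        if line.startswith("#") or len(parts) < 3:
            continue
        if md5_fingerprint(parts[2]) == ioc_fp:
            hits.append(parts[0])
    return hits

def dns_log_hits(lines, iocs=IOC_DOMAINS) -> list:
    """(client, name) for queries naming an IoC domain or a subdomain of one (assumed 'client= query=' fields)."""
    pat = re.compile(r"client=(\S+)\s+query=(\S+)")
    hits = []
    for line in lines:
        m = pat.search(line)
        if not m:
            continue
        name = m.group(2).rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in iocs):
            hits.append((m.group(1), name))
    return hits

# Constructed inputs: an ed25519 key blob with dummy key bytes, one known_hosts line, three DNS log lines.
SAMPLE_KEY_B64 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_KNOWN_HOSTS = f"# constructed\nbastion.example.net,10.0.0.1 ssh-ed25519 {SAMPLE_KEY_B64}\n"
SAMPLE_DNS_LOG = [
    "2024-11-03T10:15:22Z client=10.0.0.5 query=api.playanext.com. type=A",
    "2024-11-03T10:15:23Z client=10.0.0.5 query=updates.example.org type=A",
    "2024-11-03T10:16:01Z client=10.0.0.9 query=cdn.safe-proxy.com type=A"]
```

Run `known_hosts_hits` over the contents of each user's and each service account's known_hosts file collected from the fleet; a hit means a host on that machine has connected to a server presenting the IoC key.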

Mitigation Strategies

1. Regular Patching

Ensure systems are kept up to date with the latest security patches.

2. Network Monitoring

Deploy monitoring tools to detect anomalous activities, including unusual SSH connections.

3. Employee Training

Conduct awareness programs on phishing and social engineering threats.

4. Access Controls

Implement role-based access controls and regularly audit user privileges.

5. Incident Response Preparedness

Develop and rehearse incident response plans for swift containment and recovery.

Conclusion

ShadowSyndicate’s integration of RansomHub illustrates the adaptive nature of ransomware operations. Organizations must adopt proactive measures to mitigate risks associated with such advanced threats.

By leveraging the provided IoCs and recommended mitigations, defenders can enhance their security posture against these adversaries.

 
