{ "Event": { "analysis": "1", "date": "2026-04-07", "extends_uuid": "", "info": "[Threat Intel] Leveling Up with NightSpire Ransomware", "protected": false, "publish_timestamp": "1776072065", "published": true, "threat_level_id": "2", "timestamp": "1776072065", "uuid": "2c495c78-83d3-4f8d-a66b-3d1c283ea8f3", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#8f20d0", "local": false, "name": "misp-galaxy:producer=\"Huntress\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#b24806", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"", "relationship_type": "" }, { "colour": "#370063", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#d4fd6f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#bce57a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#aa1f95", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"", "relationship_type": "" }, { "colour": "#e00500", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"", "relationship_type": "" }, { "colour": "#4985d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "relationship_type": "" }, { "colour": "#f5055a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"", "relationship_type": "" }, { "colour": "#7773ac", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"nightspire\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775646014", "to_ids": false, "type": "link", "uuid": "7fed5bca-35c8-49ca-8d45-7de3c69343e8", "value": "https://www.huntress.com/blog/nightspire-ransomware" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1775646014", "to_ids": false, "type": "text", "uuid": "fc006895-6227-44a4-aee5-760fc7e8ac94", "value": "NightSpire ransomware, first discovered in February 2025, presents a categorization challenge regarding whether it operates as Ransomware-as-a-Service (RaaS). Analysis of two incidents from December 2025 and March 2026 reveals significant variations in tactics, techniques, and procedures between attacks. The March 2026 incident involved threat actors installing Chrome Remoting Desktop and AnyDesk for persistence, using Everything and 7Zip for data staging, MEGASync for exfiltration, and deploying VMWare Workstation and WPS Office. The attacker accessed systems via RDP days before detection. Comparison with the December 2025 incident shows evolution in the ransomware encryptor, including modified ransom note filenames and contents. These variations in TTPs and indicators suggest either operational evolution or involvement of multiple affiliates, demonstrating that ransomware indicators aren't consistent across campaigns." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1775646014", "to_ids": false, "type": "text", "uuid": "a1e35c98-0971-418b-973e-eb604587f89e", "value": "Name: Leveling Up with NightSpire Ransomware\nAuthor: AlienVault\nAdversary: NightSpire\nTags: [\"persistence mechanisms\", \"remote desktop\", \"data exfiltration\", \"nightspire\", \"ransomware-as-a-service\", \"raas\", \"file encryption\", \"chrome remoting desktop\", \"megasync\", \"anydesk\"]\nTgtd countries: []\nMlwr families: [\"NightSpire\"]\nAttack_ids: [\"T1005\", \"T1070\", \"T1021.001\", \"T1562\", \"T1083\", \"T1567\", \"T1059.001\", \"T1486\", \"T1074\", \"T1219\", \"T1547\", \"T1039\", \"T1133\", \"T1490\", \"T1560\", \"T1105\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1776007265", "to_ids": false, "type": "threat-actor", "uuid": "96f09832-e7a4-4f98-bd4b-9d0400aebfae", "value": "NightSpire", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"nightspire\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "file encryptor, enc.exe, from 25 Mar 2026 No sample in VT\r\nLast check:13/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776018390", "to_ids": true, "type": "sha256", "uuid": "e3185d8e-9f94-4469-a832-1d2846ab0e1f", "value": "ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "enc.exe, from 2 Dec 2025 No sample in VT\r\nLast check:13/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776018391", "to_ids": true, "type": "sha256", "uuid": "a8c74668-5cab-41e8-8677-c249acec509f", "value": "bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Email address associated with Chrome Remoting Desktop, 24 & 25 Mar 2026", "deleted": false, "disable_correlation": false, "timestamp": "1776007257", "to_ids": true, "type": "email-src", "uuid": "dcca2c99-b64e-4d48-bd26-22175b3cdf67", "value": "prince1990905@gmail.com" } ] } }