Mallory

Ransomware Attack Uncovers Ongoing Espionage in Russian Organizations

Tags: state-sponsored-espionage, ransomware-group-operation, initial-access-method, lateral-movement-method, data-exfiltration-method

Updated March 21, 2026 at 03:15 PM · 2 sources


Two Russian organizations were simultaneously targeted by separate cyber attack groups, resulting in the exposure of a long-term espionage campaign. The first group, QuietCrabs, believed to be of Asian origin, focused on cyber espionage and maintained a stealthy presence within the victim networks. The second group, known as Thor, attempted to deploy LockBit and Babuk ransomware but was detected early, which inadvertently led to the discovery of QuietCrabs' ongoing activities. Both groups exploited known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and various Ivanti solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to gain initial access.

QuietCrabs utilized an ASPX web shell, KrustyLoader malware, and the Sliver C2 implant for persistence and control, while Thor employed tools such as ADRecon, GodPotato, Secretsdump, Mimikatz, Tactical RMM, MeshAgent, and Rclone for lateral movement, privilege escalation, and data exfiltration. The investigation began after Thor's activity was detected, which prevented the ransomware deployment but also revealed the deeper, more persistent espionage threat posed by QuietCrabs. This incident highlights the risk of multiple, unconnected threat actors targeting the same organization and the potential for noisy attacks to expose more covert operations.

Timeline

  1. Dec 2, 2025

    Researchers disclose overlapping espionage and ransomware intrusions

    Researchers publicly reported that the overlap between QuietCrabs and Thor in the two Russian companies appeared coincidental rather than collaborative. They also noted that the ToolShell vulnerability, CVE-2025-53770, has been exploited by other Chinese and financially motivated threat actors worldwide.

  2. Dec 2, 2025

    Thor's noisy intrusion triggers detection before ransomware deployment

    Thor's more conspicuous activity led defenders to detect the intrusion early, preventing the ransomware stage from being executed. That response also exposed QuietCrabs' previously hidden espionage foothold in the same environments.

  3. Dec 2, 2025

    Thor breaches the same Russian firms via SharePoint and Ivanti flaws

    A separate threat group, Thor, also compromised the same two Russian companies by exploiting the same set of known SharePoint and Ivanti vulnerabilities. Thor used common tooling for reconnaissance, privilege escalation, persistence, data extraction, and exfiltration.

  4. Dec 2, 2025

    QuietCrabs exploits SharePoint and Ivanti flaws for initial access

    QuietCrabs used known vulnerabilities in Microsoft SharePoint Server and Ivanti products, including CVE-2025-53770, CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, and CVE-2023-38035, to gain entry to victim environments. The actor then deployed KrustyLoader malware and a Sliver C2 implant to support espionage operations.

  5. Nov 4, 2024

    QuietCrabs establishes long-term access in two Russian companies

    An Asian-origin cyber espionage group tracked as QuietCrabs compromised two Russian companies and maintained stealthy access in their networks. The group's reported average dwell time is 393 days, indicating the intrusion likely began well before the later ransomware activity.


Related Stories

Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation


**Warlock** ransomware operators have continued exploiting unpatched **Microsoft SharePoint** servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported the group is now using a **bring your own vulnerable driver (BYOVD)** technique involving the `Nsec` driver, alongside tools such as **TightVNC** and the **Yuze** reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia. Incident details show the operators escalating to **full domain compromise** by abusing credentials, resetting the built-in Administrator account, and adding users to the **Domain Administrators** group. They used **PsExec**, **PowerShell Remoting**, MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms supported persistence and command-and-control. The reporting indicates Warlock has kept its SharePoint exploitation path consistent, but has significantly strengthened the actions that follow compromise, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.

1 month ago
Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals


A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise. Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.

1 month ago
Ransomware Operators Abuse Velociraptor for Persistent Access and Deployment


Ransomware operators have begun leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool, to facilitate and enhance their attacks on enterprise environments. Cisco Talos confirmed that Velociraptor, previously not definitively linked to ransomware campaigns, was used by threat actors believed to be associated with Storm-2603 and possibly a China-based group. These actors targeted VMware ESXi virtual machines and Windows servers, deploying multiple ransomware strains including Warlock, LockBit, and Babuk, which resulted in significant disruption to the victim's IT infrastructure. The attackers installed an outdated version of Velociraptor (0.73.4.0) that contained a privilege escalation vulnerability (CVE-2025-6264), enabling them to execute arbitrary commands and potentially take over endpoints. Velociraptor was used to maintain stealthy, persistent access, allowing the attackers to operate undetected while preparing and executing the ransomware payloads. In addition to Velociraptor, the attackers utilized the Windows msiexec utility to download and install tools from a Cloudflare Workers domain, including Visual Studio Code and the Radmin remote administration tool, further expanding their control and tunneling capabilities. Visual Studio Code was installed as a service and configured to create a tunnel to an attacker-controlled command-and-control (C2) server, with logs redirected for monitoring. The attackers also used encoded PowerShell commands to automate the download and execution of these tools. Sophos incident responders encountered the same threat actors in a separate incident, where they were able to prevent the final deployment of ransomware, but observed the same tactics, techniques, and procedures (TTPs). The use of Velociraptor in these attacks highlights a growing trend of threat actors repurposing legitimate security tools for malicious purposes, complicating detection and response efforts. 
The campaign demonstrates the attackers' ability to combine multiple open-source and commercial tools to achieve persistence, lateral movement, and data exfiltration. The presence of Babuk ransomware files on the victim's network marks a new development, as this strain had not previously been associated with Storm-2603. The attackers' use of multiple ransomware variants in a single campaign suggests a flexible and opportunistic approach to maximizing impact. The exploitation of a known vulnerability in Velociraptor underscores the importance of timely patching and monitoring of security tools themselves. The campaign also involved the use of Cloudflare tunneling and remote administration utilities, indicating a sophisticated approach to maintaining access and evading detection. The incident serves as a warning to organizations about the risks of outdated or misconfigured security tools being turned against them. Security teams are advised to monitor for unusual deployments of DFIR tools and to ensure all such software is kept up to date. The blending of legitimate and malicious activity in these attacks poses significant challenges for defenders, requiring enhanced vigilance and advanced detection capabilities.

1 month ago
