| Item | Value |
| --- | --- |
| New Threats Detection Added | RevStealer, Lumma Stealer |
| New Threat Protection | 79 |
| Newly Detected Threats | 8 |
Weekly Detected Threats
The following threats were added to Crystal Eye this week:
Threat name: RevStealer

RevStealer is a Windows-based information stealer with remote access capabilities that is often distributed through fake software and game mods. It utilises the Polygon Blockchain for retrieval of C2 configuration information (EtherHiding). Information such as credentials, browser data, and crypto wallets is collected from the local system, encrypted, and exfiltrated to the C2 server.

| Threat Protected | Rule Set Type | Class Type | Kill Chain |
| --- | --- | --- | --- |
| 9 | | Trojan-activity | |
Known Exploited Vulnerabilities (Week 3 - June 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-3rd-week-of-june-2026/671.
| Vulnerability | CVSS | Description | Affected Version | Fixed Version |
| --- | --- | --- | --- | --- |
| | 9.8 | Unauthenticated RCE - Splunk Enterprise contains a vulnerability within the PostgreSQL sidecar service that can allow an unauthenticated remote attacker to execute code on the system. | 10.2.0 - 10.2.3; 10.0.0 - 10.0.6 | 10.2.4; 10.0.7 |
| | 9.8 | Unauthenticated RCE - Widget Factory Joomla Content Editor (JCE) extension contains an improper access control vulnerability that can allow an unauthenticated remote attacker to execute code on the system. | <= 2.9.99.4 | 2.9.99.6 |
| | 8.5 | Privilege Escalation - LiteSpeed cPanel plugin contains a privilege escalation vulnerability that can allow an attacker with FTP or web shell access on a shared hosting environment running CloudLinux/CageFS to escalate privileges to root. | <= 2.4.7 (cPanel); <= 5.3.1.0 (WHM) | 2.4.8; 5.3.2.1 |
| | 6.5 | Privilege Escalation - Cisco Catalyst SD-WAN Manager contains a directory traversal vulnerability that can allow an authenticated remote attacker with write privileges to create or overwrite files on the filesystem; successful exploitation may allow an attacker to escalate to root-level privileges on the system. | Check vendor advisory for affected products and versions. | |
Updated Malware Signature (Week 3 - June 2026)
| Threat | Description |
| --- | --- |
| Lumma Stealer (Win32) | Lumma Stealer (also tracked as LummaC2) is a Malware-as-a-Service information stealer that silently harvests sensitive data from compromised Windows systems and is typically delivered through fake browser updates, cracked software, or phishing lures. The stolen data is ultimately sold on underground markets, frequently serving as the initial foothold for follow-on attacks including ransomware. |
Ransomware Report

The Red Piranha Team conducts ongoing surveillance of the dark web and other channels to identify global organisations impacted by ransomware attacks. In the past week, our monitoring revealed multiple ransomware incidents across diverse threat groups, underscoring the persistent and widespread nature of these cyber risks. Presented below is a detailed breakdown of ransomware group activities during this period.

Ransomware Hits Last Week

Last week's ransomware activity shows that Deadlock was the most active ransomware group, impacting 72 countries, which accounted for 26.57% of the total ransomware hits. This makes Deadlock the dominant ransomware actor for the week. The Gentlemen was the second most active group, attacking 35 countries and contributing 12.92% of the total activity. Lockbit5 followed closely with 34 countries, accounting for 12.55%. Together, these three groups represented a major share of the overall ransomware activity. A second level of activity was observed from groups such as Qilin, which attacked 15 countries and accounted for 5.54%, and SafePay, which impacted 12 countries, representing 4.43%. Shadowbyt3$ and ShinyHunters each attacked 9 countries, contributing 3.32% individually, while Krybit affected 8 countries, accounting for 2.95%. Moderate activity was seen from Nova and Anubis, each impacting 7 countries, while Nightspire attacked 6 countries. Aurora affected 5 countries, and groups such as Inc Ransom, Akira, and Pear each impacted 4 countries. Several ransomware groups had lower activity, impacting between 2 and 3 countries, including Brain Cipher, Space Bears, Play, Lynx, Prinz Eugen, Coinbase Cartel, Payload, DragonForce, Icarus, Gunra, Ransomhouse, and Genesis. The remaining groups, including Triple X, Kairos, Securotrop, Bavacai, Leaknet, Ailock, Fulcrumsec, Lamashtu, Cloak, Rhysida, Bravox, and Stormous, each attacked 1 country, accounting for 0.37% individually.

Brain Cipher Ransomware
Origin and Encryptor Lineage
Brain Cipher is a financially motivated, double-extortion ransomware operation whose encryptor is built from the leaked LockBit 3.0 (LockBit Black) builder [1][3]. First traces of the group were identified on 16 June 2024, with an assessment that the operators had been active since at least April 2024 [1]; the first leak-site victim was recorded on 1 July 2024 [11]. The encryptor uses Salsa20 to encrypt file contents and RSA-1024 to protect the Salsa20 key, renaming encrypted files to a seven-character sequence followed by a nine-character random extension [1][8]. Unlike the stock builder, Brain Cipher also encrypts the filename itself and applies partial (intermittent) encryption - leaving data beyond an approximately 0x80000 offset intact - to accelerate the attack across large file sets [1].
Brain Cipher is assessed to be one brand among several operated by the same individuals [2][9]. Open-source analysis concludes that EstateRansomware, SenSayQ, and "Noname" ransomware are controlled by the same operators as Brain Cipher, with July 2024 activity also attributed to RebornRansomware [2][9][10]. The linkage rests on overlapping cyberfear.com negotiation email aliases, shared Tor data-leak-site scripts and technology stacks, and matched ransom-note phrasing such as "Dear managers" and "If you are reading this, it means your network has been attacked." [2][10] This re-branding behaviour is operationally significant: the disappearance of the Brain Cipher name would not indicate the operators have ceased activity.
Tactics, Techniques, and Procedures (TTPs)
Attribution Framework
| Tactic | Technique ID | Technique | Evidence/Observed Behaviour |
| --- | --- | --- | --- |
| Initial Access | T1566 | Phishing/Spearphishing | Phishing and spearphishing used for initial delivery. |
| Initial Access | T1190 | Exploit Public-Facing App/IAB | Exploitation of public-facing applications and reliance on initial-access brokers for footholds. |
| Initial Access | T1078/T1133 | Valid Accounts/RDP/VPN | Compromised credentials and exposed RDP/VPN used for entry - inherited from LockBit lineage. |
| Privilege Escalation | T1068 | Exploitation for Priv-Esc (CVE-2023-28252) | Windows CLFS driver privilege-escalation vulnerability leveraged to obtain SYSTEM/admin. |
| Privilege Escalation | T1134 | Access Token Manipulation | Access-token manipulation used to elevate and impersonate. |
| Defence Evasion | T1562.001 | Impair Defenses: Disable Tools | Disables Windows Defender and stops security/backup services prior to encryption. |
| Defence Evasion | T1070.001 | Indicator Removal: Clear Event Logs | Clears or disables Windows Event Logs via registry modification to hinder forensics. |
| Defence Evasion | T1027 | Obfuscated Files | UPX packing and Python-based crypters used to obstruct static analysis. |
| Credential Access | T1555/T1539 | Credentials from Browsers/Cookies | Harvests credentials from browsers and files and steals web session cookies. |
| Credential Access | T1003 | OS Credential Dumping | OS credential dumping for domain-credential harvesting - LockBit lineage. |
| Discovery | T1083/T1012/T1082 | File/Registry/System Discovery | Enumerates files, directories, registry, and system information to plan encryption. |
| Lateral Movement | T1021/T1570 | Remote Services/SMB/PsExec/GPO | Self-propagation across the domain via SMB/PsExec and GPO-based deployment; encryptor pushed from a domain controller using domain-admin credentials. |
| Exfiltration | T1041 | Exfiltration Prior to Encryption (Claimed) | Claims data theft prior to encryption for double extortion, but frequently not actually executed. |
| Impact | T1486 | Data Encrypted for Impact | LockBit 3.0-based encryptor (Salsa20 + RSA-1024) encrypts content and filenames, appending a random extension. |
| Impact | T1490 | Inhibit System Recovery | Deletes Volume Shadow Copies (vssadmin/WMI) to prevent restoration. |
| Impact | T1489 | Service Stop | Stops VSS, Hyper-V Volume, VirtualDisk, and Veeam vPower NFS services before encryption. |
Attack Lifecycle
The following reconstructs a Brain Cipher intrusion based on vendor analysis, sample analysis of the LockBit 3.0-based encryptor and the PDNS-2 incident forensics [1][3].
INITIAL ACCESS - Phishing or Broker-Supplied Credentials
The operator gains entry via phishing/spearphishing, exploitation of a public-facing application, or credentials and footholds purchased from an initial-access broker [3][15]. Exposed RDP and VPN endpoints with weak or absent MFA are common entry points (LockBit lineage).
PRIVILEGE ESCALATION - CLFS Exploit + Token Manipulation
The operator escalates privilege, potentially exploiting CVE-2023-28252 (Windows CLFS driver) to obtain SYSTEM, and manipulates access tokens to impersonate privileged users [3].
DEFENSE EVASION - Disable Defender + Clear Logs
Windows Defender is disabled and security/backup services are stopped. Windows Event Logs are cleared or disabled via registry modification to hinder detection and forensics [3]. Payloads are UPX-packed or Python-crypted to obstruct static analysis [3].
CREDENTIAL ACCESS - Browser & Domain Credentials
The operator harvests credentials from browsers and files, steals web session cookies, and dumps OS credentials to obtain Windows domain-administrator access - the privilege level required for domain-wide deployment [4][6][15].
Observable artefacts: Anomalous lsass.exe access; browser credential-store access; new domain-admin authentications; credential-dumping tool execution.
DISCOVERY & LATERAL MOVEMENT - SMB/PsExec/GPO
After enumerating files, registry, and system information, the operator moves laterally via SMB and PsExec and uses GPO-based self-propagation to push the encryptor across the domain - typically deployed from a domain controller using domain-admin credentials [4][13].
EXFILTRATION - Claimed (Often Not Executed)
The operator stages and claims data theft prior to encryption for double-extortion leverage [1]. Analysis indicates that for most monitored victims the data is never actually published, suggesting the exfiltration step is frequently a bluff rather than a genuine large-scale transfer [1][9].
INHIBIT RECOVERY - Delete Shadow Copies + Stop Services
MITRE: T1490/T1489 Status: CONFIRMED [6][14]
Volume Shadow Copies are deleted (vssadmin/WMI), and VSS, Hyper-V Volume, VirtualDisk, and Veeam vPower NFS services are stopped to prevent restoration.
IMPACT - Encryption (Salsa20 + RSA-1024)
The LockBit 3.0-based encryptor executes, encrypting file contents with Salsa20 and wrapping the key with RSA-1024 [8]. Filenames are encrypted and renamed to a seven-character name plus a nine-character random extension, using partial encryption (~0x80000 cutoff) for speed [1].
RANSOM NOTE - [extension].README.txt
A ransom note named [extension].README.txt (variant "How To Restore Your Files.txt") is dropped in every enumerated directory, opening "Dear managers," promising recovery "within 4-6 hours," and pointing to the Tor support/leak sites and a cyberfear.com email.
EXTORTION - Leak Site + Countdown
The victim is listed on the Tor data leak site with a countdown timer; negotiation proceeds via the Tor portal using the per-victim encryption ID [5][11]. Where payment is refused, a leak may be threatened - though data is frequently not actually published [1][9].
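The partial-encryption and renaming behaviour described in the IMPACT and RANSOM NOTE steps can be turned into a file-triage check during incident response. The following is an added example, not code from the report, Red Piranha, or any cited vendor; the entropy thresholds, the alphanumeric character set assumed for the 7+9 names, and the `constructed_sample` test data are assumptions.

```python
"""Triage of files suspected to be Brain Cipher-encrypted (added example, not
from the report or any vendor). Assumes the behaviour described in the IMPACT
step: content up to roughly offset 0x80000 is Salsa20-encrypted and bytes
beyond it are left intact, files are renamed to 7 + 9 characters (assumed
alphanumeric), and the ransom note is named [extension].README.txt."""
import math
import os
import re
from collections import Counter

PARTIAL_CUTOFF = 0x80000  # ~512 KiB encrypted prefix, per the report's sample analysis
RENAME_RE = re.compile(r"^[A-Za-z0-9]{7}\.[A-Za-z0-9]{9}$")           # 7-char name + 9-char extension
NOTE_RE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$", re.IGNORECASE)  # [extension].README.txt


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, ~3-5 for text, lower for padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_partially_encrypted(data: bytes, cutoff: int = PARTIAL_CUTOFF,
                              high: float = 7.5, low: float = 6.0) -> bool:
    """High-entropy head followed by a low-entropy tail beyond the cutoff.

    Thresholds are assumptions; tune them against known-good files. A file
    shorter than the cutoff has no intact tail, so only the head is judged."""
    head_e = shannon_entropy(data[:cutoff])
    tail = data[cutoff:]
    if not tail:
        return head_e >= high
    return head_e >= high and shannon_entropy(tail) <= low


def triage_entries(entries):
    """entries: iterable of (path, content bytes). Returns notes, renamed and partial hits."""
    findings = {"renamed": [], "partial": [], "notes": []}
    for path, content in entries:
        base = os.path.basename(path)
        if NOTE_RE.match(base):
            findings["notes"].append(path)
        elif RENAME_RE.match(base):
            findings["renamed"].append(path)
            if looks_partially_encrypted(content):
                findings["partial"].append(path)
    return findings


def triage_directory(root: str):
    """Walk a share or restored volume; a 64 KiB tail sample is enough to judge the cutoff."""
    def walk():
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, fh.read(PARTIAL_CUTOFF + 65536)
    return triage_entries(walk())


def constructed_sample(partial: bool) -> bytes:
    """Constructed test data, not a real sample: random head (or text) + plain-text tail."""
    head = os.urandom(PARTIAL_CUTOFF) if partial else b"plain text content " * (PARTIAL_CUTOFF // 19 + 1)
    return head[:PARTIAL_CUTOFF] + b"plain text content " * 2000
```

Run `triage_directory` against a mounted image or restored share; a renamed file that is not in `partial` is worth a second look, since it may be a fully encrypted small file or a different encryptor.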
Indicators Of Compromise (IOCs)
File Hashes (Brain Cipher-Attributed Samples)
| Type | Indicator/Value | Description |
| --- | --- | --- |
| SHA256 | eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12 | Primary/most-cited Brain Cipher sample. |
| SHA256 | 2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c | Config kills Sophos and Veeam services. |
| SHA256 | 0ed5729655b3f09c29878e1cc10de55e0cbfae7ac344f574d471827c256cf086 | Brain Cipher sample (SOCRadar / Protergo). |
| SHA256 | 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417 | Brain Cipher sample (Wazuh rule 100121). |
| MD5 | 448f1796fe8de02194b21c0715e0a5f6 | Primary sample MD5. |
| SHA1 | 935c0b39837319fda571aa800b67d997b79c3198 | Primary sample SHA1. |
Host-Based Indicators
| Type | Indicator/Value | Description |
| --- | --- | --- |
| File Pattern | [7 chars] + [9-char random extension] | Encrypted-file naming pattern; filenames themselves encrypted. |
| Ransom Note | [extension].README.txt | Dropped in every enumerated directory (variant: How To Restore Your Files.txt). |
| Encryption | Salsa20 + RSA-1024 (partial, ~0x80000 cutoff) | LockBit 3.0 Black builder encryption scheme. |
| CVE | CVE-2023-28252 | Windows CLFS driver privilege-escalation exploited. |
| Mutex | Global\{GUID} (generic LockBit) | No Brain Cipher-specific mutex - generic per-build LockBit scheme. NOT a reliable signature. |
Network & Contact Indicators
| Type | Indicator/Value | Description |
| --- | --- | --- |
| Tor DLS | vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion | Brain Cipher data leak site (online 21 June 2026). |
| Tor Portal | mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion | Negotiation / support portal. |
| Tor (2025) | brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion | 2025 vanity client-area onion. |
| Email | | Operator contact alias (also brain.dataleak / brain.decrypt / ibrain.support). |
| Wallet | bc1qqjzd8jrcvz5tl895uvgy6ph83g7sh06uzu6vn8 | BTC wallet (no observed transactions). |
Detection Content
| Type | Indicator/Value | Description |
| --- | --- | --- |
| YARA | BrainCipher.yar | Community YARA rule (Ransomware.live). |
| OTX Pulse | 667a4a587fcaf3c56325ecaa | AlienVault OTX pulse (Protergo). |
Mitigation - Crystal Eye 5.5 Controls
All Crystal Eye 5.5 controls referenced below are documented across the Red Piranha platform documentation.
CE ZTNA + MFA
Enforce ZTNA with continuous authentication and least-privilege access on all remote entry. Apply MFA to every RDP and VPN endpoint and audit/disable dormant accounts - the cluster relies on initial-access brokers and valid accounts.
CEASR + ForceField
CEASR application allowlisting and protected-folder enforcement are active on all Windows endpoints - these block the LockBit-based encryptor before execution and prevent untrusted processes writing to protected folders.
CE DNS Banned Domains + Email Gateway
Block and alert on all Brain Cipher .onion addresses and cyberfear.com email aliases via DNS Banned Domains/sinkholing and email gateway rules.
CE MDR + CESOC SIEM
CE MDR endpoint telemetry alerts on Windows Defender disablement, security/backup service stops, and Windows Event Log service disablement or clearing.
CESOC 24x7 + SOAR/DFIR
CESOC 24x7 monitoring correlates the cross-stage signal - Defender disablement, domain-admin credential theft, GPO deployment, shadow-copy deletion, and mass file rename to the 7+9 character pattern - into a single incident. CE 5.5 extended SOAR/DFIR escalation supports rapid isolation and restore-from-immutable-backup.
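The cross-stage correlation described above, together with the host-based indicators listed earlier, can be illustrated with a small event-correlation routine. This is an added example, not Crystal Eye, CE MDR or CESOC code; the event schema (`host`, `ts`, `kind`, `detail`), the stage names, the 15-minute window, the three-stage threshold and the 20-rename burst are assumptions, and `sample_events` is constructed telemetry rather than real logs.

```python
"""Cross-stage correlation of Brain Cipher host telemetry into one incident.
Added example, not Crystal Eye, CE MDR or CESOC code. Event schema, stage names
and thresholds are assumptions; the observables come from the report: Defender
disablement, VSS/Hyper-V/VirtualDisk/Veeam stops, shadow-copy deletion,
event-log tampering, 7+9 renames and the [extension].README.txt note."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RENAME_RE = re.compile(r"^[A-Za-z0-9]{7}\.[A-Za-z0-9]{9}$")
NOTE_RE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$", re.IGNORECASE)
TARGET_SERVICES = ("vss", "hyper-v", "virtualdisk", "veeam")
WINDOW = timedelta(minutes=15)  # assumed correlation window
MIN_STAGES = 3                  # assumed: distinct stages needed to raise an incident
RENAME_BURST = 20               # assumed: renames within the window that count as "mass"


def classify(ev):
    """Map one telemetry event to a kill-chain stage name, or None if benign."""
    kind, detail = ev["kind"], ev.get("detail", "")
    d = detail.lower()
    if kind == "defender" and "disabled" in d:
        return "defender_disabled"
    if kind == "service_stop" and any(s in d for s in TARGET_SERVICES):
        return "backup_service_stop"
    if kind == "process" and (("vssadmin" in d and "delete shadows" in d) or "win32_shadowcopy" in d):
        return "shadow_copy_deleted"
    if kind == "eventlog" and ("cleared" in d or "disabled" in d):
        return "eventlog_tampered"
    if kind == "file_create" and NOTE_RE.match(detail):
        return "ransom_note"
    if kind == "file_rename" and RENAME_RE.match(detail):
        return "rename_7plus9"
    return None


def correlate(events):
    """Return {host: {"first_seen", "stages"}} for hosts crossing MIN_STAGES within WINDOW."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    incidents = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):  # slide the window over each hit
            in_win = [s for t, s in hits[i:] if t - start <= WINDOW]
            stages = {s for s in in_win if s != "rename_7plus9"}
            if in_win.count("rename_7plus9") >= RENAME_BURST:  # lone renames are noise
                stages.add("mass_rename")
            if len(stages) >= MIN_STAGES:
                incidents[host] = {"first_seen": start, "stages": sorted(stages)}
                break
    return incidents


def sample_events():
    """Constructed telemetry, not real logs: one host under attack, one doing maintenance."""
    t0 = datetime(2026, 6, 15, 2, 10)
    rows = [("WS-07", 0, "defender", "Real-time protection disabled via registry"),
            ("WS-07", 1, "service_stop", "Veeam vPower NFS Service"),
            ("WS-07", 2, "process", "vssadmin.exe delete shadows /all /quiet"),
            ("WS-07", 4, "file_create", "Xy9zQw7rT.README.txt"),
            ("FS-02", 0, "service_stop", "VSS")]  # a single stop on its own must not fire
    rows += [("WS-07", 3, "file_rename", f"a1b2c3{i % 10}.Xy9zQw7rT") for i in range(25)]
    return [{"host": h, "ts": t0 + timedelta(minutes=m), "kind": k, "detail": d} for h, m, k, d in rows]
```

A single stage (a scheduled VSS stop, one odd rename) stays below the threshold, which is the point of correlating across stages rather than alerting on each indicator alone.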
Source References
All intelligence is directly sourced from the references below. Inline citations correspond to reference numbers. Accessed June 2026.
[1] Group-IB - "Deciphering the Brain Cipher Ransomware." group-ib.com/blog/brain-cipher-ransomware/. First traces 16 June 2024; active since April 2024; LockBit 3.0 builder lineage; exfiltration-bluff assessment; PDNS incident.
[2] Group-IB - "Brain Cipher Ransomware Group" (masked actors). group-ib.com/masked-actors/brain-cipher/. EstateRansomware / SenSayQ / Noname / RebornRansomware cluster attribution.
[3] SentinelOne - "Brain Cipher Ransomware: Analysis, Detection, and Mitigation." sentinelone.com/anthology/brain-cipher/. TTPs, CVE-2023-28252, defense evasion, obfuscation, IAB reliance.
[4] BleepingComputer - "Meet Brain Cipher, the new ransomware behind Indonesia data center attack." bleepingcomputer.com. Filename encryption; domain-admin deployment; ransom-note variant.
[5] SOCRadar - "Dark Web Profile: Brain Cipher." socradar.io/dark-web-profile-brain-cipher/. Sample hashes; BTC wallet; onion infrastructure.
[6] Cyble - "Threat Actor Profile: Brain Cipher Ransomware Group." cyble.com/threat-actor-profiles/brain-cipher-ransomware-group/. TTPs, credential access, recovery inhibition.
[7] Broadcom / Symantec - "Brain Cipher Ransomware" protection bulletin. broadcom.com. Ransom-note filename [extension].README.txt.
[8] WatchGuard - "Brain Cipher Ransomware" tracker. watchguard.com. Salsa20 + RSA-1024; 7+9 character naming.
[9] Dark Reading - "Ransomware Group Behind Major Indonesian Attack Wears Many Masks." darkreading.com. Cluster linkage; exfiltration-bluff corroboration.
[10] LeMagIT - "SenSayQ, Estate Ransomware, Brain Cipher: trois enseignes pour un meme acteur?" lemagit.fr. Cluster corroboration.
[11] Ransomware.live - BrainCipher group profile. ransomware.live/group/BrainCipher. Cumulative stats (~60 victims, 43.5-day delay, 26.7% infostealer rate, 24 countries), 15/19 June 2026 victims, onion infrastructure, YARA rule.
Worldwide Ransomware Victims
Worldwide ransomware victim distribution shows that the United States was the most heavily impacted country, with 87 victims, accounting for 32.10% of the total ransomware activity. This indicates that nearly one-third of all reported ransomware victims were based in the United States, making it the primary target region for this period.
Germany recorded the second-highest number of victims, with 18 cases, representing 6.64% of the total. Australia followed closely with 17 victims, accounting for 6.27%. France also showed notable impact, with 11 victims, contributing 4.06% of the total ransomware activity.
Other countries with significant ransomware activity included Spain with 10 victims, and both the United Kingdom and Canada with 9 victims each, accounting for 3.32% individually. Italy recorded 8 victims, while Japan and Mexico each reported 6 victims, representing 2.21% each.
Moderate activity was observed in countries such as China, Argentina, Poland, and Brazil, each with 5 victims, accounting for 1.85% individually. Singapore, Thailand, and Portugal each recorded 4 victims, while India, Netherlands, Turkey, Denmark, Malaysia, and Taiwan each reported 3 victims.
Several countries had lower victim counts, including Sweden, Croatia, Egypt, Jordan, Czech Republic, Uruguay, Peru, and Venezuela, each with 2 victims, representing 0.74% of the total.
The remaining countries recorded 1 victim each, accounting for 0.37% individually. These included Indonesia, Luxembourg, Vietnam, South Korea, Switzerland, Nigeria, Gabon, Hungary, Senegal, Paraguay, Monaco, New Zealand, Chile, Slovenia, Viet Nam, United Arab Emirates, Finland, Botswana, Philippines, South Africa, Colombia, Austria, Mauritius, and Morocco.

Industry-wide Ransomware Impact
Industry-wide ransomware victim data shows that Manufacturing was the most affected sector, with 48 victims, accounting for 17.71% of total ransomware activity. This makes Manufacturing the highest-impact industry for this period.
Business Services was the second most impacted sector, with 40 victims, representing 14.76% of the total. Construction followed with 25 victims, accounting for 9.23%, while Retail recorded 23 victims, contributing 8.49% of overall ransomware activity.
Other sectors with notable ransomware impact included IT, with 18 victims and 6.64% of the total, and Hospitality, with 16 victims, accounting for 5.90%. The Federal sector also showed significant activity, recording 15 victims, which represented 5.54% of the total.
Moderate ransomware activity was seen in Healthcare, which recorded 12 victims, accounting for 4.43%. Consumer Services and Real Estate each reported 9 victims, contributing 3.32% individually. Education, Architecture, and Organizations each recorded 8 victims, representing 2.95% each.
Lower levels of activity were observed in Agriculture and Transportation, each with 5 victims, accounting for 1.85% individually. Law Firms, Insurance, and Electronics each recorded 4 victims, while Telecommunications reported 3 victims.
The least affected sectors were Media & Internet, Energy, and Finance, each with 2 victims, accounting for 0.74% individually. Minerals & Mining recorded the lowest impact, with 1 victim, representing 0.37% of the total.
Overall, the data shows that ransomware activity was mainly concentrated in Manufacturing, Business Services, Construction, and Retail. These sectors accounted for a large portion of the total victims, indicating that ransomware operators continue to target industries with high operational dependency, supply-chain exposure, sensitive business data, and strong pressure to restore services quickly.
