{
	"id": "3022cef2-f5b8-4a24-b3cf-ffba56cce1b4",
	"created_at": "2026-04-06T00:07:52.698071Z",
	"updated_at": "2026-04-10T03:30:10.300327Z",
	"deleted_at": null,
	"sha1_hash": "05b336b34bb251b63be8b0dd8d112baa50f5309b",
	"title": "Rewterz Threat Alert - New Ransomware Actor OldGremlin Hits Multiple Organizations - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49275,
	"plain_text": "Rewterz Threat Alert - New Ransomware Actor OldGremlin Hits\r\nMultiple Organizations - Rewterz\r\nPublished: 2020-09-24 · Archived: 2026-04-05 16:40:40 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nA new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack. Codename OldGremlin is used for the group.\r\nSecurity experts suspect that OldGremlin is currently operating at a smaller scale to fine-tune their tools and\r\ntechniques before going global. OldGremlin is using custom backdoors (TinyPosh and TinyNode) and\r\nransomware (TinyCrypt, a.k.a. decr1pt) along with third-party software for reconnaissance and lateral movement\r\n(Cobalt Strike, command line screenshot, NirSoft’s Mail PassView for email password recovery). The group has\r\nso far targeted medical labs, banks, manufacturers, software developers, etc.\r\nThe threat actor starts its attacks with spear phishing emails that deliver custom tools for initial access. They use\r\nvalid names for the sender address, impersonating well-known individuals. The emails contain links that\r\ndownload the TinyPosh backdoor. The aim is to gain a foothold on the target organization’s network via one of the\r\ntwo backdoors (TinyNode or TinyPosh) that allow expanding the attack via additional modules downloaded from\r\ntheir command and control (C2) server. Remote Desktop Protocol is also used to jump to other systems on the\r\nnetwork. After spending some time on the network identifying valuable systems, the attacker deploys the file-encrypting routine. In the case of a medical laboratory, the attacker obtained domain administrator credentials and\r\ncreated a fallback account with the same elevated privileges to maintain persistence in case the initial one was\r\nblocked. OldGremlin moved to the encryption stage a few weeks after the initial access, deleting server backups\r\nand locking hundreds of computers on the corporate network. The ransom note left behind asked for close to $50,000\r\nin cryptocurrency for the decryption key and provided a Proton email address for contact.\r\nImpact\r\nCredential Theft\r\nUnauthorized Access\r\nFile Encryption\r\nInformation Theft\r\nNetwork-wide Infection\r\nIndicators of Compromise\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations\r\nPage 1 of 3\r\nDomain Name\r\nksdkpwpfrtyvbxdobr1[.]tiyvbxdobr1[.]workers[.]dev\r\nwispy-fire-1da3[.]nscimupf[.]workers[.]dev\r\nnoisy-cell-7d07[.]poecdjusb[.]workers[.]dev\r\nhello[.]tyvbxdobr0[.]workers[.]dev\r\nwispy-surf-fabd[.]bhrcaoqf[.]workers[.]dev\r\nbroken-poetry-de86[.]nscimupf[.]workers[.]dev\r\ncalm-night-6067[.]bhrcaoqf[.]workers[.]dev\r\nrough-grass-45e9[.]poecdjusb[.]workers[.]dev\r\nksdkpwprtyvbxdobr0[.]tyvbxdobr0[.]workers[.]dev\r\ncurly-sound-d93e[.]ygrhxogxiogc[.]workers[.]dev\r\nold-mud-23cb[.]tkbizulvc[.]workers[.]dev\r\nrbcholding[.]press\r\nMD5\r\nf30e4d741018ef81da580ed971048707\r\n94293275fcc53ad5aca5392f3a5ff87b\r\n2c6a9a38ace198ab62e50ab69920bf42\r\nfc30e902d1098b7efd85bd2651b2293f\r\ne0fe009b0b1ae72ba7a5d2127285d086\r\n306978669ead832f1355468574df1680\r\ne1692cc732f52450879a86cb7dcfbccd\r\ne47a296bac49284371ac396a053a8488\r\n30fdbf2335a9565186689c12090ea2cf\r\nSHA-256\r\n71f351c47a4cd1d9836b39da8454d1dc20df51950fe1c25aa3192f0d60a0643f\r\nd3082e2737ab637ee7ee09473ad51c3e98e85f54bfb613974c06ff6f35e5cd09\r\n752b9fe24c357a04b0bdcad4d09e96bbad1bddfac8e637491b4181085eb58632\r\n5c9cf2e4f2392a60cb7fe1d3ca94bda99968c7ee73f908dfc627a6b6d3dc404a\r\nac95d34a008d0ec9deeb3d68afb16b2306a56b6bdc01810072a03b4f6a523586\r\n273b91f37c01bd64d87c507db9868152665f964a2f5bbc744c207d6083e0af89\r\ndc9cbd484395367158c5819882ac811ee8464a62b018ffa51d3d476003643e54\r\n57af8362ebba93155fb29af190fd450903bd62983179e5096cb24b5d0d1ea153\r\n65267892a81d5e6c38c12d808623314ed9798156f3c24df2e8e906394fd51396\r\nSHA-1\r\n2af5efccfbac6de50f0c48c1a232e0b4ce497538\r\nd5872e7c1c544fc5be51dc4aeb3e21af4f924928\r\n34524fb4cc41a313604315c81da1a29fe8d2eeb7\r\n54c74c995c734a59564de507c2608e0ecc5804f7\r\nffb3cd3fb3ccb40352846ea5ece09e07767d6b5a\r\ndc5b5c9e991dffd1f692c052cf1a2af174b5f4b1\r\nafd3de962d53ee4caa94f67eeca62e0ecb369364\r\n927e7b81816979c0393d926e013bb7b351756d43\r\na9a282a11a97669d96cce3feaeaaa13051d51880\r\nSource IP\r\n5[.]181[.]156[.]84\r\n95[.]179[.]252[.]217\r\n136[.]244[.]67[.]59\r\n45[.]61[.]138[.]170\r\nRemediation\r\nBlock the threat indicators at their respective controls.\r\nDo not download attachments from untrusted emails.\r\nDo not click on links provided in untrusted emails.\r\nDouble-check a URL for spelling mistakes before entering credentials.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations"
	],
	"report_names": [
		"rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations"
	],
	"threat_actors": [
		{
			"id": "a060d952-fc4b-44df-bd0e-ee3606e79f83",
			"created_at": "2022-10-25T16:07:23.920646Z",
			"updated_at": "2026-04-10T02:00:04.790469Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "ETDA:OldGremlin",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"TinyCryptor",
				"TinyNode",
				"TinyPosh",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e35c1877-f6a5-4e47-8464-ddc943e3b320",
			"created_at": "2023-11-21T02:00:07.390198Z",
			"updated_at": "2026-04-10T02:00:03.476348Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "MISPGALAXY:OldGremlin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775791810,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05b336b34bb251b63be8b0dd8d112baa50f5309b.pdf",
		"text": "https://archive.orkl.eu/05b336b34bb251b63be8b0dd8d112baa50f5309b.txt",
		"img": "https://archive.orkl.eu/05b336b34bb251b63be8b0dd8d112baa50f5309b.jpg"
	}
}