{
	"id": "1487a137-77ab-4394-95c4-09c04209db63",
	"created_at": "2026-04-06T00:10:45.585263Z",
	"updated_at": "2026-04-10T03:35:52.809593Z",
	"deleted_at": null,
	"sha1_hash": "3b05a14dcb907c72e7a45c40f1282cb4bfec6684",
	"title": "ShadowSyndicate, a new RaaS player? | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1218442,
	"plain_text": "Dusting for fingerprints:\r\nShadowSyndicate, a new RaaS\r\nplayer?\r\nNo sleep until the Cybercrime Fighters Club is done with finding the answer as to who is behind this\r\nnew ransomware-as-a-service affiliate.\r\nSeptember 26, 2023 · Threat Intelligence\r\nEline Switzer\r\nThreat Intelligence Analyst\r\nhttps://www.group-ib.com/blog/shadowsyndicate-raas/\r\nPage 1 of 28\n\nCybercrime Fighters Club RaaS ShadowSyndicate\r\nPreface\r\nIn mid-May 2023, Group-IB began to receive highly positive feedback from the cybersecurity\r\ncommunity regarding the publication of joint research. As a result, Group-IB Threat Intelligence\r\nanalysts teamed up with Joshua Penny from Bridewell, Group-IB’s long-standing MSSP partner in\r\nEurope, and threat researcher Michael Koczwara as part of Group-IB’s new Cybercrime Fighters\r\nClub initiative to conduct a collaborative investigation into what we assert to be a new\r\nRansomware-as-a-Service (RaaS) affiliate.\r\nAcknowledgements: We would like to thank Nikita Rostovtsev for his contribution to this blog post.\r\nIntroduction\r\nThe Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate\r\ngroups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends\r\n2022/2023, Group-IB Threat Intelligence’s review of the top cyber threats, our researchers predicted\r\nthat the RaaS industry would continue to grow rapidly and that numerous new gangs would likely\r\nappear on the block. In this blog, we’ll detail what we believe to be a new RaaS group that appears\r\nto operate differently from the rest: Enter ShadowSyndicate.\r\nWhat is unusual about ShadowSyndicate (not to be confused with Shadow ransomware)? Well, it’s\r\nincredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections\r\nwith a large number of malicious servers. 
In total, we found ShadowSyndicate’s SSH fingerprint\r\non 85 servers since July 2022. Additionally, we can say with various degrees of confidence that\r\nthe group has used seven different ransomware families over the course of the past year,\r\nmaking ShadowSyndicate notable for its versatility. At this stage, we are unable to confirm if\r\nShadowSyndicate is a RaaS affiliate or an initial access broker, although based on our evidence,\r\nwhich we’ll outline in this blog post, we believe that the threat actor is the former.\r\nThis blog post aims to provide an overview of the infrastructure leveraged by ShadowSyndicate\r\nand contains our preliminary conclusions, leaving avenues for further research into the group’s\r\nidentity open for exploration. As part of Group-IB’s new Cybercrime Fighters Club program, this\r\nblog also serves as a key example of the value of knowledge exchange and joint research in the\r\nfield of cybersecurity.\r\nJoin the Group-IB Cybercrime Fighters\r\nClub!\r\nThe global fight against cybercrime is a collaborative effort, and that’s why we’re\r\nlooking to partner with industry peers to research emerging threats and publish joint\r\nfindings on our blog. 
If you’ve discovered a breakthrough into a particular threat\r\nactor or a vulnerability in a piece of software, let us know, and we can mobilize all our\r\nnecessary resources to dive deeper into the issue.\r\nAll contributions will be given appropriate credit along with the full backing of our\r\nsocial media team on Group-IB’s Threat Intelligence Twitter page, where we regularly\r\nshare our latest findings into threat actors’ TTPs and infrastructure, along with our\r\nother social media accounts.\r\n#LetsStopCybercrime #CybercrimeFightersClub\r\nKey findings\r\nSummary\r\nThe SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d, which is connected to various\r\npotentially malicious servers, was detected by multiple researchers. It was deployed on 85 IP\r\nservers and most of them (at least 52) were tagged as Cobalt Strike C2.\r\nWe have dubbed the threat actor that uses the SSH fingerprint\r\n1ca4cbac895fc3bd12417b77fc6ed31d ShadowSyndicate (previous name Infra Storm). 
This SSH\r\nfingerprint was first seen on July 16, 2022 and it is still in use at the time of writing (September\r\n2023).\r\nThe threat actor dubbed ShadowSyndicate uses the same Secure Shell (SSH) fingerprint on\r\nmany servers (85 at the time of writing).\r\nShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of\r\nransomware programs.\r\nIn its attacks, ShadowSyndicate used an “off-the-shelf” toolkit, including Cobalt Strike, IcedID,\r\nand Sliver malware.\r\nAt least 52 servers with this SSH were used as a Cobalt Strike C2 framework.\r\nShadowSyndicate has been active since July 2022.\r\nWe can, with a strong degree of confidence, attribute ShadowSyndicate to Quantum\r\nransomware activity in September 2022, Nokoyawa ransomware activity in October 2022,\r\nNovember 2022, and March 2023, as well as to ALPHV activity in February 2023.\r\nWith a low degree of confidence, we can attribute ShadowSyndicate to Royal, Cl0p, Cactus,\r\nand Play ransomware activity.\r\nWe found connections between ShadowSyndicate infrastructure and Cl0p/Truebot.\r\nTogether we looked into any associated information we could find, with the aim of determining\r\nwhich cybercriminal groups used these servers.\r\nAt the start of our research, we established five hypotheses about ShadowSyndicate that we set\r\nout to prove. These hypotheses are as follows:\r\n1. ShadowSyndicate is a hoster who set up the SSH fingerprint on their server.\r\n2. ShadowSyndicate is a DevOps engineer that deploys servers and provides them to various\r\nthreat actors.\r\n3. ShadowSyndicate owns an underground service offering “bulletproof hosting” to\r\ncybercriminals.\r\n4. ShadowSyndicate is an initial access broker that obtains initial access to victims themselves and\r\nthen sells that access to other cybercrime groups.\r\n5. ShadowSyndicate is a RaaS affiliate that uses various types of ransomware.\r\nAlthough we have not reached a final verdict, all the facts obtained during our research suggest\r\nthat hypothesis E, that ShadowSyndicate is a RaaS affiliate that uses various types of\r\nransomware, is the most plausible.\r\nFigure 1. Hosts related to ShadowSyndicate’s SSH fingerprint. Source: Group-IB Graph Network\r\nAnalysis tool.\r\nThe full list of IP addresses used by the threat actor is as follows:\r\nTable 1. List of IP addresses linked to ShadowSyndicate\r\nNo. | IP address | SSH first seen on host\r\n1 | 45.227.253[.]20 | 2022.07.16\r\n2 | 194.135.24[.]247 | 2022.08.11\r\n3 | 5.188.86[.]227 | 2022.08.17\r\n4 | 179.60.150[.]139 | 2022.08.23\r\n5 | 179.60.146[.]51 | 2022.09.06\r\n6 | 81.19.135[.]249 | 2022.09.11\r\n7 | 179.60.146[.]52 | 2022.09.13\r\n8 | 179.60.146[.]25 | 2022.09.14\r\n9 | 45.227.253[.]30 | 2022.09.14\r\nFor the sake of convenience, we will refer to this list of servers as List A.\r\nIf we go back to our initial assumptions, option A (that ShadowSyndicate is a hoster who set up the\r\nSSH fingerprint on their servers) was rejected immediately because we discovered the existence of\r\n18 different hosts in multiple countries.\r\nWe identified several server clusters presumably related to various threat actors. We also found their\r\ntools and some TTPs that they used. Some servers had been detected in previous attacks. The\r\ntools and malware used by the attackers included Cobalt Strike, Sliver, IcedID, and\r\nMatanbuchus.\r\nResearch\r\nWe conducted our research using Group-IB tools and data, reports by other vendors, the search\r\nengines Shodan and Censys, and OSINT.\r\nTools identified\r\nCobalt Strike\r\nWhen analyzing the servers contained on List A, we came across eight different Cobalt Strike\r\nwatermarks. 
A watermark is a license key for Cobalt Strike users. Adversaries can use cracked\r\nversions of Cobalt Strike, with the watermark changed to a value that is not unique, for example\r\n12345678. In addition, threat actors can use special scripts to change a watermark to any value.\r\nWe have come across the following Cobalt Strike watermarks on servers from List A.\r\nTable 2. Cobalt Strike watermarks on servers from List A.\r\nWatermark | Unique hosts with watermark (data obtained by Group-IB) | Threat actors who used Cobalt Strike with this watermark | Details | Sources\r\n12345 | 121 | Royal, Cactus | In 2023, watermark 12345 was found to be used in attacks related to Royal and Cactus | Royal – Link; Cactus – Link\r\n305419776 | 151 | Quantum, Nokoyawa | In April and September 2022, watermark 305419776 + sleeptime 60000 were found to be used in attacks involving Quantum ransomware. In October and November 2022, this | Quantum – Link 1, Link 2; Nokoyawa – Link 1, Link 2\r\nIt is noteworthy that, while analyzing Cobalt Strike configurations from servers on List A, we saw\r\ninstances when an identical configuration was deployed on two servers, one of which is on List\r\nA and the second is not. In one case, both servers were on List A.\r\nCobalt Strike configuration pairs\r\nAs stated above, we came across identical configurations of Cobalt Strike on pairs of servers: the\r\nfirst is on list A and the second is not. In this section, we provide the relevant data. It will be useful\r\nfor future attribution efforts.\r\nTable 3. Servers with identical Cobalt Strike configurations\r\nPair no. | Configuration | Server #1 (server on List A) | Server #2 | Comment\r\n1 | 2022-11-28, watermark 674054486, sleeptime 119588 | 194.135.24[.]246 | 194.135.24[.]253 | Both servers are on List A\r\n2 | 2022-10-01, watermark 206546002, sleeptime 60000, mysqlserver[.]org | 179.60.146[.]25 | 146.70.116[.]20 | Second server is not on List A\r\n3 | 2023-01-21, watermark 674054486, sleeptime 57247, avdev[.]net | 194.165.16[.]62 | 212.113.106[.]118 | Second server is not on List A\r\n4 | 2022-12-19, watermark 674054486, sleeptime 60216 | 194.165.16[.]91 | 79.137.202[.]45 | Second server is not on List A\r\nSliver\r\nSliver is an open-source penetration testing tool developed in the programming language Go. It’s\r\ndesigned to be scalable and can be used by organizations of all sizes to perform security testing.\r\nLike Cobalt Strike and Metasploit, Sliver can be used by threat actors in real-life attacks. We found\r\nevidence of Sliver being used on servers from List A:\r\n193.142.30[.]17 was connected to Sliver in May 2023\r\n193.142.30[.]154 has been used as Sliver C2 since at least May 2023 and is still being used as of\r\nJuly 2023\r\n194.135.24[.]241 was tagged by Group-IB as Sliver in January 2023\r\nSliver JARM certificates:\r\n00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01\r\n00000000000000000000000000000000000000000000000000000000000000\r\nIcedID\r\nIcedID is a malware developed in 2017 as a banking Trojan with web injects. In recent years it has\r\nmostly been used in attack chains to deliver another payload, for example ransomware. 
IcedID was\r\ndetected in attacks involving the following ransomware groups: Karakurt, RansomEXX, Black\r\nBasta, Nokoyawa, Quantum, REvil, Xingteam, and Conti.\r\nThe server 78.128.112[.]139 from List A (above) was detected in activity connected to the IcedID\r\ninfection chain. It led to Quantum ransomware being deployed in September 2022. In this case, the\r\ninitial vector of attack was MalSpam, which delivered a malicious ISO file.\r\nThe server 5.8.18[.]242 from List A was also detected in activity connected to the IcedID infection\r\nchain. This activity led to Nokoyawa being deployed in October 2022. In this case, the initial vector\r\nof attack was an Excel maldoc containing VBA macros which downloaded the IcedID payload.\r\nMatanbuchus\r\nMatanbuchus is a Malware-as-a-Service (MaaS) loader known since 2021. It is used to execute .exe\r\npayloads and for loading and executing shellcodes and malicious DLL files. It has been detected in\r\nphishing campaigns and it ultimately drops the Cobalt Strike post-exploitation framework on\r\ncompromised machines.\r\nThe following servers from List A were potentially connected to Matanbuchus activity in February\r\n2023:\r\n45.182.189[.]105\r\n45.182.189[.]106\r\nReference #1\r\nReference #2\r\nReference #3\r\nMeterpreter\r\nMeterpreter is a Metasploit payload that runs on the target system and supports the penetration\r\ntesting process.\r\nThe server 179.60.150[.]151 was detected as Meterpreter C2 in March 2023.\r\nDeployment of servers\r\nSecure Shell (SSH) uses a fingerprint generated with a unique server host key so that a client can\r\nidentify the server. We began our investigation after finding a set of servers with the same SSH key\r\nfingerprint.\r\nOur initial assumption was that servers from List A were related to one hosting provider that used\r\nthe same SSH for setting up servers. 
To confirm or disprove this theory, we checked information\r\nabout the networks for servers from List A, which we have compiled in Table 4 (below).\r\nTable 4. Network information of servers\r\nNo. | IP address | Country | Network name | Owner name\r\n1 | 45.227.253[.]20 | Panama | PA-DICO2-LACNIC | DirectWebH CORP\r\n2 | 194.135.24[.]247 | Czech Republic | CZ-RELCOM-19950206 | Reliable Communications s.r.o.\r\n3 | 5.188.86[.]227 | Cyprus | CHANNEL-NET | Channelnet\r\n4 | 179.60.150[.]139 | Belize | BZ-MGLT-LACNIC | MAXWELL GROUP LTD\r\n5 | 179.60.146[.]51 | Costa Rica | CR-DASA3-LACNIC | DATASOLUTIONS S.A.\r\n6 | 81.19.135[.]249 | Seychelles | DIGICLOUD-NET | Alviva Holding Limited\r\n7 | 179.60.146[.]52 | Costa Rica | CR-DASA3-LACNIC | DATASOLUTIONS S.A.\r\n8 | 179.60.146[.]25 | Costa Rica | CR-DASA3-LACNIC | DATASOLUTIONS S.A.\r\nThe information in the above table indicates that the servers used by ShadowSyndicate do not\r\nhave the same owner, allowing us to discount hypothesis A (that ShadowSyndicate is a hoster who\r\nset up the SSH fingerprint on their server). In fact, we identified 18 different server owners.\r\nFigure 2. ShadowSyndicate servers by owner name.\r\nFurther supporting our decision to discount hypothesis A, we found that the servers do not have\r\nthe same network name. In total, we identified 22 different network names.\r\nFigure 3. ShadowSyndicate servers by network name.\r\nAdditionally, the servers are not all based in the same country. ShadowSyndicate leveraged servers\r\nbased in 13 different territories, with Panama being their preferred country of choice.\r\nFigure 4. ShadowSyndicate servers by country in which they are based.\r\nWe have therefore reached the conclusion that servers from List A aren’t related to one network\r\nand one hosting provider. 
Hypothesis A (above), which stated that ShadowSyndicate is a hoster who set up the SSH fingerprint\r\n1ca4cbac895fc3bd12417b77fc6ed31d on their servers, can therefore be\r\nrejected.\r\nOn most List A servers, OpenSSH 8.2p1 was used. Further research uncovered connections with\r\nvarious ransomware families (for example Trickbot, Nokoyawa, Royal, Ryuk, FIN7, ALPHV, and\r\nCl0p). Most of our findings connect ShadowSyndicate with ransomware activity, but unfortunately\r\nwe didn’t detect strong ties to a specific threat actor. As a result, assumptions B, C, D, and E have\r\nyet to be fully discounted.\r\nData attributed with a high degree of\r\nconfidence\r\nSeveral servers on List A were attributed to known attackers with a high degree of confidence. In\r\nthe interests of brevity, we will not provide full Cobalt Strike configurations. However, we will provide\r\nsome parameters if they are known (date of detection, watermark, sleeptime, Cobalt Strike C2\r\nserver) because certain combinations of these parameters could be unique and useful for\r\nattribution.\r\nConnection with Quantum\r\nQuantum ransomware was discovered in July 2021. Quantum presumably included members of\r\nConti, a prolific cybercrime group that shut down its ransomware operations and dedicated leak site\r\n(DLS) more than a year ago. Quantum’s DLS hasn’t been updated since November 2022.\r\nTable 5. Attribution of IP address 78.128.112[.]139 (found in List A).\r\nIP address | Attribution\r\n78.128.112[.]139 | This Cobalt Strike server with watermark 305419776, sleeptime 60000 was detected in a Quantum ransomware attack in September 2022 – Link. ISO file -\u003e IcedID -\u003e Cobalt Strike -\u003e Quantum\r\nConnection with Nokoyawa\r\nNokoyawa is a type of ransomware first discovered in February 2022. The origins of Nokoyawa can\r\nbe traced back to another ransomware type called Nemty. 
Nokoyawa has been active since August\r\n2023.\r\nOne of the Cobalt Strike servers from List A was detected in two connected Nokoyawa attacks in\r\nQ4 2022. These attacks have a lot in common with the Quantum attack described in the previous\r\nsection. Another server from List A was detected in a Nokoyawa attack in April 2023.\r\nTable 6. Attribution of IP address 5.8.18[.]242 (found in List A).\r\nIP address | Cobalt Strike configurations and attribution\r\n5.8.18[.]242 | Cobalt Strike with watermark 305419776, sleeptime 60000 was detected on a host on October 12, 2022. This Cobalt Strike server was detected in an attack involving Nokoyawa in October 2022 – Link. Excel maldoc -\u003e IcedID -\u003e Cobalt Strike -\u003e Nokoyawa. It is important to note that the watermark, sleeptime, period of attack and TTPs are all similar to the Quantum attack described in the previous section. In November 2022 the same Cobalt Strike server 5.8.18[.]242 (with the same watermark 305419776, sleeptime 60000) was also used in an attack involving Nokoyawa – Link. Thread-Hijacked Email -\u003e HTML Attachment -\u003e ZIP -\u003e ISO file -\u003e IcedID -\u003e Cobalt Strike -\u003e Nokoyawa. The SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d was detected on this server on October 11, 2022.\r\nTable 7. Attribution of IP address 46.161.27[.]160 (found in List A).\r\nIP address | Cobalt Strike configurations and attribution\r\n46.161.27[.]160 | Cobalt Strike with watermark 674054486 was detected on a host on March 27, 2023, with CS domain devsetgroup[.]com. The domain devsetgroup.com was detected in an attack involving Nokoyawa – Link. SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d was detected on this server on April 4, 2023.\r\nConnection with ALPHV\r\nALPHV (aka BlackCat) is a ransomware operator group discovered in December 2021. It has been\r\nactive since August 2023 and is one of the most active ransomware groups in history.\r\nLet’s have a closer look at the server pairs 5 and 6 in Table 3 (found above). These server pairs had\r\nidentical configurations of Cobalt Strike.\r\nTable 8. Server pairs containing identical configurations of Cobalt Strike.\r\nCobalt Strike configuration | Server #1 (server on list A) | SSH first seen on server #1 | Server #2\r\n2023-01-31, watermark 674054486, sleeptime 60946, server devcloudpro[.]com | 194.165.16[.]64 | December 6, 2022 | 109.172.45[.]28\r\n2023-01-29, watermark 674054486, sleeptime 58835, server uranustechsolution[.]com | 194.165.16[.]90 | January 29, 2023 | 109.172.45[.]77\r\nIdentical Cobalt Strike configurations (same watermark, sleeptime, Cobalt Strike domain and date of\r\ndetection by Group-IB) were identified by Group-IB specialists in an incident response case related\r\nto an ALPHV attack that took place in February 2023. It should be noted that these configurations\r\nare unique and were seen only twice.\r\nServers from the attack involving ALPHV:\r\n109.172.45[.]28\r\n109.172.45[.]77\r\nThe evidence points to a strong connection with ALPHV ransomware.\r\nData attributed with a low degree of\r\nconfidence\r\nWhile checking List A servers using Group-IB data sources, we established that some servers were\r\nmapped as Ryuk, Conti, and Trickbot. However, these criminal groups no longer exist. Ryuk ceased\r\nto exist at the end of 2021, while Conti and Trickbot (which are connected) went dormant at the\r\nbeginning of 2022.\r\nResearchers believe that former members of these groups could be continuing with their criminal\r\nactivity using the same infrastructure, but they might now operate individually or in other criminal\r\ngroups. Unfortunately, at the time of writing we do not have reliable enough evidence to attribute\r\nthem to existing threat actors — we can only make educated guesses.\r\nWe would also like to highlight unattributed servers with Cobalt Strike, presumably related to\r\nransomware activity. Our assumptions of current attribution are based on Cobalt Strike watermarks\r\ndetected in previous attacks conducted by ransomware groups and mentioned in other reports.\r\nOur research shows that several watermarks could be detected on a single server, which\r\ncomplicates attribution but confirms our theory that ShadowSyndicate could be an affiliate who\r\nworks with various RaaS groups.\r\nLet’s look into available information in more detail. Below we provide data with known Cobalt Strike\r\nwatermarks and other tags which might help with attribution.\r\nTable 9. 
Connections with Royal, Quantum, Cl0p, ALPHV, Nokoyawa, and Play\r\nIP address | SSH first seen on host | Cobalt Strike configurations and possible attributions\r\n45.227.253[.]20 | July 16, 2022 | May 16, 2023: watermark 1580103824, sleeptime 57297, domain qw.sveexec[.]com. In 2022, watermark 1580103824 was detected on a server related to Royal ransomware. In May 2023, watermark 1580103824 was detected in an attack related to Cl0p ransomware.\r\n194.135.24[.]247 | August 11, 2022 | August 24, 2022: watermark 305419776, sleeptime 60000. April 8, 2023: watermark 1580103824, sleeptime 60000. In April and September 2022, watermark 305419776 + sleeptime 60000 was detected in attacks involving Quantum ransomware. In Q4 2022, this watermark also was detected in an attack involving Nokoyawa. In 2022, watermark\r\nTable 10. Notable data found on servers\r\nIP address | SSH first seen on host | Data found on server\r\n158.255.2[.]245 | July 20, 2023 | May 24, 2022. The Cobalt Strike watermark is unknown. However, this server is connected to several domains registered on July 18, 2023: asapor[.]xyz, asaporeg[.]xyz, asaper[.]xyz, assapaa[.]xyz, aserpo[.]xyz\r\n193.142.30[.]205 | July 26, 2023 | Cobalt Strike wasn’t detected on this host. However, this server is connected to a domain registered on July 23, 2023: eastzonentp[.]com\r\nConnections with Cl0p/Truebot infrastructure\r\nDuring our research, we uncovered several potential connections between ShadowSyndicate and\r\nTruebot/Cl0p infrastructure. We identified a number of IP addresses attributed to Cl0p that we\r\nbelieve have changed ownership to ShadowSyndicate, as evidenced by the use of the\r\nShadowSyndicate SSH key. These IP addresses have been linked to 4 out of 5 clusters that we\r\nhave attributed to ransomware affiliates associated with Cl0p and Black Basta and to ex-ransomware groups such as Ryuk.\r\nTo show the association between Cl0p and ShadowSyndicate, below we present the IP addresses\r\nreused by both Cl0p clusters and ShadowSyndicate. We also compared hosting providers to try\r\nand determine whether the ShadowSyndicate threat actors previously operated as Cl0p affiliates.\r\nOut of the 149 IP addresses that we linked to Cl0p ransomware affiliates, we have seen, since\r\nAugust 2022, 12 IP addresses from 4 different clusters changed ownership to\r\nShadowSyndicate, which suggests that there is some potential sharing of infrastructure between\r\nthese groups. Unfortunately, we could not verify the use of these IPs before they changed\r\nownership to ShadowSyndicate, but they are now all used as C2 infrastructure for Cobalt Strike or\r\nMetasploit.\r\nThese IP addresses are as follows:\r\nTable 11. IP addresses shared between Cl0p and ShadowSyndicate\r\nIP | ShadowSyndicate SSH first seen | Usage\r\n147.78.47[.]231 | September 20, 2022 | Cobalt Strike\r\n179.60.146[.]51 | September 6, 2022 | Cobalt Strike\r\n179.60.150[.]151 | February 6, 2023 | Meterpreter\r\n194.135.24[.]241 | November 12, 2022 | Cobalt Strike\r\n194.135.24[.]248 | September 18, 2022 | Cobalt Strike\r\n45.227.252[.]247 | November 16, 2022 | Cobalt Strike\r\n45.227.252[.]252 | November 25, 2022 | Cobalt Strike\r\n45.227.255[.]189 | October 7, 2022 | Cobalt Strike\r\nFigure 5. Data visualization of connections between ShadowSyndicate and Cl0p\r\nThese IPs can be attributed to Cl0p on account of their connection with clusters of infrastructure\r\nthat were previously linked to Cl0p affiliates using SSH hash fingerprints.\r\nThe following SSH hashes represent select clusters of infrastructure predominantly linked to Cl0p:\r\nSSH hashes:\r\nddd9ca54c1309cde578062cba965571\r\nb54cce689e9139e824b6e51a84a7a103\r\n9bd79ffaeb8de31c9813b3ce51b30488\r\n5e21f8e88b007935710b2afc174f289\r\n55c658703c07d6344e325ea26cf96c3\r\n96ea77a1a901e38aac8b9d5772d3d765\r\nBelow we show how infrastructure was reused between Cl0p and ShadowSyndicate and we\r\ncompare how hosting providers were selected. Although we cannot directly connect\r\nShadowSyndicate to Cl0p with a high degree of confidence, the following observations are\r\nnoteworthy and suggest some form of connection between the two groups.\r\nFigure 6. Association between ShadowSyndicate IP addresses and past SSH clusters linked to Cl0p\r\nThe graph above shows how ShadowSyndicate IP addresses are associated with previous SSH\r\nhash clusters linked to Cl0p. 
Some IP addresses were also reused between Cl0p hashes.\r\nSSH hash: ddd9ca54c1309cde578062cba965571\r\nFigure 7. Visual connection of ShadowSyndicate (Infra Storm) with Truebot infrastructure, as shown\r\nin Group-IB’s Network Graph Analysis tool.\r\nSSH hash: 5e21f8e88b007935710b2afc174f289\r\nFigure 8. Connection between ShadowSyndicate (Infra Storm) and SSH\r\n5e21f8e88b007935710b2afc174f289\r\nFigure 9. Comparison of hosting providers of ShadowSyndicate and Cl0p infrastructure\r\nThe above Figure 9 shows that while there is some limited crossover between the infrastructure\r\nused by the two threat actors, the majority of the hosting providers leveraged by\r\nShadowSyndicate have not been used by Cl0p previously.\r\nConclusions\r\nAlthough we have not reached a final verdict, all the facts obtained during this joint research\r\nproject suggest that the most plausible assumption is that ShadowSyndicate is an affiliate working\r\nwith various RaaS.\r\nGroup-IB Threat Intelligence will continue to hunt for more information related to this particular\r\nthreat actor, and as part of the Cybercrime Fighters Club initiative, we are open to collaboration with\r\nany researchers who also share our interest in fighting against cybercrime. We hope that with more\r\nresearch, we will be able to determine, in the near future, the threat actor’s identity.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.group-ib.com/blog/shadowsyndicate-raas/"
	],
	"report_names": [
		"shadowsyndicate-raas"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eae4b6c4-8a61-4303-becc-b11f00b5bfda",
			"created_at": "2024-02-22T02:00:03.772831Z",
			"updated_at": "2026-04-10T02:00:03.592334Z",
			"deleted_at": null,
			"main_name": "ShadowSyndicate",
			"aliases": [],
			"source_name": "MISPGALAXY:ShadowSyndicate",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b05a14dcb907c72e7a45c40f1282cb4bfec6684.pdf",
		"text": "https://archive.orkl.eu/3b05a14dcb907c72e7a45c40f1282cb4bfec6684.txt",
		"img": "https://archive.orkl.eu/3b05a14dcb907c72e7a45c40f1282cb4bfec6684.jpg"
	}
}