{
	"id": "7586e85a-0983-4bc4-8620-e66541a762a4",
	"created_at": "2026-04-06T00:16:06.436253Z",
	"updated_at": "2026-04-10T03:23:49.458844Z",
	"deleted_at": null,
	"sha1_hash": "4a340383012fb6806c4430de5f1e3b01501e323a",
	"title": "MyCERT : Advisories - Ransomware Group Daixin Team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 344402,
	"plain_text": "MyCERT : Advisories - Ransomware Group Daixin Team\r\nArchived: 2026-04-05 17:12:14 UTC\r\n1.0 Introduction\r\nOn 21 October 2022, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) released a joint Cyber Security Advisory (CSA) to provide information on the “Daixin Team”.\r\nThe Daixin Team is a ransomware and data extortion group that has targeted the Healthcare and Public Health (HPH) Sector with ransomware and data extortion operations since at least June 2022.\r\nMyCERT has also received an incident report this year describing similar activity by the Daixin Team within its constituency, targeting a Critical National Information Infrastructure (CNII) organisation. Based on the incident report, we found that the Threat Actor (TA) does not select its targets solely by industry type, geo-location, or political motivation.\r\nRansomware is a type of malicious software (malware) that infects a computer or other system and restricts access to it until a ransom is paid. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen ransom note. These ransom notes typically state that the computer or system has been locked or that all files have been encrypted, and demand that a ransom be paid to restore access. In some instances, the threat actors also threaten that if the ransom is not paid, the victim's data will be exposed on the Internet.\r\nThis advisory provides the Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the Daixin TA, primarily obtained from FBI threat response activities and the MyCERT incident report.\r\n2.0 Impact\r\nDeployed ransomware to encrypt servers responsible for services in the organisation — i.e. 
electronic health records services, diagnostics services, imaging services, and intranet services.\r\nExfiltrated personally identifiable information (PII) and other sensitive information such as patient data and employee personal details.\r\nLeft an on-screen ransom note requesting that the victim organisation pay a ransom and threatening to leak the information if the ransom is not paid.\r\nLeaked the victim organisation's personal information and put it up for sale on the dark web.\r\nSee Table 1 for all referenced threat actor tactics and techniques included in this advisory.\r\nTable 1: Daixin Actors’ ATT\u0026CK Techniques for Enterprise\r\nReconnaissance\r\nTechnique Title | ID | Use\r\nPhishing for Information: Spearphishing Attachment | T1598.002 | Daixin actors have acquired the VPN credentials (later used for initial access) through a phishing email with a malicious attachment.\r\nhttps://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5\u0026id=467c2374-9c18-4fb0-b5a7-155dfca4d611\r\nPage 1 of 6\n\nInitial Access\r\nTechnique Title | ID | Use\r\nExploit Public-Facing Application | T1190 | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.\r\nValid Accounts | T1078 | Daixin actors use previously compromised credentials to access servers on the target network.\r\nPersistence\r\nTechnique Title | ID | Use\r\nAccount Manipulation | T1098 | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.\r\nCredential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping | T1003 | Daixin actors have sought to gain privileged account access through credential dumping.\r\nLateral Movement\r\nTechnique Title | ID | Use\r\nRemote Service Session Hijacking: SSH Hijacking | T1563.001 | Daixin actors use SSH and RDP to move laterally across a network.\r\nRemote Service Session Hijacking: RDP Hijacking | T1563.002 | Daixin actors use RDP to move laterally across a network.\r\nUse Alternate Authentication Material: Pass the Hash | T1550.002 | Daixin actors have sought to gain privileged account access through pass the hash.\r\nExfiltration\r\nTechnique Title | ID | Use\r\nExfiltration Over Web Service | T1567 | Daixin Team members have used Ngrok for data exfiltration over web servers.\r\nImpact\r\nTechnique Title | ID | Use\r\nData Encrypted for Impact | T1486 | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt the availability of system and network resources.\r\n3.0 Indicators of Compromise (IoCs)\r\nThe Daixin TA gained initial access to victims' networks through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organisation’s VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through a phishing email with a malicious attachment sent to staff members.\r\nAfter obtaining access to the victim’s VPN server, the Daixin TA moved laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The Daixin TA gained privileged account access through credential dumping and pass the hash. The actors leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors then used SSH to connect to accessible ESXi servers and deployed ransomware on those servers. 
\r\nAccording to trusted information, the ransomware used by the Daixin TA is based on leaked Babuk Locker ransomware source code. Trusted information and FBI analysis show that the ransomware targets ESXi servers and encrypts files in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for the targeted file system path and Figure 2 for the targeted file extension list. Figure 3 includes a sample ransom note. In Figure 3, it is noticeable that the Daixin TA misspells “Daixin” as “Daxin.”\r\nFigure 1: Daixin Team – Ransomware Targeted File Path\r\nFigure 2: Daixin Team – Ransomware Targeted File Extensions\r\nFigure 3: Example 1 of Daixin Team Ransom Note\r\nIn addition to deploying ransomware, the Daixin TA has exfiltrated data from victim systems. In one confirmed compromise, the actors used Rclone—an open-source program to manage files on cloud storage—to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok—a reverse proxy tool for proxying an internal service out onto a Ngrok domain—for data exfiltration.\r\nThe table below shows the IOCs associated with the Daixin TA activities. 
\r\nFile | SHA256\r\nrclone-v1.59.2-windows-amd64\\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238\r\nrclone-v1.59.2-windows-amd64\\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD\r\nrclone-v1.59.2-windows-amd64\\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939\r\nrclone-v1.59.2-windows-amd64\\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF\r\nrclone-v1.59.2-windows-amd64\\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28\r\nTable 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes\r\n4.0 Recommendations\r\nMyCERT urges organisations to implement the following best practices to defend against malicious activity associated with the Daixin TA:\r\nInstall updates for operating systems, software, and firmware as soon as they are released. Prioritise patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralised patch management system to automate and expedite the process.\r\nConsider MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.\r\nIf you use Remote Desktop Protocol (RDP), secure and monitor it.\r\nLimit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multifactor authentication (MFA) to mitigate credential theft and reuse. 
If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\r\nEnsure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for business purposes (e.g., RDP Transmission Control Protocol Port 3389).\r\nTurn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs), and secure them with strong passwords and encryption when enabled.\r\nIn general, it is best to disable services that are not in use and to whitelist only the applications that are allowed to be used.\r\nImplement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.\r\nLimit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated in transit by man-in-the-middle attacks.\r\nUse standard user accounts on internal systems instead of administrative accounts, which grant overarching administrative system privileges and do not ensure least privilege.\r\nSecure PII at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal data on internal systems that are protected by firewalls and ensure extensive backups are available if data is ever compromised. 
\r\nProtect stored data by masking the primary account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.\r\nUse monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.\r\nEstablish and regularly review internal security policies that regulate the collection, storage, access, and monitoring of personal and sensitive data belonging to the organisation.\r\nImplement network segmentation to separate critical areas from non-critical areas to prevent threat propagation and strengthen the organisation's security policies.\r\nPerform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.\r\nOrganisations are recommended to educate their employees on safe email practices and general security awareness, which helps to prevent attacks targeting end-users or employees.\r\n4.1 Best Practices for Business Continuity after a Ransomware Attack:\r\nIdentify affected machines and isolate affected systems. Disconnect them immediately to prevent the attack from spreading across the network.\r\nIdentify the ransomware variant using Crypto Sheriff by The No More Ransom! 
Project to understand the tactics and techniques used by the ransomware variant to infiltrate the network.\r\nReimage infected machines for investigation and post-mortem analysis.\r\nRestore systems using clean, known-good backups and perform a password reset exercise on all systems after restoration is completed.\r\nReview existing security tools and logs to detect the vectors/vulnerabilities that caused the attack and patch them during the recovery process to prevent future attacks.\r\nImplement the Business Continuity Plan (BCP). Ideally, operational departments, key decision-makers, and relevant stakeholders are familiar with the plan and able to execute it accordingly.\r\nIn principle, we advise victims to avoid paying the ransom, as this increases malicious activity, and more often than not the decryption key does not guarantee full recovery of the encrypted data. However, the decision to pay or not to pay a ransom rests with the victim.\r\nFor further enquiries, please get in touch with MyCERT through the following channels:\r\nE-mail: cyber999[at]cybersecurity.my\r\nPhone: 1-300-88-2999 (monitored during business hours)\r\nMobile: +60 19 2665850 (24x7 call incident reporting)\r\nBusiness Hours: Mon - Fri 09:00 - 18:00 MYT\r\nWeb: https://www.mycert.org.my\r\nTwitter: https://twitter.com/mycert\r\nFacebook: https://www.facebook.com/mycert.org.my\r\n5.0 References\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-294a\r\nhttps://www.mycert.org.my/portal/advisory?id=MA-824.122021\r\nhttps://www.bleepingcomputer.com/news/security/us-govt-warns-of-daixin-team-targeting-health-orgs-with-ransomware/amp/\r\nhttps://www.mitre.org\r\nSource: https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5\u0026id=467c2374-9c18-4fb0-b5a7-155dfca4d611",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5\u0026id=467c2374-9c18-4fb0-b5a7-155dfca4d611"
	],
	"report_names": [
		"details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5\u0026id=467c2374-9c18-4fb0-b5a7-155dfca4d611"
	],
	"threat_actors": [
		{
			"id": "86ab2e9a-75b1-48af-8313-0a5ec1f7d12c",
			"created_at": "2023-12-03T02:00:05.154685Z",
			"updated_at": "2026-04-10T02:00:03.488062Z",
			"deleted_at": null,
			"main_name": "Daixin Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Daixin Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434566,
	"ts_updated_at": 1775791429,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a340383012fb6806c4430de5f1e3b01501e323a.pdf",
		"text": "https://archive.orkl.eu/4a340383012fb6806c4430de5f1e3b01501e323a.txt",
		"img": "https://archive.orkl.eu/4a340383012fb6806c4430de5f1e3b01501e323a.jpg"
	}
}