{
	"id": "44d3afc9-90f6-4d9c-82d0-47ea79035be8",
	"created_at": "2026-04-06T00:18:31.706251Z",
	"updated_at": "2026-04-10T03:25:35.80465Z",
	"deleted_at": null,
	"sha1_hash": "953fc799570219708d52b394d42ab6c1319f0fe1",
	"title": "Karakurt revealed as data extortion arm of Conti cybercrime syndicate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4254113,
	"plain_text": "Karakurt revealed as data extortion arm of Conti cybercrime syndicate\r\nBy Ionut Ilascu\r\nPublished: 2022-04-15 · Archived: 2026-04-05 15:44:03 UTC\r\nAfter breaching servers managed by the cybercriminals, security researchers found a connection between Conti ransomware and the recently emerged Karakurt data extortion group, showing that the two gangs are part of the same operation.\r\nThe Conti ransomware syndicate is one of the most prolific cybercriminal groups today and operates unabated despite the massive leak of internal conversations and source code that a hacking group already used to cripple Russian organizations.\r\nKarakurt is a gang active since at least June 2021 that focuses on stealing data from companies and forcing them into paying a ransom by threatening to publish the information.\r\nhttps://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/\r\nMore than 40 organizations have fallen victim to Karakurt in about two months, between September and November 2021.\r\nCybercriminal infrastructure pwned\r\nEstablishing the connection between the two groups was possible after security researchers gained access to an internal Conti VPS server with credentials for a user they believe to be the leader of the entire syndicate.\r\nLogging into the server was possible after the researchers breached the threat actor's ProtonMail account and found the necessary access credentials.\r\nsource: Infinitum IT\r\nWhen researchers accessed the VPS server, it stored more than 20TB of data that Conti stole from their victims before deploying the encryption stage of the attack.\r\nSecurity researchers at Turkey-based security consulting company Infinitum IT say that the VPS server is hosted by Inferno Solutions, a provider in Russia that supports anonymous payment methods and accepts orders over VPN and TOR connections.\r\nAt the same time, Inferno Solutions claims that they “don't tolerate spammers, scammers or cybercriminals,” that they always side with the client, and that they “do not disturb clients in case of dubious and unlawful complaints (abuse).”\r\nIn a recent report, Infinitum IT details that they were able to gain access to Conti’s infrastructure when the Conti leaks started, on February 27, after logging into multiple ProtonMail and Mega storage accounts used by one Conti member.\r\n“At the beginning of Conti leak on February 27, 2022, we are able to get inside multiple Protonmail and Mega Upload accounts used by one of the key members of Conti Ransomware group” - Infinitum IT\r\nOnce inside the email accounts, the researchers observed incoming emails from the Inferno Solutions hosting provider, which allowed them to gain remote access to the VPS server’s administration panel.\r\nsource: Infinitum IT\r\nThe analysis of the information on the storage server revealed that Conti had data with an older timestamp belonging to victims that have not been disclosed publicly. Infinitum IT contacted the victims to return the stolen data.\r\nThe researchers noticed that the Conti member whose accounts they breached was using the FileZilla FTP client to connect to multiple servers for uploading and downloading stolen data.\r\nOne connection was to the IP address 209[.]222[.]98[.]19, which is where the Karakurt extortion group hosted the site where they published stolen data from non-paying victims.\r\nBleepingComputer learned months ago from Vitali Kremez of Advanced Intelligence that Karakurt is a side business of the Conti syndicate to monetize failed encryption attacks.\r\nWhen Conti's ransomware payload is blocked and the attack does not enter the encryption stage, the hackers release the already exfiltrated information as Karakurt for data extortion.\r\nThis was confirmed today in a report from cybersecurity company Arctic Wolf stating that, during an investigation at a client that had previously paid Conti to unlock their data, it found that the client was later breached by Karakurt via a Cobalt Strike backdoor that Conti had left behind.\r\nThe research from Arctic Wolf is a collaboration between its computer security service Tetra Defense, cybersecurity company Northwave and blockchain analysis firm Chainalysis, and it follows clues from more than a dozen Karakurt incidents and from cryptocurrency transactions involving Conti and Karakurt operators.\r\nChainalysis' investigation revealed several Karakurt wallets that sent cryptocurrency to wallets controlled by Conti.\r\nAccording to the researchers, payments from victims are between $45,000 and $1 million.\r\nThe blockchain analytics company also found Karakurt victim payment addresses hosted by a Conti wallet, indicating that both gangs are managed by the same party.\r\nAccessing Karakurt servers\r\nWhile the Conti admin did not save the passwords in the FTP client, Infinitum IT researchers say that they were able to obtain the SSH credentials for the Karakurt command and control (C2) server by exploiting an unpatched vulnerability in FileZilla.\r\nIn the same way, the researchers also obtained an SSH private key that allowed them to connect to the Karakurt gang’s web server for their leak site, which is also served over the TOR network.\r\nsource: Infinitum IT\r\nAccording to Infinitum IT’s analysis, members of the Karakurt gang upload stolen data to a “/work” folder and categorize it as public and non-public, their interest being mainly in financial information.\r\nAs Infinitum IT completely compromised the Karakurt gang’s infrastructure, they were also able to access the C2 server and the tools used in attacks.\r\nsource: Infinitum IT\r\nBelow is an enumeration of the utilities Karakurt uses in attacks and their description:\r\nLigolo-ng: tunneling and pivoting tool\r\nMetasploit: used as a C2 server in the post-exploitation phase for obtaining a reverse shell and for brute-forcing SMB shares and RDP connections\r\nImpacket: used for NTLM-relay attacks for lateral movement after getting initial access\r\nDanted: auto-install and management script for the Danted SOCKS5 proxy server, used for reverse tunneling\r\nInfinitum IT’s report is the first public evidence showing that Conti ransomware and the Karakurt data extortion gang are part of the same financially-motivated group.\r\nAfter Conti took over the infamous TrickBot botnet and shut it down to focus on the development of BazarBackdoor and Anchor malware, researchers say that the syndicate’s expansion has become more aggressive.\r\nConti is now managing side businesses that either sustain its ransomware operations or monetize the initial network access already available.\r\nUpdate [March 15, 11:54 EST]: Article updated with information from cybersecurity company Arctic Wolf confirming that Karakurt and Conti are part of the same operation.\r\nSource: https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/"
	],
	"report_names": [
		"karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/953fc799570219708d52b394d42ab6c1319f0fe1.pdf",
		"text": "https://archive.orkl.eu/953fc799570219708d52b394d42ab6c1319f0fe1.txt",
		"img": "https://archive.orkl.eu/953fc799570219708d52b394d42ab6c1319f0fe1.jpg"
	}
}