{
	"id": "2778aee0-1d37-405f-973d-74d4d954e081",
	"created_at": "2026-04-06T00:08:34.320598Z",
	"updated_at": "2026-04-10T03:30:41.324535Z",
	"deleted_at": null,
	"sha1_hash": "cd532bfca9200c77a9492f282690a995505a8043",
	"title": "Cyber Awakeness Month: Takedown of Trigona, Hive Ransomware Resurges, RansomedForum and New RaaS ‘qBit’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62404,
	"plain_text": "Cyber Awakeness Month: Takedown of Trigona, Hive Ransomware\r\nResurges, RansomedForum and New RaaS ‘qBit’\r\nPublished: 2023-10-23 · Archived: 2026-04-05 16:51:19 UTC\r\nFrom the takedown of Trigona to the resurgence of Hive Ransomware, and the emergence of a new hackers’ hub,\r\nsignificant events have recently transpired in the ransomware ecosystem.\r\nIn the ongoing cyber battle, it is imperative to stay well-informed about the latest ransomware incidents to fortify\r\nyour cybersecurity defenses. \r\nThis blog post will provide a quick and informative overview of these recent ransomware events, offering a fresh\r\nperspective on the ransomware threat landscape.\r\nTrigona Ransomware: Hacked and Defaced\r\nThe Ukrainian Cyber Alliance (UCA) detected a vulnerability in the Trigona gang’s Confluence server and\r\npromptly seized the opportunity to hack their servers. They meticulously copied all available information before\r\nwiping the servers clean. \r\nThis initial breach enabled UCA to access other Trigona-run sites, where they acquired copies of internal chats,\r\ndata, and even the website’s source code. Subsequently, they defaced Trigona’s TOR negotiation and data leak\r\nsites. \r\nTrigona’s website has been defaced\r\nTrigona Ransomware publicly acknowledged the breach on a hacker forum, announcing their intentions to launch\r\nnew sites by the end of October 22.\r\nTrigona acknowledging the breach (Source: X)\r\nBlackCat Deploys Munchkin ISO for Stealth\r\nThe BlackCat/ALPHV ransomware operation now deploys “Munchkin,” a tool that uses virtual machines for\r\nstealthy network device encryption. Munchkin allows remote system operation and network share encryption.\r\nPalo Alto Networks Unit 42 discovered that Munchkin is a custom Alpine OS Linux distribution provided as an\r\nISO file. 
After compromising a device, the threat actors create a new virtual machine using the Munchkin ISO,\r\nwhich comprises a set of scripts to facilitate password dumping, lateral movement, executing programs and\r\ndeploying the BlackCat encryptor. \r\nHow does BlackCat utilize the Munchkin tool? (Source: Palo Alto Networks)\r\nRagnarLocker’s Site Has Been Taken Down by Law Enforcement\r\nIn a concurrent development, the RagnarLocker data leak and negotiation sites displayed a seizure banner. As\r\npart of a coordinated international law enforcement operation, authorities apprehended a malware developer\r\nassociated with the RagnarLocker ransomware gang and successfully seized control of the group’s dark web sites. \r\nRagnarLocker’s data leak site has been seized (Source: BleepingComputer)\r\nWeedSec Drops Moodle Databases\r\nIn a startling incident, the threat actor group “WeedSec” posted sample databases of moodle[.]org on its Telegram\r\nchannel. Moodle is an online learning and course management platform, used by schools, universities, colleges,\r\nvocational trainers, and workplaces alike. \r\nThe leaked data in their initial share includes moodle.sql (3GB) and erpnext.sql (1.1GB), followed by an archive\r\nshare.\r\nWeedSec leaks Moodle databases\r\nEmergence of Hunters International: Potential Rebranding of Hive\r\nFollowing the FBI’s takedown of Hive ransomware, the operators have transitioned to a fresh endeavor named\r\n“Hunters International.”\r\nAccording to Rivitna on X, the sample employed by Hunters International is Hive v6. 
BushidoToken revealed\r\nthere are numerous code overlaps and remarkable similarities that firmly connect Hive with this new venture.\r\nThe researchers’ findings suggest a potential evolution or rebranding of the Hive ransomware operation.\r\nResults of an analysis on Intezer (Source: X)\r\nRansomedVC Launches a New Hub for Threat Actors: RansomedForum\r\nThe cybersecurity community has recently observed the emergence of a new cybercrime forum, established by the\r\nnovel ransomware operation, RansomedVC.\r\nThe forum, named RansomedForum, serves as RansomedVC’s primary leak blog and provides a platform for\r\ncybercriminals. In their welcoming message to fellow threat actors, RansomedVC detailed the forum’s existing\r\nfeatures and those in development, addressing anticipated questions from potential members.\r\nRansomedForum can rapidly evolve into a central hub for threat actors seeking to exchange information, tools,\r\nand tactics related to ransomware attacks, potentially contributing to an increase in ransomware threats.\r\nRansomedVC’s announcement on RansomedForum (Source: X)\r\nFresh RaaS in the Cybercrime Market: Introducing qBit, the New Ransomware\r\nThe emergence of the new hacker forum has quickly given rise to a new threat within the cybersecurity landscape.\r\nA new ransomware variant named qBit has swiftly made its debut on the RansomedForum, with a post shared by\r\nthe user “qBitSupp.”\r\nThis ransomware is currently in its Beta stage; qBitSupp claims it is built from scratch using Go, making it a fresh\r\naddition to the ransomware scene. qBit operates on a Ransomware as a Service (RaaS) model, offering many\r\nfeatures. \r\nFeatures of the qBit ransomware\r\nThe threat actor behind qBit advertises that it has faster encryption speed, a low detection rate, and remarkable\r\nversatility. 
It is worth noting that there are both Windows and Linux variants available, tested on various builds.\r\nThe threat actor also mentions the development of an ESXi version and lists additional features designed to\r\nenhance its malicious capabilities.\r\nqBit aims to be an affordable and accessible choice, making it attractive for newcomers to the world of\r\ncybercrime. According to a recent message from qBitSupp, they provide their affiliates with an 85/15 profit-sharing arrangement:\r\nqBitSupp’s statement about the payment structure\r\nThe threat actor has even shared demo videos, providing an unsettling glimpse into the potential harm this\r\nransomware can inflict. This new development adds to the growing concerns within the cybersecurity community,\r\nhighlighting the proliferating nature of ransomware threats.\r\nStay Updated on New Ransomware Threats with SOCRadar \r\nIn a world where the ransomware landscape is in a constant state of flux, staying informed is your best defense.\r\nCybercriminals adapt swiftly, and so must our defenses.\r\nWith SOCRadar Dark Web News, you stay updated on the latest threats and trends emerging within the threat\r\nactors’ communities, enabling you to proactively safeguard your assets and organization.\r\nSOCRadar Dark Web News\r\nFurthermore, SOCRadar’s Threat Actor \u0026 Malware tracking feature furnishes you with detailed insights into these\r\nthreats, including current and new ransomware threats. \r\nSOCRadar Threat Actors/Malware page – BlackCat (ALPHV) Ransomware\r\nEmpowering yourself with knowledge represents the primary step in fortifying your digital realm. 
Confronted\r\nwith ever-changing ransomware threats, ongoing vigilance, proactive defense, and real-time threat intelligence\r\naccess can significantly enhance your cybersecurity posture.\r\nSource: https://socradar.io/cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit/"
	],
	"report_names": [
		"cyber-awakeness-month-takedown-of-trigona-hive-ransomware-resurges-ransomedforum-and-new-raas-qbit"
	],
	"threat_actors": [
		{
			"id": "d85923d4-06b6-4a23-b903-c54cc854a1ed",
			"created_at": "2023-11-21T02:00:07.351342Z",
			"updated_at": "2026-04-10T02:00:03.465119Z",
			"deleted_at": null,
			"main_name": "WeedSec",
			"aliases": [],
			"source_name": "MISPGALAXY:WeedSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3",
			"created_at": "2025-03-07T02:00:03.799095Z",
			"updated_at": "2026-04-10T02:00:03.827106Z",
			"deleted_at": null,
			"main_name": "Ukrainian Cyber Alliance",
			"aliases": [
				"UCA"
			],
			"source_name": "MISPGALAXY:Ukrainian Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67",
			"created_at": "2025-05-29T02:00:03.220566Z",
			"updated_at": "2026-04-10T02:00:03.871851Z",
			"deleted_at": null,
			"main_name": "Cyber Alliance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd532bfca9200c77a9492f282690a995505a8043.pdf",
		"text": "https://archive.orkl.eu/cd532bfca9200c77a9492f282690a995505a8043.txt",
		"img": "https://archive.orkl.eu/cd532bfca9200c77a9492f282690a995505a8043.jpg"
	}
}