{
	"id": "a86dc0c4-2b87-4758-a889-4d60a756a4e0",
	"created_at": "2026-04-06T00:18:50.317533Z",
	"updated_at": "2026-04-10T03:23:49.461256Z",
	"deleted_at": null,
	"sha1_hash": "e001eac821f12458392d95766a5d57c5cb3397f8",
	"title": "#StopRansomware: Daixin Team | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120318,
	"plain_text": "#StopRansomware: Daixin Team | CISA\r\nPublished: 2022-10-26 · Archived: 2026-04-05 13:49:37 UTC\r\nSummary\r\nActions to take today to mitigate cyber threats from ransomware:\r\nInstall updates for operating systems, software, and firmware as soon as they are released.\r\nRequire phishing-resistant MFA for as many services as possible.\r\nTrain users to recognize and report phishing attempts.\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for\r\nnetwork defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware\r\nadvisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department\r\nof Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a\r\ncybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH)\r\nSector, with ransomware and data extortion operations.\r\nThis joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party\r\nreporting.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 11. 
See MITRE ATT\u0026CK for\r\nEnterprise for all referenced tactics and techniques.\r\nCybercrime actors routinely target HPH Sector organizations with ransomware:\r\nAs of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all\r\n16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.\r\nAccording to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure\r\nsectors; the HPH Sector accounted for the most reports at 148.\r\nThe Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and\r\ndata extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused\r\nransomware incidents at multiple HPH Sector organizations where they have:\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a\r\nPage 1 of 8\n\nDeployed ransomware to encrypt servers responsible for healthcare services—including electronic health\r\nrecords services, diagnostics services, imaging services, and intranet services, and/or\r\nExfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to\r\nrelease the information if a ransom is not paid.\r\nDaixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed\r\ncompromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]. In\r\nanother confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server\r\n[T1078] that did not have multifactor authentication (MFA) enabled. 
The actors are believed to have acquired the\r\nVPN credentials through the use of a phishing email with a malicious attachment [T1598.002].\r\nAfter obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001]\r\nand Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access\r\nthrough credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged\r\naccounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the\r\nenvironment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486]\r\non those servers.\r\nAccording to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. This\r\nthird-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located\r\nin /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A\r\nransom note is also written to /vmfs/volumes/. See Figure 1 for targeted file system path and Figure 2 for targeted\r\nfile extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom\r\nnote, Daixin actors misspell “Daixin” as “Daxin.”\r\nFigure 1: Daixin Team – Ransomware Targeted File Path\r\nFigure 2: Daixin Team – Ransomware Targeted File Extensions\r\nFigure 3: Example 1 of Daixin Team Ransomware Note\r\nFigure 4: Example 2 of Daixin Team Ransomware Note\r\nIn addition to deploying ransomware, Daixin actors have exfiltrated data [TA0010] from victim systems. In one\r\nconfirmed compromise, the actors used Rclone—an open-source program to manage files on cloud storage—to\r\nexfiltrate data to a dedicated virtual private server (VPS). 
In another compromise, the actors used Ngrok—a reverse\r\nproxy tool for proxying an internal service out onto an Ngrok domain—for data exfiltration [T1567].\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee Table 1 for all referenced threat actor tactics and techniques included in this advisory.\r\nTable 1: Daixin Actors’ ATT\u0026CK Techniques for Enterprise\r\nReconnaissance\r\nTechnique Title | ID | Use\r\nPhishing for Information: Spearphishing Attachment | T1598.002 | Daixin actors have acquired the VPN credentials (later used for initial access) by a phishing email with a malicious attachment.\r\nInitial Access\r\nTechnique Title | ID | Use\r\nExploit Public-Facing Application | T1190 | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.\r\nValid Accounts | T1078 | Daixin actors use previously compromised credentials to access servers on the target network.\r\nPersistence\r\nTechnique Title | ID | Use\r\nAccount Manipulation | T1098 | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.\r\nCredential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping | T1003 | Daixin actors have sought to gain privileged account access through credential dumping.\r\nLateral Movement\r\nTechnique Title | ID | Use\r\nRemote Service Session Hijacking: SSH Hijacking | T1563.001 | Daixin actors use SSH and RDP to move laterally across a network.\r\nRemote Service Session Hijacking: RDP Hijacking | T1563.002 | Daixin actors use RDP to move laterally across a network.\r\nUse Alternate Authentication Material: Pass the Hash | T1550.002 | Daixin actors have sought to gain privileged account access through pass the hash.\r\nExfiltration\r\nTechnique Title 
| ID | Use\r\nExfiltration Over Web Service | T1567 | Daixin Team members have used Ngrok for data exfiltration over web servers.\r\nImpact\r\nTechnique Title | ID | Use\r\nData Encrypted for Impact | T1486 | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.\r\nINDICATORS OF COMPROMISE\r\nSee Table 2 for IOCs obtained from third-party reporting.\r\nTable 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes\r\nFile | SHA256\r\nrclone-v1.59.2-windows-amd64\\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238\r\nrclone-v1.59.2-windows-amd64\\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD\r\nrclone-v1.59.2-windows-amd64\\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939\r\nrclone-v1.59.2-windows-amd64\\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF\r\nrclone-v1.59.2-windows-amd64\\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28\r\nMitigations\r\nFBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related\r\nmalicious activity:\r\nInstall updates for operating systems, software, and firmware as soon as they are released. Prioritize patching\r\nVPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. 
Consider\r\nleveraging a centralized patch management system to automate and expedite the process.\r\nRequire phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts\r\nthat access critical systems, and privileged accounts that manage backups.\r\nIf you use Remote Desktop Protocol (RDP), secure and monitor it.\r\nLimit access to resources over internal networks, especially by restricting RDP and using virtual\r\ndesktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the\r\noriginating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse.\r\nIf RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure,\r\nor other means to authenticate and secure the connection before allowing RDP to connect to internal\r\ndevices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of\r\nattempts to block brute force campaigns, log RDP login attempts, and disable unused remote\r\naccess/RDP ports.\r\nEnsure devices are properly configured and that security features are enabled. 
Disable ports and\r\nprotocols that are not being used for business purposes (e.g., RDP Transmission Control Protocol Port\r\n3389).\r\nTurn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide\r\narea networks (WANs) and secure with strong passwords and encryption when enabled.\r\nImplement and enforce multi-layer network segmentation with the most critical communications and data\r\nresting on the most secure and reliable layer.\r\nLimit access to data by deploying public key infrastructure and digital certificates to authenticate connections\r\nwith the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as\r\nto ensure data packages are not manipulated while in transit from man-in-the-middle attacks.\r\nUse standard user accounts on internal systems instead of administrative accounts, which allow for overarching\r\nadministrative system privileges and do not ensure least privilege.\r\nSecure PII/PHI at collection points and encrypt the data at rest and in transit by using technologies such as\r\nTransport Layer Security (TLS). Only store personal patient data on internal systems that are protected by\r\nfirewalls, and ensure extensive backups are available if data is ever compromised.\r\nProtect stored data by masking the permanent account number (PAN) when it is displayed and rendering it\r\nunreadable when it is stored—through cryptography, for example.\r\nSecure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health\r\nInsurance Portability and Accountability Act of 1996 (HIPAA). 
Implementing HIPAA security measures can\r\nprevent the introduction of malware on the system.\r\nUse monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.\r\nCreate and regularly review internal policies that regulate the collection, storage, access, and monitoring of\r\nPII/PHI.\r\nIn addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the\r\nfollowing recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.\r\nPreparing for Ransomware\r\nMaintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration.\r\nThese practices safeguard an organization’s continuity of operations or at least minimize potential downtime\r\nfrom a ransomware incident and protect against data losses.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure.\r\nCreate, maintain, and exercise a basic cyber incident response plan and associated communications plan that\r\nincludes response procedures for a ransomware incident.\r\nOrganizations should also ensure their incident response and communications plans include response\r\nand notification procedures for data breach incidents. Ensure the notification procedures adhere to\r\napplicable state laws.\r\nRefer to applicable state data breach laws and consult legal counsel when necessary.\r\nFor breaches involving electronic health information, you may need to notify the Federal Trade\r\nCommission (FTC) or the Department of Health and Human Services, and—in some cases—the\r\nmedia. Refer to the FTC’s Health Breach Notification Rule and U.S. 
Department of Health and\r\nHuman Services’ Breach Notification Rule for more information.\r\nSee CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide\r\nand CISA Fact Sheet, Protecting Sensitive and Personal Information from Ransomware-Caused Data\r\nBreaches, for information on creating a ransomware response checklist and planning and responding to\r\nransomware-caused data breaches.\r\nMitigating and Preventing Ransomware\r\nRestrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary\r\nand remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate\r\nmalware across organizations.\r\nReview the security posture of third-party vendors and those interconnected with your organization. Ensure all\r\nconnections between third-party vendors and outside software or hardware are monitored and reviewed for\r\nsuspicious activity.\r\nImplement listing policies for applications and remote access that only allow systems to execute known and\r\npermitted programs.\r\nOpen document readers in protected viewing modes to help prevent active content from running.\r\nImplement user training program and phishing exercises to raise awareness among users about the risks of\r\nvisiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the\r\nappropriate user response to phishing and spearphishing emails.\r\nUse strong passwords and avoid reusing passwords for multiple accounts. 
See CISA Tip Choosing and\r\nProtecting Passwords and the National Institute of Standards and Technology’s (NIST’s) Special Publication\r\n800-63B: Digital Identity Guidelines for more information.\r\nRequire administrator credentials to install software.\r\nAudit user accounts with administrative or elevated privileges and configure access controls with least\r\nprivilege in mind.\r\nInstall and regularly update antivirus and antimalware software on all hosts.\r\nOnly use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.\r\nConsider adding an email banner to messages coming from outside your organizations.\r\nDisable hyperlinks in received emails.\r\nResponding to Ransomware Incidents\r\nIf a ransomware incident occurs at your organization:\r\nFollow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).\r\nScan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This\r\nshould be performed using an isolated, trusted system to avoid exposing backups to potential compromise.\r\nFollow the notification requirements as outlined in your cyber incident response plan.\r\nReport incidents to the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service\r\n(USSS) at a USSS Field Office.\r\nApply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to\r\nUncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of\r\nAustralia, Canada, New Zealand, and the United Kingdom.\r\nNote: FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will\r\nbe recovered. 
Furthermore, payment may also embolden adversaries to target additional organizations, encourage\r\nother criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.\r\nREFERENCES\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware\r\nresources and alerts.\r\nResource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nOngoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center\r\n(HC3) and can be found at hhs.gov/HC3.\r\nFor additional best practices for Healthcare cybersecurity issues see the HHS 405(d) Aligning Health Care\r\nIndustry Security Approaches at 405d.hhs.gov.\r\nREPORTING\r\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from\r\nforeign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information,\r\ndecryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have\r\ndecided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI\r\nField Office, or CISA at cisa.gov/report.\r\nACKNOWLEDGEMENTS\r\nFBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center\r\n(Health-ISAC) for their contributions to this CSA.\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not\r\nendorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial\r\nproducts, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply\r\nendorsement, recommendation, or favoring by FBI, CISA, or HHS.\r\nRevisions\r\nInitial Publication: October 21, 2022\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a"
	],
	"report_names": [
		"aa22-294a"
	],
	"threat_actors": [
		{
			"id": "86ab2e9a-75b1-48af-8313-0a5ec1f7d12c",
			"created_at": "2023-12-03T02:00:05.154685Z",
			"updated_at": "2026-04-10T02:00:03.488062Z",
			"deleted_at": null,
			"main_name": "Daixin Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Daixin Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775791429,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e001eac821f12458392d95766a5d57c5cb3397f8.pdf",
		"text": "https://archive.orkl.eu/e001eac821f12458392d95766a5d57c5cb3397f8.txt",
		"img": "https://archive.orkl.eu/e001eac821f12458392d95766a5d57c5cb3397f8.jpg"
	}
}