| Summary | Value |
|---|---|
| New Threats Detection Added | GoldenGh0stLoader |
| New Threat Protection | 68 |
| Newly Detected Threats | 13 |
Weekly Detected Threats

The following threats were added to Crystal Eye this week:

| Threat name | Threat Protected | Rule Set Type | Class Type | Kill Chain |
|---|---|---|---|---|
| GoldenGh0stLoader | 03 | | Trojan-activity | |

GoldenGh0stLoader is a Windows remote access trojan delivered via malware campaigns masquerading as TurboVPN, WhatsApp and other legitimate software. Upon execution of the malware, secondary payloads are retrieved from Google Cloud Storage and Amazon S3 buckets.

Once deployed, the RAT establishes a WebSocket connection to attacker-controlled C2 infrastructure, using a binary length-prefixed framing protocol with a 12-byte header and application-layer-encrypted payloads. The bundled VPN components route victim traffic for monetization and man-in-the-middle purposes and operate independently of the C2 channel.
Known Exploited Vulnerabilities (Week 4 - June 2026)

For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-4th-week-of-june-2026/672.

| Vulnerability | CVSS | Description | Affected Version | Fixed Version |
|---|---|---|---|---|
| | 9.8 | Unauthenticated RCE - PTC Windchill and FlexPLM contain a deserialization vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code on the system. | Check vendor advisory for affected products and versions. | |
| | 8.6 | Unauthenticated SSRF - Cisco Unified Communications Manager (Unified CM) and Session Management Edition (Unified CM SME) contain a server-side request forgery vulnerability that can allow an unauthenticated remote attacker to write files to the system, which can later be used to elevate to root-level privileges. Exploitation of this vulnerability requires the WebDialer service to be enabled. | 14.0 - 14SU5; 15.0 - 15SU4A | 14SU6; 15SU5 |
| | 9.8 | Unauthenticated RCE - Lantronix EDS5000 contains a command injection vulnerability that can allow an unauthenticated remote attacker to execute operating system commands with root-level privileges via the username parameter. | Check vendor advisory for affected products and versions. | |
| | 10 | Unauthenticated RCE - Ubiquiti UniFi OS contains a command injection vulnerability that can allow an unauthenticated remote attacker to execute operating system commands on the system. | Check vendor advisory for affected products and versions. | |
| | 10 | Path Traversal - Ubiquiti UniFi OS contains a path traversal vulnerability that can allow an unauthenticated remote attacker to gain access to files located on the system, which can result in gaining access to the account. | Check vendor advisory for affected products and versions. | |
| | 10 | Authentication Bypass - Ubiquiti UniFi OS contains an authentication bypass vulnerability that can allow an unauthenticated remote attacker to gain access to the system. | Check vendor advisory for affected products and versions. | |
Updated Malware Signature (Week 4 - June 2026)

| Threat | Description |
|---|---|
| XWorm | A Remote Access Trojan (RAT) and malware loader that is commonly used in cyberattacks to give attackers full remote control over a victim's system. It is part of a growing trend of commercialised malware sold or rented on dark web forums, often under the guise of a "legitimate tool." |
|
Cybersecurity Weekly Recap

Ransomware Report

The Red Piranha Team conducts continuous surveillance across the dark web and other threat intelligence channels to identify global organisations impacted by ransomware attacks. In the past week, this monitoring revealed multiple ransomware incidents spanning a diverse range of threat groups, underscoring the persistent and widespread nature of today's cyber threat landscape. Presented below is a detailed breakdown of ransomware group activity, victim geographies, and targeted industries observed during this period.

Ransomware Hits Last Week

Last week's ransomware activity shows that The Gentlemen was the most active ransomware group, impacting 22 countries, which accounted for 15.83% of the total ransomware hits. This made The Gentlemen the leading ransomware actor for the week. Nova recorded the second-highest activity, attacking 15 countries and contributing 10.79% of the total. Qilin and Settra followed, each impacting 11 countries, representing 7.91% individually.

A moderate level of activity was observed from Inc Ransom and Akira, with both groups attacking 8 countries and accounting for 5.76% each. Payload, CMD Organization, and Stormous each impacted 7 countries, contributing 5.04% individually. Icarus also showed notable activity, attacking 6 countries, which represented 4.32% of the total. Lower but still visible activity was seen from Aurora, which impacted 5 countries, accounting for 3.60%, while Chaos attacked 4 countries, contributing 2.88%. Eraleign (APT73) affected 3 countries, representing 2.16%.

Several groups had smaller activity levels, impacting 2 countries each. These included WorldLeaks, Nightspire, Brain Cipher, DragonForce, Interlock, Anubis, and Krybit, each accounting for 1.44% of total ransomware activity. The remaining groups, including RansomEXX, SafePay, Prinz Eugen, Wallstreet, Ransomhouse, Bravox, ShinyHunters, Morpheus, Play, and Ailock, each attacked 1 country, contributing 0.72% individually.

Overall, the data shows that ransomware activity last week was led mainly by The Gentlemen, Nova, Qilin, and Settra. While The Gentlemen had the highest country-level reach, the presence of many smaller groups shows that ransomware activity remains broad and fragmented across multiple threat actors.

AiLock Ransomware
Origin and Profile
AiLock is a financially motivated Ransomware-as-a-Service operation that recruits affiliates to deploy its encryptor for a share of proceeds. It was first publicly documented on 1 April 2025 by external threat researchers, with first identification often cited as March 2025. [1][5] The group operates a Tor-based data leak site and a separate negotiation/chat portal and has relocated infrastructure and opened new leak sites repeatedly since discovery. [3] It markets itself as "AI-assisted," but no published technical analysis substantiates any actual AI component in the malware - this is assessed as branding rather than a validated capability.
The AiLock encryptor is written in C/C++ and uses an unusual hybrid scheme: ChaCha20 for file content and NTRUEncrypt256 - a post-quantum-resistant lattice-based algorithm - to protect the ChaCha20 key and metadata. The 30-byte key/nonce is generated via CryptGenRandom(). [1] Encryption is multithreaded using I/O Completion Ports (IOCP) for speed, with a dedicated path-traversal thread separate from the encryption thread. Files under 100MB are fully encrypted; larger files (and those at or above 1GB) receive partial encryption to shorten dwell time. [1] Static-analysis markers include the configuration values "DE AD BA BE"/"BA BE DE AD" and a metadata start marker B16B00B5, with SHA256 verification of the embedded configuration. Strings are obfuscated with an 8-byte repeating XOR key, and Windows APIs are resolved dynamically via LoadLibrary() and GetProcAddress(). [1]
Tactics, Techniques, and Procedures (TTPs)

Attribution Framework

| Tactic | Technique ID | Technique | Evidence/Observed Behaviour |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Assessed initial-access vector; not confirmed for AiLock specifically. [3] |
| Initial Access | T1133 / T1078 | External Remote Services / Valid Accounts | Exposed RDP/VPN and stolen/reused credentials - assessed, not confirmed. Intrusion methods not publicly disclosed. [3] |
| Execution | T1059.003 | Windows Command Shell | cmd.exe used; self-delete via cmd.exe /C ping 127.0.0.1 & del [path] when run with -del. Operator-controlled execution requiring -full or -path. [1] |
| Privilege Escalation | T1134.001 | Token Impersonation/Theft | Access-token manipulation to elevate and impersonate. [1] |
| Defence Evasion | T1027 | Obfuscated Files or Information | Strings XOR-obfuscated with an 8-byte repeating key; dynamic API resolution via LoadLibrary()/GetProcAddress(); config hidden with validation markers and SHA256 checks. [1] |
| Defence Evasion | T1480 / T1480.002 | Execution Guardrails / Mutual Exclusion | FAUST mutex enforces single-instance execution ("Single instance only Exit"). [1][5] |
| Discovery | T1082 | System Information Discovery | Enumerates logical drives via GetLogicalDrives() during a dedicated path-traversal thread. [1] |
| Discovery | T1083 | File and Directory Discovery | Traverses directories to identify encryption targets. [1] |
| Discovery | T1135 | Network Share Discovery | Resolves and targets network shares via WNet APIs when run with the -shares option. [1] |
| Impact | T1486 | Data Encrypted for Impact | ChaCha20 + NTRUEncrypt256; .AiLock extension; Readme.txt dropped per directory; full <100MB, partial >=1GB; icon set to green padlock and wallpaper changed. [1] |
| Impact | T1489 | Service Stop | Stops file-locking services via ControlService() and terminates processes via TerminateProcess() before encryption; empties Recycle Bin via SHEmptyRecycleBinA(). [1] |
| Impact | T1657 | Financial Extortion | Tor data leak site and negotiation/chat portal; threatened data publication, regulator notification and competitor alerting. [2][5] |
| Impact | T1490 | Inhibit System Recovery (Shadow Copies) | Shadow-copy deletion via vssadmin/wmic is widely cited as generic ransomware behaviour but is NOT confirmed in the analysed AiLock sample - intelligence gap. [1] |
Attack Lifecycle
The following reconstructs an AiLock intrusion based on primary malware analysis of an AiLock sample [1] and RaaS ecosystem norms for the stages not confirmed in that analysis. [3][5]
INITIAL ACCESS - Unconfirmed
AiLock's initial-access tradecraft is not established in public reporting. Affiliates are assessed to enter via phishing, exploitation of an internet-facing service, or valid/stolen credentials on exposed RDP/VPN - consistent with RaaS norms but not confirmed for AiLock specifically.
Observable artefacts: Phishing email in mail-gateway logs; inbound authentication to RDP/VPN from unfamiliar geography or IP; exploitation attempts against internet-facing services. (Assessed, not AiLock-confirmed.)
EXECUTION - Operator-Controlled Detonation
The encryptor requires operator-supplied parameters (-full or -path) to detonate - it is not an autonomous worm. A FAUST mutex enforces single-instance execution. When run with -del, it self-removes via cmd.exe /C ping 127.0.0.1 & del [path]. [1]
Observable artefacts: cmd.exe spawning ping/del self-delete sequence; FAUST mutex creation; encryptor process launched with -full / -path / -shares / -del parameters.
DISCOVERY - Drives and Network Shares
A dedicated path-traversal thread enumerates logical drives via GetLogicalDrives() and directories for encryption targets. When run with -shares, WNet APIs resolve and target network shares. [1]
Observable artefacts: Rapid logical-drive enumeration; WNet share resolution from a user workstation; directory traversal preceding mass file access.
PRIVILEGE ESCALATION - Token Theft
The malware uses token impersonation/theft to operate with elevated privileges required for broad file and share encryption.
Observable artefacts: Anomalous token-manipulation events; process operating under impersonated security context.
DEFENCE EVASION - Obfuscation & Guardrails
Strings are XOR-obfuscated with an 8-byte repeating key; Windows APIs are resolved dynamically via LoadLibrary()/GetProcAddress(); the embedded config is hidden behind validation markers and SHA256 checks. The FAUST mutex and "Single instance only Exit" guardrail prevent duplicate execution. [1][5]
Observable artefacts: XOR-obfuscated strings in memory; dynamic API resolution; FAUST mutex; config markers DE AD BA BE / B16B00B5.
IMPACT (1) - Service Stop & Recycle-Bin Wipe
Before encryption, file-locking services are stopped via ControlService() and processes terminated via TerminateProcess(). The Recycle Bin is emptied via SHEmptyRecycleBinA(). Note: vssadmin shadow-copy deletion is NOT confirmed in the analysed sample.
Observable artefacts: Burst of service-stop and process-termination events; Recycle Bin emptied. Watch for vssadmin/wmic regardless, as an assessed-but-unconfirmed behaviour.
IMPACT (2) - Encryption
Files are encrypted with ChaCha20 (content) and NTRUEncrypt256 (key/metadata), appending .AiLock. Files under 100MB are fully encrypted; larger files receive partial encryption. The file icon is set to a green padlock via HKCR/.AiLock/DefaultIcon and the wallpaper is changed via SystemParametersInfoW().
Observable artefacts: Mass file rename to .AiLock; HKCR/.AiLock/DefaultIcon and %Temp%/tmp.ico; wallpaper change; HKCU/Control Panel/Desktop edits; high file-handle churn from IOCP threads.
IMPACT (3) - Ransom Note
A ransom note named Readme.txt (ReadMe.txt) is dropped in each processed directory, setting out the 72-hour response and five-day payment deadlines and the regulator/competitor-notification threats.
Observable artefacts: Readme.txt across directories; note referencing PDPL/GDPR regulator notification, competitor alerting, and the Tor negotiation onion.
EXTORTION - Leak Site + Deadlines
The victim is listed on the Tor data leak site and directed to a negotiation/chat portal. Non-payment is met with threatened data publication, data-protection-authority notification, and competitor alerting. Funds are laundered via a peel chain to the Wasabi mixer and FixedFloat, often converting to Monero. [2][5][6]
Observable artefacts: Victim appears on the AiLock DLS; negotiation-portal activity; countdown to leak; downstream laundering to mixer/exchange.
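One way to turn the observable artefacts listed across the lifecycle above into a per-host correlation, as an added Python example (not a Red Piranha or Crystal Eye detection): it classifies constructed Sysmon-style events (ProcessCreate, FileCreate, RegistryValueSet) and scores them, treating the self-delete command line, the HKCR .AiLock DefaultIcon key, the encryptor parameters, mass renaming to .AiLock and ransom notes across directories as separate signals. Field names, weights, thresholds and every path, user and SID in the sample events are assumptions.

```python
import re
from collections import defaultdict

# One regex per lifecycle artefact; the ransom-note and .AiLock rules also need volume (below).
SELF_DELETE = re.compile(r"ping\s+127\.0\.0\.1\s*&\s*del\s", re.I)
ENCRYPTOR_ARGS = re.compile(r"(?:^|\s)-(?:full|path|shares|del)(?:\s|$)", re.I)
RANSOM_NOTE = re.compile(r"[\\/]readme\.txt$", re.I)
ICON_KEY = re.compile(r"\\\.AiLock\\DefaultIcon", re.I)
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper", re.I)
# Weights are an assumption: family-specific artefacts outweigh generic ones.
WEIGHTS = {"self_delete": 5, "icon_registry": 5, "encryptor_args": 2,
           "wallpaper_registry": 2, "tmp_ico": 2}

def classify(ev):
    """Return the artefact names a single telemetry event exhibits."""
    found = []
    if ev["type"] == "ProcessCreate":
        cmd = ev.get("CommandLine", "")
        if ev.get("Image", "").lower().endswith("cmd.exe") and SELF_DELETE.search(cmd):
            found.append("self_delete")
        if ENCRYPTOR_ARGS.search(cmd):
            found.append("encryptor_args")
    elif ev["type"] == "FileCreate":
        path = ev.get("TargetFilename", "")
        if path.lower().endswith(".ailock"):
            found.append("ailock_ext")
        if RANSOM_NOTE.search(path):
            found.append("ransom_note")
        if path.lower().endswith("\\tmp.ico"):
            found.append("tmp_ico")
    elif ev["type"] == "RegistryValueSet":
        key = ev.get("TargetObject", "")
        if ICON_KEY.search(key):
            found.append("icon_registry")
        if WALLPAPER_KEY.search(key):
            found.append("wallpaper_registry")
    return found

def score_host(events, rename_threshold=20, note_dir_threshold=5):
    """Correlate one host's events into (score, sorted list of findings)."""
    counts, note_dirs = defaultdict(int), set()
    for ev in events:
        for name in classify(ev):
            counts[name] += 1
            if name == "ransom_note":
                note_dirs.add(ev["TargetFilename"].rsplit("\\", 1)[0].lower())
    findings = [n for n in WEIGHTS if counts[n]]
    score = sum(WEIGHTS[n] for n in findings)
    if counts["ailock_ext"] >= rename_threshold:  # mass rename to .AiLock
        findings.append("mass_rename")
        score += 5
    if len(note_dirs) >= note_dir_threshold:  # Readme.txt across directories
        findings.append("ransom_notes")
        score += 4
    return score, sorted(findings)

def constructed_events():
    """Constructed Sysmon-style events: invented host, user, paths and SID."""
    tmp, docs = r"C:\Users\alice\AppData\Local\Temp", r"C:\Users\alice\Documents"
    ev = [{"type": "ProcessCreate", "Image": tmp + r"\enc.exe", "CommandLine": "enc.exe -full -shares"},
          {"type": "FileCreate", "TargetFilename": tmp + r"\tmp.ico"},
          {"type": "RegistryValueSet", "TargetObject": r"HKCR\.AiLock\DefaultIcon\(Default)"},
          {"type": "RegistryValueSet", "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper"},
          {"type": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
           "CommandLine": f"cmd.exe /C ping 127.0.0.1 & del {tmp}\\enc.exe"},
          {"type": "ProcessCreate", "Image": r"C:\Windows\System32\PING.EXE",
           "CommandLine": "ping 127.0.0.1 -n 1"}]  # benign: no del, no encryptor flags
    ev += [{"type": "FileCreate", "TargetFilename": f"{docs}\\f{i}.docx.AiLock"} for i in range(25)]
    ev += [{"type": "FileCreate", "TargetFilename": d + r"\Readme.txt"} for d in
           (docs, r"C:\Users\alice\Pictures", r"D:\Share\Finance", r"D:\Share\HR", r"C:\Users\alice\Desktop")]
    return ev
```

On the constructed host the single strong artefacts score 16 and the two volume rules add 9, so a threshold anywhere above the weight of one generic artefact separates this host from a user who merely keeps a Readme.txt in a project folder.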
Indicators Of Compromise (IOCs)

IOCs are labelled CONFIRMED (attributed to AiLock in primary analysis) or ATTRIBUTED (ecosystem/secondary).

File Hashes

| Type | Indicator/Value |
|---|---|
| SHA256 | 3c7c91cd4dc336db8082e07ab7549556f05d80acbc778afc2dade67c02002f69 |
| MD5 | 2a728d98ae8280efeaa674783181f3fa |

Host-Based Indicators

| Type | Indicator/Value | Description |
|---|---|---|
| File Extension | .AiLock | Appended to all encrypted files. |
| Ransom Note | Readme.txt / ReadMe.txt | Dropped in every processed directory. |
| Mutex | FAUST | Single-instance guardrail (YARA: "Single instance only Exit"). |
| Encryption | ChaCha20 + NTRUEncrypt256 | Hybrid post-quantum scheme; full <100MB, partial >=1GB. |
| Config Markers | DE AD BA BE / BA BE DE AD / B16B00B5 | Static-analysis config and metadata markers. |
| Registry | HKCR/.AiLock/DefaultIcon -> %Temp%/tmp.ico | Encrypted-file icon set to green padlock. |
| Registry | HKCU/Control Panel/Desktop | Wallpaper changed (robot-skull logo). |
| Self-Delete | cmd.exe /C ping 127.0.0.1 & del [path] | Triggered by the -del parameter. |
| Parameters | -full / -path / -shares / -del | Operator-supplied execution parameters. |

Network & Infrastructure Indicators

| Type | Indicator/Value |
|---|---|
| Tor DLS | dhnsppqjaaa22lsqxl2tfhji4ca43743kubltnodvsft3hkvai77p6ad.onion |
| Tor Negotiation | jaawqs6wu56n2adj7qrjg25dhcux2nislvjouffpzldj23e4y72akoid.onion |
| C2 IP | None publicly documented |

YARA Detection Strings (Published)

| Type | Indicator/Value | Description |
|---|---|---|
| YARA | "Single instance only Exit" | FAUST single-instance guardrail string. |
| YARA | "Total time of encryption: %llu seconds" | Encryptor logging string. |
| YARA | "Start Log:%d Network:%d Selfdelete:%d Path=%s" | Operator parameter logging string. |
| YARA Markers | DE AD BA BE / BA BE DE AD / BE BA AD AB / B5 00 6B B1 | Config/metadata byte markers. |
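The byte markers and YARA strings in the tables above, together with the 8-byte repeating XOR string obfuscation described in the AiLock profile, as a small static triage helper in Python. This is an added example, not code from S2W or Red Piranha: it searches a buffer (binary or memory dump) for the published markers and strings, and recovers a repeating XOR key by known plaintext when a published string is present only in obfuscated form. The little-endian reading of B16B00B5 follows the "B5 00 6B B1" form listed in the YARA table; the sample buffer and the key it embeds are constructed for the demonstration.

```python
import re

# Config/metadata byte markers quoted in the profile and the YARA table.
# B16B00B5 is listed both as a hex constant and as the byte sequence
# "B5 00 6B B1" (its little-endian encoding), so both orders are searched.
BYTE_MARKERS = {
    "DE AD BA BE": bytes.fromhex("DEADBABE"),
    "BA BE DE AD": bytes.fromhex("BABEDEAD"),
    "BE BA AD AB": bytes.fromhex("BEBAADAB"),
    "B16B00B5 (big-endian)": bytes.fromhex("B16B00B5"),
    "B16B00B5 (little-endian)": bytes.fromhex("B5006BB1"),
}
# Plaintext strings from the published YARA detection. On disk the sample
# keeps its strings XOR-obfuscated, so expect these in memory dumps first.
PLAINTEXT_STRINGS = [
    b"Single instance only Exit",
    b"Total time of encryption: %llu seconds",
    b"Start Log:%d Network:%d Selfdelete:%d Path=%s",
]
KEY_LEN = 8  # the analysis describes an 8-byte repeating XOR key

def find_markers(buf):
    """Return {label: [offsets]} for every marker or string present in buf."""
    hits = {}
    patterns = list(BYTE_MARKERS.items()) + [(s.decode(), s) for s in PLAINTEXT_STRINGS]
    for label, pat in patterns:
        offs = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offs:
            hits[label] = offs
    return hits

def recover_xor_key(buf, known):
    """Known-plaintext search for the repeating XOR key.

    At each offset the candidate key stream is buf XOR known; a genuine hit
    is one where that stream repeats with period KEY_LEN. Returns
    (offset, key) for the first hit, or None. An all-zero key means the
    string was found in clear.
    """
    if len(known) <= KEY_LEN:
        raise ValueError("known plaintext must be longer than the key")
    for off in range(len(buf) - len(known) + 1):
        stream = bytes(b ^ k for b, k in zip(buf[off:off + len(known)], known))
        if all(stream[i] == stream[i % KEY_LEN] for i in range(len(stream))):
            return off, stream[:KEY_LEN]
    return None

def xor_bytes(blob, key):
    """Repeating-key XOR; symmetric, so it both obfuscates and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

# Constructed sample buffer, NOT bytes from a real AiLock binary: an invented
# key, two of the quoted markers and one obfuscated YARA string, padded with
# zeros so the helpers above have something to find.
DEMO_KEY = bytes.fromhex("1F2E3D4C5B6A7988")
SAMPLE = (
    b"\x00" * 16
    + bytes.fromhex("DEADBABE") + b"\x00" * 8
    + bytes.fromhex("B5006BB1") + b"\x00" * 4
    + xor_bytes(b"Single instance only Exit", DEMO_KEY)
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(find_markers(SAMPLE))
    print(recover_xor_key(SAMPLE, b"Single instance only Exit"))
```

Once a key is recovered from one string, applying xor_bytes to the rest of the string table with the same key (aligned to the key period) exposes the remaining strings for triage without executing the sample.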
Mitigation - Crystal Eye 5.5 Controls
All Crystal Eye 5.5 controls referenced below are documented across the Red Piranha platform documentation. Controls are organised in three remediation stages by priority. Because AiLock's initial-access vector is unconfirmed, Stage 1 prioritises broad remote-access hardening rather than a single ingress signature.
CE ZTNA + MFA + Entra SSO
Move every remote-user path behind SSO and MFA via Crystal Eye ZTNA and Microsoft Entra ID SSO integration; migrate remote users to WireGuard or SSL VPN under identity control and eliminate unauthenticated/legacy remote access.
CEASR + ForceField
Apply CEASR (ASD Essential Eight ML3) application allowlisting and Windows hardening to high-risk endpoints, jump hosts, and privileged admin workstations to block unauthorised encryptor execution and restrict LSASS access. ForceField behavioural blocking and self-defence detect ransomware behaviour and auto-ban offending IPs.
CE DNS Banned Domains + SWG
Block and sinkhole the AiLock DLS onion (dhnsppqjaaa22lsqxl2tfhji4ca43743kubltnodvsft3hkvai77p6ad.onion) and deny all .onion/Tor egress at DNS and proxy via DNS Banned Domains and the Secure Web Gateway.
CE Advanced Firewall + IDPS
Segment user, server, backup, hypervisor, and remote-access networks into separate Advanced Firewall zones and restrict SMB, RDP, and admin protocols to explicit allowlists, directly countering AiLock's WNet share enumeration and encryption.
CE Web Filter/SWG + DLP
Enable Secure Web Gateway URL filtering and content inspection plus DLP (credit-card/SSN monitoring) and egress ACLs to detect and block genuine data egress. Note AiLock's exfiltration tooling is undocumented - absence of an egress alarm must not be read as absence of compromise. Ref: Secure Web Gateway; Web Filter.
Source References:
All intelligence is directly sourced from the references below. Inline citations correspond to reference numbers. Accessed June 2026.
[1] S2W TALON (Huiseong Yang) - "Detailed Analysis of AiLock Ransomware" (S2W, Medium).
[2] Fortra (Graham Cluley) - "AiLock ransomware: What you need to know". Ransom-note coercion: PDPL/GDPR regulator notification, competitor alerting, 72-hour response and 5-day payment deadlines.
[3] RansomLook - AiLock group profile. Reporting-window activity (one post, last 2026-06-26, Hokua); leak-site and negotiation-onion infrastructure and status; note that intrusion methods are not publicly disclosed. Onion infrastructure independently corroborated by the deepdarkCTI ransomware-gang list.
[4] Ransomware.live - AiLock group profile. Cumulative victim count (38); country and sector statistics; infostealer co-infection rate; average publication delay.
[5] SOS Ransomware - "AiLock Ransomware: Profile and Extortion Tactics". FAUST single-instance mutex; extortion model; AI-branding caveat; no confirmed initial-access vector; FAUST/Phobos coincidence assessed. First public documentation of AiLock (originally surfaced by external threat research, 1 April 2025).
[6] TRM Labs - "Nine Emerging Groups Shaping the Ransomware Landscape". AI-driven self-branding; laundering via the Wasabi mixer and FixedFloat, with conversion to Monero.
[7] CYFIRMA - "Tracking Ransomware: March 2026". Cumulative victim trajectory (0 to 45) and emergence tracking.
[8] IronGate Security - "AiLock Ransomware". Victim list; cracked/pirated-software user-execution assessment.
[9] BleepingComputer - "England Hockey investigating ransomware data breach". England Hockey ~129 GB claim; ecosystem scale (~800 clubs, ~150,000 players); investigation status. Corroborated by additional industry reporting.
[10] RedPacket Security - "[AILOCK] Ransomware Victim: Hokua". Hokua listing (2026-06-26) and standing unverified-claims alert; corroborated by DeXpose (Honolulu luxury-condominium identification, full-leak threat) and additional dark-web monitoring that noted the inconsistent country tag.
Worldwide Ransomware Victims
Worldwide ransomware victim distribution shows that the United States was the most affected country, with 59 victims, accounting for 42.45% of the total ransomware activity. This indicates that the United States remained the primary target region during this period.
Canada recorded the second-highest number of victims, with 7 cases, representing 5.04% of the total. Australia and India followed closely, each reporting 6 victims and accounting for 4.32% individually. Germany also showed notable activity, with 5 victims, contributing 3.60% of the total.
Moderate ransomware impact was observed in Austria, Peru, and Italy, each recording 4 victims, representing 2.88% individually. Brazil, Switzerland, Turkey, and the United Kingdom each reported 3 victims, accounting for 2.16% each.
Lower levels of activity were seen across several countries, including China, Thailand, Mexico, Netherlands, and South Korea, each with 2 victims, representing 1.44% of the total individually.
The remaining countries recorded 1 victim each, accounting for 0.72% individually. These included Vietnam, Viet Nam, Russian Federation, Libya, Indonesia, Bangladesh, Ukraine, El Salvador, France, Kuwait, Czech Republic, Portugal, Malaysia, Paraguay, Dominican Republic, Singapore, Taiwan, Belgium, Colombia, and Pakistan.
Overall, the data shows that ransomware activity was heavily concentrated in the United States, which accounted for more than two-fifths of all reported victims. While other countries experienced smaller victim counts, the distribution across multiple regions shows that ransomware remained a global threat during this period.

Industry-wide Ransomware Impact
Industry-wide ransomware victim data shows that Manufacturing was the most affected sector, with 22 victims, accounting for 15.83% of total ransomware activity. This makes Manufacturing the highest-impact industry for this period.
Business Services was the second most impacted sector, with 20 victims, representing 14.39% of the total. Retail followed with 17 victims, accounting for 12.23%, while Construction recorded 14 victims, contributing 10.07% of overall ransomware activity.
Other sectors with notable ransomware impact included Media & Internet, Transportation, and Finance, each with 6 victims, accounting for 4.32% individually. IT and Law Firms each recorded 5 victims, representing 3.60% of the total.
Moderate activity was observed in Hospitality, Consumer Services, Healthcare, Education, Organizations, and Architecture, each reporting 4 victims and accounting for 2.88% individually. Insurance, Real Estate, and Federal each recorded 3 victims, contributing 2.16% each.
Lower levels of ransomware activity were seen in Energy, with 2 victims, accounting for 1.44% of the total. The least affected sectors were Minerals & Mining and Agriculture, each recording 1 victim, representing 0.72% individually.
Overall, the data shows that ransomware activity was mainly concentrated in Manufacturing, Business Services, Retail, and Construction. These sectors accounted for a significant portion of the total victims, suggesting that ransomware operators continued to target industries with high operational dependency, business-critical systems, supply-chain exposure, and strong pressure to restore services quickly.
