| New Threats Detection Added | • MarkiRAT |
| New Threat Protection | 278 |
| Newly Detected Threats | 13 |
Weekly Detected Threats
The following threats were added to Crystal Eye this week:
Threat name: | MarkiRAT | |||||||||||||||||||||||||||
MarkiRAT is a Windows based Remote Access Trojan (RAT) that’s known to be distributed through fake software and VPN applications for surveillance purposes orchestrated by Iranian linked threat actors. Once infected, the computer name, current user, and screenshots from the device are captured and sent to attacker-controlled infrastructure. | ||||||||||||||||||||||||||||
Threat Protected: | 36 | |||||||||||||||||||||||||||
Rule Set Type: |
| |||||||||||||||||||||||||||
Class Type: | Trojan-activity | |||||||||||||||||||||||||||
Kill Chain: |
| |||||||||||||||||||||||||||
Known Exploited Vulnerabilities (Week 1 - July 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-1st-week-of-july-2026/675.
Vulnerability | CVSS | Description | Affected Version | Fixed Version | |
8.8 | Unauthenticated RCE - Microsoft SharePoint Server (on-premises) contains a deserialisation vulnerability that can allow an unauthenticated remote attacker to execute code on the system. | Check vendor advisory for affected products and versions. | |||
10.0 | Authentication Bypass - SimpleHelp contains an authentication bypass vulnerability within the OIDC authentication flow that can allow an unauthenticated remote attacker to forge authentication tokens to gain access to the system. | <= 5.5.15 6.0 | 5.5.16 6.0 RC2 | ||
Updated Malware Signature (Week 1 - July 2026)
Threat | Description | |
XWorm | A Remote Access Trojan (RAT) and malware loader that's commonly used in cyberattacks to give attackers full remote control over a victim's system. It's part of a growing trend of commercialised malware sold or rented on dark web forums, often under the guise of a “legitimate tool.” |
| Ransomware Report | |
The Red Piranha Team conducts continuous surveillance across the dark web and other threat intelligence channels to identify global organisations impacted by ransomware attacks. In the past week, this monitoring revealed multiple ransomware incidents spanning a diverse range of threat groups, underscoring the persistent and widespread nature of today's cyber threat landscape. Presented below is a detailed breakdown of ransomware group activity, victim geographies, and targeted industries observed during this period. Ransomware Hits Last WeekLast week’s ransomware activity shows that Qilin was the most active ransomware group, recording 25 hits, which accounted for 17.48% of the total ransomware activity. This made Qilin the leading ransomware actor for the week. The Gentlemen recorded the second-highest activity, with 22 hits, contributing 15.38% of the total. Krybit followed with 12 hits, representing 8.39%, while Stormous and Inc Ransom each recorded 11 hits, accounting for 7.69% individually. A moderate level of activity was observed from DragonForce, which recorded 6 hits, representing 4.20% of total ransomware activity. CMD Organisation, Anubis, Eraleign (APT73), Pear, and Doommageddon each recorded 5 hits, contributing 3.50% individually. Lower but still visible activity was seen from SafePay, Brain Cipher, and Worldleaks, each with 4 hits, accounting for 2.80% individually. Akira recorded 3 hits, representing 2.10% of the total. Several groups had smaller activity levels, with Play, Redact, 3AM, and Ransomhouse each recording 2 hits, contributing 1.40% individually. The remaining groups, including Prinz Eugen, Bavacai, Embargo, Aurora, Genesis, Money Message, Space Bears, and Payload, each recorded 1 hit, accounting for 0.70% individually. Overall, the data shows that ransomware activity last week was led mainly by Qilin, The Gentlemen, Krybit, Stormous, and Inc Ransom. Together, these top five groups accounted for 81 hits, representing approximately 56.64% of all recorded ransomware activity. While a few groups dominated the weekly activity, the presence of many smaller groups shows that the ransomware landscape remained broad, active, and fragmented across multiple threat actors. |

Aurora Ransomware
Origin and Profile
Aurora is currently tracked as an active ransomware group in 2026, with public leak-site activity observed during the requested reporting window. SOCRadar listed Primed Halberstadt Medizintechnik as an alleged Aurora victim on 30 June 2026, with high confidence.
Important attribution note: public reporting uses the name Aurora for both the newer 2026 leak-site ransomware group and the older Aurora/OneKeyLocker/Zorro ransomware family first seen in 2018. The current 2026 leak-site actor has limited public technical malware analysis available. Therefore, technical TTPs and IOCs below are mapped from validated Aurora/OneKeyLocker reporting and should be treated as family-level indicators, not fully confirmed 2026 actor tooling unless internal telemetry confirms the same samples. [2][4]
Tactics, Techniques, and Procedures (TTPs)
Attribution Framework
Tactic | Technique ID | Technique | Evidence / Observed Behaviour |
Initial Access | T1566.001 | Spearphishing Attachment | Aurora/OneKeyLocker was reported as distributed through malicious spam email attachments. |
Initial Access | T1110.001/T1021.001 | Password Guessing/Remote Desktop Protocol | Aurora/Zorro activity showed indications of compromise through exposed RDP services where attackers brute-forced accounts and installed ransomware. |
Execution | T1203 | Exploitation for Client Execution | ANY.RUN documents AZORult campaigns using Microsoft Office / EQNEDT32.EXE and CVE-2017-11882 exploitation; Aurora was observed as a secondary ransomware payload in such campaigns. |
Command-and-Control/ Delivery | T1105 | Ingress Tool Transfer | AZORult delivery chain downloaded and executed malicious payloads after Office exploitation. |
Collection | T1005 | Data from Local System | In AZORult-linked campaigns, credentials, browser data, cookies, desktop files, chat history, and crypto-related data were collected before ransomware deployment. |
Impact | T1486 | Data Encrypted for Impact | Aurora encrypts victim files, appends extensions such as .Aurora, .aurora, .desu, .ONI, and drops ransom notes. |
Impact | T1491.001 | Internal Defacement | Aurora/Zorro created %UserProfile%wall.i, a JPG used as desktop wallpaper with ransom instructions. |
Attack Lifecycle
The following reconstructs Aurora ransomware activity based on public reporting for Aurora/OneKeyLocker/Zorro and related delivery-chain analysis. Current 2026 Aurora leak-site reporting confirms activity but does not yet provide enough public malware-level telemetry to confirm whether the same tooling is being used.
INITIAL ACCESS - Phishing/RDP Compromise
Older Aurora/OneKeyLocker reporting identifies malicious spam attachments as a delivery vector. BleepingComputer also reported signs that Aurora/Zorro may be installed after attackers compromise exposed Remote Desktop services by brute-forcing RDP accounts. [4][5]
Observable artefacts: Suspicious email attachments; Office document execution; RDP authentication failures followed by successful login; unfamiliar source IPs accessing RDP/VPN; new executable creation after remote login.
EXECUTION - Office Exploit/Payload Launch
ANY.RUN documents AZORult campaigns where an Office document starts WINWORD.EXE, invokes EQNEDT32.EXE, exploits CVE-2017-11882, and downloads a malicious executable. Aurora ransomware was observed as a secondary payload in AZORult campaigns. [7]
Observable artefacts: WINWORD.EXE spawning EQNEDT32.EXE; outbound download after document open; suspicious child process creation; payload execution from user/temp paths.
DATA THEFT PRECURSOR - AZORult Stealer Activity
In campaigns where AZORult precedes Aurora, the stealer collects browser credentials, cookies, autofill data, desktop files, chat history, banking data, and cryptocurrency-related information before ransomware impact.
Observable artefacts: Browser credential access; unusual outbound C2; suspicious archive or POST traffic; stealer detections before encryption.
IMPACT - File Encryption
Aurora encrypts files using RSA-2048 according to PCrisk reporting and appends extensions such as .Aurora. Ransom notes such as HOW_TO_DECRYPT_YOUR_FILES.txt and !-GET_MY_FILES-!.txt are dropped across folders. [5]
Observable artefacts: Rapid file rename activity; .Aurora or related extensions; mass creation of ransom notes; high file-write activity across user and shared directories.
IMPACT - Ransom Note and Wallpaper
Aurora/Zorro creates ransom notes including !-GET_MY_FILES-!.txt, #RECOVERY-PC#.txt, and @_RESTORE-FILES_@.txt. It also creates %UserProfile%wall.i, a JPG used as the desktop wallpaper to direct victims to the ransom instructions. [5]
Observable artefacts: Ransom-note files in multiple directories; wallpaper change; %UserProfile%wall.i; user complaints of encrypted files and changed desktop background.
Indicators of Compromise (IOCs)
IOCs below are validated for the older Aurora/Zorro/OneKeyLocker ransomware family. They are not conclusively confirmed for the 2026 Aurora leak-site actor.
File Hashes
Type | Indicator/Value |
SHA256 | e8e995787549117aacb30b3d4896c058a8bfc8d0aab312b726d34e6ab85d819d |
Host-Based Indicators
Type | Indicator/Value | Description |
File Extension | .Aurora | Known encrypted file extension. |
File Extension | .aurora | Known encrypted file extension. |
File Extension | .animus | Known Aurora/Zorro variant extension. |
File Extension | .desu | Known Aurora/Zorro variant extension. |
File Extension | .ONI | Known Aurora/Zorro variant extension. |
Ransom Note | !-GET_MY_FILES-!.txt | Dropped ransom note. |
Ransom Note | #RECOVERY-PC#.txt | Dropped ransom note. |
Ransom Note | @_RESTORE-FILES_@.txt | Dropped ransom note. |
Ransom Note | HOW_TO_DECRYPT_YOUR_FILES.txt | Dropped ransom note. |
Wallpaper Artifact | %UserProfile%wall.i | JPG wallpaper used for ransom instructions. |
Associated Email Addresses
Type | Indicator/Value |
Email | anastacialove21@mail.com |
Email | anonimus.mr@yahoo.com |
Email | big.fish@vfemail.net |
Email | enco@cock.email |
Email | hellstaff@india.com |
Email | j0ra@protonmail.com |
Email | ochennado@tutanota.com |
Email | oktropys@protonmail.com |
Email | UnlockAlexKingman@protonmail.com |
YARA Detection
Type | Indicator/Value | Description |
YARA | win_aurora_auto | Public Malpedia YARA rule for win.aurora. |
Malpedia Hash | a182e35da64e6d71cb55f125c4d4225196523f14 | Malpedia family hash reference. |
Mitigation - Crystal Eye 5.5 Controls
All Crystal Eye XDR 5.5 controls referenced below are mapped to the observed Aurora ransomware behaviours and the broader ransomware kill chain. Because the current 2026 Aurora leak-site actor does not yet have enough public malware-level reporting, the mitigations focus on preventing and detecting the validated delivery paths, remote-access compromise, payload staging, file encryption, and possible data theft.
CE Secure Web Gateway + Anti-phishing
Enable Anti-phishing with Signature Engine, Heuristic Engine, Block SSL Mismatch, and Block Cloaked URLs. This helps block phishing and malware-delivery URLs used for credential theft or payload staging.
CE Antivirus + Anti-malware File Scanner
Use CE Antivirus to inspect files in transit and configure Anti-malware File Scanner to scan web proxy cache, email, FTP, web, home, and network file-share directories. Enable quarantine for infected files and schedule daily scans.
CE Advanced Firewall + IDPS
Segment user, server, backup, and remote-access networks. Restrict RDP and SMB to explicit administrative sources only. Use CE IDPS local rules and backend rules to detect RDP brute force, suspicious Office exploit delivery, malicious HTTP downloads, and ransomware-related traffic.
CE SIEM + CESOC Escalation
Use CE SIEM to correlate IDPS, SWG, AV, DLP, endpoint, and network events. Escalate confirmed Aurora-family IOCs or suspicious ransomware behaviour to CESOC for investigation and threat hunting.
CE DLP + SWG Egress Monitoring
Enable DLP and SWG monitoring to detect unusual outbound transfer of sensitive files, especially where stealer activity is suspected before encryption.
CE Vulnerability Scanning
Run vulnerability scans against internet-facing systems, RDP hosts, VPN services, Windows endpoints, and Office-exposed attack paths. Prioritise exposed remote services and outdated Microsoft Office components.
Source References
All intelligence is directly sourced from the references below. Inline citations correspond to reference numbers.
[1] SOCRadar - Primed Halberstadt Medizintechnik Data Breach -
https://socradar.io/blog/data-breach/primed-halberstadt-medizintechnik-aurora-ransomware-2026/. Aurora victim listing dated 30 June 2026; high confidence; healthcare/business services victim in Germany.
[2] Malpedia - Aurora/win.aurora/OneKeyLocker - https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora. Malware family taxonomy, alias, actor reference, and public YARA.
[3] NHS Digital - Aurora Ransomware -
https://digital.nhs.uk/cyber-alerts/2018/cc-2584. Aurora/Animus/OneKeyLocker background; Windows impact; spam-email attachment vector.
[4] PCrisk - Aurora ransomware virus removal and decryption options - https://www.pcrisk.com/removal-guides/12850-aurora-ransomware. RSA-2048 encryption, .Aurora extension, and ransom-note behaviour.
[5] BleepingComputer -
Aurora/Zorro Ransomware Actively Being Distributed - https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/. RDP brute-force indication, file extensions, ransom notes, wallpaper artifact, hash, and associated emails.
[6] ANY.RUN -
AZORult Malware Analysis - https://any.run/malware-trends/azorult/. AZORult delivery chain, Office exploitation via CVE-2017-11882, and Aurora as secondary ransomware payload.
Worldwide Ransomware Victims
Worldwide ransomware victim distribution shows that the United States was the most affected country, with 60 victims, accounting for 41.96% of the total ransomware activity. This indicates that the United States remained the primary target region during this period.
Germany recorded the second-highest number of victims, with 9 cases, representing 6.29% of the total. Italy, Japan, the United Kingdom, and Canada followed, each reporting 6 victims and accounting for 4.20% individually. Brazil also showed notable activity, with 5 victims, contributing 3.50% of the total.
Moderate ransomware impact was observed in Australia, which recorded 4 victims, representing 2.80% of total activity. Mexico, France, Singapore, Taiwan, and Turkey each reported 3 victims, accounting for 2.10% individually.
Lower levels of activity were seen across several countries, including Malaysia, Argentina, Pakistan, Chile, Spain, and Vietnam, each with 2 victims, representing 1.40% of the total individually.
The remaining countries recorded 1 victim each, accounting for 0.70% individually. These included United Arab Emirates, Tunisia, South Africa, South Korea, Austria, Norway, Greece, China, Poland, Switzerland, Colombia, New Zealand, Cambodia, and Portugal.
Overall, the data shows that ransomware activity was heavily concentrated in the United States, which accounted for more than two-fifths of all reported victims. While other countries recorded smaller victim counts, the distribution across 33 countries shows that ransomware activity remained global, with impact spread across North America, Europe, Asia-Pacific, the Middle East, Africa, and Latin America.

Industry-wide Ransomware Impact
Industry-wide ransomware victim data shows that Manufacturing was the most affected sector, with 27 victims, accounting for 18.88% of total ransomware activity. This makes Manufacturing the highest-impact industry for this period.
Retail was the second most impacted sector, with 19 victims, representing 13.29% of the total. Business Services followed closely with 18 victims, accounting for 12.59%, while Healthcare recorded 12 victims, contributing 8.39% of overall ransomware activity.
Other sectors with notable ransomware impact included Transportation, which recorded 9 victims, accounting for 6.29% of the total. Law Firms and IT each reported 7 victims, representing 4.90% individually.
Moderate activity was observed in Hospitality, Organisations, and Federal, each recording 5 victims and accounting for 3.50% individually. Education, Finance, Construction, and Architecture each recorded 4 victims, contributing 2.80% each.
Lower levels of ransomware activity were seen in Insurance, Consumer Services, and Electronics, each with 3 victims, accounting for 2.10% individually. The least affected sectors were Real Estate and Agriculture, each recording 2 victims, representing 1.40% individually.
Overall, the data shows that ransomware activity was mainly concentrated in Manufacturing, Retail, Business Services, and Healthcare. These sectors accounted for 76 victims, representing approximately 53.15% of total ransomware activity, indicating that ransomware operators continued to focus on industries with high operational dependency, large digital footprints, sensitive data, and strong pressure to restore services quickly.
