| New Threats Detection Added | • Sainbox RAT |
| New Threat Protection | 79 |
| Newly Detected Threats | 9 |
Weekly Detected Threats
The following threats were added to Crystal Eye this week:

| Threat name | Sainbox RAT |
| --- | --- |
| Description | Sainbox is a Windows-based Remote Access Trojan (RAT) and a variant of Gh0stRAT that has been used in phishing campaigns conducted by China-based threat actors. Landing pages used in previous campaigns mimicked the websites of trusted software such as WPS Office, DeepSeek and Sogou to trick victims into downloading and executing fake software installers. Once executed, the malware installs a rootkit to maintain persistence and gives the attacker complete control of the infected machine. |
| Threat Protected | 05 |
| Rule Set Type | |
| Class Type | Command-and-Control |
| Kill Chain | |
Known Exploited Vulnerabilities (Week 3 - May 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-3rd-week-of-may-2026/663.
| Vulnerability | CVSS | Description | Affected Version | Fixed Version |
| --- | --- | --- | --- | --- |
| | 8.1 | Cross-site Scripting (XSS) - Microsoft Exchange Server (on-prem) contains a cross-site scripting vulnerability within Outlook Web Access that can allow an unauthenticated remote attacker to execute arbitrary JavaScript within the context of the browser when a specially crafted email is opened. | Check vendor advisory for affected products and versions. | |
| | 10 | Authentication Bypass - Cisco Catalyst SD-WAN Controller & Manager contains an authentication bypass vulnerability that can allow an unauthenticated remote attacker to gain administrative access on the system. | Check vendor advisory for affected products and versions. | |
Updated Malware Signature (Week 3 - May 2026)
| Threat | Description |
| --- | --- |
| XWorm | A Remote Access Trojan (RAT) and malware loader that is commonly used in cyberattacks to give attackers full remote control over a victim's system. It is part of a growing trend of commercialised malware sold or rented on dark web forums, often under the guise of a "legitimate tool". |
Ransomware Report
The Red Piranha Team conducts ongoing surveillance of the dark web and other channels to identify global organisations impacted by ransomware attacks. In the past week, our monitoring revealed multiple ransomware incidents across diverse threat groups, underscoring the persistent and widespread nature of these cyber risks. Presented below is a detailed breakdown of ransomware group activities during this period.

Ransomware Hits Last Week
Ransomware activity this week was led by Qilin (17.93%), which remained the most active threat group, continuing its aggressive campaign operations across multiple sectors and regions. The Gentlemen (9.66%) and Genesis (7.59%) also demonstrated strong operational presence, reinforcing their growing influence within the ransomware ecosystem. Other major contributors included Akira (6.9%) and Inc Ransom (6.21%), both maintaining sustained attack activity during the reporting period. Lynx (5.52%), along with Coinbase Cartel and Play (4.83% each), showed moderate but consistent campaign execution, indicating continued affiliate-driven operations. Groups such as CMD Organisation (4.14%) and DragonForce (3.45%) maintained noticeable activity levels, while Lamashtu, Kairos, and Interlock (2.76% each) contributed smaller but recurring ransomware operations. Leak Bazaar, Aurora, and Everest (2.07% each) also remained active, reflecting the continued diversity of the threat landscape. Lower-volume activity was attributed to Krybit, Killsec3, and Payload (1.38% each), while a long tail of actors including ShinyHunters, Pear, Fulcrumsec, Ailock, Space Bears, Bravox, Nitrogen, Money Message, Leaknet, Brain Cipher, Worldleaks, Payoutsking, Abyss-Data, Morpheus, and Rhysida (0.69% each) reported isolated or minimal activity.

BravoX Ransomware
BravoX represents a maturing RaaS operation with confirmed technical capability and a deliberate affiliate recruitment strategy. Active victim listing continued during the 09–15 May 2026 reporting window. The group selectively targets mid-market organisations across the Healthcare, Legal, Food Processing, and Warehouse sectors.
BravoX is a Ransomware-as-a-Service (RaaS) operation that surfaced publicly on 23 January 2026 following the publication of a Tor-based Data Leak Site (DLS) address on the RAMP underground cybercriminal forum. The threat actor behind BravoX registered on RAMP in September 2025 but maintained an extended period of dormancy prior to its public emergence. This gap between forum registration and public announcement is consistent with preparatory infrastructure build-out observed in other Russian-speaking RaaS operations.
TACTICS, TECHNIQUES, AND PROCEDURES (TTPs)
The following TTPs are derived from a confirmed BravoX ransomware incident investigated and published by InfoGuard Labs (April 2026) and corroborated across multiple open-source sources. All techniques are mapped to the MITRE ATT&CK Framework (Enterprise).
| Phase | Technique ID | Technique Name | Observed Behaviour |
| --- | --- | --- | --- |
| Initial Access | T1133 | External Remote Services | Threat actors gained initial access via an internet-exposed SSL VPN endpoint that lacked MFA enforcement and used a weak account credential. |
| Initial Access | T1078 | Valid Accounts | Weak VPN credentials enabled authenticated access to the internal network without triggering lockout controls. |
| Reconnaissance | T1046 | Network Service Discovery | SoftPerfect Network Scanner and Advanced IP Scanner were deployed to enumerate active hosts and services across the internal network. |
| Reconnaissance | T1082 | System Information Discovery | WMI commands (wmic product get name) were executed via cmd.exe to enumerate installed software; output was redirected to temporary files in C:\Windows\Temp. |
| Credential Access | T1003.001 | LSASS Memory Dump | A memory dump of lsass.exe was created on a compromised server. Privileged domain credentials were extracted and immediately leveraged. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation (BYOVD) | vulndriver.sys (wsftprm.sys) was loaded as a Bring Your Own Vulnerable Driver (BYOVD) to gain kernel-level access for EDR termination. |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | Authenticated RDP sessions were used to traverse the environment interactively, moving from the initial foothold to Domain Controllers and back. A seven-day dwell gap was observed before lateral movement resumed. |
| Persistence | T1053.005 | Scheduled Task / Job | Two scheduled tasks established persistent access: (1) \Windows Timer executed tor.exe to expose RDP (127.0.0.1:3389) as a Tor v3 Hidden Service configured via C:\Windows\wintne\torrc.txt; (2) \WindowsUpdateZ executed dmw.exe to establish an authenticated outbound SSH SOCKS5 tunnel to 45.61.136.225:22 on local port 56555. |
| Persistence | T1090.003 | Proxy: Multi-hop Proxy (Tor) | A Tor Hidden Service (v3) was configured to expose internal RDP over .onion, creating a covert anonymised backdoor that bypasses perimeter firewall controls. |
| Defence Evasion | T1562.001 | Impair Defences: Disable Security Tools | Microsoft Defender was first disabled via the user interface. Subsequently, Killer.exe and vulndriver.sys (wsftprm.sys, driver handle \\.\ Warsaw_PM) were deployed to terminate Microsoft Defender and Sophos EDR processes. |
| Defence Evasion | T1036 | Masquerading | Malicious binaries used names resembling Windows components (dmw.exe, win.exe). Scheduled tasks were named \Windows Timer and \WindowsUpdateZ to blend with legitimate Windows task naming conventions. |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage (Rclone) | Rclone was used to exfiltrate bulk data to cloud storage, blending with legitimate cloud sync traffic. The exfiltrated volume (in gigabytes) was disclosed in the ransom note. |
| Impact | T1486 | Data Encrypted for Impact | win.exe was executed with the --token, --path-only and --no-elevate parameters to encrypt targeted network paths. VMDKs on virtual servers were encrypted; physical servers were encrypted at OS level. Encrypted files were appended with the .bx-0000 extension and the ransom note 00_Recovery_Notes.txt was dropped on affected systems. |
| Impact | T1490 | Inhibit System Recovery | Shadow copy deletion and recycle bin wipe capabilities are present in win.exe (--no-shadow-rm and --no-recycle-wipe flags). Their use in the confirmed incident was not fully established; the flags are available at operator discretion. |
| Impact - Extortion | T1657 | Financial Theft / Extortion | Aggressive post-negotiation tactics were observed: mail bombing of the victim organisation and direct LinkedIn contact with employees to pressure payment after negotiation breakdown. |
Attack Chain Summary
Phase 1 - Initial Access: SSL VPN exploitation using weak credentials on an MFA-deficient endpoint (T1133 / T1078).
Phase 2 - Reconnaissance: Network scanning (SoftPerfect, Advanced IP Scanner) and WMI-based software enumeration (T1046 / T1082).
Phase 3 - Credential Access: LSASS memory dump created; privileged account credentials extracted and immediately re-used (T1003.001).
Phase 4 - Lateral Movement: Interactive RDP traversal across hosts to Domain Controllers. Seven-day dwell period observed between initial and resumed activity (T1021.001).
Phase 5 - Persistence: Dual scheduled task persistence: Tor Hidden Service exposing RDP via .onion address; SOCKS5 SSH tunnel via dmw.exe (T1053.005 / T1090.003).
Phase 6 - Defence Evasion: Microsoft Defender UI disable attempt; Killer.exe + BYOVD (vulndriver.sys / wsftprm.sys) to terminate Defender and Sophos EDR (T1562.001 / T1068).
Phase 7 - Exfiltration: Bulk data exfiltration via Rclone to cloud storage (T1567.002). Exfiltrated volumes published on DLS.
Phase 8 - Impact: win.exe encrypts VMDKs and OS-level file systems. Extension .bx-0000 appended. Ransom note 00_Recovery_Notes.txt dropped (T1486).
Phase 9 - Post-Negotiation Extortion: Mail bombing and direct LinkedIn employee contact used to apply pressure after negotiation breakdown (T1657).
MITIGATION - CRYSTAL EYE XDR 5.5 CONTROLS
The following mitigation controls are specifically mapped to Crystal Eye 5.5 platform capabilities and are directly aligned to the identified BravoX TTPs. Controls reference confirmed CE 5.5 features as documented in the Red Piranha platform and docs.redpiranha.net/5.0.
- Enforce MFA on all SSL VPN endpoints via Crystal Eye's Multi-Factor Authentication integration. Apply ZTNA zone-based access control to restrict VPN access to authorised user groups only. Review and remove weak credentials. Enable geo-blocking rules via Advanced Firewall for VPN exposure to high-risk geographies. Source: docs.redpiranha.net/5.0 - ZTNA in Crystal Eye.
- Deploy Crystal Eye Attack Surface Reduction (CEASR) endpoint policies aligned to ASD Essential Eight Maturity Level 3. CEASR applies ASD Windows ISM controls that restrict LSASS memory access from unprivileged processes. Enable CE MDR for continuous endpoint telemetry forwarding to CESOC for anomalous lsass.exe access alerts. Source: Red Piranha CEASR documentation.
- Apply Advanced Firewall Zone controls to restrict RDP (TCP 3389) to authorised management VLAN segments only.
- CE MDR captures endpoint telemetry and forwards to CESOC; Killer.exe execution and driver load events (wsftprm.sys, Warsaw_PM device handle) should be treated as critical escalation triggers.
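As an added example (not Red Piranha or Crystal Eye code), the following Python maps constructed endpoint telemetry onto the BravoX techniques and indicators in this report, so the scheduled-task, SSH-tunnel, driver-load, EDR-killer and encryptor events can be triaged in one pass and the torrc hidden-service check covers the RDP backdoor; the event field names and the sample torrc text are assumptions.

```python
# Added example (not Red Piranha / Crystal Eye code): match constructed endpoint
# telemetry against the BravoX TTPs and IOCs in this report. The event field
# names (type, image, task, path, dst_ip, src_port) are an assumed schema.
import re

IOC_TASKS = {r"\Windows Timer", r"\WindowsUpdateZ"}            # T1053.005
IOC_BINARIES = {"win.exe", "dmw.exe", "killer.exe", "tor.exe"}  # T1036
IOC_DRIVERS = {"vulndriver.sys", "wsftprm.sys"}                 # T1068 (BYOVD)
IOC_IPS = {"45.61.136.225", "91.222.174.96", "91.222.174.120", "64.94.85.76"}
RANSOM_NOTE, ENC_EXT = "00_Recovery_Notes.txt", ".bx-0000"      # T1486
# Tor directive that publishes local RDP as a hidden service (T1090.003).
HS_RDP = re.compile(r"^\s*HiddenServicePort\s+\d+\s+127\.0\.0\.1:3389\b", re.M)

def torrc_exposes_rdp(torrc_text: str) -> bool:
    """True when a torrc maps a hidden-service port onto local RDP (3389)."""
    return HS_RDP.search(torrc_text) is not None

def classify(ev: dict) -> list[str]:
    """Return the ATT&CK IDs from the report that one telemetry event matches."""
    hits, kind = [], ev["type"]
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()  # basename, case-folded
    if kind == "task_create" and ev.get("task") in IOC_TASKS:
        hits.append("T1053.005")
    elif kind == "process" and image in IOC_BINARIES:
        hits.append("T1036")
        if image == "killer.exe":
            hits.append("T1562.001")
        if image == "win.exe" and "--path-only" in ev.get("args", []):
            hits.append("T1486")
    elif kind == "driver_load" and image in IOC_DRIVERS:
        hits.append("T1068")
    elif kind == "net_connect" and (ev.get("dst_ip") in IOC_IPS
                                    or ev.get("src_port") == 56555):
        hits.append("T1090.003")
    elif kind == "file_write" and ev.get("path", "").endswith((ENC_EXT, RANSOM_NOTE)):
        hits.append("T1486")
    return hits

# Constructed sample telemetry (not from the incident); event 0 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "task_create", "task": r"\Windows Timer", "image": r"C:\Windows\wintne\tor.exe"},
    {"type": "net_connect", "image": r"C:\Temp\dmw.exe", "dst_ip": "45.61.136.225",
     "dst_port": 22, "src_port": 56555},
    {"type": "driver_load", "image": r"C:\Temp\wsftprm.sys"},
    {"type": "process", "image": r"C:\Temp\Killer.exe"},
    {"type": "process", "image": r"C:\Windows\win.exe", "args": ["--token", "--path-only"]},
]
```

Feeding real EDR or Sysmon events through classify only requires adapting the field names; any hit on T1068, T1562.001 or T1090.003 is the critical escalation trigger the controls above describe.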
INDICATORS OF COMPROMISE (IOCs)
Network Indicators

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 91[.]222.174.96 | BravoX threat actor C2 / staging IP |
| IP Address | 91[.]222.174.120 | BravoX threat actor C2 / staging IP |
| IP Address | 64.94[.]85.76 | BravoX threat actor C2 / staging IP |
| IP Address | 45.61[.]136.225 | SSH tunnel host - dmw.exe SOCKS5 target (port 22) |
| Tor Onion | bravoxxtrmqeeevhl7gdh2yzvlrjxajr66d33c7ozosrccx4cz7cepad[.]onion | BravoX Data Leak Site (Primary) |
| Tor Onion | bravoxxwcfz5qk43ychgveprpd5mw5hvxfs4a2uz2okx7mumiht4fzyd[.]onion | BravoX Data Leak Site (Secondary) |
| TCP Port | 56555 | Local SOCKS5 proxy port exposed by dmw.exe |
Host-Based Indicators

| Type | Indicator | Description |
| --- | --- | --- |
| File | 00_Recovery_Notes.txt | BravoX ransom note filename |
| Extension | .bx-0000 | Encrypted file extension appended by win.exe |
| Binary | win.exe | BravoX ransomware encryptor binary |
| Binary | dmw.exe | SOCKS5 SSH tunnel utility; first VT submission 2025-10-23; 1 detection (DeepInstinct: MALICIOUS) |
| Binary | Killer.exe | EDR termination tool targeting Microsoft Defender and Sophos EDR |
| Driver | vulndriver.sys (wsftprm.sys) | BYOVD vulnerable driver; communicates via \\.\ Warsaw_PM handle |
| Binary | tor.exe | Tor client used for Hidden Service RDP backdoor |
| Config File | torrc.txt | Tor config: HiddenServiceDir C:\Windows\wintne\hs; exposes RDP 3389 |
| Directory | C:\Windows\wintne\ | Staging directory for Tor binary and config |
| Directory | C:\Temp\ | Used to download and stage scripts, tools, and malware |
| Directory | C:\Windows\ | Used to download and execute tools including win.exe |
| Sched. Task | \Windows Timer | Launches tor.exe for Tor Hidden Service persistence |
| Sched. Task | \WindowsUpdateZ | Launches dmw.exe SOCKS5 SSH tunnel persistence |
| Device Handle | \\.\ Warsaw_PM | Kernel device handle for Killer.exe / vulndriver.sys EDR killer IPC |
| Hostname | WIN-3P5JQGGAS0L | Attacker-controlled hostname observed during investigation |
| Hostname | 69810693C1FBFF7 | Attacker-controlled hostname observed during investigation |
Worldwide Ransomware Victims
Ransomware activity this week remained overwhelmingly concentrated in the United States (60%), which continued to dominate the global threat landscape by a substantial margin. The continued focus on US-based organisations reflects the country’s large digital infrastructure, concentration of high-value enterprises, and increased likelihood of financially motivated extortion success.
The United Kingdom (5.52%) and Australia (4.83%) followed as the next most impacted regions, demonstrating sustained targeting across major English-speaking economies. Spain (2.76%), along with Canada, Germany, and Mexico (2.07% each), also experienced notable ransomware activity, indicating continued operational reach across Europe and North America.
Moderate levels of activity were observed across Thailand, United Arab Emirates, Taiwan, China, Netherlands, Qatar, and India (1.38% each), reflecting broader geographic expansion by ransomware affiliates into both Asia-Pacific and Middle Eastern regions.
Lower-volume or isolated incidents were identified across Nigeria, Slovenia, South Korea, Paraguay, Tunisia, New Zealand, Italy, Argentina, Ireland, Lebanon, Sweden, Denmark, Brazil, Russia, and Switzerland (0.69% each). These isolated cases demonstrate the increasingly global nature of ransomware campaigns, even in regions that historically report lower attack volumes.

Industry-wide Ransomware Impact
Ransomware activity this week primarily concentrated in Business Services (15.17%) and Manufacturing (14.48%), making them the most targeted industries during the reporting period. These sectors continue to attract ransomware operators due to their operational dependence, broad attack surface, and the potential for significant business disruption.
The Construction and Retail sectors (7.59% each) also experienced elevated levels of activity, highlighting continued targeting of industries with distributed infrastructure and supply-chain dependencies. Healthcare (6.9%) and Architecture (6.21%) remained heavily targeted as well, reflecting ongoing interest in sectors handling sensitive operational and client data.
Moderate activity was observed across Law Firms and IT (5.52% each), followed by Education (4.14%). These industries remain attractive targets due to the value of confidential information and the impact of operational downtime.
Additional ransomware activity was distributed across Organisations, Hospitality, and Finance (3.45% each), while Consumer Services, Insurance, and Federal sectors (2.07% each) experienced lower but recurring levels of attacks.
Minimal activity was identified within Real Estate, Media & Internet, Energy, Electronics, Telecommunications, and Transportation (1.38% each), alongside isolated incidents associated with Agriculture and miscellaneous classifications (0.69%).
