Threat Intelligence Report September 16 - September 22 2025

Coinbase Cartel Ransomware

Red Piranha assesses Coinbase Cartel as a financially motivated extortion collective operating since mid-2025, formed from ShinyHunters, Scattered Spider, and Lapsus$ affiliates. While their leak site currently emphasises data exfiltration only, intelligence indicates the group is actively developing the shinysp1d3r ESXi-targeted RaaS, suggesting an imminent transition to double-extortion ransomware operations.

Detailed TTPs

Initial Access

Coinbase Cartel gains entry through insider recruitment and bribery of third-party contractors, abuse of valid accounts, and vishing techniques that trick users into authorising malicious OAuth applications.

Detections: sudden administrative logins from Tor/VPN IPs; anomalous OAuth approvals; employee reports of bribery or coercion.

Execution

In cloud environments, custom Python scripts mimic Salesforce Data Loader to mass-exfiltrate data. On-premises, the shinysp1d3r loader executes in memory via shell scripts on ESXi hosts, retrieving the encryptor and launching parallel VMDK encryption while disabling snapshots.

Detections: unknown shell script execution on ESXi; rapid high-entropy file writes to datastore paths; snapshot disablement events.

Persistence

Persistence is achieved through long-lived OAuth tokens, malicious connected apps, or by adding SSH keys and hidden accounts on servers.

Detections: unrecognised admin users; anomalous SSH authorized_keys entries; OAuth apps not deployed by IT.

Privilege Escalation

Privilege escalation relies primarily on compromised admin credentials. In enterprise environments, escalation may also involve credential dumping or leveraging unpatched privilege escalation flaws.

Detections: abnormal LSASS access attempts; use of escalation binaries or drivers; privilege assignment to unusual accounts.

Defence Evasion

The group clears and disables logs on ESXi, disguises malicious applications as legitimate tools, and uses Tor/VPN infrastructure for anonymity.

Detections: syslog forwarding disabled; mass log truncation; newly created apps with names mimicking Salesforce Data Loader.

Discovery

Discovery includes enumeration of VMware datastores, virtual machines, Active Directory objects, and file shares to locate high-value data.

Detections: unusual vCenter API queries; enumeration of domain admin groups from non-IT accounts; aggressive SMB share enumeration.

Lateral Movement

Movement between systems is achieved using SSH with root credentials across ESXi hosts and potentially RDP or PsExec in Windows environments.

Detections: new SSH sessions between hypervisors; PsExec activity from accounts outside IT; abnormal RDP logons from Tor/VPN IPs.

Collection & Exfiltration

Data is staged and exfiltrated via cloud APIs, encrypted channels, or third-party storage. Archives are created to compress large data sets prior to transfer.

Detections: creation of large compressed archives; abnormal high-volume API exports; outbound encrypted transfers to Tor nodes.

Impact

Current operations emphasise data disclosure and extortion without encryption. With shinysp1d3r active, expected impact will include mass ESXi encryption resulting in enterprise-wide disruption.

Detections: VM snapshot disablement; datastore file renaming; ransom note artifacts once shinysp1d3r is deployed.

MITRE ATT&CK Mapping

IOCs

Leak Site: fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion

C2/Infrastructure: affiliateshinysp1d3r[.]com (payload fetch server)

Email: shinycorp@tuta[.]com, shinygroup@tuta[.]com

Mitigation Summary — Coinbase Cartel / shinysp1d3r

• Harden Access: Enforce MFA everywhere (cloud, VPN, vCenter). Limit contractor access with the least privilege and strict monitoring.
• Protect ESXi & Cloud: Disable ESXi SSH by default, push logs to secure syslog, and restrict OAuth app creation in SaaS platforms.
• Detect Early: Monitor for unusual CRM exports, OAuth approvals, large archive creation, and syslog/service tampering on ESXi. Flag logins from Tor/VPN nodes.
• Prepare Response: Maintain ransomware-specific IR playbooks, isolate compromised accounts/hosts quickly, and pre-stage regulator/customer comms.
• Backup & Recovery: Keep offline/immutable backups and regularly test ESXi restore drills to ensure rapid recovery.
• Awareness & Training: Train staff and contractors to resist bribery and vishing tactics.

Ransomware Victims Worldwide

The United States dominated the ransomware landscape this week, accounting for 52.03% of all reported victims. Its dominance highlights the continuing preference of threat actors to focus on high-value targets in North America, where the digital footprint is vast and enterprises are often pressured into ransom negotiations due to operational criticality.

Germany (4.73%) and Australia (4.73%) followed as the next most impacted nations. Both countries remain frequent targets due to their advanced industrial bases, highly digitised infrastructures, and roles as global supply chain hubs. Canada also reported 4.05%, reinforcing its steady presence among top-targeted nations.

Mid-tier targeting was observed in Italy (3.38%), France (2.7%), South Korea (2.7%), and the United Kingdom (2.7%), underscoring Europe and Asia’s continued exposure to ransomware campaigns. Additional notable activity was recorded in Sweden, Spain, Netherlands, and China (each at 2.03%).

A long tail of countries reported isolated incidents (each at 0.68–1.35%), including Thailand, Japan, Brazil, Dominican Republic, Portugal, Chile, Denmark, Singapore, Turkey, Egypt, Taiwan, Pakistan, India, Kenya, Greece, United Arab Emirates, and Namibia. While individually small, these figures emphasise ransomware’s global reach, extending beyond core Western economies into Latin America, Africa, and Asia-Pacific.

This distribution reflects ransomware’s dual strategy: a heavy concentration of attacks in the U.S. and major European economies, paired with opportunistic exploitation of smaller or emerging markets where defences may be less mature.