Skip to content
The Nexus
Group profile30 claimed in last 30d41 total tracked

nightspire

Forward this

NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing, healthcare, finance, and education sectors in the US, France, India, Taiwan, and Japan, using aggressive double-extortion with ransom deadlines as short as two days.

First seen: May 18 · 00:00 UTCLast seen: Jul 8 · 00:00 UTCTracked since: 2025-03-12
Sectors hit
  • Unspecified10
  • Consumer Services2
  • Business Services2
  • Manufacturing1
  • Healthcare1
  • Financial Services1
  • Energy1
Countries hit
  • United States6
  • Egypt2
  • Spain1
MITRE ATT&CK · observed TTPs13 tactics

Tactics and techniques attributed to NIGHTSPIRE by ransomware.live's curated TTP catalog. Identifiers link to the canonical MITRE ATT&CK reference for each tactic or sub-technique.

  • TA0001Initial Access
    • T1078Valid Accounts

      Compromised RDP credentials used for initial access.

    • T1110Brute Force

      Brute-forcing remote login credentials (RDP) and MFA fatigue attacks.

    • T1190Exploit Public-Facing Application

      Exploitation of CVE-2024-55591 — FortiOS/FortiProxy authentication bypass; unauthenticated attackers gain super-admin privileges via crafted POST requests to /api/v2/cmdb/.

    • T1566Phishing

      Malicious attachments and drive-by downloads.

  • TA0002Execution
    • T1059Command and Scripting Interpreter

      PowerShell scripts, batch files, PsExec, WMI; conhost.exe command execution window.

    • T1072Software Deployment Tools

      Abuse of legitimate tools (WinSCP, MEGACmd, 7-Zip, PsExec) across the attack chain.

  • TA0003Persistence
    • T1053Scheduled Task/Job

      Persistence via Windows Task Scheduler; service creation and modification.

    • T1136Create Account

      Administrative account creation post-exploitation on FortiGate devices.

    • T1547Boot or Logon Autostart Execution

      Reboot persistence mechanisms.

    • T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

      Persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce.

  • TA0004Privilege Escalation
    • T1068Exploitation for Privilege Escalation

      FortiOS super-admin access via CVE-2024-55591 exploitation.

  • TA0005Defense Evasion
    • T1027Obfuscated Files or Information

      Obfuscation techniques to evade analysis.

    • T1036Masquerading

      Renamed processes and use of legitimate tools (WinSCP, MEGACmd, 7-Zip, PsExec) blending into normal operations.

    • T1070Indicator Removal

      Removal of forensic indicators from compromised systems.

    • T1218System Binary Proxy Execution

      Execution via legitimate system binaries (LOLBins) to evade detection.

  • TA0006Credential Access
    • T1003OS Credential Dumping

      Credential dumping via Mimikatz.

    • T1003.001OS Credential Dumping: LSASS Memory

      LSASS memory extraction for credential harvesting.

    • T1552Unsecured Credentials

      Harvesting of stored credentials within the environment.

  • TA0007Discovery
    • T1046Network Service Discovery

      Network scanning to map internal infrastructure using Advanced IP Scanner.

    • T1057Process Discovery

      Process enumeration on compromised systems.

    • T1082System Information Discovery

      Collection of system details from compromised hosts.

    • T1083File and Directory Discovery

      File indexing and enumeration using Everything.exe.

  • TA0008Lateral Movement
    • T1021.001Remote Services: Remote Desktop Protocol

      RDP-based lateral movement across compromised network.

    • T1021.002Remote Services: SMB/Windows Admin Shares

      Lateral movement via PsExec over SMB.

    • T1047Windows Management Instrumentation

      WMI-based execution and lateral movement.

  • TA0009Collection
    • T1119Automated Collection

      Automated sensitive data gathering from compromised systems.

    • T1560Archive Collected Data

      Compression of collected data using 7-Zip (7z2408-x64.exe) prior to exfiltration.

    • T1560.001Archive Collected Data: Archive via Utility

      7-Zip archiving of stolen data prior to exfiltration.

  • TA0010Exfiltration
    • T1041Exfiltration Over C2 Channel

      Data exfiltration over C2 channel.

    • T1048Exfiltration Over Alternative Protocol

      Data exfiltration via WinSCP (v6.3.7) and Rclone over encrypted channels.

    • T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

      MEGACmd used to upload stolen data to MEGA cloud storage. Documented exfiltration of 1.5TB from a single healthcare victim.

  • TA0011Command and Control
    • T1071Application Layer Protocol

      Standard web protocols and Tor-based communication. Multi-channel comms: ProtonMail, OnionMail, Gmail, Telegram, qTox.

    • T1573Encrypted Channel

      Asymmetric encrypted non-C2 protocols used to evade IDS.

  • TA0040Impact
    • T1486Data Encrypted for Impact

      Hybrid AES-256 (file content) + RSA-2048 (key protection) encryption; appends .nspire extension; processes files in 1MB block chunks. Double extortion model — data theft + encryption.

  • TA0042Resource Development
    • T1587Develop Capabilities

      Custom Go-based ransomware development with modular architecture.

Recent claimed victims
Jul 8 · 14:56 UTC

PCCC Realty LLC

Consumer ServicesUnited StatesJul 8 · 12:29 UTC

PCCC Realty LLC

Jun 25 · 23:50 UTC

Grupo Riquelme

Jun 21 · 10:48 UTC

Artistic Smiles

Consumer ServicesUnited StatesJun 21 · 08:06 UTC

Artistic Smiles

artisticsmiles.org
Jun 18 · 22:48 UTC

legendsmn(Blue Ox, Paul Bunyan, Lumberjack Electric)

Jun 18 · 22:48 UTC

dean cosmetic dentistry

EnergyUnited StatesJun 18 · 19:54 UTC

legendsmn(Blue Ox, Paul Bunyan, Lumberjack Electric)

legendsmn.com
Jun 16 · 13:46 UTC

Central Texas ***** *****

Jun 16 · 13:46 UTC

Ri***** Co**** Europe S.r.l.

Jun 16 · 12:45 UTC

Guy E******* & F*******, P.A

Jun 16 · 10:53 UTC

Central Texas ***** *****

Jun 16 · 10:53 UTC

Ri***** Co**** Europe S.r.l.

Jun 15 · 21:49 UTC

B****S I******t***l

Jun 15 · 21:49 UTC

Sheraton Miramar Resort El Gouna

Jun 15 · 21:49 UTC

G**** R****l*e

Jun 14 · 13:48 UTC

Silsbee Police Department

Jun 14 · 13:48 UTC

K****** County. Mi**e**ta

Jun 14 · 12:45 UTC

WaxWorks Inc

Jun 14 · 12:45 UTC

Blue Nile Medical Center

Jun 12 · 04:42 UTC

Pattono S.r.l

Jun 12 · 04:42 UTC

Sierra West Jewelers

Jun 8 · 14:49 UTC

GRIP Outreach For Youth

Jun 8 · 14:49 UTC

Unique Litho, Inc

Jun 8 · 14:49 UTC

A*** G*** A*S*

Jun 8 · 14:49 UTC

ASIA STRATEGIC

ManufacturingUnited StatesJun 8 · 12:59 UTC

Unique Litho, Inc

uniquelitho.com
Business ServicesJun 8 · 12:59 UTC

ASIA STRATEGIC

Jun 5 · 16:45 UTC

First Mutual Holdings

Jun 5 · 15:45 UTC

Krum Public Library

HealthcareUnited StatesMay 24 · 17:26 UTC

la familia adualt day center

www.lafamiliaadultdaycenter.com
Business ServicesSpainMay 24 · 16:54 UTC

Bresme Madrid S.L.

www.bresme.com/en
Financial ServicesEgyptMay 24 · 16:23 UTC

Rawaj Consumer Finance

www.rawaj-finance.com
NIGHTSPIRE · Underground group profile · The Nexus