nightspire
NightSpire is a ransomware group that first emerged in March 2025 and rapidly claimed over 250 victims across retail, manufacturing, healthcare, finance, and education sectors in the US, France, India, Taiwan, and Japan, using aggressive double-extortion with ransom deadlines as short as two days.
- Unspecified
- Consumer Services
- Business Services
- Manufacturing
- Healthcare
- Financial Services
- Energy
- TA0001Initial Access
- T1078Valid Accounts
Compromised RDP credentials used for initial access.
- T1110Brute Force
Brute-forcing remote login credentials (RDP) and MFA fatigue attacks.
- T1190Exploit Public-Facing Application
Exploitation of CVE-2024-55591 — FortiOS/FortiProxy authentication bypass; unauthenticated attackers gain super-admin privileges via crafted POST requests to /api/v2/cmdb/.
- T1566Phishing
Malicious attachments and drive-by downloads.
- TA0002Execution
- TA0003Persistence
- T1053Scheduled Task/Job
Persistence via Windows Task Scheduler; service creation and modification.
- T1136Create Account
Administrative account creation post-exploitation on FortiGate devices.
- T1547Boot or Logon Autostart Execution
Reboot persistence mechanisms.
- T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce.
- TA0004Privilege Escalation
- T1068Exploitation for Privilege Escalation
FortiOS super-admin access via CVE-2024-55591 exploitation.
- TA0005Defense Evasion
- T1027Obfuscated Files or Information
Obfuscation techniques to evade analysis.
- T1036Masquerading
Renamed processes and use of legitimate tools (WinSCP, MEGACmd, 7-Zip, PsExec) blending into normal operations.
- T1070Indicator Removal
Removal of forensic indicators from compromised systems.
- T1218System Binary Proxy Execution
Execution via legitimate system binaries (LOLBins) to evade detection.
- TA0006Credential Access
- TA0007Discovery
- T1046Network Service Discovery
Network scanning to map internal infrastructure using Advanced IP Scanner.
- T1057Process Discovery
Process enumeration on compromised systems.
- T1082System Information Discovery
Collection of system details from compromised hosts.
- T1083File and Directory Discovery
File indexing and enumeration using Everything.exe.
- TA0008Lateral Movement
- TA0009Collection
- TA0010Exfiltration
- T1041Exfiltration Over C2 Channel
Data exfiltration over C2 channel.
- T1048Exfiltration Over Alternative Protocol
Data exfiltration via WinSCP (v6.3.7) and Rclone over encrypted channels.
- T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
MEGACmd used to upload stolen data to MEGA cloud storage. Documented exfiltration of 1.5TB from a single healthcare victim.
- TA0011Command and Control
- TA0040Impact
- T1486Data Encrypted for Impact
Hybrid AES-256 (file content) + RSA-2048 (key protection) encryption; appends .nspire extension; processes files in 1MB block chunks. Double extortion model — data theft + encryption.
- TA0042Resource Development
- T1587Develop Capabilities
Custom Go-based ransomware development with modular architecture.