Crypto24 ransomware EDR-bypass activity
Malware Activity
Summary
A Crypto24 ransomware operation is using a custom RealBlindingEDR variant and legitimate admin tools to disable EDR and move laterally inside compromised networks. The activity increases the risk of follow-on ransomware impact across large enterprises in Asia, Europe, and the US. It also shows how the operators are bypassing endpoint controls from nearly 30 vendors, making intrusion containment harder.
Related Happenings
Shanya packer-as-a-service becomes a stealth layer for ransomware gangs
Threat Actor Meta
First: 09.12.2025 02:00
Last: 09.12.2025 02:00
Sources 1
About this happening:
**Shanya** has become a shared packing service for **multiple ransomware gangs**, giving operators a way to **hide EDR-killing payloads** and raise the odds of successful deployme...
DragonForce rebrands as a ransomware cartel and expands its affiliate model
Threat Actor Meta
First: 03.12.2025 17:05
Last: 03.12.2025 17:05
Sources 1
About this happening:
**DragonForce** rebranded itself as a **ransomware cartel** in **2025**, widening its affiliate model and lowering entry barriers for new operators. The shift matters because the...
Kraken ransomware HelloKitty-linked double-extortion campaign
Campaign
First: 14.11.2025 00:53
Last: 14.11.2025 00:53
Sources 1
About this happening:
**Kraken ransomware** is an active **double-extortion** campaign linked to the **HelloKitty** ecosystem and observed in **August 2025** using **SMB exploitation**, **Cloudflare**...
Qilin's 2025 dominance as the most active ransomware group
Threat Actor Meta
First: 08.10.2025 04:00
Last: 08.10.2025 04:00
Sources 1
About this happening:
In **2025**, **Qilin** emerged as the most active ransomware group, signaling a high-throughput **ransomware-as-a-service** operation with broad pressure on enterprise targets. It...
Latest development: 15.12.2025 13:15
Asahi Group Holdings CEO Atsushi Katsuki said on December 15 that the company is elevating cybersecurity to a top management priority, considering a dedicated cybersecurity unit, scrapping VPNs, and adopting a stricter zero-trust model after the September 29 Qilin ransomware attack disrupted main systems, automated order and shipping processes, and exposed personal data.
Qilin ransomware-as-a-service affiliate model and revenue-sharing ecosystem
Threat Actor Meta
First: 07.10.2025 20:15
Last: 07.10.2025 20:15
Sources 1
About this happening:
Qilin's **ransomware-as-a-service** model is expanding extortion reach by selling **tools and infrastructure** to affiliates and taking a **15–20%** cut of ransom payments. That a...
Timeline
15.08.2025 21:49 · 1 article
Crypto24 EDR-bypass campaign disclosed
Initial Disclosure: Crypto24 ransomware actors are using a customized RealBlindingEDR variant together with PsExec, AnyDesk, gpscript.exe, and XBCUninstaller.exe to disable EDR, remotely uninstall Trend Vision One, and move laterally on compromised Windows networks. The activity is focused on large enterprises in Asia, Europe, and the US, and the modified tool reportedly removes callbacks for security products from nearly 30 vendors, including Cisco, Kaspersky Lab, MalwareBytes, Sophos, and Trellix.
- New Crypto24 Ransomware Attacks Bypass EDR — www.darkreading.com — 15.08.2025 21:49