
Obscura ransomware multi-host deployment via NETLOGON

Malware Activity
Happening score: 36
1 unique source, 1 article

Summary


The Obscura ransomware was observed executing across multiple hosts, increasing the risk of broad network-wide encryption and recovery disruption. It was staged through the NETLOGON share on the domain controller and launched by a scheduled task, showing how the operators deployed it across the environment. The binary also kills security and backup tools and runs vssadmin delete shadows /all /quiet to undermine restoration.
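The staging chain described here (a binary on the NETLOGON share, a SystemUpdate scheduled task that launches it, a second scheduled task that opens RDP in the Windows firewall, and cmd.exe /c vssadmin delete shadows /all /quiet) maps onto a few Windows Security log checks. The script below is an added example, not code from the original report or from Huntress: it runs simple hunt rules over constructed 4698 (scheduled task created) and 4688 (process created) records. The NETLOGON staging, the SystemUpdate task name and the vssadmin command line come from the page; the hostnames, usernames, record field names and the staged binary name update.exe are assumptions made for the example.

```python
"""Hunt for the Obscura deployment chain in Windows Security log records.

Added example; not part of the original report. Event shape, hostnames,
usernames and the staged binary name are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events, shaped like normalized Security-log records
# (4698 = scheduled task created, 4688 = process created). Field names,
# hostnames, usernames and "update.exe" are assumptions for this example.
EVENTS = [
    {"id": 4698, "host": "DC01", "user": "CORP\\svc_backup", "task": "\\SystemUpdate",
     "command": r"\\corp.local\NETLOGON\update.exe", "args": ""},
    {"id": 4698, "host": "WS-017", "user": "CORP\\jdoe", "task": "\\AllowRDP",
     "command": r"C:\Windows\System32\netsh.exe",
     "args": 'advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"id": 4688, "host": "WS-017", "user": "CORP\\jdoe",
     "parent": r"\\corp.local\NETLOGON\update.exe",
     "command": r"C:\Windows\System32\cmd.exe",
     "args": "/c vssadmin delete shadows /all /quiet"},
    # Benign look-alikes that must not fire.
    {"id": 4698, "host": "WS-002", "user": "CORP\\helpdesk",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "args": "-c -h -o"},
    {"id": 4688, "host": "WS-002", "user": "CORP\\helpdesk",
     "parent": r"C:\Windows\explorer.exe",
     "command": r"C:\Windows\System32\vssadmin.exe", "args": "list shadows"},
]

# A UNC path into the NETLOGON or SYSVOL share of any server.
NETLOGON_SHARE = re.compile(r"(?i)^\\\\[^\\]+\\(?:NETLOGON|SYSVOL)\\")
# netsh enabling the Remote Desktop rule group or allowing TCP 3389 inbound.
RDP_FIREWALL = re.compile(
    r'(?i)\bremote desktop\b.*\benable=yes\b|\blocalport=3389\b.*\baction=allow\b')
# vssadmin shadow deletion, whether run directly or wrapped in cmd.exe /c.
SHADOW_DELETE = re.compile(r"(?i)\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")


def classify(ev):
    """Return the technique tags an event matches (empty list if benign)."""
    tags = []
    cmd, args = ev.get("command", ""), ev.get("args", "")
    exe = cmd.rsplit("\\", 1)[-1].lower()
    if ev["id"] == 4698:
        if NETLOGON_SHARE.search(cmd):
            tags.append("task_executes_from_netlogon")
        if exe == "netsh.exe" and RDP_FIREWALL.search(args):
            tags.append("task_opens_rdp_firewall")
    if ev["id"] == 4688 and NETLOGON_SHARE.search(ev.get("parent", "")):
        tags.append("process_parent_from_netlogon")
    if SHADOW_DELETE.search(f"{cmd} {args}"):
        tags.append("shadow_copy_deletion")
    return tags


def hunt(events):
    """Return one finding per event that matched at least one rule."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append({
                "host": ev["host"], "user": ev["user"],
                "cmdline": f'{ev.get("command", "")} {ev.get("args", "")}'.strip(),
                "tags": tags,
            })
    return findings


def summarize(findings):
    """Group matched tags by host so a multi-stage chain on one host stands out."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].update(f["tags"])
    return {host: sorted(tags) for host, tags in sorted(per_host.items())}


if __name__ == "__main__":
    for host, tags in summarize(hunt(EVENTS)).items():
        print(f"{host}: {', '.join(tags)}")
```

On the constructed input the domain controller is flagged for a task whose action lives on the NETLOGON share, and the workstation is flagged three times (parent process from NETLOGON, shadow-copy deletion, RDP opened by a scheduled task), while the routine defrag task and vssadmin list shadows produce nothing. Collecting 4698 requires the "Audit Other Object Access Events" subcategory and 4688 needs process command-line logging enabled, otherwise the records these rules depend on are never written.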

Related Happenings

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Obscura ransomware reverse engineering and execution analysis

Technical Analysis
First: 24.09.2025 17:01 Last: 24.09.2025 17:01 Sources 1

How related: When the binary is launched, it will check the status of an environment variable called DAEMON.

About this happening: Researchers reverse-engineered **Obscura ransomware**, exposing its **DAEMON** execution gate, admin-only checks, process-killing routine, and encryption flow. The findings improv...

Timeline

  1. 24.09.2025 17:01 2 articles · 8mo ago

    Obscura ransomware executes across multiple hosts

    Exploitation Observed

    Obscura ransomware was observed executing across multiple hosts on a victim organization’s network. The binary was staged on the domain controller’s NETLOGON share, which every domain member can read by default, and launched by a scheduled task named SystemUpdate. A separate scheduled task on one user workstation opened Remote Desktop Protocol access through the Windows firewall, and the malware attempted to run cmd.exe /c vssadmin delete shadows /all /quiet to delete Volume Shadow Copies and hinder recovery.

  2. 24.09.2025 17:01 1 article · 8mo ago

    Huntress identifies a previously unseen Obscura ransomware variant

    Initial Disclosure

    Huntress identified a previously unseen ransomware variant called Obscura on a victim organization’s domain controller, found no public references to the family, and noted that limited Huntress agent deployment reduced detection and response visibility. The ransom note name README_Obscura.txt and the Obscura references in the note tied the sample to the new family name.
