
Obscura ransomware reverse engineering and execution analysis

Technical Analysis
Happening score: 16
1 unique source, 1 article

Summary


Researchers reverse-engineered Obscura ransomware, exposing its DAEMON execution gate, admin-only checks, process-killing routine, and encryption flow. The findings improve detection and response by showing how the malware prepares hosts, disables recovery, and stages file encryption.

Related Happenings

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

SonicWall MySonicWall cloud backup breach exposing firewall backup files

Data Leak
First: 29.01.2026 19:57 Last: 29.01.2026 19:57 Sources 1

About this happening: **SonicWall** said a **state-sponsored threat actor** stole **firewall configuration backup files** from its **MySonicWall cloud backup service** in a **September** security breac...

Qilin ransomware forensic reconstruction using Windows logs, PCA logs, and AmCache

Technical Analysis
First: 22.11.2025 15:45 Last: 22.11.2025 15:45 Sources 1

About this happening: **Huntress** reconstructed a **Qilin ransomware** intrusion from **Windows Event Logs**, **PCA logs**, **AmCache.hve**, and **Defender telemetry** after a **post-incident agent in...

Obscura ransomware multi-host deployment via NETLOGON

Malware Activity
First: 24.09.2025 17:01 Last: 24.09.2025 17:01 Sources 1

How related: The ransomware executable was first seen being executed across multiple hosts within the victim organization.

About this happening: The **Obscura** ransomware was observed executing across **multiple hosts**, increasing the risk of broad **network-wide encryption** and recovery disruption. It was staged throug...

SonicWall hit by network compromise

Incident
First: 18.09.2025 17:12 Last: 18.09.2025 17:12 Sources 1

About this happening: **SonicWall** said a **state-sponsored threat actor** was behind the **September** compromise of its **MySonicWall cloud backup service**, where firewall configuration backup file...

Latest development: 06.11.2025 11:51

SonicWall said a state-sponsored threat actor used an API call to access cloud backup files from a specific cloud environment tied to its MySonicWall cloud backup service, and Mandiant completed its investigation into the September compromise.

Timeline

  1. 24.09.2025 17:01 1 article · 8mo ago

    Huntress identifies Obscura ransomware on a victim domain controller

    Initial Disclosure

    On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called Obscura on a victim organization's domain controller. Limited deployment of the Huntress agent reduced detection and response visibility and left the initial access vector unclear.

  2. 24.09.2025 17:01 2 articles · 8mo ago

    Obscura reverse engineering exposes DAEMON gate and recovery suppression

    Technical Analysis Update

    Obscura ransomware checks the DAEMON environment variable, writes its ransom note to C:\README-OBSCURA.txt, gathers system information with GetSystemInfo(), and attempts to disable recovery with cmd.exe /c vssadmin delete shadows /all /quiet before encryption.

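The two host artifacts named in the timeline entry above, the shadow-copy deletion via cmd.exe and the ransom note at C:\README-OBSCURA.txt, are both visible in ordinary endpoint telemetry, whereas the DAEMON environment-variable gate is not something a process-creation log records. The following is an added detection example, not code from the original page or from Huntress; the process-creation records, hostnames and file paths it runs over are constructed for illustration, and the field names (host, parent_image, image, cmdline) are assumed rather than taken from any specific log schema.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not from the original page).
# Field names are assumed and only loosely follow Windows 4688 / Sysmon EventID 1.
SAMPLE_EVENTS = [
    {"host": "dc01", "parent_image": r"C:\Users\Public\sample.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "ws07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\"},
    {"host": "srv02", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "dc01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin  DELETE  shadows /all /quiet"},
]

# Tolerates extra whitespace, mixed case and an optional ".exe" suffix, so the
# same rule fires on the cmd.exe wrapper and on the child vssadmin.exe process.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Both switches together mean every shadow copy goes, silently: raise severity.
QUIET_ALL = re.compile(r"/all\b.*?/quiet\b|/quiet\b.*?/all\b", re.IGNORECASE)
# Ransom note file name reported on the page (C:\README-OBSCURA.txt); match the
# name at any path depth so a note dropped elsewhere is still caught.
RANSOM_NOTE = re.compile(r"(?:^|\\)README-OBSCURA\.txt$", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    cmdline: str
    severity: str
    reason: str


def detect_shadow_deletion(events):
    """Return a Finding for each process-creation record whose command line
    deletes volume shadow copies with vssadmin. Severity is "high" when both
    /all and /quiet are present, "medium" otherwise."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if not SHADOW_DELETE.search(cmd):
            continue
        if QUIET_ALL.search(cmd):
            findings.append(Finding(ev["host"], cmd, "high",
                                    "vssadmin delete shadows with /all /quiet"))
        else:
            findings.append(Finding(ev["host"], cmd, "medium",
                                    "vssadmin delete shadows"))
    return findings


def detect_ransom_note(paths):
    """Return the file-creation paths whose file name is the Obscura ransom note."""
    return [p for p in paths if RANSOM_NOTE.search(p)]


if __name__ == "__main__":
    for f in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.reason} -> {f.cmdline}")
    print(detect_ransom_note([r"C:\README-OBSCURA.txt", r"C:\Users\bob\README.txt"]))
```

Against the constructed records the rule fires twice on dc01 (once on the cmd.exe wrapper, once on the vssadmin.exe child) and ignores the benign "vssadmin list shadows" and directory listing; in practice the cmd.exe event is the more useful of the two because its parent image is the process that launched the wrapper.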