CyberHappenings

Obscura ransomware variant discovered in August 2025

📰 1 unique source, 1 article

Summary


On 29 August 2025, Huntress analysts identified a previously unknown ransomware variant, named Obscura after its ransom note file README_Obscura.txt. The ransomware was executed across multiple hosts within a victim organization; because the Huntress agent was deployed on only part of the estate, the SOC had limited visibility and a reduced ability to respond. The ransomware executable was found in the NETLOGON share on the domain controller. NETLOGON is replicated to every domain controller and is readable by every domain-joined host, so a binary placed there is automatically distributed across the infrastructure. Obscura is a Go binary that deletes Volume Shadow Copies to disable recovery, terminates a predefined list of security and database processes so that they can neither block the encryption nor hold locks on the files it targets, and encrypts files with ChaCha20, writing the public key and the 24-byte nonce needed for decryption into a 64-byte footer on each file. It skips a set of file extensions so that the operating system keeps running while user data is encrypted. The ransom note, embedded in the binary, demands payment in exchange for decryption tools and the stolen data. Deployment involved creating scheduled tasks and enabling Remote Desktop Protocol access. The attack highlights the importance of monitoring domain controllers, including writes to the SYSVOL/NETLOGON shares, and endpoints for unusual activity.
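
The behaviours in the summary (shadow-copy deletion, scheduled tasks, an executable dropped into NETLOGON, RDP being enabled) translate directly into hunt logic. The block below is an added example written for this page, not Huntress's tooling or anything from the Obscura binary. It runs four rules over constructed sample events shaped like a flattened export of Windows Security events (4688 process creation, 4698 scheduled task creation) and Sysmon events (11 file create, 13 registry value set). The host names, file names and domain are invented; the task names SystemUpdate and iJHcEkAG are the ones reported in the snippets below; the RDP rule is an assumption, since the page does not say how RDP was enabled and fDenyTSConnections=0 is simply the standard switch.

```python
import re

# Constructed sample telemetry (not real logs from the incident), shaped like a
# flattened export of Windows Security (4688, 4698) and Sysmon (11, 13) events.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin  delete shadows /all /quiet"},
    {"EventID": 4688, "Host": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                       # benign
    {"EventID": 4698, "Host": "WS07", "TaskName": r"\SystemUpdate"},
    {"EventID": 4698, "Host": "WS07", "TaskName": r"\iJHcEkAG"},
    {"EventID": 4698, "Host": "WS07", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 11, "Host": "DC01",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\winupd.exe"},
    {"EventID": 11, "Host": "DC01",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\logon.bat"},  # benign
    {"EventID": 13, "Host": "WS07",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
]

# "vssadmin delete shadows", tolerant of extra whitespace and the .exe suffix
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
# Task names reported for Obscura (event 4698 logs them with a leading backslash)
OBSCURA_TASKS = {"systemupdate", "ijhcekag"}
# NETLOGON is served from SYSVOL\sysvol\<domain>\scripts; an .exe/.dll landing
# there replicates to every DC and is reachable from every domain-joined host.
NETLOGON_EXE = re.compile(r"\\(sysvol\\[^\\]+\\scripts|netlogon)\\[^\\]+\.(exe|dll)$", re.I)
# fDenyTSConnections=0 enables RDP (assumed mechanism; the page does not name one)
RDP_SWITCH = r"\terminal server\fdenytsconnections"


def _finding(rule, ev, detail):
    return {"rule": rule, "host": ev["Host"], "event_id": ev["EventID"], "detail": detail}


def hunt(events):
    """Return one finding per event that matches an Obscura-style behaviour."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            findings.append(_finding("shadow_copy_deletion", ev, ev["CommandLine"]))
        elif eid == 4698:
            name = ev.get("TaskName", "").lstrip("\\").lower()
            if name in OBSCURA_TASKS:
                findings.append(_finding("obscura_task_name", ev, ev["TaskName"]))
        elif eid == 11 and NETLOGON_EXE.search(ev.get("TargetFilename", "")):
            findings.append(_finding("netlogon_executable_drop", ev, ev["TargetFilename"]))
        elif eid == 13:
            key = ev.get("TargetObject", "").lower()
            if key.endswith(RDP_SWITCH) and "0x00000000" in ev.get("Details", ""):
                findings.append(_finding("rdp_enabled", ev, ev["TargetObject"]))
    return findings


def hosts_with_multiple_behaviours(findings, minimum=2):
    """Hosts where more than one rule fired: stronger evidence than a single hit."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= minimum)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['rule']}] {f['host']} (EventID {f['event_id']}): {f['detail']}")
    print("hosts with correlated behaviours:", hosts_with_multiple_behaviours(results))
```

The NETLOGON rule deliberately ignores .bat and .vbs logon scripts, which legitimately live in that share, and only flags executables and DLLs; on a real estate the task-name rule is the cheapest of the four, while the shadow-copy rule is the one most likely to fire before encryption finishes.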

Timeline

  1. 24.09.2025 17:01 📰 1 article

    Obscura ransomware variant discovered in August 2025



Information Snippets

  • The variant was named Obscura after its ransom note file, README_Obscura.txt.

    First reported: 24.09.2025 17:01
    📰 1 source, 1 article
  • The ransomware executable was found in the NETLOGON share on the domain controller. Because NETLOGON (the scripts directory under SYSVOL) is replicated to every domain controller and is readable by every domain-joined host, a binary dropped there is automatically distributed across the infrastructure; a new executable appearing in that share is a high-signal indicator.

  • The ransomware is a Go binary that still carries its Go build ID and several embedded file paths, metadata that an unstripped Go build leaves in place and that can be used to pivot to related samples.

  • The ransomware disables recovery by deleting every Volume Shadow Copy with vssadmin delete shadows /all /quiet (the /quiet switch suppresses confirmation prompts). The command has few legitimate uses on workstations and is a standard detection point.

  • The ransomware terminates a predefined list of 120 security and database processes so that security tools cannot interrupt encryption and database files are released from the locks their processes hold.

  • The ransomware encrypts files with ChaCha20 using a 32-byte public key and a 24-byte random nonce. A 24-byte nonce is the XChaCha20 (extended-nonce) construction, and storing a public key rather than a symmetric key indicates that the file key is derived through a key exchange with a private key that only the operator holds.

  • The ransomware appends a 64-byte footer to each encrypted file containing the public key and the nonce. The operator's decryptor needs both, but the footer alone does not allow recovery, because the file key can only be rebuilt with the operator's private key.

  • The ransomware skips a list of file extensions so that the operating system remains bootable and usable while user data is encrypted.

  • The ransomware was deployed with two scheduled tasks, named SystemUpdate and iJHcEkAG, that execute the malware and enable Remote Desktop Protocol access; both task names are straightforward hunt indicators.

  • The ransomware checks whether it is running with administrative privileges before it terminates processes and starts encryption, since killing security processes and deleting shadow copies both require elevation.

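
The two snippets on the encryption (ChaCha20 with a 32-byte public key and a 24-byte nonce, and the 64-byte footer holding that public key and nonce) describe a hybrid scheme. The block below is an added example written for this page, not Obscura's code or Huntress's analysis: it reconstructs the shape of such a scheme to show why the footer is needed by the operator's decryptor yet useless to a responder who lacks the operator's private key. XChaCha20 (ChaCha20 with a 24-byte nonce) and X25519 are written out in plain Python so the example runs offline; they are not constant-time and exist only for illustration. The choice of X25519 for the key exchange, the SHA-256 key derivation, a fresh ephemeral key per file, and the footer layout (public key, nonce, 8 filler bytes) are all assumptions, as are the function and constant names; the page states only the sizes.

```python
import hashlib
import os
import struct

_MASK = 0xFFFFFFFF
_SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # ChaCha constants

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def _qr(s, a, b, c, d):                                # ChaCha quarter round
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):                                    # 20 rounds = 10 double rounds
    s = list(state)
    for _ in range(10):
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return s

def _hchacha20(key, nonce16):                          # derives the subkey for a 24-byte nonce
    s = _rounds(list(_SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16)))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def xchacha20(key, nonce24, data):
    """XOR data with the XChaCha20 keystream (the same call encrypts and decrypts)."""
    subkey = struct.unpack("<8I", _hchacha20(key, nonce24[:16]))
    tail = struct.unpack("<2I", nonce24[16:])          # last 8 nonce bytes feed ChaCha20
    out = bytearray()
    for off in range(0, len(data), 64):
        state = list(_SIGMA) + list(subkey) + [off // 64, 0] + list(tail)
        ks = struct.pack("<16I", *[(x + y) & _MASK for x, y in zip(_rounds(state), state)])
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

_P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar, point):
    """RFC 7748 Montgomery ladder in plain Python (not constant-time; illustration only)."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, u * (da - cb) ** 2 % _P
        e = (aa - bb) % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

FOOTER_LEN = 64
_FOOTER_TAIL = b"OBSC-EX!"   # 8 assumed filler bytes; the page does not say what fills them

def encrypt_file_bytes(plaintext, operator_pub):
    """Per file: fresh ephemeral X25519 key pair and random 24-byte nonce; the file
    key is SHA-256(shared secret) (assumed KDF); footer = eph_pub(32)|nonce(24)|tail(8)."""
    eph_priv = os.urandom(32)
    nonce = os.urandom(24)
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    return xchacha20(file_key, nonce, plaintext) + x25519(eph_priv, BASEPOINT) + nonce + _FOOTER_TAIL

def parse_footer(blob):
    f = blob[-FOOTER_LEN:]
    return {"eph_pub": f[:32], "nonce": f[32:56], "tail": f[56:]}

def decrypt_file_bytes(blob, operator_priv):
    """Only the operator's private key rebuilds the shared secret and thus the file key."""
    f = parse_footer(blob)
    file_key = hashlib.sha256(x25519(operator_priv, f["eph_pub"])).digest()
    return xchacha20(file_key, f["nonce"], blob[:-FOOTER_LEN])

def demo():
    operator_priv = os.urandom(32)                   # stays with the operator
    operator_pub = x25519(operator_priv, BASEPOINT)  # this is what a binary would embed
    data = b"constructed sample document contents " * 5
    blob = encrypt_file_bytes(data, operator_pub)
    return {"footer_len": len(blob) - len(data),
            "nonce_len": len(parse_footer(blob)["nonce"]),
            "roundtrip_ok": decrypt_file_bytes(blob, operator_priv) == data,
            "wrong_key_fails": decrypt_file_bytes(blob, os.urandom(32)) != data}
```

The point for a responder is in demo(): parse_footer recovers the nonce and the per-file public key from any encrypted file, and the operator's public key can be pulled from the binary, yet neither of those lets you recompute the shared secret. Recovery without the operator's private key therefore depends on flaws in the implementation (nonce reuse, a weak random source, the key left in memory), not on the footer.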

Similar Happenings

Brickstorm malware used in long-term espionage against U.S. organizations

Suspected Chinese hackers used the Brickstorm malware in long-term espionage operations against U.S. organizations in the technology and legal sectors, as well as SaaS providers and BPOs. The Go-based backdoor was used to silently siphon data from victim networks for an average of 393 days. The malware was deployed on appliances that do not support EDR, such as VMware vCenter/ESXi endpoints, and masqueraded as legitimate traffic to establish communication with command and control (C2) servers. The attackers, attributed to the UNC5221 activity cluster, exploited vulnerabilities in edge devices and used anti-forensics scripts to obscure their entry path. The primary objective of the malware was to exfiltrate emails via Microsoft Entra ID Enterprise Apps, utilizing a SOCKS proxy to tunnel into internal systems and code repositories. The attackers used a malicious Java Servlet filter for the Apache Tomcat server, dubbed BRICKSTEAL, to capture vCenter credentials for privilege escalation. The attackers cloned Windows Server VMs for key systems such as Domain Controllers, SSO Identity Providers, and secret vaults. The attackers leveraged valid credentials for lateral movement to pivot to the VMware infrastructure and establish persistence by modifying init.d, rc.local, or systemd files. The BRICKSTORM campaign represents a significant threat due to its sophistication, evasion of advanced enterprise security defenses, and focus on high-value targets. Mandiant has released a free scanner script to help defenders detect Brickstorm malware.