ShadowSyndicate Expands Infrastructure with Reused SSH Fingerprints
Summary
ShadowSyndicate, a cybercrime cluster linked to multiple ransomware groups, has expanded its infrastructure. Researchers identified new technical markers, including reused SSH fingerprints, that connect dozens of servers to the same operator. The group has been active since 2023 and maintains a consistent infrastructure pattern. New SSH fingerprints and server transfers between internal clusters were observed, linking previously known servers to newly deployed infrastructure. The group uses commercial red-team frameworks and open-source post-exploitation tools, with ties to ransomware groups like Cl0p, ALPHV/BlackCat, and Ryuk. Group-IB recommends monitoring IoCs, autonomous systems, and unusual login activities to defend against this threat.
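The correlation described above can be reproduced on your own scan data. The following is an added example, not code from the article or from Group-IB: it computes OpenSSH-style SHA256 host-key fingerprints, groups servers that present the same key, and lists untracked hosts that share a key with a tracked one. The record fields (`ip`, `key`), function names, and all sample values are assumptions constructed for illustration.

```python
import base64, hashlib, struct
from collections import defaultdict

def ed25519_blob(raw32: bytes) -> str:
    """Build a base64 SSH wire-format ed25519 host key (used only for constructed samples)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def cluster_by_host_key(records, min_hosts=2):
    """Map fingerprint -> sorted IPs for keys served by at least min_hosts distinct IPs."""
    groups = defaultdict(set)
    for rec in records:
        try:
            groups[fingerprint(rec["key"])].add(rec["ip"])
        except (KeyError, TypeError, ValueError):  # missing field or undecodable key
            continue
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) >= min_hosts}

def new_members(clusters, known_ips):
    """IPs that share a host key with an already-tracked server but are not yet tracked."""
    found = set()
    for ips in clusters.values():
        if known_ips & set(ips):
            found |= set(ips) - known_ips
    return sorted(found)

# Constructed sample data: documentation IP ranges and synthetic keys, not real IoCs.
KEY_A, KEY_B = ed25519_blob(b"\x01" * 32), ed25519_blob(b"\x02" * 32)
SCAN = [
    {"ip": "192.0.2.10", "key": KEY_A},
    {"ip": "198.51.100.7", "key": KEY_A},
    {"ip": "203.0.113.5", "key": KEY_A},
    {"ip": "192.0.2.44", "key": KEY_B},           # unique key: forms no cluster
    {"ip": "192.0.2.99", "key": "not-base64!!"},  # malformed record: skipped
]

if __name__ == "__main__":
    clusters = cluster_by_host_key(SCAN)
    for fp, ips in clusters.items():
        print(fp, ips)
    print("new:", new_members(clusters, known_ips={"192.0.2.10"}))
```

A shared host key is a pivot for further review rather than proof of common ownership, since cloned images and appliance defaults can also produce identical keys.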
Timeline
- 04.02.2026 17:00 · 1 article
ShadowSyndicate Expands Infrastructure with Reused SSH Fingerprints
Researchers identified new technical markers, including reused SSH fingerprints, that connect dozens of servers to the same operator. The group has been active since 2023 and maintains a consistent infrastructure pattern. New SSH fingerprints and server transfers between internal clusters were observed, linking previously known servers to newly deployed infrastructure. The group uses commercial red-team frameworks and open-source post-exploitation tools, with ties to ransomware groups like Cl0p, ALPHV/BlackCat, and Ryuk.
Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00
Information Snippets
- ShadowSyndicate reuses SSH fingerprints, allowing researchers to correlate infrastructure across campaigns.
First reported: 04.02.2026 17:00 (1 source, 1 article). Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00
- Two additional SSH fingerprints tied to ShadowSyndicate activity were identified, confirming continued coordination.
First reported: 04.02.2026 17:00 (1 source, 1 article). Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00
- Servers appear to be transferred between internal infrastructure clusters, mimicking legitimate ownership changes.
First reported: 04.02.2026 17:00 (1 source, 1 article). Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00
- At least 20 servers associated with ShadowSyndicate were identified as command-and-control (C2) nodes for various offensive tools.
First reported: 04.02.2026 17:00 (1 source, 1 article). Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00
- ShadowSyndicate has links to multiple ransomware groups, including Cl0p, ALPHV/BlackCat, Black Basta, Ryuk, and Malsmoke.
First reported: 04.02.2026 17:00 (1 source, 1 article). Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00
- Group-IB recommends incorporating IoCs into threat intelligence platforms and monitoring activity linked to frequently used autonomous systems.
First reported: 04.02.2026 17:00 (1 source, 1 article). Sources:
- New Technical Markers Reveal Expanding ShadowSyndicate Cybercriminal Infrastructure — www.infosecurity-magazine.com — 04.02.2026 17:00