Saturday, August 30, 2025

ShadowSyndicate Infrastructure Used by Multiple Ransomware Groups Including Cl0p, LockBit and RansomHub

Cybersecurity researchers have uncovered significant overlaps between the attack infrastructure of ShadowSyndicate, also tracked as Infra Storm by Group-IB, and several prominent ransomware-as-a-service (RaaS) operations.

Active since July 2022, ShadowSyndicate has been linked to high-profile RaaS brands such as AlphaV/BlackCat, LockBit, Play, Royal, Cl0p, Cactus, and RansomHub.

The group, believed to operate more as a RaaS affiliate than as a pure initial access broker (IAB), shares tactics, techniques, and procedures (TTPs) with intrusion sets such as TrickBot, Ryuk/Conti, FIN7, and TrueBot (Silence.Downloader), which are associated with Russian cyberespionage actors such as Evil Corp, possibly directed by the FSB for operations against NATO allies.

The investigation began with two scanning IP addresses (91.238.181[.]225 and 5.188.86[.]169) that shared a common Secure Shell (SSH) fingerprint (b5:4c:ce:68:9e:91:39:e8:24:b6:e5:1a:84:a7:a1:03), and expanded to 138 servers using search engines such as Shodan and Fofa.

This fingerprint matches a TTP previously reported by Group-IB in September 2023, which has allowed persistent tracking of the group's resilient infrastructure.
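The pivot described above rests on one value: the colon-separated 16-byte string is OpenSSH's MD5 host-key fingerprint format, the form Shodan and Fofa report. As an added defender-side example (not code from the article or from Group-IB), the Python below computes that fingerprint from `ssh-keyscan`-style output and flags hosts whose key matches a watchlist such as the fingerprint from the report. The keyscan lines, their "keys" (base64 of placeholder bytes rather than real SSH keys) and the function names are constructed by me.

```python
import base64
import hashlib
from typing import Iterable, List, Optional

# MD5 SSH fingerprint of ShadowSyndicate infrastructure, as given in the article.
SHADOWSYNDICATE_SSH_MD5 = "b5:4c:ce:68:9e:91:39:e8:24:b6:e5:1a:84:a7:a1:03"


def md5_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style MD5 fingerprint of a raw public-key blob: 16 bytes as colon-separated hex."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalise_fingerprint(fp: str) -> str:
    """Lower-case and strip an optional 'MD5:' prefix so watchlists in either form compare equal."""
    fp = fp.strip().lower()
    return fp[4:] if fp.startswith("md5:") else fp


def fingerprint_from_keyscan_line(line: str) -> Optional[str]:
    """Parse one ssh-keyscan output line ('host keytype base64-blob') and return its MD5 fingerprint.

    Comment lines and malformed lines (too few fields, invalid base64) return None instead of raising,
    so one bad line does not abort a bulk run over many hosts."""
    parts = line.strip().split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    try:
        blob = base64.b64decode(parts[2], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return md5_fingerprint(blob)


def hosts_matching_iocs(keyscan_output: str,
                        ioc_fingerprints: Iterable[str] = (SHADOWSYNDICATE_SSH_MD5,)) -> List[str]:
    """Return the hosts (first field of each keyscan line) whose host key matches a watchlisted fingerprint."""
    wanted = {normalise_fingerprint(f) for f in ioc_fingerprints}
    hits: List[str] = []
    for line in keyscan_output.splitlines():
        fp = fingerprint_from_keyscan_line(line)
        if fp is not None and fp in wanted:
            hits.append(line.split()[0])
    return hits


# Constructed sample in ssh-keyscan output format. The key fields are base64 of the bytes "abc" and
# "abcd", i.e. placeholders rather than real SSH public keys, so the code runs fully offline.
SAMPLE_KEYSCAN = """\
# 203.0.113.10:22 SSH-2.0-OpenSSH_9.6
203.0.113.10 ssh-rsa YWJj
203.0.113.11 ssh-ed25519 YWJjZA==
broken-line-without-key
"""

if __name__ == "__main__":
    print("hits against the article's fingerprint:", hosts_matching_iocs(SAMPLE_KEYSCAN))
    # Exercise the matching path using the fingerprint of the constructed placeholder key.
    demo_fp = fingerprint_from_keyscan_line("203.0.113.10 ssh-rsa YWJj")
    print("hits against the placeholder key's fingerprint:", hosts_matching_iocs(SAMPLE_KEYSCAN, [demo_fp]))
```

Feed it the output of `ssh-keyscan` run against hosts you are responsible for, or against destinations seen in your own egress logs, and compare the result with the fingerprint above; a match warrants the same follow-up as any other infrastructure IoC hit. Because the article's fingerprint is MD5, it is only an identification aid, not proof of identity: a match should be corroborated with the ASN and IP indicators the report lists.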

Overlaps with Top-Tier Ransomware Ecosystems

Moderate overlaps were identified with LockBit 3.0's Citrix Bleed (CVE-2023-4966) exploitation campaign from October 2023, in which affiliates deployed LockBit and ThreeAM ransomware.

Figure: C&C endpoints of the MSI file

Roughly 40 IP addresses intersected, including Cobalt Strike beacons on servers such as 147.78.47[.]226 and 147.78.47[.]231, tied to watermarks linking to UAC-0056 (Cadet Blizzard, GRU-affiliated) and to Cl0p operations exploiting MOVEit vulnerabilities.

Further connections emerged with Cicada3301, a possible rebrand of BlackCat/ALPHV, which shared exfiltration servers and exploited ScreenConnect flaws (CVE-2024-1708/1709), alongside Black Basta and Bl00dy ransomware.

Infrastructure ties also extended to state-sponsored advanced persistent threats (APTs), including Chinese actors via ToneShell backdoor variants and North Korean groups such as Andariel (Onyx Sleet) using RustDoor and Maui ransomware.

Overlaps with infostealers such as Atomic (AMOS) and Poseidon, distributed through fake Google Ads and DeepSeek LLM lures, suggest that ShadowSyndicate plays a role in broader cybercrime ecosystems, potentially facilitating access for APTs through brute-force botnets such as Brutus.

Network of Bulletproof Hosters

According to the report, researchers assess with moderate confidence that ShadowSyndicate uses a network of private bulletproof hosting providers (BPHs) in Europe that exhibit characteristics of intelligence agency hosting (IAH), operated from Russia through offshore entities in Panama, Seychelles, and the U.S. Virgin Islands.

These BPHs, disguised as VPS, VPN, or proxy services, ensure takedown resilience through overlapping (imbricated) autonomous system numbers (ASNs) such as AS209588 (Flyservers S.A.), AS209132 (Alviva Holding Limited), and AS-Tamatiya (encompassing 22 ASNs).

Links to Kremlin interests, including oligarchs such as Mikhail Slipenchuk, underscore potential state alignment.

Low-confidence ties to foreign information manipulation and interference (FIMI) operations, such as the Hunter Biden laptop leak via hunterlap.top, aimed at influencing the 2024 U.S. presidential election, highlight hybrid threats that blend cybercrime with geopolitical disruption.

The infrastructure also intersects with DecoyDog (PupyRAT over DNS tunneling) and with campaigns involving Amadey loaders and Nitol malware. As of May 2025, the network remains active, scanning for vulnerabilities and deploying payloads.

ShadowSyndicate's innovator-level sophistication, leveraging zero-days and organization-scale resources, positions it as a hybrid IAB fueling Russian, North Korean, and possibly Chinese APTs, echoing battlefield alliances in Ukraine.

Indicators of Compromise (IOCs)

Value Type Description
47890 ASN UNMANAGED LTD
215540 ASN GLOBAL CONNECTIVITY SOLUTIONS LLP
209272 ASN Alviva Holding Limited
209132 ASN Alviva Holding Limited
59580 ASN Batterflyai Media ltd.
273045 ASN DataHome S.A.
57043 ASN HOSTKEY B.V.
50867 ASN HOSTKEY B.V.
49453 ASN Global Layer B.V.
43350 ASN NForce Entertainment B.V.
AS-TAMATIYA AS-SET 22 ASNs (old, created in 2014)
AS-4VENDETA AS-SET 22 ASNs (new AS-SET cloned from AS-TAMATIYA, created in early 2021)
88.214.25.246 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
147.78.46.104 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
193.142.30.96 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
200.107.207.13 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
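The IoC list above mixes three indicator types of different fidelity, and a practitioner will usually want to load it into something that can be run over network telemetry. As an added example, not part of the article, the Python below parses the table into records and matches constructed network-flow records against it. The embedded table text is the article's own IoC list; the flow records, their destination ASN attributions and the severity labels are my assumptions. The severity split reflects that an ASN hit only says the destination sits inside a hosting provider the report associates with ShadowSyndicate, a provider that also carries unrelated customers' traffic, so it ranks below a direct IP match.

```python
from dataclasses import dataclass
from typing import Dict, List

# IoC table as published in the article (value, type, description), header row included.
IOC_TABLE = """\
Value Type Description
47890 ASN UNMANAGED LTD
215540 ASN GLOBAL CONNECTIVITY SOLUTIONS LLP
209272 ASN Alviva Holding Limited
209132 ASN Alviva Holding Limited
59580 ASN Batterflyai Media ltd.
273045 ASN DataHome S.A.
57043 ASN HOSTKEY B.V.
50867 ASN HOSTKEY B.V.
49453 ASN Global Layer B.V.
43350 ASN NForce Entertainment B.V.
AS-TAMATIYA AS-SET 22 ASNs (old, created in 2014)
AS-4VENDETA AS-SET 22 ASNs (new AS-SET cloned from AS-TAMATIYA, created in early 2021)
88.214.25.246 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
147.78.46.104 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
193.142.30.96 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
200.107.207.13 IPv4-Addr Secure Shell (SSH) fingerprint of ShadowSyndicate (extracted from FOFA on 2 May 2025)
"""


@dataclass(frozen=True)
class Ioc:
    value: str
    kind: str          # "ASN", "AS-SET" or "IPv4-Addr"
    description: str


def parse_ioc_table(text: str) -> List[Ioc]:
    """Split each 'value type description' row; the header row and blank lines are skipped."""
    iocs: List[Ioc] = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].lower() == "value":
            continue
        description = parts[2] if len(parts) == 3 else ""
        iocs.append(Ioc(parts[0], parts[1], description))
    return iocs


# Severity by indicator type (assumption, see lead-in): an IP hit is stronger evidence than an ASN hit.
SEVERITY = {"IPv4-Addr": "high", "ASN": "medium"}


def match_flows(flows: List[Dict], iocs: List[Ioc]) -> List[Dict]:
    """Return one alert per (flow, IoC) pair where the flow's destination IP or ASN is listed.

    AS-SET entries name a group of ASNs rather than a single number, so they cannot be matched
    from a flow record directly and are ignored here; expand them via your RIR data if needed."""
    by_ip = {i.value: i for i in iocs if i.kind == "IPv4-Addr"}
    by_asn = {i.value: i for i in iocs if i.kind == "ASN"}
    alerts: List[Dict] = []
    for idx, flow in enumerate(flows):
        ip_hit = by_ip.get(flow.get("dst_ip", ""))
        if ip_hit is not None:
            alerts.append({"flow": idx, "ioc": ip_hit, "severity": SEVERITY["IPv4-Addr"]})
        asn_hit = by_asn.get(str(flow.get("dst_asn", "")))
        if asn_hit is not None:
            alerts.append({"flow": idx, "ioc": asn_hit, "severity": SEVERITY["ASN"]})
    return alerts


# Constructed flow records: private source addresses, documentation-range destinations where no
# IoC is intended, and destination ASN attributions that are assumed rather than looked up.
SAMPLE_FLOWS = [
    {"ts": "2025-05-02T10:00:00Z", "src": "10.0.0.5", "dst_ip": "88.214.25.246", "dst_asn": 47890},
    {"ts": "2025-05-02T10:01:00Z", "src": "10.0.0.7", "dst_ip": "198.51.100.20", "dst_asn": 209132},
    {"ts": "2025-05-02T10:02:00Z", "src": "10.0.0.9", "dst_ip": "192.0.2.1", "dst_asn": 64496},
]

if __name__ == "__main__":
    for alert in match_flows(SAMPLE_FLOWS, parse_ioc_table(IOC_TABLE)):
        flow = SAMPLE_FLOWS[alert["flow"]]
        ioc = alert["ioc"]
        print(f"[{alert['severity']}] {flow['src']} -> {flow['dst_ip']} (AS{flow['dst_asn']}): "
              f"{ioc.kind} {ioc.value} {ioc.description}")
```

Run against real flow or firewall logs, the ASN matches will be the noisier channel; treating them as context for an IP or SSH-fingerprint hit, rather than as stand-alone alerts, keeps the list useful without flooding a queue.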
