A dangerous partnership has emerged in the cybercriminal landscape: EvilCorp, a sanctioned Russia-based cybercriminal enterprise, has begun working with RansomHub, one of the most active ransomware-as-a-service (RaaS) operations. The alliance combines EvilCorp's established attack infrastructure with RansomHub's expanding affiliate network, creating a formidable ransomware delivery ecosystem.

EvilCorp, under US sanctions since 2019 and led by Maksim Yakubets, has historically deployed ransomware variants including BitPaymer, WastedLocker, and MacawLocker. RansomHub, meanwhile, has been active since February 2024, was formerly known as Cyclops and then Knight, and has rapidly grown its operations by absorbing former affiliates of disbanded ransomware groups such as ALPHV/BlackCat and LockBit.

Researchers at BushidoToken Threat Intel identified the collaboration through forensic analysis of recent attack campaigns, noting consistent patterns in initial access methods and post-exploitation activity. Their analysis revealed EvilCorp's distinctive use of SocGholish malware as the primary infection vector for delivering RansomHub ransomware, which they assess as confirming a formal operational relationship between the groups. Microsoft had first documented the connection on July 15, 2024, observing "RansomHub being deployed in post-compromise activity by Manatee Tempest (Microsoft's name for EvilCorp) following initial access via SocGholish infections". Trend Micro's March 2025 research further corroborated these findings, noting that the SocGholish operators (tracked as Water Scylla) distribute their malware through the Keitaro Traffic Direction System (TDS), a legitimate marketing service repurposed for malicious delivery.

The attack chain begins with SocGholish (also known as FakeUpdates), a JavaScript malware family distributed through compromised websites. After initial compromise, the attackers deploy a Python backdoor called VIPERTUNNEL, first documented by Google in January 2025. The backdoor provides persistent access to the compromised network and serves as the delivery mechanism for additional tooling and the final RansomHub payload. The progression typically follows a fixed pattern: initial SocGholish infection, deployment of the VIPERTUNNEL backdoor, lateral movement through the network, data exfiltration, and finally RansomHub ransomware deployment.

Because EvilCorp remains under US Treasury sanctions, organizations paying ransoms to RansomHub could violate Office of Foreign Assets Control (OFAC) regulations if EvilCorp benefits from those payments. This creates additional complications for cyber insurance providers, incident response teams, and ransomware negotiators, who may inadvertently find themselves in violation of sanctions.
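The JavaScript-then-Python sequence at the start of the chain lends itself to a simple host-level correlation. The script below is an added example written for this article, not detection content from the page or from any of the vendors it cites. The process-creation events are constructed, and the heuristics it applies (a Windows script host executing a .js file from a user-writable path, followed within 30 minutes on the same host by a Python interpreter launched from a user-writable path rather than an install directory) are this example's assumptions about how the two stages would surface in telemetry, not indicators taken from the reports.

```python
"""Correlate a script-host JavaScript execution with a follow-on Python
interpreter running from a user-writable path on the same host.

Added example with constructed events; the thresholds and path markers are
assumptions, not indicators published in the reports discussed above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: datetime
    parent: str      # parent image name
    image: str       # full path of the created process
    cmdline: str


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", datetime(2025, 4, 3, 10, 0, 0), "chrome.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\update_package.js"'),
    ProcEvent("ws01", datetime(2025, 4, 3, 10, 4, 0), "wscript.exe",
              r"C:\Users\alice\AppData\Local\Temp\rt\python.exe",
              r"python.exe svc.py"),
    # Benign: interpreter from a normal install directory, no script-host lure.
    ProcEvent("ws02", datetime(2025, 4, 3, 11, 0, 0), "explorer.exe",
              r"C:\Program Files\Python311\python.exe",
              r"python.exe build.py"),
    ProcEvent("ws02", datetime(2025, 4, 3, 11, 5, 0), "explorer.exe",
              r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Scripts\inventory.vbs"),
    # Edge case: both stages present but two hours apart, outside the window.
    ProcEvent("ws03", datetime(2025, 4, 3, 12, 0, 0), "chrome.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\bob\Downloads\report.js"'),
    ProcEvent("ws03", datetime(2025, 4, 3, 14, 0, 0), "explorer.exe",
              r"C:\Users\bob\AppData\Local\Temp\x\python.exe",
              r"python.exe agent.py"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed markers for locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
WINDOW = timedelta(minutes=30)  # assumed maximum gap between the two stages


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_script_host_running_js(ev: ProcEvent) -> bool:
    """Windows script host executing a .js/.jse file from a user-writable location."""
    cmd = ev.cmdline.lower()
    return (_basename(ev.image) in SCRIPT_HOSTS
            and re.search(r"\.jse?\b", cmd) is not None
            and _in_user_writable(cmd))


def is_python_from_user_path(ev: ProcEvent) -> bool:
    """Python interpreter launched from a user-writable path rather than an install dir."""
    name = _basename(ev.image)
    return name.startswith("python") and name.endswith(".exe") and _in_user_writable(ev.image)


def correlate(events):
    """Return (host, js_event, python_event) triples where the Python stage follows
    the JavaScript stage on the same host within WINDOW."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        js_events = [e for e in evs if is_script_host_running_js(e)]
        for py in (e for e in evs if is_python_from_user_path(e)):
            for js in js_events:
                if timedelta(0) <= py.ts - js.ts <= WINDOW:
                    alerts.append((host, js, py))
                    break
    return alerts


if __name__ == "__main__":
    for host, js, py in correlate(SAMPLE_EVENTS):
        print(f"[{host}] {js.ts:%H:%M} {js.cmdline} -> {py.ts:%H:%M} {py.image}")
```

Run against the constructed events, only ws01 is reported: ws02 never executes a script-host lure and its interpreter lives under Program Files, and ws03's two stages are separated by more than the 30-minute window. The window and path markers are tuning knobs; widen them and the rule trades precision for recall.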
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 14:10:38 +0000