A sophisticated new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP has emerged, featuring AI-powered negotiation systems and mobile control panels for affiliates.
The group, operated by threat actor “$$$,” has already compromised 17 victims across healthcare, automotive, and industrial sectors in the United States, Europe, and Australia since its June 2025 launch.
Advanced Technical Infrastructure Exposed
GLOBAL GROUP operates through a dedicated leak site (DLS) on the Tor network at vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion.

However, operational security failures have exposed critical infrastructure details: an unprotected API endpoint, /posts, revealed the group’s real IP address, 193.19.119[.]4, hosted with the Russian VPS provider IpServer and listening on port 3304.
The ransomware payload is compiled in Go for cross-platform compatibility and uses ChaCha20-Poly1305 for encryption.
Technical analysis reveals that the malware uses the mutex Global\Fxo16jmdgujs437 and can deploy itself automatically domain-wide over SMB connections by creating malicious Windows services.
The analysed sample has the SHA-256 hash a8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73.
Connections to Previous Ransomware Operations
EclecticIQ analysts have established strong technical connections between GLOBAL GROUP and the defunct Mamona ransomware operation.
Both groups share the same infrastructure pattern: GLOBAL GROUP uses the same VPS provider, IpServer, that previously hosted Mamona operations at IP 185.158.113[.]114.
The threat actor “$$$” also maintains connections to Black Lock ransomware through a qTox encrypted-messaging ID: 667798F921A68529C74094664C1B890D4E1156C4588906071398FA4F76C2095C2B3AC79FF086.

This suggests GLOBAL GROUP represents a rebranding effort to rebuild reputation and expand affiliate networks while maintaining operational continuity.
Sophisticated RaaS Platform with AI Integration
GLOBAL GROUP distinguishes itself through advanced affiliate management features, including AI-driven chatbots for automated ransom negotiations.
The platform offers an unprecedented 85% revenue share to affiliates, significantly higher than competing RaaS operations.
The negotiation portal, accessible at gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd[.]onion, can be operated from mobile devices, and the group pursues seven-figure ransom demands through it.
The group actively collaborates with Initial Access Brokers (IABs), purchasing access to enterprise networks through compromised VPN appliances, including Fortinet, Palo Alto, and Cisco devices.
They also employ brute-force tools targeting Microsoft Outlook Web Access (OWA) and RDWeb portals for high-privilege initial access.
Recent victims span healthcare providers in the United States and Australia, automotive services in the United Kingdom, and business process outsourcing in Brazil, demonstrating the group’s global reach and cross-sector targeting capabilities.