Redazione RHC: 6 August 2025 07:16
The ShadowSyndicate infrastructure, also known as Infra Storm, has come under the spotlight of security researchers after they identified significant overlap with some of the largest ransomware programs. Active since mid-2022, the group is associated with brands such as ALPHV/BlackCat, LockBit, Royal, Play, Cl0p, Cactus, and RansomHub. Unlike traditional initial access brokers (IABs), it operates more as a participant in high-level RaaS, providing services or infrastructure to various criminal partners.
According to Intrinsec, ShadowSyndicate’s connections extend far beyond the typical cybercrime landscape, with tactics and tools in its arsenal echoing the approaches of groups such as TrickBot, Ryuk/Conti, FIN7, and TrueBot, all known for their sophisticated infiltration techniques, ability to evade detection, and use of a variety of exploits.
The starting point of the investigation was two IP addresses using the same SSH fingerprint. Using Shodan and Fofa, the study was extended to 138 servers with similar characteristics. The identified intersections include participation in an attack that exploited the Citrix Bleed vulnerability (CVE-2023-4966), in which servers were exploited by LockBit and ThreeAM.
Matches were also found with the infrastructure used in the MOVEit and ScreenConnect attacks, with the latter exploit targeting two vulnerabilities simultaneously: CVE-2024-1708 and CVE-2024-1709. Individual ShadowSyndicate servers correspond to hosts previously associated with UAC-0056 (also known as Cadet Blizzard) and Cl0p.
The overall technical picture also revealed links to other groups collaborating with the Black Basta and Bl00dy programs, as well as suspicious activity related to Cicada3301, a possible rebranding of BlackCat. The AMOS and Poseidon infostealers, distributed via fake Google ads and LLM phishing lures, also demonstrate a connection to this infrastructure.
The technical configuration of the network is also of interest. The study highlights the presence of bulletproof hosting (BPH), disguised as legitimate VPN, VPS and proxy services, but which in reality provides a solid platform for criminal cyber operations. Mention is made of the autonomous systems AS209588 (Flyservers), AS209132 (Alviva Holding), and the large AS-Tamatiya structure, which unites 22 ASNs. The hosting operates under the cover of offshore jurisdictions, including Panama, Seychelles, and the Virgin Islands.
While the Intrinsec report assesses confirmed links to state actors with only moderate confidence, references to high-level figures and hybrid information manipulation operations indicate a much broader role for this infrastructure.
The study then mentions intersections with DecoyDog (a variant of PupyRAT via DNS tunneling), as well as the use of the malicious downloaders Amadey and Nitol. As of May 2025, the network remained active, continuing to scan for vulnerabilities and deploy malicious components.
Overall, these findings paint a picture of a highly technological, resilient, and multilayered ecosystem that not only supports traditional extortion schemes but is also closely linked to actors operating at the national level.
ShadowSyndicate demonstrates not only a commercial approach, but a structure capable of coordinating actions across different cyber threat segments, from infostealers and botnets to complex attack chains using zero-day vulnerabilities and custom loaders.

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.