ShadowSyndicate infrastructure Used by Multiple ransomware Groups Including Cl0p, LockBit and RansomHub

Cybersecurity researchers have uncovered significant overlaps between the attack infrastructure of ShadowSyndicate, also known as Infra Storm by Group-IB, and several prominent ransomware-as-a-service (RaaS) operations.

Active since July 2022, ShadowSyndicate has been linked to high-profile RaaS brands such as AlphaV/BlackCat, LockBit, Play, Royal, Cl0p, Cactus, and RansomHub.

The group, which is thought to operate more as a RaaS affiliate than as a pure initial access broker (IAB), shares tactics, techniques, and procedures (TTPs) with intrusion sets such as TrickBot, Ryuk/Conti, FIN7, and TrueBot (Silence.Downloader). Those sets are associated with Russian cyberespionage actors such as Evil Corp, which has potentially been directed by the FSB for operations against NATO allies.

The probe began with two scanning IP addresses (91.238.181[.]225 and 5.188.86[.]169) that shared the same Secure Shell (SSH) host-key fingerprint (b5:4c:ce:68:9e:91:39:e8:24:b6:e5:1a:84:a7:a1:03); pivoting on that fingerprint with tools like Shodan and Fofa expanded the set to 138 servers.

This fingerprint aligns with a TTP previously reported by Group-IB in September 2023, enabling persistent tracking of the group’s resilient infrastructure.

Overlaps with Top-Tier Ransomware Ecosystems

Moderate overlaps were identified with LockBit 3.0’s Citrix Bleed (CVE-2023-4966) exploitation campaign from October 2023, where affiliates deployed LockBit and ThreeAM ransomware.

[Figure: C&C endpoints of the MSI file]

Approximately 40 IP addresses intersected, including Cobalt Strike beacons on servers like 147.78.47[.]226 and 147.78.47[.]231, tied to watermarks linking to UAC-0056 (Cadet Blizzard, GRU-affiliated) and Cl0p operations exploiting MOVEit vulnerabilities.

Further connections emerged with Cicada3301, a potential rebrand of BlackCat/ALPHV, sharing exfiltration servers and exploiting ScreenConnect flaws (CVE-2024-1708/1709), alongside Black Basta and Bl00dy ransomware.

Infrastructure ties also extended to state-sponsored advanced persistent threats (APTs), including Chinese actors via ToneShell backdoor variants and North Korean groups like Andariel (Onyx Sleet) using RustDoor and Maui ransomware.

Overlaps with infostealers such as Atomic (AMOS) and Poseidon, distributed via fake Google Ads and DeepSeek LLM lures, suggest ShadowSyndicate’s role in broader cybercrime ecosystems, potentially facilitating access for APTs through brute-force botnets like Brutus.

Network of Bulletproof Hosters

According to the report, researchers assess with moderate confidence that ShadowSyndicate accesses a network of private bulletproof hosting providers (BPHs) in Europe, exhibiting traits of intelligence agency hosting (IAH), operated from Russia via offshore entities in Panama, Seychelles, and the U.S. Virgin Islands.

These BPHs, disguised as VPS, VPN, or proxy services, ensure takedown resilience through imbricated autonomous system numbers (ASNs) like AS209588 (Flyservers S.A.), AS209132 (Alviva Holding Limited), and AS-Tamatiya (encompassing 22 ASNs).

Links to Kremlin interests, including oligarchs like Mikhail Slipenchuk, underscore potential state alignment.

Low-confidence ties to foreign information manipulation and interference (FIMI) operations, such as the Hunter Biden laptop leak via hunterlap.top, aimed at influencing the 2024 U.S. presidential elections, highlight hybrid threats blending cybercrime with geopolitical disruption.

The infrastructure also intersects with DecoyDog (PupyRAT over DNS tunneling) and campaigns involving Amadey loaders and Nitol malware. As of May 2025, the network remains active, scanning for vulnerabilities and deploying payloads.

ShadowSyndicate’s innovator-level sophistication, leveraging zero-days and organization-scale resources, positions it as a hybrid IAB fueling Russian, North Korean, and possibly Chinese APTs, echoing battlefield alliances in Ukraine.

Indicators of Compromise (IOCs)

| Value | Type | Description |
|---|---|---|
| 47890 | ASN | UNMANAGED LTD |
| 215540 | ASN | GLOBAL CONNECTIVITY SOLUTIONS LLP |
| 209272 | ASN | Alviva Holding Limited |
| 209132 | ASN | Alviva Holding Limited |
| 59580 | ASN | Batterflyai Media ltd. |
| 273045 | ASN | DataHome S.A. |
| 57043 | ASN | HOSTKEY B.V. |
| 50867 | ASN | HOSTKEY B.V. |
| 49453 | ASN | Global layer B.V. |
| 43350 | ASN | NForce Entertainment B.V. |
| AS-TAMATIYA | AS-SET | 22 ASNs (old, created in 2014) |
| AS-4VENDETA | AS-SET | 22 ASNs (new AS-SET cloned from AS-TAMATIYA, created in early 2021) |
| 88.214.25.246 | IPv4-Addr | Server presenting the ShadowSyndicate SSH fingerprint (extracted from FOFA on 2 May 2025) |
| 147.78.46.104 | IPv4-Addr | Server presenting the ShadowSyndicate SSH fingerprint (extracted from FOFA on 2 May 2025) |
| 193.142.30.96 | IPv4-Addr | Server presenting the ShadowSyndicate SSH fingerprint (extracted from FOFA on 2 May 2025) |
| 200.107.207.13 | IPv4-Addr | Server presenting the ShadowSyndicate SSH fingerprint (extracted from FOFA on 2 May 2025) |
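The fingerprint pivot described earlier and the IOC table above both come down to one defender-side check: compute the legacy MD5 fingerprint (the colon-separated form the article quotes) of each observed SSH host key and compare it, together with the server address, against a watchlist. The following script is an added example, not code from the article or from Group-IB; the `ssh-keyscan`-style input lines and the `YWJj` key blobs are constructed placeholders, while the fingerprint and IP values in the watchlists are the ones printed in the article.

```python
import base64
import hashlib

# Tracked SSH host-key fingerprint quoted in the article (MD5, colon-separated hex).
TRACKED_FINGERPRINTS = {"b5:4c:ce:68:9e:91:39:e8:24:b6:e5:1a:84:a7:a1:03"}

# Addresses from the article's IOC table (the "IPv4-Addr" rows).
IOC_IPS = {"88.214.25.246", "147.78.46.104", "193.142.30.96", "200.107.207.13"}


def md5_fingerprint(host_key_b64: str) -> str:
    """MD5 fingerprint (aa:bb:...) of a base64 host-key blob, the form
    produced by `ssh-keygen -l -E md5` and used in the article."""
    digest = hashlib.md5(base64.b64decode(host_key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_keyscan_line(line: str):
    """Parse one `ssh-keyscan` output line: '<host> <keytype> <base64>'.
    Returns None for comment lines and malformed input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3 or not parts[1].startswith(("ssh-", "ecdsa-")):
        return None
    return parts[0], parts[1], parts[2]


def check_server(host, host_key_b64, fingerprints=TRACKED_FINGERPRINTS, ips=IOC_IPS):
    """Reasons an observed server matches the watchlist (empty list = no match).
    The IP and fingerprint checks are independent: a rebuilt server on a new
    address still matches if the operators reuse the same host key."""
    hits = []
    if host in ips:
        hits.append("ip-in-ioc-list")
    if md5_fingerprint(host_key_b64) in fingerprints:
        hits.append("ssh-fingerprint-match")
    return hits


def scan_report(keyscan_output, **watchlists):
    """Map host -> hits for every parseable line of ssh-keyscan output."""
    report = {}
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed:
            host, _keytype, key_b64 = parsed
            report[host] = check_server(host, key_b64, **watchlists)
    return report
```

Feed it the output of `ssh-keyscan -t ed25519,rsa <hosts>` collected from your own perimeter or from scan data; any host whose hits list is non-empty warrants a closer look.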
