HackRead

Yurei Ransomware Uses Common Tools, Adds Stranger Things References


A new extortion campaign involving the Yurei ransomware toolkit has been detected by the research firm Team Cymru. The group behind this campaign first appeared in September 2025 and stands out not just for its aggressive tactics, but also for its unusual habit of naming malicious tools after characters and themes from the hit TV show Stranger Things.

According to Team Cymru’s research, detailed in a blog post shared with Hackread.com, this campaign follows a growing trend where instead of building their own complex software, the hackers “assemble modular toolkits using readily available resources,” making it easier and faster to launch attacks.

Gaining Initial Access

Researchers noted that the Yurei toolkit’s entry into a company’s network is quite simple: they believe the operators buy stolen passwords from online criminal marketplaces. Once they have a foothold, they use tools such as SoftPerfect NetScan and NetExec to map out the network and find where the most valuable data is kept.

Further probing revealed that the group uses a tool called Rubeus to escalate to high-level Administrator privileges. With those permissions, an attacker effectively has total control. To keep their access even if they are discovered, they often install AnyDesk, a common remote-desktop app that security software rarely flags because it is a legitimate business tool.

The Vecna Script

The most striking part of the Yurei toolkit is a PowerShell script named Vecna.ps1. Much like the villain from the show, this script is designed to stay hidden and strike when the time is right. It registers a logon trigger, so that the next time a user logs in the main ransomware file, StrangerThings.exe, is launched automatically.

Image credit: Team Cymru

It is worth noting that the Yurei ransomware itself isn’t a new invention. Researchers noted it is actually based on Prince Ransomware, an open-source project written in the Go programming language. This allows the Yurei operators to “enter the ransomware underground economy without the necessary development skills or even investing much effort.”

Covering Their Tracks

Before the group locks any files, they make sure the victim cannot recover them. They use a script called FixingIssues2.ps1 to essentially blind Windows Defender, turning off every major security feature. They also use a tool called SDelete to permanently wipe evidence and delete shadow copies, the automatic backups most of us rely on.
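The behaviours described in the two sections above (a logon-triggered launch of the ransomware binary, Defender being switched off, shadow copies being wiped) are exactly the kind of pre-encryption sequence a defender can look for in endpoint command-line telemetry. The following is an added example, not code from the article or from Team Cymru’s report: the log format is a simplified constructed one, and because the article does not quote the contents of Vecna.ps1 or FixingIssues2.ps1, the command patterns are the generic Windows commands for those behaviours (schtasks with an onlogon trigger, Set-MpPreference, vssadmin, SDelete), not the group’s actual commands. It matches single commands to rules and then correlates them per host within a short window, so that the combination, rather than any one command, raises the alert.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry, one record per line:
#   "<ISO timestamp> <host> <user> <command line>"
# These are invented for the example; only the file names StrangerThings.exe and
# FixingIssues2.ps1 come from the article.
SAMPLE_LOGS = [
    "2026-01-12T03:14:07Z WS-042 corp\\jdoe schtasks /create /tn Updater /tr C:\\Users\\Public\\StrangerThings.exe /sc onlogon /ru SYSTEM",
    "2026-01-12T03:14:09Z WS-042 corp\\jdoe powershell -ep bypass -File C:\\Users\\Public\\FixingIssues2.ps1",
    "2026-01-12T03:14:10Z WS-042 corp\\jdoe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2026-01-12T03:14:30Z WS-042 corp\\jdoe vssadmin delete shadows /all /quiet",
    "2026-01-12T03:14:31Z WS-042 corp\\jdoe sdelete64.exe -accepteula -p 3 C:\\Users\\Public\\FixingIssues2.ps1",
    # Benign administrative activity that must not fire the rules.
    "2026-01-12T09:00:00Z WS-042 corp\\jdoe schtasks /query /fo list",
    "2026-01-12T09:05:00Z WS-042 corp\\jdoe vssadmin list shadows",
]

# Rule name -> pattern over the command line. Patterns are the generic commands
# for each behaviour, an assumption since the article does not quote the scripts.
RULES = [
    ("logon_trigger_persistence", re.compile(r"schtasks\s+/create.*?/sc\s+onlogon", re.I)),
    ("defender_tampering", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("secure_delete_tool", re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I)),
]


@dataclass
class Alert:
    rule: str
    when: datetime
    host: str
    user: str
    command: str


def parse_line(line: str):
    """Split a record into its four fields; the command line keeps its spaces."""
    ts, host, user, command = line.split(" ", 3)
    # fromisoformat accepts an explicit offset on every supported Python version.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, host, user, command


def scan(lines) -> list:
    """Return one Alert per (line, rule) match, in log order."""
    alerts = []
    for line in lines:
        when, host, user, command = parse_line(line)
        for rule, pattern in RULES:
            if pattern.search(command):
                alerts.append(Alert(rule, when, host, user, command))
    return alerts


def correlate(alerts, window_seconds=600, min_rules=3) -> dict:
    """Flag hosts where at least min_rules distinct rules fire within window_seconds.

    Returns {host: sorted list of rule names} for flagged hosts only.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)

    flagged = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.when)
        for i, start in enumerate(host_alerts):
            # Distinct rules seen from this alert to the end of the window.
            rules = {
                a.rule
                for a in host_alerts[i:]
                if (a.when - start.when).total_seconds() <= window_seconds
            }
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a.when.isoformat()} {a.host} {a.rule}: {a.command}")
    for host, rules in correlate(found).items():
        print(f"pre-encryption sequence on {host}: {', '.join(rules)}")
```

Two design points are worth noting. The per-command rules are deliberately narrow (`schtasks /query` and `vssadmin list shadows` do not match), because each of these commands is also used legitimately; the correlation step is what turns ordinary administrative noise into a high-confidence alert, and the window should be tuned to how quickly the sequence runs in your own telemetry.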

Between December 2025 and January 2026, Team Cymru used NetFlow data (network traffic flow records) to monitor the group’s server traffic and see how they moved through systems using tools like PsExec. While the group’s public leak site currently lists only three victims, the ease with which they can launch these attacks has experts worried. As the researchers put it, the barrier to entry for cybercrime is lower than ever.
