ShadowSyndicate Infrastructure Used by Multiple Ransomware Groups Including Cl0p, LockBit and RansomHub

Cybersecurity researchers have uncovered significant overlaps between the attack infrastructure of ShadowSyndicate, also known as Infra Storm by Group-IB, and several prominent ransomware-as-a-service (RaaS) operations.

Active since July 2022, ShadowSyndicate has been linked to high-profile RaaS brands such as AlphaV/BlackCat, LockBit, Play, Royal, Cl0p, Cactus, and RansomHub.

The group is speculated to function more as a RaaS affiliate than a pure initial access broker (IAB). It shares similarities in tactics, techniques, and procedures (TTPs) with intrusion sets like TrickBot, Ryuk/Conti, FIN7, and TrueBot (Silence.Downloader), which are associated with Russian cyberespionage actors like Evil Corp, potentially directed by the FSB for operations against NATO allies.

To read the complete article, see: GB Hackers Article

Full research here: Intrinsec Research PDF

This post is licensed under CC BY 4.0 by the author.