Security Affairs
Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hades ransomware gang targets big organizations in the US

Accenture security researchers published an analysis of the latest Hades campaign, which is ongoing since at least December 2020.  Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest campaign conducted by financially motivated threat group Hades which have been operating since at least December 2020.  Experts discovered that threat actors targeted […]

Hades ransomware ransom-note

Accenture security researchers published an analysis of the latest Hades campaign, which is ongoing since at least December 2020. 

Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest campaign conducted by financially motivated threat group Hades which have been operating since at least December 2020. 

Experts discovered that threat actors targeted a large US transportation & logistics organization, a large US consumer products organization, and a global manufacturing organization. At the time of this writing, it is unclear if the Hades gang operates a ransom-as-a-service model.

The profile of the victims suggests the attackers are focusing on Big Game Hunting, targeted organizations with annual revenues exceeding $1 billion USD.

Experts identified Tor hidden services and clearnet URLs via various open-source reporting that could be associated with the activity of the Hades ransomware. The ransom note left by the malware points to Tor pages that are uniquely generated for each victim. 

Accenture researchers also noticed that the Hades ransom notes share portions with the one used by the REvil ransomware operators, unique differences are the operators’ contact information and the formatting of the ransom notes. While the ransom notes are similar, we do not have any evidence to suggest the threat groups or operations have any overlap at this time.

Researchers from Crowdstrike speculate that the new variant is a successor to WastedLocker ransomware and linked the operations to Evil Corp operations.

The attack chain begins with attacks to internet-facing systems via Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) using legitimate credentials.

Upon running on the victim’s machine, the malicious code creates a copy of itself and relaunches itself via the command line. The copy is then deleted and an executable is unpacked in memory. Then the malware perform a scan in local directories and network shares for content to encrypt. Experts noticed that each Hades ransomware sample uses a different extension to files that it encrypts and drops a ransom note with file name “HOW-TO-DECRYPT-[extension].txt”

“The use of legitimate credentials, service creation, and distribution of Command and Control (C2) beacons across victim environments through the use of Cobalt Strike and Empire, so far appear to be the predominant approach used by the unknown threat group to further their foothold and maintain persistence. In addition, the threat actors operated out of the root of C:\ProgramData where several executables tied to the intrusion set were found.” reads the analysis published by Accenture.

Hades ransomware ransom-note

The analysis of the malware revealed the use of code obfuscation to avoid detection, while privilege escalation is achieved through credential harvesting and the use of tooling and manual enumeration of credentials. 

Like other ransomware, Hades ransomware steal data before starting the encryption process and send them back to the C2.

“Prior to deploying Hades ransomware, the unknown threat group has employed the 7zip utility to archive data that was then staged and exfiltrated to an attacker-controlled server hosted in Mega[.]nz cloud infrastructure, leveraging the MEGAsync utility.” concludes the report. “In addition to data theft, actors deploy Hades ransomware to encrypt files identified on the victim network. Hades operators leverage this approach for “double-extortion” tactics.”

CIFR and ACTI also provided Indicators of Compromise (IoC) for the Hades attacks. 

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hades ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]