Caliburn (Active)

Ransomware group first observed in 2022. Uses nltest for deployment.
| Metric | Value |
|---|---|
| Total Victims | |
| First Seen | 2022-08-01 |
| Last Seen | 2026-03-05 |
| Known TTPs | 19 |
| Avg Delay | 3.1d |
| Negotiations | 0 |
ONION URLS
- xvl63cc5eswldvw5xjagmp2d2y24y4ioyak7f456dxcas5fe3oiyb55v.onion

TOOLS
- nltest
- Chisel
- ADFind
- Mimikatz

FILE EXTENSIONS
- .hack
Charts (not reproduced here): activity timeline, top sectors, top countries, activity heatmap.
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-05 | First Consulting | United States | Legal | Published |

| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1005 | Data from Local System | Collection |
| T1039 | Data from Network Shared Drive | Collection |
| T1071.001 | Web Protocols | Command and Control |
| T1090 | Proxy | Command and Control |
| T1572 | Protocol Tunneling | Command and Control |
| T1110.003 | Password Spraying | Credential Access |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1218.011 | Rundll32 | Defense Evasion |
| T1069 | Permission Groups Discovery | Discovery |
| T1082 | System Information Discovery | Discovery |
| T1059.005 | Visual Basic | Execution |
| T1490 | Inhibit System Recovery | Impact |
| T1531 | Account Access Removal | Impact |
| T1078 | Valid Accounts | Initial Access |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1566.002 | Spearphishing Link | Initial Access |
| T1080 | Taint Shared Content | Lateral Movement |
| T1547.001 | Registry Run Keys | Persistence |
| T1547.009 | Shortcut Modification | Persistence |
No YARA rules
No ransom notes