Total Victims: 1
First Seen: 2020-06-01
Last Seen: 2026-03-06
Known TTPs: 0
Avg Delay: 15.8d
Negotiations: 0
ONION URLS
lc65fb3wrvox6xlyn4hklwjcojau55diqxxylqs4qsfng23ftzijnxad.onion
TOOLS
Process Hacker, GMER, Mimikatz, SharpDPAPI, Rubeus
FILE EXTENSIONS
.ransom
Date | Victim Name | Country | Sector | Status
2026-03-06 | Bay Dynamics | United States | Automotive | Published

No TTPs data

No YARA rules

Type | Value | Description

No ransom notes