Total Victims: 0
First Seen: 2019-06-01
Last Seen: 2026-01-25
Known TTPs: 24
Avg Delay: 31.2d
Negotiations: 0
ONION URLS
kkh4kglw6a2x6mlsiqlv5yjcv3nskukukp54ddwe2jzt634bdyid2r6j.onion
TOOLS
LaZagne, AnyDesk, Atera, PowerTool
FILE EXTENSIONS
.666
Date Victim Name Country Sector Status
No victims recorded
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1039 | Data from Network Shared Drive | Collection |
| T1071.001 | Web Protocols | Command and Control |
| T1219 | Remote Access Software | Command and Control |
| T1558.003 | Kerberoasting | Credential Access |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1055 | Process Injection | Defense Evasion |
| T1070.004 | File Deletion | Defense Evasion |
| T1140 | Deobfuscate/Decode Files | Defense Evasion |
| T1049 | System Network Connections Discovery | Discovery |
| T1069 | Permission Groups Discovery | Discovery |
| T1053.005 | Scheduled Task | Execution |
| T1204.002 | Malicious File | Execution |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1486 | Data Encrypted for Impact | Impact |
| T1491.001 | Internal Defacement | Impact |
| T1561.001 | Disk Wipe | Impact |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1136.001 | Local Account | Persistence |
| T1547.009 | Shortcut Modification | Persistence |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1548.002 | Bypass UAC | Privilege Escalation |

No YARA rules

Type Value Description
md5 8181674ad3d6f5d9bfd90221d80290dd Associated with Typhon ransomware
sha256 2c39b85160b329559906aed4fee771e29c3f666c43529903530f2a84072ca553 Ransomware binary hash observed in Typhon attacks
sha1 10d20d2757dbbeab4debda34a6dada7807a3bd1a Dropper hash observed in Typhon attacks
tox D596AB52D26E1E6A6BFDACFC0EEAA0E3ACDE4DAE7DDD703B6FDAC5FF5FCAEEDB00DF69E12CA4 Tox messenger ID observed in Typhon attacks
btc bc1qe6v0o8hmbdqfieqpjaicyinien54wk3bhwr154 Associated with Typhon ransomware
sha1 12cdad8b26f1e353faf27d44d6c41007c88eb77e Associated with Typhon ransomware
email payment660@tuta.io Contact email observed in Typhon attacks
email recover473@protonmail.com Infrastructure linked to Typhon

No ransom notes