1 malware family

QuadSwitcher

Also known asQuadSwitcher

QuadSwitcher is identified in the provided content as an affiliate linked to multiple ransomware groups, including Play and RansomHub. The content directly associates QuadSwitcher with Play reporting, where it is listed among reported associations to the Play ransomware operation (also known as PlayCrypt). No additional high-confidence details about QuadSwitcher’s independent operations, targeting, tooling, or TTPs are directly provided beyond this affiliate linkage and association. Known alias from the content: quadswitcher.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

manufacturing

MITRE ATT&CK

Tradecraft

15 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics24 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1583

Acquire Infrastructure

T1588

Obtain Capabilities

T1588.002

Tool

TA0001

Initial Access

1 technique

T1078×2

Valid Accounts

T1078.002

Domain Accounts

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.003

Windows Command Shell

TA0003

Persistence

1 technique

T1078×2

Valid Accounts

T1078.002

Domain Accounts

TA0004

Privilege Escalation

1 technique

T1078×2

Valid Accounts

T1078.002

Domain Accounts

TA0005

Stealth

2 techniques

T1078×2

Valid Accounts

T1078.002

Domain Accounts

T1218

System Binary Proxy Execution

TA0006

Credential Access

1 technique

T1110

Brute Force

TA0007

Discovery

1 technique

T1087

Account Discovery

TA0008

Lateral Movement

1 technique

T1021

Remote Services

T1021.001

Remote Desktop Protocol

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1132

Data Encoding

T1132.002

Non-Standard Encoding

T1219

Remote Access Tools

TA0010

Exfiltration

1 technique

T1537

Transfer Data to Cloud Account

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

PLAYPlay (AKA PlayCrypt) ransomware is a private ransomware operation that has been active since, at least, June 2022. The group operates in a double extortion method, where the victim data is stolen and leaked via a data leak site if the ransom demand is not paid.1Mar 18, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

blackpoint cyberNews

Mar 18, 2026

Affiliate linked to Play and Ransomhub; attributed with targeting a manufacturing company in 2024, suggesting cross-group cooperation/affiliate reuse.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping15

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.