NightSpire
NightSpire is an emerging ransomware operation first observed in early 2025, with reporting indicating discovery around February 2025 and operation of a leak site from March 12, 2025. It evolved from exfiltration-only extortion into a double-extortion model, stealing data and then encrypting victim systems while threatening publication of stolen information on a Tor-based leak site if payment is not made. Multiple sources describe it as a closed-group operation rather than a public RaaS platform, although some reporting has characterized it as operating under a RaaS model, so its exact operating structure is not fully settled.
Observed tradecraft shows broad, opportunistic targeting across countries and sectors. Reported victims span at least 33 countries, with the United States most affected, and sectors including healthcare, education, government, financial services, manufacturing, hospitality, IT services, logistics, and industrial organizations. Named victims or victim claims include hospitals, schools, government offices, financial institutions, Hyatt Place Chelsea New York, Pioneer Ocean Freight, and Nippon Ceramic.
Documented intrusion activity indicates initial access commonly via Remote Desktop Protocol (RDP). For persistence and remote access, operators used legitimate administration tools, Chrome Remote Desktop and AnyDesk, rather than custom backdoors. In observed incidents, Chrome Remote Desktop ran as the Windows service "Chrome Remote Desktop Service," and the email prince1990905@gmail[.]com was associated with a Chrome Remote Desktop deployment; an unexpected installation of that service, or an AnyDesk install on a host that has no business need for it, is therefore a useful hunting pivot. Operators used Everything (voidtools) for file discovery, 7-Zip to create password-protected archives, and MEGAsync/MEGA for what was assessed as exfiltration. Huntress also observed use of VMware Workstation and WPS Office in a March 2026 intrusion. Reporting notes that some public descriptions referenced LOLBins such as WMI or PsExec, but in the March 2026 Huntress case the actor instead downloaded external tools.
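The tool chain above (remote-access tooling, Everything for discovery, password-protected 7-Zip archives, MEGAsync) is visible in ordinary process-creation telemetry. The following is an added example written for this page, not code from NightSpire, Huntress, or any vendor report: it runs a small rule set over Sysmon-style process-creation records and reports which stages of the chain each host shows. The record fields (host, image, cmdline, parent), the sample events, and the remoting_host.exe binary name for Chrome Remote Desktop are assumptions made for the illustration.

```python
"""Behavioral hunt for the NightSpire tradecraft chain (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str      # full path of the created process (assumed field name)
    cmdline: str    # command line of the created process
    parent: str     # image of the parent process


def _img(name: str) -> Callable[[ProcEvent], bool]:
    """Predicate: the created process image file name equals `name`."""
    return lambda e: e.image.lower().endswith("\\" + name)


# One rule per tradecraft stage, named phase:tool so phases can be counted.
RULES: list[tuple[str, Callable[[ProcEvent], bool]]] = [
    # remoting_host.exe as the CRD host binary is an assumption of this example.
    ("remote_access:chrome_remote_desktop",
     lambda e: "remoting_host.exe" in e.image.lower()
               or "chrome remote desktop" in e.cmdline.lower()),
    ("remote_access:anydesk", _img("anydesk.exe")),
    ("discovery:everything", _img("everything.exe")),
    # 7-Zip archive creation ('a' verb) with a -p<password> switch.
    ("staging:7zip_password_archive",
     lambda e: _img("7z.exe")(e)
               and re.search(r"\s+a\s", " " + e.cmdline + " ") is not None
               and re.search(r"(^|\s)-p\S+", e.cmdline) is not None),
    ("exfil:megasync", _img("megasync.exe")),
]


def hunt(events: Iterable[ProcEvent]) -> dict[str, list[str]]:
    """Return {host: [stages matched]} in first-seen order, deduplicated."""
    hits: dict[str, list[str]] = defaultdict(list)
    for e in events:
        for stage, pred in RULES:
            if pred(e) and stage not in hits[e.host]:
                hits[e.host].append(stage)
    return dict(hits)


def chain_score(stages: list[str]) -> int:
    """Count distinct phases (remote_access, discovery, staging, exfil) on a
    host; three or more on one host deserves immediate analyst attention."""
    return len({s.split(":", 1)[0] for s in stages})


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a benign
# 7-Zip extraction. Paths mirror the redacted staging path from the reporting.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Program Files (x86)\Google\Chrome Remote Desktop\140.0\remoting_host.exe",
              "remoting_host.exe --type=host", r"C:\Windows\System32\services.exe"),
    ProcEvent("WS01", r"C:\Users\REDACTED\Downloads\Everything.exe", "Everything.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a -pHunter2 C:\Users\REDACTED\Downloads\out.7z D:\Finance",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS01", r"C:\Users\REDACTED\AppData\Local\MEGAsync\MEGAsync.exe", "MEGAsync.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS02", r"C:\Program Files\7-Zip\7z.exe", "7z.exe x report.7z",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, chain_score(stages), stages)
```

The rules deliberately key on the archive creation verb plus a password switch rather than on 7-Zip alone, since 7-Zip is common on workstations; the same applies to AnyDesk, which should be scored against an allowlist of hosts where it is sanctioned.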
The encryptor has been reported as Go-based. It traverses accessible drives and paths, appends the .nspire extension to encrypted files, and drops ransom notes in affected folders. NightSpire also has reported capability to encrypt OneDrive files without changing their extensions. Observed ransom note filenames include _nightspire_readme.txt and [nspire_msg].txt. In one March 2026 case, the ransom note claimed theft of 2.5 TB of data, though that volume was not independently validated.
High-confidence indicators from reporting include SHA256 bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 for an enc.exe sample dated 2025-12-02 and SHA256 ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 for an enc.exe sample dated 2026-03-25. Additional observed artifacts include the ransom note names _nightspire_readme.txt and [nspire_msg].txt, the .nspire encrypted-file extension, the Chrome Remote Desktop-associated email prince1990905@gmail[.]com, and the staging path C:\Users\[REDACTED]\Downloads.
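The artifacts listed above can be swept for on a suspect host or a mounted disk image. The following is an added example, not code from any vendor report: it walks a directory tree and reports files carrying the .nspire extension, the two observed ransom note names, and any executable whose SHA-256 matches the enc.exe hashes above. The sample tree it builds is constructed for illustration; note the caveat that OneDrive files encrypted without a rename will not be caught by the extension check, so the ransom note check is the more reliable signal in synced folders.

```python
"""Filesystem sweep for the NightSpire artifacts (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".nspire"
RANSOM_NOTES = {"_nightspire_readme.txt", "[nspire_msg].txt"}
# enc.exe samples from public reporting (2025-12-02 and 2026-03-25).
KNOWN_SHA256 = {
    "bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355",
    "ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7",
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=KNOWN_SHA256) -> dict:
    """Return the NightSpire artifacts found under root.

    Caveat from the reporting: OneDrive files are encrypted without renaming,
    so the extension check misses them; the ransom note check still fires.
    """
    found = {"encrypted": [], "notes": [], "hash_matches": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                found["encrypted"].append(str(p))
            if name.lower() in RANSOM_NOTES:
                found["notes"].append(str(p))
            if name.lower().endswith(".exe"):
                digest = sha256_file(p)
                if digest in known_hashes:
                    found["hash_matches"].append((str(p), digest))
    return found


def build_sample_tree(root: Path) -> Path:
    """Constructed victim-like layout: one encrypted document, both note
    names, and a placeholder enc.exe that does NOT match the real hashes."""
    docs = root / "Users" / "REDACTED" / "Documents"
    docs.mkdir(parents=True)
    (docs / "Q1_budget.xlsx.nspire").write_bytes(os.urandom(64))
    (docs / "_nightspire_readme.txt").write_text("constructed placeholder note\n")
    (root / "Users" / "REDACTED" / "[nspire_msg].txt").write_text("constructed\n")
    downloads = root / "Users" / "REDACTED" / "Downloads"
    downloads.mkdir()
    (downloads / "enc.exe").write_bytes(b"MZ constructed placeholder, not the real sample")
    return root


def demo() -> dict:
    """Build the constructed tree in a temp directory and sweep it twice: once
    against the real hashes (no executable match expected) and once with the
    placeholder enc.exe hash added, to show the hash path firing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        baseline = sweep(root)
        placeholder = sha256_file(root / "Users" / "REDACTED" / "Downloads" / "enc.exe")
        with_placeholder = sweep(root, KNOWN_SHA256 | {placeholder})
    return {"baseline": baseline, "with_placeholder": with_placeholder}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, {k: len(v) for k, v in result.items()})
```

On a live host run the sweep from a clean environment against a mounted or read-only view of the volume; hashing every .exe is the slow part, so restrict it to user-writable locations such as the Downloads staging path first if time is short.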
Reporting also notes that NightSpire communications have used ProtonMail, OnionMail, and Telegram, and places NightSpire among the active ransomware groups of 2025-2026, with rapid growth in victim volume and repeated inclusion in ransomware ecosystem tracking.
Quarterly tracking describes NightSpire as a closed-group operation with OneDrive cloud encryption capability whose victim count expanded by 183%, from 29 victims to 82, sustaining growth across two consecutive quarters.
Techniques & procedures
10 distinct techniques are documented for this family, organized by ATT&CK tactic: Initial Access (1), Execution (2), Persistence (1), Discovery (1), Lateral Movement (1), Collection (3), Exfiltration (1).
Recent activity
A Go-based ransomware family that uses double extortion: attackers steal sensitive files, exfiltrate them, then encrypt victim systems and threaten to publish stolen data on a Tor-based leak site if payment is not made. It appends the .nspire extension to encrypted files, drops ransom notes, and has been observed encrypting OneDrive files without changing their extensions.
A closed-group ransomware operation with OneDrive cloud encryption capability and exploitation tied to FortiGate access.
A ransomware family first reported in February 2025. Reporting is divided on whether it operates as RaaS or as a closed in-house operation. Observed activity included RDP access, persistence via Chrome Remote Desktop and AnyDesk, use of Everything and 7-Zip for staging, MEGAsync for exfiltration, and deployment of a file encryptor that used extensions such as .nspire and ransom notes including _nightspire_readme.txt and [nspire_msg].txt.
Ransomware operation claiming to have breached Hyatt and offering a free download of 48.5 GB of allegedly stolen data (data-theft/extortion behavior).