Ransomware Attack Uncovers Ongoing Espionage in Russian Organizations
Two Russian organizations were simultaneously targeted by separate cyber attack groups, resulting in the exposure of a long-term espionage campaign. The first group, QuietCrabs, believed to be of Asian origin, focused on cyber espionage and maintained a stealthy presence within the victim networks. The second group, known as Thor, attempted to deploy LockBit and Babuk ransomware but was detected early, which inadvertently led to the discovery of QuietCrabs' ongoing activities. Both groups exploited known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and various Ivanti solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to gain initial access.
QuietCrabs utilized an ASPX web shell, KrustyLoader malware, and the Sliver C2 implant for persistence and control, while Thor employed tools such as ADRecon, GodPotato, Secretsdump, Mimikatz, Tactical RMM, MeshAgent, and Rclone for lateral movement, privilege escalation, and data exfiltration. The investigation began after Thor's activity was detected, which prevented the ransomware deployment but also revealed the deeper, more persistent espionage threat posed by QuietCrabs. This incident highlights the risk of multiple, unconnected threat actors targeting the same organization and the potential for noisy attacks to expose more covert operations.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose overlapping espionage and ransomware intrusions
Researchers publicly reported that the overlap between QuietCrabs and Thor in the two Russian companies appeared coincidental rather than collaborative. They also noted that the ToolShell vulnerability, CVE-2025-53770, has been exploited by other Chinese and financially motivated threat actors worldwide.
Thor's noisy intrusion triggers detection before ransomware deployment
Thor's more conspicuous activity led defenders to detect the intrusion early, preventing the ransomware stage from being executed. That response also exposed QuietCrabs' previously hidden espionage foothold in the same environments.
Thor breaches the same Russian firms via SharePoint and Ivanti flaws
A separate threat group, Thor, also compromised the same two Russian companies by exploiting the same set of known SharePoint and Ivanti vulnerabilities. Thor used common tooling for reconnaissance, privilege escalation, persistence, data extraction, and exfiltration.
QuietCrabs exploits SharePoint and Ivanti flaws for initial access
QuietCrabs used known vulnerabilities in Microsoft SharePoint Server and Ivanti products, including CVE-2025-53770, CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, and CVE-2023-38035, to gain entry to victim environments. The actor then deployed KrustyLoader malware and a Sliver C2 implant to support espionage operations.
QuietCrabs establishes long-term access in two Russian companies
An Asian-origin cyber espionage group tracked as QuietCrabs compromised two Russian companies and maintained stealthy access in their networks. The group's reported average dwell time is 393 days, indicating the intrusion likely began well before the later ransomware activity.


