216.73.217.19

Spirals: New Stealthy Ransomware Deployed Against Asian IT Company

· Published 16/07/2026 13:39

Export JSON

Essential information

Published
16/07/2026 13:39
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
asp.net web shell chisel cloudflare tunnel credential dumping double extortion it services lateral movement revsocks rust-based ransomware south asia spirals web shell
Related entities
12 indicators, 5 observables, 19 techniques (mitre), 5 malware

Description

A previously unseen ransomware family named Spirals was deployed in a attack against an company in in June 2026. The Rust-based payload demonstrated sophisticated capabilities including defense evasion, encryption, , and privilege escalation. Attackers gained initial access through a compromised internet-facing IIS web server via an ASP.NET , moving rapidly to deploy ransomware within 24 hours. They established persistence using multiple tunneling tools, disabled endpoint security, harvested credentials through SAM hive and LSASS dumps, and deployed reverse-SOCKS proxies for covert command-and-control. The ransomware was distributed across the network using PsExec, encrypting files with AES-128 keys and threatening data publication within six days. The skilled execution suggests potential for wider campaigns, though the threat actor remains unidentified.

External references