Spirals: New Stealthy Ransomware Deployed Against Asian IT Company
Essential information
- Published
- 16/07/2026 13:39
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- asp.net web shell chisel cloudflare tunnel credential dumping double extortion it services lateral movement revsocks rust-based ransomware south asia spirals web shell
- Related entities
- 12 indicators, 5 observables, 19 techniques (mitre), 5 malware
Description
A previously unseen ransomware family named Spirals was deployed in a double extortion attack against an IT services company in South Asia in June 2026. The Rust-based payload demonstrated sophisticated capabilities including defense evasion, encryption, lateral movement, and privilege escalation. Attackers gained initial access through a compromised internet-facing IIS web server via an ASP.NET web shell, moving rapidly to deploy ransomware within 24 hours. They established persistence using multiple tunneling tools, disabled endpoint security, harvested credentials through SAM hive and LSASS dumps, and deployed reverse-SOCKS proxies for covert command-and-control. The ransomware was distributed across the network using PsExec, encrypting files with AES-128 keys and threatening data publication within six days. The skilled execution suggests potential for wider campaigns, though the threat actor remains unidentified.