Stranger Strings: Yurei Ransomware Operator Toolkit Exposed

· Published 01/04/2026 20:38 · Modified 01/04/2026 19:58

Essential information

Published
01/04/2026 20:38
Modified
01/04/2026 19:58
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
anydesk infostealers netexec netscan yurei ransomware
Tags
2026-04-01 anydesk infostealers netexec netscan yurei ransomware
Related entities
4 indicators, 4 observables, 4 techniques (mitre)

Description

Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site, with a low number of victims listed at the time of writing. Yurei is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. The samples also contained a link to SatanLockv2, based on the PDB path string “D:\satanlockv2” present in the Yurei samples.

External references