Stranger Strings: Yurei Ransomware Operator Toolkit Exposed
Essential information
- Published: 01/04/2026 20:38
- Modified: 01/04/2026 19:58
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: anydesk infostealers netexec netscan yurei ransomware
- Tags: 2026-04-01 anydesk infostealers netexec netscan yurei ransomware
- Related entities: 4 indicators, 4 observables, 4 techniques (mitre)
Description
Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site, with a low number of victims listed at the time of writing. Yurei is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei ransomware samples also contained a link to SatanLockv2, based on the PDB path string “D:\satanlockv2” present in the samples.