{
  "name": "Stranger Strings: Yurei Ransomware Operator Toolkit Exposed",
  "slug": "stranger-strings-yurei-ransomware-operator-toolkit-exposed",
  "description": "Active since September 2025, Yurei is a double-extortion ransomware campaign. The operators run their own Tor data leak site, with a low number of victims listed at the time of writing. Yurei is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei ransomware samples also showed a link to SatanLockv2, based on the PDB path string \u201cD:\\satanlockv2\u201d found in the samples.",
  "published": "2026-04-01T18:38:57.381000+00:00",
  "created_at": "2026-04-01T19:58:57.879000+00:00",
  "modified_at": "2026-04-01T17:58:57+00:00",
  "created_at_opencti": "2026-04-01T19:58:57.879000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "anydesk",
    "infostealers",
    "netexec",
    "netscan",
    "yurei ransomware"
  ],
  "tags": [
    "2026-04-01",
    "anydesk",
    "infostealers",
    "netexec",
    "netscan",
    "yurei ransomware"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "441d10ca-1ed6-41a8-a601-de791d0bf029",
        "name": "1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5"
      },
      {
        "id": "470bdc1c-3b6b-42b4-9929-bb1f2f2db86e",
        "name": "ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea"
      },
      {
        "id": "3c4e9fb4-7b7d-4d42-8751-68a5e72ec03b",
        "name": "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461"
      },
      {
        "id": "7df00bcd-8d8d-4b8c-8586-b2339d0f16c5",
        "name": "26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "f7bc1740-747c-458e-aca7-fd05c60f06f3",
        "name": "T1550.002"
      }
    ],
    "observables": [
      {
        "id": "",
        "name": "1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5"
      },
      {
        "id": "",
        "name": "ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea"
      },
      {
        "id": "",
        "name": "4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461"
      },
      {
        "id": "",
        "name": "26f51df1a12230b6bb583f3003c102a79106b049f89d9b9d43c6e85e072bd99e"
      }
    ]
  },
  "external_refs": [
    {
      "id": "cace7489-7ffc-4671-8f1a-39f6e9390aff",
      "standard_id": "external-reference--23b2098a-8c46-51c0-a8d3-38a632de80ab",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69cd66412a30a525e66b507d",
      "hash": null,
      "external_id": "69cd66412a30a525e66b507d",
      "created": "2026-04-01T19:58:57.802Z",
      "modified": "2026-04-01T19:58:57.802Z",
      "createdById": null
    },
    {
      "id": "0eb9a3f9-e8ea-4cda-8729-2996e59f8316",
      "standard_id": "external-reference--83692399-ff18-5669-98d9-32cd5cec2b7c",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.team-cymru.com/post/yurei-double-extortion-ransomware-campaign-toolkit",
      "hash": null,
      "external_id": null,
      "created": "2026-04-01T19:58:57.832Z",
      "modified": "2026-04-01T19:58:57.832Z",
      "createdById": null
    }
  ]
}