DMZ//THREAT INTEL
TLP:WHITE | THREAT ACTOR DOSSIER // NIGHTSPIRE | FIRST SEEN: FEB 2025

NIGHTSPIRE

ALSO KNOWN AS: Rbfs (probable predecessor)
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Unknown (infrastructure indicators suggest an India-linked operator nexus with possible Chinese-speaking involvement; no formal attribution)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: FEB 2025
TECHNICAL: 60/100
RESOURCES: 60/100
PERSISTENCE: 63/100
STEALTH: 55/100
IMPACT: 69/100

A rapidly maturing ransomware group first observed in February 2025 and strongly assessed as a rebrand of the defunct Rbfs operation, based on overlapping victims, shared infrastructure, and synchronized activity cessation. NightSpire reached 259 claimed victims across 30+ countries by May 2026, posting 74 victims in Q1 2026 alone to rank among the top active groups. In April 2026, the group publicly announced a shift toward a RaaS affiliate model, marking a structural evolution from its closed in-house operation.

MOTIVATION: Financial extortion via double-extortion ransomware

TTPs: Exploitation of exposed perimeter assets (VPNs, RDP) and credential stuffing for initial access; double extortion (encryption plus data theft); Go-based ransomware payload that appends the .nspire extension; VSS (Volume Shadow Copy) deletion; exfiltration via WinSCP with MEGASync for data staging; 7-Zip and Everything for data collection; AnyDesk and Chrome Remote Desktop for persistence; Mimikatz credential dumping; PAExec lateral movement; ransom deadline pressure tactics
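As an added example that is not part of the dossier, the following Python helper maps constructed endpoint telemetry lines onto the TTP chain listed above and flags a host for escalation once the impact stage (shadow copy deletion or .nspire renames) appears alongside an earlier stage. Only the .nspire extension comes from the page; the process names (paexec.exe, vssadmin delete shadows, 7z.exe, MEGAsync, Everything.exe) and the log line format are assumptions.

```python
import re

# One pattern per stage, matched against a single event line. Stage order matters:
# the first match wins. Process names other than ".nspire" are assumptions.
STAGES = {
    "credential_dumping":    re.compile(r"\bmimikatz\b", re.I),
    "lateral_movement":      re.compile(r"\bpaexec(\.exe)?\b", re.I),
    "persistence_rat":       re.compile(r"\b(anydesk|chrome remote desktop)\b", re.I),
    "collection":            re.compile(r"\b(7z(?:a|g)?\.exe|everything\.exe)\b", re.I),
    "exfiltration":          re.compile(r"\b(winscp|megasync)\b", re.I),
    "shadow_copy_deletion":  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "encryption":            re.compile(r"\.nspire\b", re.I),
}

def classify_event(line):
    """Return the TTP stage a single event line matches, or None."""
    for stage, pattern in STAGES.items():
        if pattern.search(line):
            return stage
    return None

def triage(lines):
    """Group events by stage. Returns (hits, escalate) where hits maps each stage
    to its matching lines and escalate is True when an impact-stage event is seen
    together with any earlier stage, i.e. data is likely already staged."""
    hits = {stage: [] for stage in STAGES}
    for line in lines:
        stage = classify_event(line)
        if stage:
            hits[stage].append(line)
    late = bool(hits["shadow_copy_deletion"] or hits["encryption"])
    early = any(hits[s] for s in ("credential_dumping", "lateral_movement",
                                  "persistence_rat", "collection", "exfiltration"))
    return hits, late and early

# Constructed sample telemetry (host, event type, detail); not real logs.
SAMPLE = [
    "HOST01 proc C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "HOST01 proc C:\\Tools\\paexec.exe \\\\HOST02 -s cmd.exe",
    "HOST02 proc C:\\Users\\Public\\7z.exe a staging.7z D:\\Finance",
    "HOST02 file rename D:\\Finance\\ledger.xlsx -> D:\\Finance\\ledger.xlsx.nspire",
    "HOST03 proc C:\\Program Files\\Notepad++\\notepad++.exe report.txt",
]

if __name__ == "__main__":
    hits, escalate = triage(SAMPLE)
    for stage, events in hits.items():
        print(f"{stage}: {len(events)} event(s)")
    print("escalate:", escalate)
```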

TARGETED SECTORS:
MANUFACTURING
TECHNOLOGY
HEALTHCARE
CONSTRUCTION
BUSINESS SERVICES

INFRASTRUCTURE: Tor-based data leak site; Go (Golang) ransomware payload; WinSCP server (IP: 14.139.185[.]60, identified by S-RM); MEGASync for exfiltration; RaaS recruitment pages emerging on Tor onion domains (Feb–Mar 2026)

FILE DATE: FEB 2025
Initial Operations (Closed Group)
Emerged as a closed, self-managed operation immediately adopting double extortion, with rapid victim accumulation across manufacturing, technology, and healthcare sectors.
FILE DATE: Q1 2026
Operational Scale-Up
Posted 74 victims in Q1 2026 alone across 28 industries and ███████████████████ notable attacks including a 350GB data theft from an engineering firm in March 2026.
FILE DATE: APR 2026
RaaS Affiliate Program Launch
NightSpire publicly announced affiliate recruitment on its data leak site, signaling a structural shift from closed operations to a scalable RaaS model.