NightSpire Ransomware Posts Fresh Victims on May 25–26; Group Now at 265 Claimed Victims Across 52 Countries Amid Suspected RaaS Pivot

NightSpire posted new victims on May 25–26 including Egyptian entity basatamfi, Spanish industrial distributor Bresme Madrid, and multiple others, bringing its total claimed victim count to 265 across 52 countries since March 2025. The group, assessed as a rebrand of Rbfs ransomware with likely India-linked operators, achieves initial access primarily via CVE-2024-55591 (FortiOS/FortiProxy auth bypass) and RDP brute force, and has been accelerating toward a RaaS model after publicly inviting affiliates in April 2026. Defenders should note the group's Go-based payload, sub-two-day ransom deadlines, and a pattern of directly emailing victim employees to apply pressure — telemetry also shows 17.7% of victim domains have associated infostealer infection history, suggesting credential theft as a parallel entry vector.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.