PFCloud · Bulletproof Hosting · Datacarry Ransomware
Datacarry ransomware is associated with PFCloud bulletproof hosting services and targets multiple sectors including civil aviation, education, finance, health, insurance, legal, pharmacy, sport, technology, and tourism. The ransomware employs various attack techniques such as exploiting public-facing applications, PowerShell execution, remote desktop protocol access, disabling or modifying security tools, system checks, protocol tunneling, and data exfiltration over command and control channels. It ultimately encrypts data to impact victim organizations. There is no patch available for this threat, and no known exploits in the wild have been reported. The threat has been observed across multiple countries including Belgium, Denmark, France, Greece, Italy, Lithuania, South Africa, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.
AI Analysis
Technical Summary
Datacarry ransomware is a malware threat linked to PFCloud bulletproof hosting infrastructure. It targets a broad range of sectors and uses multiple MITRE ATT&CK techniques such as T1190 (exploit public-facing application), T1059.001 (PowerShell), T1021.001 (remote desktop protocol), T1562.001 (disable or modify tools), T1497.001 (system checks), T1071.001 (web protocols), T1572 (protocol tunneling), T1041 (exfiltration over C2 channel), T1486 (data encrypted for impact), and T1567 (exfiltration over web service). The ransomware campaign is ongoing with no official patch or fix available. No confirmed exploits in the wild have been documented. The threat affects multiple countries and sectors, indicating a wide targeting scope.
Potential Impact
The impact involves data encryption leading to operational disruption and potential data loss across multiple critical sectors. The ransomware's use of various attack vectors and exfiltration techniques increases the risk of data compromise and prolonged recovery efforts. No known exploits in the wild have been confirmed, but the presence of the ransomware in multiple sectors and countries suggests a credible medium-level threat.
Mitigation Recommendations
No patch or official fix is currently available for this ransomware threat. Organizations should focus on preventive measures such as securing public-facing applications, restricting PowerShell and remote desktop protocol usage, monitoring for unusual tool modifications, and controlling data exfiltration channels. Since no vendor advisory indicates mitigation or patching, continuous monitoring and incident response preparedness are recommended.
Affected Countries
Belgium, Denmark, France, Greece, Italy, Lithuania, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom
Indicators of Compromise
- link: https://www.ccitic.org/assets/reports/CCITIC_CASE-RANS-01_TLP-CLEAR_EN.pdf
- text: PFCloud · Bulletproof Hosting · Datacarry Ransomware
- text: Report
- text: CCITIC : CASE-RANS-01 — TLP:CLEAR
- vulnerability: CVE-2023-48788
- ip: 185.216.70.170
- as: 135357
- text: SHELL-CN-1
- datetime: 2024-06-19T00:00:00+00:00
- ip: 77.90.38.170
- as: 135357
- text: SHELL-CN-1
- datetime: 2024-08-01T00:00:00+00:00
- ip: 154.216.19.224
- as: 135357
- text: SHELL-CN-1
- datetime: 2024-11-15T00:00:00+00:00
- ip: 154.216.17.157
- as: 135357
- text: SHELL-CN-1
- datetime: 2025-01-19T00:00:00+00:00
- ip: 176.65.141.201
- as: 214717
- text: SHELL-UK-2
- datetime: 2025-05-18T00:00:00+00:00
- ip: 176.65.141.232
- as: 214717
- text: SHELL-UK-2
- datetime: 2025-05-18T00:00:00+00:00
- ip: 206.123.145.13
- as: 207184
- text: SHELL-UK-3
- datetime: 2025-06-13T00:00:00+00:00
- file: sos.exe
- hash: fa3654b740b3d7b6ab2e097b262f1e4ec70f48a8f76d385fb08c9a66ed0c161d
- file: sos.exe
- hash: 78f234a399b75241f8e961b4a0ff78439fa024d265a70af1a16e167c6cd0f50e
- file: audiodg.exe
- hash: 6b93afe89d923d9694c660d4271f850a5534b7308b1902f4547d841ecea11d42
- file: audiofg.exe
- hash: b1cf41363401fe5671e24fd55ee89b0c177140c482a8dab1b9891db509df52f6
- file: audiodg.exe
- hash: 9b4e60fc6089912f84c96e77f8d905a6c1e9e76d15fdce96958a45ad0e8e6108
- file: KB332.ps1
- hash: a1b1a4aa5e90404a55d1fdf16f53b3689f3f2d62dfeec4d8c324d445a1e29db1
- ip: 154.216.19.224
- as: 135357
- text: SHELL-CN-1
- ip: 154.216.17.157
- as: 135357
- text: SHELL-CN-1
- ip: 176.65.141.201
- as: 214717
- text: SHELL-UK-2 / SHELL-UK-1
- ip: 176.65.141.232
- as: 214717
- text: SHELL-UK-2
- ip: 206.123.145.13
- as: 207184
- text: SHELL-UK-3
- text: Datacarry_Chisel_Tunneling
- yara:

```yara
rule Datacarry_Chisel_Tunneling {
    meta:
        author = "CCITIC ASBL"
        date = "2025-11-21"
        description = "Chisel tunneling Datacarry detection"
        tlp = "TLP:CLEAR"
        confidence = "A1"
    strings:
        $s1 = "server34787" ascii wide
        $s2 = "GenuineIntel" ascii wide
        $s3 = "chisel" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 50MB and 2 of them
}
```
- text: Datacarry
- sigma:

```yaml
title: Datacarry - RDP Backdoor KB332.ps1
id: ccitic-case-rans-01-rdp
status: experimental
description: Unauthorized RDP activation
author: CCITIC ASBL
date: 2025-11-21
tags:
    - attack.t1021.001
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Set-ExecutionPolicy Unrestricted'
            - 'fDenyTSConnections'
            - 'Allow RDP'
    condition: selection
level: critical
```
Technical Details
- Uuid: f88ee265-c1d6-4642-824a-986dae80c7b6
- Original Timestamp: 1772455068
Threat ID: 6a435d8527e9c7971930154e
Added to database: 06/30/2026, 06:09:09 UTC
Last enriched: 06/30/2026, 06:21:44 UTC
Last updated: 07/03/2026, 06:42:51 UTC