
PFCloud · Bulletproof Hosting · Datacarry Ransomware

Severity: Medium
Published: 02/18/2026 (02/18/2026, 00:00:00 UTC)
Source: CIRCL OSINT Feed

Description

Datacarry ransomware is associated with PFCloud bulletproof hosting services and targets multiple sectors including civil aviation, education, finance, health, insurance, legal, pharmacy, sport, technology, and tourism. The ransomware employs various attack techniques such as exploiting public-facing applications, PowerShell execution, remote desktop protocol access, disabling or modifying security tools, system checks, protocol tunneling, and data exfiltration over command and control channels. It ultimately encrypts data to impact victim organizations. There is no patch available for this threat, and no known exploits in the wild have been reported. The threat has been observed across multiple countries including Belgium, Denmark, France, Greece, Italy, Lithuania, South Africa, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 06/30/2026, 06:21:44 UTC

Technical Analysis

Datacarry ransomware is a malware threat linked to PFCloud bulletproof hosting infrastructure. It targets a broad range of sectors and uses multiple MITRE ATT&CK techniques such as T1190 (exploit public-facing application), T1059.001 (PowerShell), T1021.001 (remote desktop protocol), T1562.001 (disable or modify tools), T1497.001 (system checks), T1071.001 (web protocols), T1572 (protocol tunneling), T1041 (exfiltration over C2 channel), T1486 (data encrypted for impact), and T1567 (exfiltration over web service). The ransomware campaign is ongoing with no official patch or fix available. No confirmed exploits in the wild have been documented. The threat affects multiple countries and sectors, indicating a wide targeting scope.

Potential Impact

The impact involves data encryption leading to operational disruption and potential data loss across multiple critical sectors. The ransomware's use of various attack vectors and exfiltration techniques increases the risk of data compromise and prolonged recovery efforts. No known exploits in the wild have been confirmed, but the presence of the ransomware in multiple sectors and countries suggests a credible medium-level threat.

Mitigation Recommendations

No patch or official fix is currently available for this ransomware threat. Organizations should focus on preventive measures such as securing public-facing applications, restricting PowerShell and remote desktop protocol usage, monitoring for unusual tool modifications, and controlling data exfiltration channels. Since no vendor advisory indicates mitigation or patching, continuous monitoring and incident response preparedness are recommended.


Technical Details

UUID: f88ee265-c1d6-4642-824a-986dae80c7b6
Original timestamp: 1772455068

Indicators of Compromise

Link

https://www.ccitic.org/assets/reports/CCITIC_CASE-RANS-01_TLP-CLEAR_EN.pdf

Text

PFCloud · Bulletproof Hosting · Datacarry Ransomware
Report
CCITIC : CASE-RANS-01 — TLP:CLEAR
SHELL-CN-1
SHELL-UK-2
SHELL-UK-3
SHELL-UK-2 / SHELL-UK-1
Datacarry_Chisel_Tunneling
Datacarry

Vulnerability

CVE-2023-48788

IP


AS


Datetime

2024-06-19T00:00:00+00:00
2024-08-01T00:00:00+00:00
2024-11-15T00:00:00+00:00
2025-01-19T00:00:00+00:00
2025-05-18T00:00:00+00:00
2025-06-13T00:00:00+00:00

File

sos.exe
audiodg.exe
audiofg.exe
KB332.ps1

Hash


YARA

rule Datacarry_Chisel_Tunneling {
    meta:
        author = "CCITIC ASBL"
        date = "2025-11-21"
        description = "Chisel tunneling Datacarry detection"
        tlp = "TLP:CLEAR"
        confidence = "A1"
    strings:
        $s1 = "server34787" ascii wide
        $s2 = "GenuineIntel" ascii wide
        $s3 = "chisel" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 50MB and 2 of them
}

Sigma

title: Datacarry - RDP Backdoor KB332.ps1
id: ccitic-case-rans-01-rdp
status: experimental
description: Unauthorized RDP activation
author: CCITIC ASBL
date: 2025-11-21
tags:
    - attack.t1021.001
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Set-ExecutionPolicy Unrestricted'
            - 'fDenyTSConnections'
            - 'Allow RDP'
    condition: selection
level: critical

Threat ID: 6a435d8527e9c7971930154e

Added to database: 06/30/2026, 06:09:09 UTC

Last enriched: 06/30/2026, 06:21:44 UTC

Last updated: 07/03/2026, 06:42:51 UTC

