Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Spirals: New Stealthy Ransomware Deployed Against Asian IT Company

0
Medium
Published: 07/16/2026 (07/16/2026, 11:39:23 UTC)
Source: AlienVault OTX General

Description

Spirals is a newly identified ransomware family deployed in a double extortion attack against an IT services company in South Asia in June 2026. The Rust-based ransomware exhibits advanced capabilities such as defense evasion, lateral movement, privilege escalation, and network-wide file encryption using AES-128. Initial access was gained through a compromised internet-facing IIS web server via an ASP.NET web shell. The attackers rapidly deployed the ransomware within 24 hours, established persistence with tunneling tools, disabled endpoint security, harvested credentials from SAM and LSASS, and used reverse-SOCKS proxies for covert command-and-control. The ransomware was distributed using PsExec and threatened data publication within six days. The threat actor remains unidentified, but the sophistication suggests potential for broader campaigns.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 00:49:04 UTC

Technical Analysis

The Spirals ransomware is a sophisticated Rust-based malware family observed in a targeted double extortion attack against a South Asian IT services company. Attackers gained initial access through a compromised IIS web server using an ASP.NET web shell, enabling rapid deployment of ransomware within 24 hours. The malware employs multiple advanced techniques including defense evasion, lateral movement across the network, privilege escalation, credential dumping from SAM hive and LSASS processes, and persistence via multiple tunneling tools. Command-and-control communications are maintained covertly using reverse-SOCKS proxies. Network-wide ransomware distribution leveraged PsExec to encrypt files with AES-128 encryption keys. The attackers also threatened to publish stolen data within six days, indicating a double extortion strategy. No known threat actor attribution or public exploits are currently identified.

Potential Impact

The Spirals ransomware can cause significant operational disruption by encrypting files across a network and threatening data publication, which can lead to data loss, reputational damage, and financial impact. The use of advanced techniques such as privilege escalation, credential dumping, and disabling endpoint security increases the difficulty of detection and mitigation. The rapid deployment within 24 hours and use of lateral movement tools facilitate widespread infection. The double extortion tactic adds pressure on victims to pay ransom to prevent data leakage.

Mitigation Recommendations

No official patch or fix is available for this ransomware as it is malware rather than a software vulnerability. Organizations should focus on preventing initial access by securing internet-facing IIS web servers and detecting ASP.NET web shells. Monitoring for unusual use of tunneling tools, PsExec, and credential dumping activities can aid in early detection. Endpoint security solutions should be kept updated and configured to detect and block ransomware behaviors. Incident response plans should include procedures for containment and recovery from ransomware attacks. Given the threat actor is unidentified and no known exploits are public, vigilance and layered defense are critical.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.security.com/threat-intelligence/ransomware-spirals-extortion"]
Adversary
null
Pulse Id
6a58c2ecd43c8e98d4bdd2e0
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip185.141.216.194

Hash

ValueDescriptionCopy
hash26a15a6a9bea58e9ad2ada9a6c8606b5
hashe25c56bd13eff7280e493bf58501c47891fe63bf
hash0f9574dc38e5c34a31153f0bcc603c6ec29cb3bf65c3d25380dbe86d42573141
hash4cab935d0ec400059a3fcdc95b6623efdd51a61dff401fba8d5da244cc2de649
hash7f0d49b11d0a3697685622ce510c570199bf2dc76515b3f9a6b6735de8c9134b
hash83a7e51f3787ac5a8a9884edd0a58ddbef380969aa6529d282a461a1a614a892
hash84b9a9a1668145df04faa3d0e118e2f0acbebd3d9d260baf3a355b44c815c22d
hash862a3ca7e944ccf0ff3a6d556b34faade4b68343015c35a014a43725ac14a2a1
hashb5d598b00cc3a28cabc5812d9f762819334614bae452db4e7f23eefe7b081556

Url

ValueDescriptionCopy
urlhttps://beta.padmin.com/mybenefits/Templates/cd.zip
urlhttps://computer.kplus.com/cd.zip

Domain

ValueDescriptionCopy
domainbeta.padmin.com
domaincomputer.kplus.com

Threat ID: 6a59782068715ace4305c1a8

Added to database: 07/17/2026, 00:32:32 UTC

Last enriched: 07/17/2026, 00:49:04 UTC

Last updated: 07/17/2026, 03:34:26 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses