Threat Actor Profile
High
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (35)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
# Threat-actor record for the 'nightspire' ransomware group, as rendered on
# the profile page.  This is a pretty-printed Python dict literal (note the
# None/True/False literals), NOT JSON: a strict JSON consumer will reject it
# as-is.  Adjacent string literals inside the lists below are implicit
# concatenations produced by the pretty-printer, not separate values.
{'added_date': '2025-03-12',
 # NOTE(review): this looks like the e-mail of the API client/account that
 # fetched the record rather than an attribute of the threat actor — confirm,
 # and strip it before the profile is shared or re-published.
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': None,
 # Observation window for the group (RFC 3339, UTC).
 'firstseen': '2025-02-17T00:00:00+00:00',
 'group': 'nightspire',
 'has_negotiations': True,
 'has_ransomnote': True,
 'lastseen': '2026-04-27T00:00:00+00:00',
 # Leak-site (DLS) infrastructure.  'available' is the reachability state at
 # the time the record was built; the .onion hostnames are usable as
 # network-indicator values for monitoring regardless of that flag.
 'locations': [{'available': False,
'fqdn': 'a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion',
'slug': 'http://a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion',
'title': 'NightSpire',
'type': 'DLS'},
{'available': True,
'fqdn': 'nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion',
'slug': 'http://nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion/database',
'title': 'RaaS Service Started',
'type': 'DLS'},
{'available': False,
'fqdn': 'nspirebcv4sy3yydtaercuut34hwc4fsxqqv4b4ye4xmo6qp3vxhulqd.onion',
'slug': 'http://nspirebcv4sy3yydtaercuut34hwc4fsxqqv4b4ye4xmo6qp3vxhulqd.onion/database',
'title': 'Database | NightSpire',
'type': 'DLS'},
{'available': True,
'fqdn': 'nspire7lugml7ybqyjaaxtsgrs4qn3fcon3lrjbih6wamttvdm5ke4qd.onion',
'slug': 'http://nspire7lugml7ybqyjaaxtsgrs4qn3fcon3lrjbih6wamttvdm5ke4qd.onion',
'title': 'Verify human - NightSpire',
'type': 'DLS'},
{'available': False,
'fqdn': 'nspiremkiq44zcxjbgvab4mdedyh2pzj5kzbmvftcugq3mczx3dqogid.onion',
'slug': 'http://nspiremkiq44zcxjbgvab4mdedyh2pzj5kzbmvftcugq3mczx3dqogid.onion/database',
'title': 'Database | NightSpire',
'type': 'DLS'},
{'available': False,
'fqdn': 'nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion',
'slug': 'http://nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion/database',
'title': 'NightSpire',
'type': 'DLS'}],
'negotiation_count': 11,
'ransomnotes_count': 3,
# 'tiaras_metadata' repeats the top-level 'locations', 'negotiation_count',
# 'ransomnotes_count', 'tools', 'url', 'victims' and 'vulnerabilities' values
# verbatim.  Two copies of the same data can drift apart on the next
# refresh; consumers should treat one of them as the source of truth.
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion',
'slug': 'http://a2lyiiaq4n74tlgz4fk3ft4akolapfrzk772dk24iq32cznjsmzpanqd.onion',
'title': 'NightSpire',
'type': 'DLS'},
{'available': True,
'fqdn': 'nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion',
'slug': 'http://nspirep7orjq73k2x2fwh2mxgh74vm2now6cdbnnxjk2f5wn34bmdxad.onion/database',
'title': 'RaaS Service Started',
'type': 'DLS'},
{'available': False,
'fqdn': 'nspirebcv4sy3yydtaercuut34hwc4fsxqqv4b4ye4xmo6qp3vxhulqd.onion',
'slug': 'http://nspirebcv4sy3yydtaercuut34hwc4fsxqqv4b4ye4xmo6qp3vxhulqd.onion/database',
'title': 'Database | NightSpire',
'type': 'DLS'},
{'available': True,
'fqdn': 'nspire7lugml7ybqyjaaxtsgrs4qn3fcon3lrjbih6wamttvdm5ke4qd.onion',
'slug': 'http://nspire7lugml7ybqyjaaxtsgrs4qn3fcon3lrjbih6wamttvdm5ke4qd.onion',
'title': 'Verify human - NightSpire',
'type': 'DLS'},
{'available': False,
'fqdn': 'nspiremkiq44zcxjbgvab4mdedyh2pzj5kzbmvftcugq3mczx3dqogid.onion',
'slug': 'http://nspiremkiq44zcxjbgvab4mdedyh2pzj5kzbmvftcugq3mczx3dqogid.onion/database',
'title': 'Database | NightSpire',
'type': 'DLS'},
{'available': False,
'fqdn': 'nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion',
'slug': 'http://nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion/database',
'title': 'NightSpire',
'type': 'DLS'}],
'negotiation_count': 11,
'ransomnotes_count': 3,
'ransomware_live_group': 'nightspire',
# Tooling by category.  Only three entries are populated; the empty
# categories mean "nothing recorded", not "none used".
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['Everything.exe'],
'Exfiltration': ['MEGA', 'WinSCP'],
'LOLBAS': [],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/nightspire',
'victims': 256,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
# Same tool inventory as tiaras_metadata['tools'] above.
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['Everything.exe'],
'Exfiltration': ['MEGA', 'WinSCP'],
'LOLBAS': [],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
# MITRE ATT&CK mapping, grouped by tactic.  Thirteen tactics carry 35
# technique entries in total, which matches the count in the page header.
# Each 'technique_details' value is one string split across several literals.
'ttps': [{'tactic_id': 'TA0042',
'tactic_name': 'Resource Development',
'techniques': [{'technique_details': 'Custom Go-based ransomware '
'development with modular '
'architecture.',
'technique_id': 'T1587',
'technique_name': 'Develop Capabilities'}]},
{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
# Edge-device exploitation is the headline access vector here.  Mitigation
# is the vendor fix for CVE-2024-55591; the Persistence entry below (T1136,
# admin-account creation on FortiGate) is the follow-on activity to alert on
# when assessing whether exposure was actually exploited.
'techniques': [{'technique_details': 'Exploitation of '
'CVE-2024-55591 — '
'FortiOS/FortiProxy '
'authentication bypass; '
'unauthenticated attackers '
'gain super-admin privileges '
'via crafted POST requests to '
'/api/v2/cmdb/.',
'technique_id': 'T1190',
'technique_name': 'Exploit Public-Facing '
'Application'},
{'technique_details': 'Compromised RDP credentials '
'used for initial access.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'},
# Brute force plus MFA fatigue: phishing-resistant MFA and lockout policies
# on externally reachable RDP address both listed sub-behaviours.
{'technique_details': 'Brute-forcing remote login '
'credentials (RDP) and MFA '
'fatigue attacks.',
'technique_id': 'T1110',
'technique_name': 'Brute Force'},
{'technique_details': 'Malicious attachments and '
'drive-by downloads.',
'technique_id': 'T1566',
'technique_name': 'Phishing'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'PowerShell scripts, batch '
'files, PsExec, WMI; '
'conhost.exe command execution '
'window.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'},
{'technique_details': 'Abuse of legitimate tools '
'(WinSCP, MEGACmd, 7-Zip, '
'PsExec) across the attack '
'chain.',
'technique_id': 'T1072',
'technique_name': 'Software Deployment Tools'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Administrative account '
'creation post-exploitation on '
'FortiGate devices.',
'technique_id': 'T1136',
'technique_name': 'Create Account'},
{'technique_details': 'Reboot persistence '
'mechanisms.',
'technique_id': 'T1547',
'technique_name': 'Boot or Logon Autostart '
'Execution'},
# In a Python literal '\\' is a single backslash, so the path below reads
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce) — a
# standard autostart location worth baselining on affected hosts.
{'technique_details': 'Persistence via '
'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
'and RunOnce.',
'technique_id': 'T1547.001',
'technique_name': 'Boot or Logon Autostart '
'Execution: Registry Run Keys / '
'Startup Folder'},
{'technique_details': 'Persistence via Windows Task '
'Scheduler; service creation '
'and modification.',
'technique_id': 'T1053',
'technique_name': 'Scheduled Task/Job'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'FortiOS super-admin access '
'via CVE-2024-55591 '
'exploitation.',
'technique_id': 'T1068',
'technique_name': 'Exploitation for Privilege '
'Escalation'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
# The evasion profile relies on renamed copies of legitimate utilities, so
# detections keyed on file name alone are weak; hash, signer and parent-
# process context are the more reliable pivots for the tools named here.
'techniques': [{'technique_details': 'Renamed processes and use of '
'legitimate tools (WinSCP, '
'MEGACmd, 7-Zip, PsExec) '
'blending into normal '
'operations.',
'technique_id': 'T1036',
'technique_name': 'Masquerading'},
{'technique_details': 'Execution via legitimate '
'system binaries (LOLBins) to '
'evade detection.',
'technique_id': 'T1218',
'technique_name': 'System Binary Proxy Execution'},
{'technique_details': 'Obfuscation techniques to '
'evade analysis.',
'technique_id': 'T1027',
'technique_name': 'Obfuscated Files or Information'},
{'technique_details': 'Removal of forensic '
'indicators from compromised '
'systems.',
'technique_id': 'T1070',
'technique_name': 'Indicator Removal'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_details': 'Credential dumping via '
'Mimikatz.',
'technique_id': 'T1003',
'technique_name': 'OS Credential Dumping'},
{'technique_details': 'LSASS memory extraction for '
'credential harvesting.',
'technique_id': 'T1003.001',
'technique_name': 'OS Credential Dumping: LSASS '
'Memory'},
{'technique_details': 'Harvesting of stored '
'credentials within the '
'environment.',
'technique_id': 'T1552',
'technique_name': 'Unsecured Credentials'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Network scanning to map '
'internal infrastructure using '
'Advanced IP Scanner.',
'technique_id': 'T1046',
'technique_name': 'Network Service Discovery'},
{'technique_details': 'Process enumeration on '
'compromised systems.',
'technique_id': 'T1057',
'technique_name': 'Process Discovery'},
{'technique_details': 'Collection of system details '
'from compromised hosts.',
'technique_id': 'T1082',
'technique_name': 'System Information Discovery'},
{'technique_details': 'File indexing and enumeration '
'using Everything.exe.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'RDP-based lateral movement '
'across compromised network.',
'technique_id': 'T1021.001',
'technique_name': 'Remote Services: Remote Desktop '
'Protocol'},
{'technique_details': 'Lateral movement via PsExec '
'over SMB.',
'technique_id': 'T1021.002',
'technique_name': 'Remote Services: SMB/Windows '
'Admin Shares'},
{'technique_details': 'WMI-based execution and '
'lateral movement.',
'technique_id': 'T1047',
'technique_name': 'Windows Management '
'Instrumentation'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'Automated sensitive data '
'gathering from compromised '
'systems.',
'technique_id': 'T1119',
'technique_name': 'Automated Collection'},
# The specific 7-Zip build name recorded here (7z2408-x64.exe) is a hunting
# pivot for staging activity; it is a legitimate installer, so context
# (who dropped it, where, followed by what) matters more than presence.
{'technique_details': 'Compression of collected data '
'using 7-Zip (7z2408-x64.exe) '
'prior to exfiltration.',
'technique_id': 'T1560',
'technique_name': 'Archive Collected Data'},
{'technique_details': '7-Zip archiving of stolen '
'data prior to exfiltration.',
'technique_id': 'T1560.001',
'technique_name': 'Archive Collected Data: Archive '
'via Utility'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
# Exfiltration runs over legitimate transfer clients (WinSCP, Rclone,
# MEGACmd) to external storage; egress volume to MEGA and unexpected
# SFTP/Rclone destinations are the observable side.
'techniques': [{'technique_details': 'Data exfiltration via WinSCP '
'(v6.3.7) and Rclone over '
'encrypted channels.',
'technique_id': 'T1048',
'technique_name': 'Exfiltration Over Alternative '
'Protocol'},
{'technique_details': 'MEGACmd used to upload stolen '
'data to MEGA cloud storage. '
'Documented exfiltration of '
'1.5TB from a single '
'healthcare victim.',
'technique_id': 'T1567.002',
'technique_name': 'Exfiltration Over Web Service: '
'Exfiltration to Cloud Storage'},
{'technique_details': 'Data exfiltration over C2 '
'channel.',
'technique_id': 'T1041',
'technique_name': 'Exfiltration Over C2 Channel'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'Standard web protocols and '
'Tor-based communication. '
'Multi-channel comms: '
'ProtonMail, OnionMail, Gmail, '
'Telegram, qTox.',
'technique_id': 'T1071',
'technique_name': 'Application Layer Protocol'},
{'technique_details': 'Asymmetric encrypted non-C2 '
'protocols used to evade IDS.',
'technique_id': 'T1573',
'technique_name': 'Encrypted Channel'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
# The '.nspire' extension appended to encrypted files is the simplest
# host-side indicator of the impact stage for this group.
'techniques': [{'technique_details': 'Hybrid AES-256 (file content) '
'+ RSA-2048 (key protection) '
'encryption; appends .nspire '
'extension; processes files in '
'1MB block chunks. Double '
'extortion model — data theft '
'+ encryption.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/nightspire',
# Victim count as published by the source at the 'lastseen' date above.
'victims': 256,
# No CVEs are recorded here even though the TTPs above cite CVE-2024-55591;
# the two fields are maintained separately and may be out of sync.
'vulnerabilities': []}