Threat Actor Profile
Medium Cybercriminal
Confidence Score
100%
Tags
ransomware ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (10)
T1070 - Indicator Removal
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1218 - System Binary Proxy Execution
Defense Evasion
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1486 - Data Encrypted for Impact
Impact
T1490 - Inhibit System Recovery
Impact
T1021.001 - Remote Desktop Protocol
Lateral Movement
STIX Data
{'added_date': '2025-10-23',
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': None,
 'firstseen': '2025-10-23T14:54:39.890229+00:00',
 'group': 'tengu',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2026-03-07T12:36:14.655160+00:00',
 'locations': [{'available': True,
                'fqdn': 'longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion',
                'slug': 'http://longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion',
                'title': 'Shisa Ransomware Blog',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 3,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': True,
                                    'fqdn': 'longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion',
                                    'slug': 'http://longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion',
                                    'title': 'Shisa Ransomware Blog',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 3,
                     'ransomware_live_group': 'tengu',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/tengu',
                     'victims': 49,
                     'vulnerabilities': [{'CVE': 'CVE-2025-43995',
                                          'CVSS': 9.8,
                                          'Product': 'DSM Data Collector',
                                          'Vendor': 'DSM',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2024-38178',
                                          'CVSS': 7.5,
                                          'Product': 'Windows Scripting Engine',
                                          'Vendor': 'Microsoft',
                                          'severity': 'HIGH'},
                                         {'CVE': 'CVE-2025-55754',
                                          'CVSS': 9.6,
                                          'Product': 'Console (ANSI Injection)',
                                          'Vendor': 'Other',
                                          'severity': 'CRITICAL'}]},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [{'tactic_id': 'TA0001',
           'tactic_name': 'Initial Access',
           'techniques': [{'technique_details': 'Abuse of valid accounts '
                                                '(obtained via infostealers or '
                                                'IABs).',
                           'technique_id': 'T1078',
                           'technique_name': 'Valid Accounts'}]},
          {'tactic_id': 'TA0002',
           'tactic_name': 'Execution',
           'techniques': [{'technique_details': 'Intensive use of PowerShell '
                                                'for command and script '
                                                'execution.',
                           'technique_id': 'T1059.001',
                           'technique_name': 'Command and Scripting '
                                             'Interpreter: PowerShell'},
                          {'technique_details': 'Use of CMD for command '
                                                'execution.',
                           'technique_id': 'T1059.003',
                           'technique_name': 'Command and Scripting '
                                             'Interpreter: Windows Command '
                                             'Shell'}]},
          {'tactic_id': 'TA0003',
           'tactic_name': 'Persistence',
           'techniques': [{'technique_details': 'Creation of Scheduled Tasks '
                                                'that run with SYSTEM '
                                                'privileges to ensure '
                                                're-infection.',
                           'technique_id': 'T1053.005',
                           'technique_name': 'Scheduled Task/Job: Scheduled '
                                             'Task'}]},
          {'tactic_id': 'TA0005',
           'tactic_name': 'Defense Evasion',
           'techniques': [{'technique_details': 'Use of rundll32.exe for proxy '
                                                'execution.',
                           'technique_id': 'T1218',
                           'technique_name': 'System Binary Proxy Execution'},
                          {'technique_details': 'Cleaning of event logs.',
                           'technique_id': 'T1070',
                           'technique_name': 'Indicator Removal'}]},
          {'tactic_id': 'TA0008',
           'tactic_name': 'Lateral Movement',
           'techniques': [{'technique_details': 'Lateral movement via RDP '
                                                'after compromising '
                                                'administrative credentials.',
                           'technique_id': 'T1021.001',
                           'technique_name': 'Remote Services: Remote Desktop '
                                             'Protocol'}]},
          {'tactic_id': 'TA0010',
           'tactic_name': 'Exfiltration',
           'techniques': [{'technique_details': 'Data exfiltration via C2 '
                                                'channels before starting the '
                                                'encryption routine.',
                           'technique_id': 'T1041',
                           'technique_name': 'Exfiltration Over C2 Channel'}]},
          {'tactic_id': 'TA0040',
           'tactic_name': 'Impact',
           'techniques': [{'technique_details': 'File encryption.',
                           'technique_id': 'T1486',
                           'technique_name': 'Data Encrypted for Impact'},
                          {'technique_details': 'Deletion of Shadow Copies to '
                                                'prevent local recovery.',
                           'technique_id': 'T1490',
                           'technique_name': 'Inhibit System Recovery'}]}],
 'url': 'https://www.ransomware.live/group/tengu',
 'victims': 49,
 'vulnerabilities': [{'CVE': 'CVE-2025-43995',
                      'CVSS': 9.8,
                      'Product': 'DSM Data Collector',
                      'Vendor': 'DSM',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2024-38178',
                      'CVSS': 7.5,
                      'Product': 'Windows Scripting Engine',
                      'Vendor': 'Microsoft',
                      'severity': 'HIGH'},
                     {'CVE': 'CVE-2025-55754',
                      'CVSS': 9.6,
                      'Product': 'Console (ANSI Injection)',
                      'Vendor': 'Other',
                      'severity': 'CRITICAL'}]}