TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Obscura, an Obscure New Ransomware Variant

2025-09-02

ATT&CK techniques detected

15 predictions
T1486 Data Encrypted for Impact
99%
"Obscura, an Obscure New Ransomware Variant. On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called “Obscura.” This name was taken from the ransom note (README_Obscura.txt), which also made several references to Obscura in its contents…"
T1486 Data Encrypted for Impact
98%
"…the parameters for the ChaCha file encryption. Before writing the encrypted file back to disk they append a 64-byte footer which is comprised of:
- obscura!
- 32-byte public key
- 24-byte nonce
[Figure 3: sample of the encrypted file]
Since they have the peer private key, they ca…"
T1486 Data Encrypted for Impact
96%
"…firmware files
- .boot - boot configuration files
- .iso - ISO disc image files
- .rom - ROM firmware files
- .bin - binary system files
System configuration and utilities:
- .ini - configuration files
- .cfg - configuration files
- .lnk - Windows shortcut files
- .hosts - netwo…"
T1486 Data Encrypted for Impact
90%
"…: shows [+] detect pc in domain. run transfer to dc., suggesting transfer to domain controllers
- Backup domain controller: shows [+] detect bdc. run transfer to pdc., implying propagation to the primary domain controller
- Primary domain controller: displays [+] detect pd…"
T1053.005 Scheduled Task
83%
"…executable file was named for the domain in which it was found, in an apparent attempt to blend in (for this reason, we are not publicly identifying the name of this executable). The executable is a Go binary (including a Go build ID), and contains a number of file paths, such…"
T1489 Service Stop
82%
"…configures Windows security constants (2, 32, 544) to create the Administrators group SID for privilege checking. After confirming administrative privileges, the ransomware gathers critical system information by calling GetSystemInfo() through the Windows API. It specifically extract…"
T1486 Data Encrypted for Impact
78%
"…from the NETLOGON share. On one of the user's machines, the threat actor created a scheduled task named "ijhcekag". The task runs the command cmd.exe /c netsh firewall set service type=remotedesktop mode=enable > \windows\temp\sjyfxb 2>&1 to enable Remote Deskto…"
T1053.005 Scheduled Task
76%
"…from the NETLOGON share. On one of the user's machines, the threat actor created a scheduled task named "ijhcekag". The task runs the command cmd.exe /c netsh firewall set service type=remotedesktop mode=enable > \windows\temp\sjyfxb 2>&1 to enable Remote Deskto…"
T1134 Access Token Manipulation
65%
"…_RID_ADMINS (544) as the subauthority, and an authority count of 2. Following successful SID creation, the function calls CheckTokenMembership() to verify if the current process token belongs to the Administrators group, returning a boolean value indicating administrative…"
T1486 Data Encrypted for Impact
60%
"…run() function executes in daemon mode with daemon=1 set. It retrieves the threat actor's 32-byte public key by decoding a hardcoded Base64 string embedded within the executable, then performs system reconnaissance by enumerating all storage devices and calculating their…"
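Two of the snippets above describe key material an analyst can recover from artifacts: the 64-byte trailer on each encrypted file (8-byte marker, 32-byte per-file public key, 24-byte nonce; the sizes sum to 64, which is a useful sanity check) and the actor's 32-byte public key hardcoded as a Base64 string in the executable. The Python below is an added triage example written for this page; it is not Huntress code and not Obscura tooling. It assumes the marker bytes read "obscura!" (the post's casing of the marker is not confirmed here, so matching is case-insensitive), and every input blob is constructed for the demo.

```python
"""Triage helpers for the footer layout and the embedded key described in the post.

Added example; not Huntress code. Assumptions: marker bytes b"obscura!" (casing
unconfirmed, matched case-insensitively), footer = marker + 32-byte public key +
24-byte nonce as the post describes, and constructed sample inputs.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

MARKER = b"obscura!"          # assumed casing; 8 bytes
PUBKEY_LEN = 32
NONCE_LEN = 24
FOOTER_LEN = len(MARKER) + PUBKEY_LEN + NONCE_LEN   # 8 + 32 + 24 = 64, matching the post


@dataclass
class Footer:
    marker: bytes
    public_key: bytes   # per-file 32-byte public key written by the encryptor
    nonce: bytes        # 24-byte nonce (the size an XChaCha20-style construction uses)


def parse_footer(data: bytes) -> Optional[Footer]:
    """Return the parsed trailer if `data` ends with a well-formed footer, else None."""
    if len(data) < FOOTER_LEN:
        return None
    tail = data[-FOOTER_LEN:]
    if tail[:len(MARKER)].lower() != MARKER:
        return None
    key_end = len(MARKER) + PUBKEY_LEN
    return Footer(marker=tail[:len(MARKER)],
                  public_key=tail[len(MARKER):key_end],
                  nonce=tail[key_end:])


def strip_footer(data: bytes) -> bytes:
    """Ciphertext body without the trailer (what a decryptor would hand to ChaCha)."""
    return data[:-FOOTER_LEN] if parse_footer(data) else data


# A 32-byte value is 43 Base64 characters plus one '=' (or no padding with Go's Raw encodings).
# The look-arounds stop the match from starting or ending inside a longer alphanumeric run.
_B64_32_RE = re.compile(rb"(?<![A-Za-z0-9+/_-])[A-Za-z0-9+/_-]{43}=?(?![A-Za-z0-9+/_-])")


def find_embedded_32byte_keys(blob: bytes) -> List[bytes]:
    """Candidate hardcoded 32-byte keys: every Base64 run that decodes to exactly 32 bytes."""
    found: List[bytes] = []
    for match in _B64_32_RE.finditer(blob):
        token = match.group(0).rstrip(b"=") + b"="   # normalise to the padded form
        try:
            if b"-" in token or b"_" in token:
                raw = base64.urlsafe_b64decode(token)
            else:
                raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(raw) == PUBKEY_LEN and raw not in found:
            found.append(raw)
    return found


def constructed_samples():
    """Constructed inputs, not from any real sample: a fake binary and a fake encrypted file."""
    actor_pub = bytes(range(32))                                # stand-in for the actor's key
    fake_binary = b"\x00" * 4 + base64.b64encode(actor_pub) + b"\x00" * 4
    fake_file = bytes(100) + MARKER + b"\xaa" * PUBKEY_LEN + b"\x55" * NONCE_LEN
    return fake_binary, fake_file


if __name__ == "__main__":
    binary, encrypted = constructed_samples()
    for key in find_embedded_32byte_keys(binary):
        print("candidate embedded key:", key.hex())
    footer = parse_footer(encrypted)
    if footer:
        print("per-file public key:", footer.public_key.hex())
        print("nonce:", footer.nonce.hex())
        print("ciphertext bytes:", len(strip_footer(encrypted)))
```

The Base64 scan produces candidates, not confirmation: any 43-character alphanumeric run decodes to 32 bytes, so each hit should be checked against the code path that uses it. The per-file public key in the footer together with an actor-held private key is the shape of an ephemeral key agreement feeding a ChaCha cipher, but the post quoted here does not name the curve or the exact ChaCha variant, so a decryptor should be built from the binary, not from this layout alone.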
T1080 Taint Shared Content
46%
"Obscura, an Obscure New Ransomware Variant. On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called “Obscura.” This name was taken from the ransom note (README_Obscura.txt), which also made several references to Obscura in its contents…"
T1486 Data Encrypted for Impact
44%
"…TerminateProcess(process_handle, 1) to forcefully terminate the process with exit code 1 and prints a success message showing the process ID and name in the format “[+] killed pid %d (%s)”. If termination fails, the function returns an error message stating “failed to terminate…"
T1057 Process Discovery
37%
"…configures Windows security constants (2, 32, 544) to create the Administrators group SID for privilege checking. After confirming administrative privileges, the ransomware gathers critical system information by calling GetSystemInfo() through the Windows API. It specifically extract…"
T1134.002 Create Process with Token
37%
"…_RID_ADMINS (544) as the subauthority, and an authority count of 2. Following successful SID creation, the function calls CheckTokenMembership() to verify if the current process token belongs to the Administrators group, returning a boolean value indicating administrative…"
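The constants the snippets above report (an authority count of 2, sub-authorities 32 and 544) are the ingredients of the SID the ransomware hands to CheckTokenMembership(). The Python below is an added example for this page, not Huntress code: it serializes and parses SIDs in the documented Windows wire format (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) so the raw bytes seen in a disassembly or memory dump can be turned back into their SDDL name. The identifier authority value 5 (SECURITY_NT_AUTHORITY) is assumed, since the quoted text does not state it; it is the authority every BUILTIN SID uses.

```python
"""Decode the SID behind the privilege check described in the post.

Added example; not Huntress code. The constants 2, 32 and 544 come from the
post; identifier authority 5 (SECURITY_NT_AUTHORITY) is assumed.
"""
import struct
from typing import Dict, List, Tuple

SECURITY_NT_AUTHORITY = 5            # assumed, see above
SECURITY_BUILTIN_DOMAIN_RID = 32     # the post's "32"
DOMAIN_ALIAS_RID_ADMINS = 544        # the post's "544"

WELL_KNOWN: Dict[str, str] = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def build_sid(identifier_authority: int, sub_authorities: List[int]) -> bytes:
    """Serialize a SID the way AllocateAndInitializeSid lays it out in memory."""
    if not 0 <= len(sub_authorities) <= 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    header = bytes([1, len(sub_authorities)])              # revision 1, count
    authority = identifier_authority.to_bytes(6, "big")    # 48-bit big-endian
    body = struct.pack("<%dI" % len(sub_authorities), *sub_authorities)
    return header + authority + body


def parse_sid(raw: bytes) -> Tuple[int, List[int]]:
    """Inverse of build_sid, with the length checks a parser of dumped memory needs."""
    if len(raw) < 8:
        raise ValueError("truncated SID header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) < 8 + 4 * count:
        raise ValueError("truncated or malformed SID body")
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, raw, 8))
    return authority, subs


def sid_to_string(raw: bytes) -> str:
    """SDDL string form; authorities that do not fit 32 bits print as hex, as Windows does."""
    authority, subs = parse_sid(raw)
    auth_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "-".join(["S-1", auth_text, *map(str, subs)])


def describe(raw: bytes) -> str:
    """Friendly name for well-known SIDs, otherwise the SDDL string."""
    text = sid_to_string(raw)
    return WELL_KNOWN.get(text, text)


def administrators_sid() -> bytes:
    """The SID the post's constants (2, 32, 544) produce."""
    return build_sid(SECURITY_NT_AUTHORITY,
                     [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS])


if __name__ == "__main__":
    sid = administrators_sid()
    print(sid.hex())          # the 16 bytes as they would appear in a memory dump
    print(describe(sid))
```

Seeing the byte sequence 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 in a sample is therefore the same fact as the constants quoted above: the binary is asking whether its token belongs to BUILTIN\Administrators. CheckTokenMembership() answers for the effective token, so a process started from a filtered (non-elevated) UAC token gets false here even when the user is an administrator.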
T1490 Inhibit System Recovery
33%
"…from the NETLOGON share. On one of the user's machines, the threat actor created a scheduled task named "ijhcekag". The task runs the command cmd.exe /c netsh firewall set service type=remotedesktop mode=enable > \windows\temp\sjyfxb 2>&1 to enable Remote Deskto…"

Summary

Huntress found a previously unseen ransomware variant called Obscura on a victim company’s domain controller.