Image: Attack Capture File Manager page (credit: Goyaramen)
At a glance
- Malware Family: INC Ransomware
- Threat Actor: Unknown INC affiliate (Suspected)
- Targets: APAC manufacturing, Japanese food companies
- Delivery Vector: Group Policy Objects (GPO)
- Capabilities: Multi-architecture encryption, DPAPI key theft
- Source: Threat researcher Goyaramen
TL;DR
Threat researchers discovered exposed staging servers in mid-June 2026 that revealed an active INC ransomware affiliate operation. The operators had built a Linux encryptor suite cross-compiled for 14 distinct CPU architectures, a toolkit that deliberately targets core enterprise infrastructure. As a result, INC ransomware now reaches IBM z/Architecture mainframes as well as IBM POWER and SPARC64 systems, platforms that ESXi-focused Linux ransomware builds never touch.
Delivery
The initial access vector remains unconfirmed. Researchers did, however, recover deployment scripts from exposed bulletproof hosting infrastructure, a node located in Finland that served the files. Inside victim networks the operators used Windows Group Policy Objects (GPOs) to push the encryptors to domain-joined hosts, so a single account able to edit GPOs is enough to deploy fleet-wide. The overarching INC group claims nearly 1,000 victims since its inception; the tooling found here belongs to one highly active affiliate within that operation.
Infection Chain
Once inside a network, the attackers run an extensive enumeration of Active Directory: containers, domains and organizational groups. They then deploy the cross-platform ransomware payloads across the wider environment. According to a recent report by threat researcher Goyaramen, “these completed samples represent a deliberate expansion into core enterprise infrastructure.” The affiliate systematically compiles binaries for ARM, PowerPC, RISC-V and IBM z/Architecture hardware, among other targets.
Escalation Tactics
The infection therefore reaches systems that modern ransomware groups traditionally ignore. The attackers build these payloads with a containerized Rust pipeline, which is what makes cross-compiling one code base for 14 targets practical. All of the binaries share the same Curve25519/Salsa20 encryption scheme, with Curve25519 handling key agreement and Salsa20 serving as the stream cipher for file contents, so a defender cannot expect a weaker implementation on the exotic platforms.
Command-and-Control and Data-Exfiltration Behaviour
The exposed servers functioned as the attackers' live working environment, not a passive drop site. Operators maintained persistent access to victims through custom OpenVPN profiles and named the corresponding routing scripts after the victim organizations. A custom Python exfiltration script handled bulk data theft: it prioritized Chrome credential stores and files from executive desktops, then moved on to human resources and sales databases.
Most importantly, the attackers stole the Active Directory DPAPI backup master keys, the domain-wide keys that domain controllers hold to recover any domain user's DPAPI master keys. With them, an attacker can decrypt DPAPI-protected secrets (saved browser credentials, stored passwords and similar material) for every user in the domain offline, without knowing any user's password, and a password reset does not invalidate them. Finally, the malware communicates with the group's established Tor-based companion domains to run the extortion stage.
Defense or Detection Guidance
Because INC ransomware now targets mainframes and other non-x86 hosts, defenders must widen their monitoring immediately. Security teams should watch internal network traffic for unexpected OpenVPN sessions, particularly tunnels terminating on hosts that have no business running a VPN client. Administrators must audit Group Policy Objects for unauthorized startup scripts and scheduled tasks, and alert on GPO modifications. Treat the Active Directory DPAPI backup keys as Tier 0 secrets: restrict who can read them from domain controllers and alert on attempts to retrieve them. Finally, organizations running legacy hardware must extend endpoint detection to those platforms, as the report notes “the expansion of the ransomware’s Linux payloads to cover mainframe, POWER, and SPARC64 platforms warrants more attention than the ESXi variants.”
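The GPO audit recommended above (and the GPO-based distribution described under Delivery) can start from SYSVOL itself, because every startup or logon script and every Group Policy Preferences scheduled task a GPO pushes is written there as a file. The following Python script is an added example for this page, not the report's or the affiliate's code: it walks a Policies tree, extracts every command a GPO would execute, and flags the ones that point outside SYSVOL or into writable staging directories. The sample tree it builds, the GUIDs, the fs01.corp.example share and the enc.exe path are all constructed, and the suspicious-pattern heuristics are assumptions to tune for your own domain.

```python
"""Audit a SYSVOL Policies tree for the executable payloads a GPO can push to
domain machines: startup/logon scripts (scripts.ini, psscripts.ini) and Group
Policy Preferences scheduled tasks (ScheduledTasks.xml). Added example, not
code from the report; the sample tree and every GUID, host and path in it are
constructed."""
import codecs
import configparser
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Files inside one policy folder ({GUID}) that carry commands to run.
SCRIPT_INIS = [Path(p) for p in ("Machine/Scripts/scripts.ini", "Machine/Scripts/psscripts.ini",
                                 "User/Scripts/scripts.ini", "User/Scripts/psscripts.ini")]
TASK_XMLS = [Path(p) for p in ("Machine/Preferences/ScheduledTasks/ScheduledTasks.xml",
                               "User/Preferences/ScheduledTasks/ScheduledTasks.xml")]
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumed heuristics: UNC paths outside SYSVOL, writable staging dirs, hidden or
# encoded PowerShell launchers. Tune these to your own environment.
SUSPICIOUS_RE = re.compile(
    r"(?i)(\\\\(?!.*\\sysvol\\)|\\temp\\|\\programdata\\|\\users\\public\\"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|bypass)")

def read_text(path: Path) -> str:
    """SYSVOL .ini files are usually UTF-16 with a BOM; fall back to UTF-8."""
    raw = path.read_bytes()
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_scripts_ini(path: Path):
    """Yield (phase, cmdline, parameters) from the [Startup]/[Shutdown]/[Logon]/
    [Logoff] sections, whose keys are 0CmdLine=, 0Parameters=, 1CmdLine=, ..."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case ("0CmdLine")
    cp.read_string(read_text(path))
    for phase in cp.sections():
        for key, cmd in cp.items(phase):
            if key.endswith("CmdLine"):
                yield phase, cmd, cp.get(phase, key[:-7] + "Parameters", fallback="")

def parse_tasks_xml(path: Path):
    """Yield (task name, command, arguments) from a GPP ScheduledTasks.xml. TaskV2 and
    ImmediateTaskV2 entries embed a Task Scheduler document (own namespace) holding
    <Exec><Command>/<Arguments>; legacy Task entries carry appName/args on <Properties>."""
    root = ET.fromstring(path.read_bytes())
    for entry in root:
        props = entry.find("Properties")
        if props is None:
            continue
        if props.get("appName"):
            yield entry.get("name", "?"), props.get("appName"), props.get("args", "")
        for el in props.iter():
            if el.tag.rsplit("}", 1)[-1] == "Exec":   # match by local name, any namespace
                cmd = next((c.text for c in el if c.tag.endswith("Command")), "")
                args = next((c.text for c in el if c.tag.endswith("Arguments")), "")
                yield entry.get("name", "?"), cmd or "", args or ""

def finding(gpo, source, where, command, args):
    return {"gpo": gpo, "source": source, "where": where, "command": command,
            "args": args, "suspicious": bool(SUSPICIOUS_RE.search(f"{command} {args}"))}

def audit_policies(policies_root: Path) -> list:
    """Return one finding per command found under any {GUID} policy folder."""
    findings = []
    for gpo_dir in sorted(p for p in policies_root.iterdir() if p.is_dir()):
        if not GUID_DIR.match(gpo_dir.name):
            continue
        for rel in SCRIPT_INIS:
            if (gpo_dir / rel).is_file():
                for phase, cmd, params in parse_scripts_ini(gpo_dir / rel):
                    findings.append(finding(gpo_dir.name, rel.as_posix(), phase, cmd, params))
        for rel in TASK_XMLS:
            if (gpo_dir / rel).is_file():
                for name, cmd, args in parse_tasks_xml(gpo_dir / rel):
                    findings.append(finding(gpo_dir.name, rel.as_posix(), name, cmd, args))
    return findings

def build_sample_tree() -> Path:
    """Constructed SYSVOL/Policies tree: one benign logon-script GPO and one GPO shaped
    like the deployment the report describes (startup script from a non-SYSVOL share
    plus a scheduled task launching a binary out of a Temp directory)."""
    root = Path(tempfile.mkdtemp()) / "Policies"
    benign = root / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "User" / "Scripts"
    benign.mkdir(parents=True)
    (benign / "scripts.ini").write_bytes(codecs.BOM_UTF16_LE + (
        "\n[Logon]\n0CmdLine=\\\\corp.example\\SYSVOL\\corp.example\\scripts\\"
        "mapdrives.bat\n0Parameters=\n").encode("utf-16-le"))
    rogue = root / "{A7C5E4B2-0F3D-4E6A-9C1B-2D8F7E5A3B19}"
    (rogue / "Machine" / "Scripts").mkdir(parents=True)
    (rogue / "Machine" / "Scripts" / "scripts.ini").write_text(
        "[Startup]\n0CmdLine=\\\\fs01.corp.example\\deploy$\\update.exe\n"
        "0Parameters=/silent\n", encoding="utf-8")
    tasks = rogue / "Machine" / "Preferences" / "ScheduledTasks"
    tasks.mkdir(parents=True)
    (tasks / "ScheduledTasks.xml").write_text(
        '<ScheduledTasks><TaskV2 name="SvcUpdate"><Properties name="SvcUpdate">'
        '<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec><Command>C:\\Windows\\Temp\\enc.exe</Command>'
        '<Arguments>-w hidden</Arguments></Exec></Actions></Task>'
        '</Properties></TaskV2></ScheduledTasks>', encoding="utf-8")
    return root

if __name__ == "__main__":
    for f in audit_policies(build_sample_tree()):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ",
              f["gpo"], f["source"], f["where"], f["command"], f["args"])
```

Point audit_policies at a mounted or copied copy of the domain's SYSVOL Policies folder from a host allowed to read the share, and pair the output with a GPO change log: a command that is new since the last run deserves an alert even when the heuristics call it clean, because the affiliate described here could just as easily stage its encryptor inside SYSVOL. Software installation and registry-based autoruns also live in GPP XML files and need the same treatment.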