In a comprehensive new report, cybersecurity firm Intrinsec has detailed how infrastructure used by RansomHub and the Eye Pyramid C2 framework is converging into a broader, interconnected web of malicious activity. The findings reveal how ransomware actors are increasingly reusing or sharing infrastructure, a trend that complicates attribution efforts and increases post-compromise risk.
The investigation was sparked by GuidePoint Security's analysis of a Python backdoor used by RansomHub affiliates. Intrinsec pivoted from that infrastructure and discovered that several connected IP addresses were also exposing a banner associated with the open-source C2 tool Eye Pyramid, available on GitHub.
"Eye Pyramid was identified in a case disclosed by The DFIR Report in December 2024, which ties this case to a threat actor associated with Fog ransomware," the report notes.
Eye Pyramid is a post-exploitation toolkit written in Python that abuses signed binaries like python.exe to stay under the radar, bypass EDRs, and deliver additional payloads in memory, including tools like Cobalt Strike, Sliver, LaZagne, and ransomware like Rhysida.
Intrinsec found that both the Eye Pyramid servers and the RansomHub-related servers returned the same JSON error response, which points to the clusters running the same server software or configuration. That is weaker evidence of code reuse or shared development between operators, since any operator deploying the same open-source tool would produce the same default response.
"This JSON file was identified as being a default error response of Eye Pyramid servers. It could indicate similarity in the configuration of the servers of these clusters of activity," the report explains.
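The pivot described above, from one known-bad server to others sharing a banner and a default error response, can be reproduced over scan data. The following script is an added illustration by the editor, not code from Intrinsec's report or from the Eye Pyramid project. Every IP address, ASN, Server banner and response body in it is a constructed placeholder; nothing below is a real Eye Pyramid fingerprint.

```python
"""
Cluster hosts by a shared HTTP response fingerprint (status, Server banner,
canonical error body) and pivot from a seed host to the others that match.
Added example; all records below are constructed, not from any real scan.
"""
import hashlib
import json
from collections import defaultdict

# Constructed sample of per-IP scan results (hypothetical hosts and values).
SCAN_RECORDS = [
    {"ip": "198.51.100.10", "asn": 64500, "server": "ExampleC2/1.0",
     "status": 404, "body": '{"error": "not found", "code": 404}'},
    # Same JSON as above with a different key order: must fingerprint identically.
    {"ip": "198.51.100.11", "asn": 64500, "server": "ExampleC2/1.0",
     "status": 404, "body": '{"code": 404, "error": "not found"}'},
    {"ip": "203.0.113.5", "asn": 64501, "server": "nginx",
     "status": 404, "body": "<html>404 Not Found</html>"},
    {"ip": "203.0.113.6", "asn": 64501, "server": "ExampleC2/1.0",
     "status": 404, "body": '{"error": "not found", "code": 404}'},
    {"ip": "192.0.2.77", "asn": 64502, "server": "Apache",
     "status": 200, "body": "<html>ok</html>"},
]


def normalize_body(body: str) -> str:
    """Canonicalise the body so semantically identical JSON error responses
    hash the same regardless of key order or whitespace. Non-JSON bodies
    are compared verbatim (stripped)."""
    try:
        return json.dumps(json.loads(body), sort_keys=True, separators=(",", ":"))
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return body.strip()


def fingerprint(record: dict) -> str:
    """Pivot key: hash of (status, Server banner, canonical body)."""
    material = f"{record['status']}|{record['server']}|{normalize_body(record['body'])}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def cluster(records) -> dict:
    """Group IPs by fingerprint, keeping only fingerprints seen on 2+ hosts;
    a singleton is just one host, not a pivot."""
    groups = defaultdict(list)
    for r in records:
        groups[fingerprint(r)].append(r["ip"])
    return {fp: ips for fp, ips in groups.items() if len(ips) > 1}


def pivot_from(seed_ip: str, records) -> list:
    """From a known-bad host, return the other hosts sharing its fingerprint."""
    by_ip = {r["ip"]: r for r in records}
    seed_fp = fingerprint(by_ip[seed_ip])
    return sorted(r["ip"] for r in records
                  if r["ip"] != seed_ip and fingerprint(r) == seed_fp)


def asn_breakdown(ips, records) -> dict:
    """Count pivoted hosts per ASN; a cluster spread over several small
    hosting ASNs is the pattern worth checking against hosting reputation."""
    asn_of = {r["ip"]: r["asn"] for r in records}
    counts = defaultdict(int)
    for ip in ips:
        counts[asn_of[ip]] += 1
    return dict(counts)


if __name__ == "__main__":
    linked = pivot_from("198.51.100.10", SCAN_RECORDS)
    print("hosts sharing the seed's fingerprint:", linked)
    print("by ASN:", asn_breakdown(linked, SCAN_RECORDS))
```

The caveat applies to the output as much as to the report: a fingerprint derived from an open-source tool's default responses links hosts running that tool, not necessarily one operator, so a match is a lead for further pivoting (certificates, hosting history, payloads) rather than an attribution on its own.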
Multiple C2 servers were hosted on bulletproof hosting providers like Limenet, AEZA, and Railnet, often advertised under benign names such as “gaming hosting.”
"The IP address 193.58.121[.]231 is hosted on AS 215439 (Play2go International Limited). It is advertised as a 'Gaming hosting' solution but was abused to host Eye Pyramid C2 server components."
Other infrastructure linked to CrazyRDP, a well-known bulletproof provider, has also re-emerged under newly branded ASNs in Bulgaria.
The report linked this infrastructure to an evolving group of actors who may be shifting between ransomware strains like Vice Society, Rhysida, and BlackCat, or simply leveraging a common arsenal of post-compromise tools.
"A documented affiliate/cluster, who switched from Vice Society to Rhysida, was also related to this infrastructure via a specific JSON file," the report concludes.
Even more alarming, Intrinsec found the same infrastructure tied to infostealers (Lumma, PureLogs), the Bumblebee loader, the Silent Skimmer campaign, and various Cobalt Strike beacons.