Security analysts at Huntress reported the discovery of a previously unseen ransomware variant, named Obscura. The malware takes its name from its ransom note (README_Obscura.txt), which repeatedly references the word “Obscura” and sets the tone for a campaign targeting corporate networks.
According to Huntress, “the ransomware executable was first seen being executed across multiple hosts on the victim organization.” Limited deployment of the Huntress agent within the affected network hampered detection and response, obscuring the initial access vector. However, analysts observed the ransomware executable placed in the NETLOGON folder of the domain controller.
This placement was strategic. As Huntress explains, “the folder contents are automatically replicated across all domain controllers to maintain consistency. However, this also meant that the ransomware executable was automatically deployed throughout the infrastructure.”
To ensure persistence and execution, attackers created scheduled tasks such as SystemUpdate on multiple hosts. They also enabled Remote Desktop Protocol (RDP) through firewall modifications, expanding their control over compromised endpoints.
The ransom note—embedded within the binary as a base64 string—follows the typical double extortion model. It bluntly states:
“Your network has been completely encrypted by our software.”
“All information has been stolen.”
“You have about 240 hours to respond. If there is no response, all stolen information will be distributed.”
The note further warns victims against law enforcement or recovery agencies:
“Recovery agencies, the police, and other services will NOT HELP you. Agencies want your money, but they do not know how to negotiate.”
Obscura is a Go-based binary that requires administrative privileges to operate. Huntress highlights that, “when the privilege check determines the process lacks administrative rights, the ransomware prints ‘[!!!] user not admin. exit [!!!]’ and immediately terminates execution.” This ensures the malware runs only in high-privilege contexts.
Key technical features include:
- Volume Shadow Copy deletion: Executes vssadmin delete shadows /all /quiet to prevent file recovery.
- Aggressive process termination: Kills more than 120 processes, targeting antivirus, backup, and database software.
- Cryptography: Uses Curve25519 with XChaCha20 for encryption. Each encrypted file is appended with an “OBSCURA!” footer, a public key, and nonce to facilitate decryption—only possible with the attacker’s private key.
- Exclusion filters: Preserves system-critical files (.exe, .dll, .sys, .efi, etc.) while encrypting data-heavy and sensitive files to maximize damage.
Although some functions hint at lateral movement, Huntress noted incomplete development. For example, the ransomware displays messages such as:
“[+] detect PDC. run transfer to all pc in domain.”
Yet no actual propagation code beyond domain controller deployment was observed. This suggests either unfinished features or early testing stages.
Obscura is not an isolated case. Huntress points out that “Obscura is one of several newer ransomware variants that Huntress has seen popping up in recent months, including Crux ransomware and Cephalus ransomware.” Such activity reflects an evolving ransomware landscape where groups frequently rebrand and release new malware strains to evade detection and law enforcement takedowns.
By leveraging domain controller replication, disabling backups, and weaponizing advanced cryptography, this variant represents a dangerous escalation in the ransomware threat landscape. As Huntress warns, “organizations should monitor their domain controllers closely and look for the addition of new files, as well as the modification of existing files, including GPOs.”
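An added example, not code from Huntress or this article: a small Python triage routine that applies the detection points described above (an executable dropped in the NETLOGON share, vssadmin shadow-copy deletion, a SystemUpdate scheduled task, an RDP firewall rule being enabled) to constructed Sysmon/Security event records. The event field names, the sample netsh command shape, and the two-technique escalation threshold are assumptions, not details from the report.

```python
"""Triage constructed Windows telemetry for the Obscura tradecraft described above."""
import re

# Constructed sample events (dicts mimic Sysmon event 1/11 and Security 4698 fields); not real data.
SAMPLE_EVENTS = [
    {"id": 11, "host": "DC01", "path": r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\update.exe"},
    {"id": 1, "host": "WS07", "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 4698, "host": "WS07", "task": "SystemUpdate"},
    {"id": 1, "host": "WS07", "cmd": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"id": 11, "host": "DC01", "path": r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\logon.bat"},
]

# The NETLOGON share is backed by SYSVOL\sysvol\<domain>\scripts; logon scripts are normal there,
# so only binaries are treated as high-signal.
NETLOGON_RE = re.compile(r"\\SYSVOL\\sysvol\\[^\\]+\\scripts\\", re.I)
BINARY_EXT = (".exe", ".dll", ".scr")
VSS_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
RDP_RE = re.compile(r"netsh\b.*advfirewall.*remote desktop.*enable=yes", re.I)  # assumed command shape
SUSPECT_TASKS = {"systemupdate"}  # task name reported in the article


def classify(event):
    """Return (technique, detail) findings for one event; empty list if nothing matched."""
    findings = []
    eid = event.get("id")
    if eid == 11:  # file created
        path = event.get("path", "")
        if NETLOGON_RE.search(path) and path.lower().endswith(BINARY_EXT):
            findings.append(("netlogon_binary_drop", path))
    elif eid == 1:  # process created
        cmd = event.get("cmd", "")
        if VSS_RE.search(cmd):
            findings.append(("shadow_copy_deletion", cmd))
        if RDP_RE.search(cmd):
            findings.append(("rdp_firewall_enable", cmd))
    elif eid == 4698:  # scheduled task created
        if event.get("task", "").lower() in SUSPECT_TASKS:
            findings.append(("suspicious_scheduled_task", event["task"]))
    return findings


def triage(events):
    """Group findings by host; hosts showing two or more distinct techniques are escalated."""
    by_host = {}
    for ev in events:
        for technique, detail in classify(ev):
            by_host.setdefault(ev["host"], []).append((technique, detail))
    escalate = {h for h, f in by_host.items() if len({t for t, _ in f}) >= 2}
    return by_host, escalate


if __name__ == "__main__":
    hits, esc = triage(SAMPLE_EVENTS)
    for host, f in hits.items():
        print(host, "ESCALATE" if host in esc else "review", f)
```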