Google’s Threat Analysis Group has unveiled information about a previously unknown threat actor group known as TRIPLESTRENGTH, which has been active since 2020. The group consists of only a handful of individuals, yet the scale of their operations is very broad.
The criminals employ a multifaceted approach to their attacks, simultaneously deploying ransomware to infect victims’ computers while seizing control of cloud accounts for illicit cryptocurrency mining. Additionally, they maintain a strong presence on hacker forums, where they offer access to compromised servers.
The group has targeted the servers of major cloud service providers, including Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean. Investigations have revealed that they obtain user credentials via Raccoon, a malware strain designed to siphon sensitive data from infected Windows systems.
Analysts highlight that TRIPLESTRENGTH deliberately segregates its ransomware and cryptomining activities. Their encryption-based attacks are confined to local systems, leaving cloud infrastructure untouched. Unlike contemporary cybercriminal syndicates that engage in double extortion by stealing and threatening to leak data, TRIPLESTRENGTH solely encrypts files and demands ransom for their decryption.
For encryption, the attackers employ various ransomware strains, including Phobos, LokiLocker, and RCRU64. These tools operate under the Ransomware-as-a-Service (RaaS) model, yet, unlike more established offerings such as RansomHub and Lockbit, they do not provide additional services—such as dark web leak sites for publishing stolen data or negotiation assistance for ransom payments.
Their initial access methods are relatively unsophisticated. The group does not exploit zero-day vulnerabilities or employ advanced privilege escalation techniques. Instead, their primary tactic revolves around automated brute-force attacks to gain access to remote desktop servers. Once inside, they move laterally through corporate networks, disable antivirus defenses, and leverage publicly available tools like Mimikatz and NetScan.
One notable attack took place in May 2024, when the hackers gained access to an RDP server via password brute-forcing. From there, they infiltrated the corporate network, disabled security mechanisms, and deployed RCRU64 across multiple Windows machines.
Details of TRIPLESTRENGTH’s operations were first disclosed in Google Threat Horizons’ inaugural report for 2025. The link between their ransomware and cryptomining activities was established through Telegram advertisements, where the group sought affiliates to help distribute RCRU64. The accounts used for these advertisements were traced back to the same individuals orchestrating illicit mining operations.
The group’s foray into cryptocurrency mining began around 2022. Initially, they exploited victims’ local computing resources, but they later pivoted to cloud-based infrastructure. To mine digital assets, they utilize the unMiner application in conjunction with the unMineable mining pool.
Although each individual attack yields the criminals relatively modest profits—ranging from a few hundred to several thousand dollars—the financial toll on victimized organizations is significantly higher. In some cases, cloud resource bills have soared into the hundreds of thousands of dollars.
Google researchers have identified numerous TRX cryptocurrency addresses linked to TRIPLESTRENGTH’s activities. These were uncovered in configuration files, transactions from the unMineable mining pool, and payment logs on various cryptocurrency exchanges. During the latest audit conducted several months ago, more than 600 transactions were traced to these wallets, suggesting a likely surge in activity since then.
Victims of TRIPLESTRENGTH span diverse industries and geographic regions. Despite their small numbers, the group exhibits remarkable organization and operational efficiency, continuously expanding the scope of their cybercriminal enterprise.
Related Posts:
- 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining
- Google will ban all cryptocurrency mining extensions in the Chrome Store
- Kaspersky Report: Criminals earning millions through mining malware
- McAfee: Mining cryptocurrencies with a PC is dangerous
- Spanish Police Bust €3M Online Scam Syndicate: 34 Arrested
