8Base
A prolific RaaS operation built on Phobos ransomware infrastructure that became one of the most active groups targeting small and medium-sized businesses in 2023. Operating quietly from March 2022, 8Base went public with a data leak site in June 2023 and rapidly escalated — indiscriminately targeting manufacturing, finance, IT, healthcare, and government organizations across the US, Brazil, and Europe. Alongside Cl0p and LockBit, 8Base accounted for 48 percent of all recorded ransomware attacks in July 2023 alone. The group was dismantled on February 10, 2025 in Operation Phobos Aetor, with four suspects arrested in Phuket, Thailand, 27 servers seized, and charges brought against two named Russian nationals.
Overview
8Base emerged in March 2022 as a ransomware affiliate operation built on the infrastructure of the Phobos ransomware-as-a-service ecosystem. For more than a year, the group operated with minimal public presence — compromising organizations and encrypting data but not publicly disclosing victims. In May 2023 the group launched a Telegram channel, and in June 2023 it activated a TOR-based data leak site and began a rapid escalation that immediately drew attention from researchers. VMware Carbon Black, Cisco Talos, and others observed a dramatic spike in activity between May and June 2023, with the group publishing victims at a pace that placed it among the top five most active ransomware operations globally by monthly victim count.
The group's technical foundation was Phobos ransomware version 2.9.1 — a RaaS framework that allowed affiliates to customize payloads, set file extensions, and brand their ransom notes independently. 8Base added its own identity layer: the ".8base" extension on encrypted files, a purple-themed ransom note with the "cartilage" branding string in the top corner, and a data leak site whose layout and copy bore strong similarities to RansomHouse. This branding overlap led early researchers to consider a possible connection between 8Base and RansomHouse, though no formal operational tie was confirmed. 8Base denied any connection when questioned. SmokeLoader served as the primary delivery mechanism, embedding the Phobos ransomware component in encrypted payloads that were decrypted and loaded into memory rather than written to disk as a standalone executable.
The group positioned itself with a cynical self-description: its leak site stated that 8Base were "honest and simple pentesters" who only targeted companies that had "neglected the privacy and importance of the data of their employees and customers." Despite this framing, the group's targeting was indiscriminate — manufacturing, finance, IT, healthcare, government, construction, and transportation organizations all appeared among its victims. The US was the most heavily targeted country by a significant margin, followed by Brazil and the United Kingdom. The Netherlands was notably also in the top five targeted countries in Trend Micro's tracking data.
The dismantling came through Operation Phobos Aetor, a Germany-led international law enforcement action coordinated by Europol and involving 15 countries including the US, UK, France, Switzerland, Thailand, Japan, and Romania. On February 10, 2025, Thai authorities arrested four suspects in Phuket across separate locations. Europol confirmed all four were Russian nationals. The US Department of Justice subsequently unsealed charges against two of them: Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), alleged to have operated the 8Base and Affiliate 2803 ransomware affiliate organizations and deployed Phobos ransomware on victims' networks between May 2019 and October 2024. Twenty-seven servers were seized, dark web leak and negotiation sites were replaced with seizure banners, and over 400 organizations were warned of ongoing or imminent attacks identified through the investigation. A free decryptor for Phobos and 8Base victims was later released.
The operation did not emerge in isolation. A key Phobos affiliate had been arrested in Italy in 2023 following a French warrant. Phobos administrator Evgenii Ptitsyn was arrested in South Korea in June 2024 and extradited to the United States in November 2024 — an event researchers noted was followed by a measurable decrease in 8Base activity, suggesting operational dependence on Ptitsyn's infrastructure. The Phuket arrests in February 2025 completed the largest coordinated action against the Phobos/8Base ecosystem to date.
Target Profile
8Base's targeting was deliberately indiscriminate and volume-driven, consistent with the high-frequency, low-selectivity model typical of Phobos affiliates. Any SMB with insufficient backup and recovery infrastructure and sensitive data worth threatening to publish was a viable target.
- Manufacturing: The sector with the highest number of detected 8Base attack attempts in Trend Micro's tracking data (January 2023 to March 2024), both by infected machine count and leak site publication. Industrial manufacturers, component suppliers, and production companies across North America and Europe were regularly targeted.
- Finance and Business Services: Financial services organizations — including accounting firms, insurance companies, and business process providers — were among the earliest and most consistent 8Base targets, leveraging the high sensitivity of financial data as extortion leverage.
- Information Technology: IT service providers, managed service providers, and technology companies were targeted both for their own sensitive data and as potential access points to downstream clients — a supply chain risk dimension consistent with how many RaaS affiliates approach IT sector targeting.
- Healthcare and Public Health: In October 2023, 8Base attacks on US healthcare organizations prompted the HHS Health Sector Cybersecurity Coordination Center (HC3) to publish an analyst note specifically about the group. Healthcare data — patient records, insurance information, treatment histories — carries high extortion leverage due to HIPAA liability and public disclosure sensitivity.
- Government and Critical Infrastructure: Notable high-profile victims included Croatia's Port of Rijeka, the United Nations Development Programme, and the Atlantic States Marine Fisheries Commission (a US East Coast fisheries management body). These attacks demonstrated the group's willingness to target public institutions despite the heightened law enforcement scrutiny such attacks typically attract.
- Geographic Distribution: The United States accounted for the largest share of 8Base victims by a substantial margin. Brazil and the United Kingdom followed. The Netherlands appeared in the top five targeted countries in Trend Micro data. Confirmed victims spanned at least 80 countries across North America, Europe, Latin America, and the Asia-Pacific region.
Tactics, Techniques & Procedures
8Base's TTP set combined the established Phobos ransomware delivery chain with a toolkit of credential theft and evasion tools. The group operated efficiently, applying a tested affiliate playbook rather than developing novel techniques — consistent with experienced operators working within a mature RaaS framework.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing Attachment | The primary initial access method. 8Base affiliates sent phishing emails with malicious attachments delivering SmokeLoader, which then decrypted and loaded the Phobos ransomware component in memory. Phishing lures were adapted to appear as business communications relevant to target industries. |
| T1078 | Valid Accounts — Initial Access Brokers | SentinelOne documented 8Base affiliates purchasing initial access from initial access brokers (IABs) — operators who maintain access to pre-compromised networks and sell it to ransomware affiliates. RDP and VPN credentials were the most common access type, consistent with the Phobos ecosystem's documented preference for compromised remote access. |
| T1021.001 | Remote Services: RDP | Phobos ransomware operators used IP scanning tools including Angry IP Scanner to identify systems with exposed or vulnerable RDP ports, then leveraged compromised RDP credentials for initial access and lateral movement. RDP access was documented as a primary initial vector across the broader Phobos ecosystem that 8Base operated within. |
| T1055 | Process Injection — SmokeLoader | SmokeLoader delivered the Phobos ransomware component by embedding it in encrypted payloads that were decrypted and loaded into the SmokeLoader process memory — avoiding writing the ransomware binary as a standalone file on disk. This in-memory delivery method reduced the footprint detectable by file-based scanning. |
| T1003 | OS Credential Dumping | 8Base operators used Mimikatz, LaZagne, WebBrowserPassView, VNCPassView, PasswordFox, and ProcDump to extract credentials from compromised systems. Harvested credentials were used to authenticate to additional systems, escalate privileges, and access sensitive data repositories before encryption. |
| T1090 | Proxy — SystemBC | SystemBC was used to establish encrypted C2 channels and proxy traffic, concealing the origin of operator communications. VMware documented 8Base's use of SystemBC for traffic encryption alongside SmokeLoader for payload delivery, providing a layered communication infrastructure. |
| T1562.001 | Defense Evasion — Security Tool Disabling | A batch file named defoff.bat (detected as KILLAV) was dropped and executed to disable Windows Defender components before ransomware deployment. The group also used PCHunter, GMER, and Process Hacker for additional security tool enumeration and disabling, and cleared Windows event logs to hinder post-incident investigation. |
| T1486 | Data Encrypted for Impact | The Phobos v2.9.1 payload encrypted files with AES-256 in CBC mode using a randomly generated key and IV; the key material was encrypted with RSA and appended to each file. Files below 1.5MB were fully encrypted; files above 1.5MB received partial encryption of scattered blocks to maximize encryption speed across the filesystem. Network shares on the local network were scanned and encrypted alongside local drives. The ".8base" extension was appended, along with a victim-specific ID and contact email. |
| T1490 | Inhibit System Recovery — VSS Deletion | Shadow copies were deleted to prevent file restoration without paying the ransom. The Phobos ransomware also established persistence via the Startup folder and Run registry key, ensuring re-execution on reboot if the initial encryption pass was interrupted. |
| T1567 | Exfiltration — Double Extortion | Data was exfiltrated to actor-controlled infrastructure before encryption, providing the leverage for the secondary extortion threat: pay or have the stolen data published on the 8Base TOR leak site. The group also pursued what has been characterized as triple extortion in some cases — separately approaching individuals whose data appeared in exfiltrated tranches. |
8Base's business model was built on volume rather than high-value individual targets. The group attacked small and medium-sized businesses across many sectors simultaneously, relying on the statistical probability that a significant fraction would pay rather than face data publication. Organizations without mature incident response capabilities, offline backups, or legal and PR resources to manage a public breach disclosure were the most vulnerable — and the most likely to pay.
Known Campaigns & Milestones
Key operational milestones and confirmed high-profile attacks across 8Base's active period.
8Base operated without public disclosure for over a year after its March 2022 launch. Victims were compromised and data exfiltrated, but no leak site was active and no public attribution was made. A Phobos sample using the ".8base" file extension was later recovered by VMware, with a compilation timestamp of June 23, 2022, confirming the group had been active for months before gaining public attention. The group's Twitter account, created in 2014 and repurposed for ransomware operations, announced the publication of data from the prior year's quiet operation when the leak site launched in 2023.
In May 2023, 8Base launched its Telegram channel and began escalating public victim disclosures. In June 2023, the TOR leak site went live and attack volume surged dramatically. By July 2023, 8Base was responsible — alongside Cl0p and LockBit — for 48 percent of all recorded ransomware attacks globally that month. In June alone, the group hit nearly 40 victims, placing second only to LockBit. VMware Carbon Black published a detailed technical analysis in June 2023, documenting the Phobos/SmokeLoader delivery chain and the RansomHouse similarities for the first time.
8Base attacked Nidec Corporation, a major Japanese manufacturer of electric motors and industrial components with global operations. The attack on a large multinational manufacturer represented one of the group's higher-profile corporate victims and demonstrated that the group's "SMB focus" did not prevent it from targeting enterprise-scale organizations when opportunity presented.
8Base compromised Croatia's Port of Rijeka, a major Adriatic maritime logistics hub. The attack on critical port infrastructure demonstrated the group's willingness to target entities whose disruption carried significant economic and operational consequences for supply chains and national infrastructure.
8Base claimed an attack on the United Nations Development Programme (UNDP), adding an international organization to its victim roster alongside corporate and infrastructure targets. The UNDP breach highlighted the group's indiscriminate approach — no category of organization was treated as off-limits.
A Germany-led international operation coordinated by Europol, involving 15 countries, dismantled 8Base's infrastructure and arrested four suspects in Phuket, Thailand. The US DOJ unsealed charges against Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39), both Russian nationals, for operating 8Base and Affiliate 2803 and deploying Phobos ransomware between May 2019 and October 2024. Twenty-seven servers were seized. Dark web leak and negotiation sites were replaced with Bavarian State Criminal Police Office seizure banners. Over 400 organizations were notified of ongoing or planned attacks identified through the investigation. A free decryptor was subsequently released for Phobos and 8Base victims. The operation followed the November 2024 extradition of Phobos administrator Evgenii Ptitsyn from South Korea to the United States, which had already produced a measurable slowdown in 8Base operational activity.
Tools & Malware
8Base's toolkit combined Phobos ransomware infrastructure with commodity credential theft tools and a proxy/C2 layer. The group refined its payload over time — early versions closely matched Phobos, while later iterations showed increasing code divergence as ransomware payments funded technical development.
- Phobos Ransomware (v2.9.1, customized): The core payload, customized with the ".8base" file extension, a purple-themed ransom note including the "cartilage" branding string, and victim-specific ID and contact email in the encrypted filename. AES-256-CBC encryption with RSA-protected keys. Full encryption for files under 1.5MB; partial block encryption for larger files to improve speed. Persistence via Startup folder and Run registry key. Network share scanning via Phobos's built-in enumeration capability. Later variants (discovered November 2023) were rewritten in C rather than .NET, dropped Jabber contact instructions, and introduced a longer ransom note format with TOR site address.
- SmokeLoader: The primary delivery mechanism. SmokeLoader variants embedded the Phobos ransomware component in encrypted payloads that were decrypted and loaded into the SmokeLoader process memory — an in-memory delivery approach that avoided writing the ransomware binary as a standalone disk artifact. SmokeLoader also provided backdoor functions for additional C2 capability and data exfiltration.
- SystemBC: A proxy and remote administration tool used to establish encrypted C2 channels and conceal operator traffic origins. SystemBC was observed encrypting command-and-control communications alongside SmokeLoader's primary payload delivery role.
- Mimikatz / LaZagne / WebBrowserPassView / PasswordFox / VNCPassView / ProcDump: The credential harvesting toolkit deployed post-initial-access. These tools extracted credentials from Windows credential stores, browser password managers, VNC clients, and process memory, providing the authentication material needed to move laterally and access backup systems before encryption.
- defoff.bat (KILLAV): A batch script that disabled Windows Defender components before ransomware deployment. Alongside PCHunter, GMER, and Process Hacker, this provided security tool disabling and event log clearing to reduce detection likelihood during the attack and complicate post-incident investigation.
- PsExec: Used to remotely deploy the defoff.bat disabling script and the ransomware binary across network hosts, consistent with its widespread use across RaaS affiliate operations for lateral movement at scale.
- Angry IP Scanner: An IP range scanning tool used to identify systems with exposed RDP ports for credential-based initial access, consistent with documented Phobos ecosystem initial access methodology.
- Cobalt Strike / Bloodhound: Observed in broader Phobos ecosystem intrusions including 8Base-affiliated operations, providing post-exploitation capability and Active Directory enumeration for privilege escalation and lateral movement planning.
Indicators of Compromise
8Base's infrastructure was seized on February 10, 2025, and a free decryptor for Phobos and 8Base victims was released following the Operation Phobos Aetor arrests. Organizations that were compromised by 8Base and did not pay the ransom should contact law enforcement about accessing decryption tools. The Phobos ransomware ecosystem as a whole, including other affiliates not arrested in this operation, remains an active threat, so historical indicators are retained for retrospective investigation of past incidents.
Mitigation & Defense
8Base's TTP set reflects the standard Phobos affiliate playbook. The same defensive measures apply against the remaining Phobos ecosystem affiliates who were not arrested in Operation Phobos Aetor.
- Disable or restrict external RDP access: RDP exposure was the most documented initial access vector across the Phobos ecosystem. RDP should not be directly accessible from the internet under any circumstances. Where remote access is required, require MFA and connect via VPN. Angry IP Scanner detection rules on the network can identify active reconnaissance.
- Enforce MFA on VPN and all remote access portals: Initial access broker-purchased credentials are only useful if the credentials can authenticate directly without a second factor. MFA on all externally exposed authentication endpoints eliminates the entire IAB-sourced credential class of initial access.
- Monitor for SmokeLoader and SystemBC indicators: SmokeLoader is the primary 8Base payload delivery mechanism. Network and endpoint detection rules for SmokeLoader behavior — particularly process injection patterns and encrypted communications consistent with SystemBC — provide early warning before ransomware deployment begins.
- Alert on credential dumping tool execution: Mimikatz, LaZagne, and the browser credential extraction tools (WebBrowserPassView, PasswordFox) have documented behavioral signatures. EDR solutions should alert on their execution regardless of whether the tools are brought by the attacker or were already present on the system. ProcDump targeting LSASS should generate an immediate alert.
- Maintain offline, immutable, tested backups: 8Base deleted VSS and used PsExec to deploy across the network, meaning online and shadow copy backups were targeted. Offline backups stored on systems isolated from the production network are the only reliable recovery mechanism without paying the ransom or using the law enforcement decryptor.
- Patch and harden internet-facing systems continuously: The Phobos ecosystem leveraged vulnerable RDP, unpatched VPN appliances, and phishing as initial access vectors. Attack surface reduction — closing unnecessary external services, enforcing patching cadences, and removing legacy remote access configurations — reduces the available entry points for IAB-sourced access and direct exploitation.
- If compromised by 8Base, contact law enforcement about the decryptor: Following Operation Phobos Aetor, a free decryptor was released for Phobos and 8Base victims. Organizations that suffered 8Base encryption and did not pay may be able to recover files without ransom payment. Contact the FBI or local law enforcement equivalent for access to recovery resources.
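As an added example (not part of the original profile or any vendor's detection content), the following Python turns several of the TTPs in the table above and the monitoring recommendations in this list into detection rules and runs them over constructed Sysmon-style telemetry: ProcDump against LSASS, shadow copy deletion, execution of defoff.bat, event log clearing, processes spawned under the PsExec service, and file names carrying the ".8base" extension. The exact encrypted-file naming layout (`.id[<hex>-<digits>].[<email>].8base`) and the sample hosts, paths and addresses are assumptions, not values from the page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    technique: str
    evidence: str


# Detection rules drawn from the 8Base/Phobos TTPs in this profile:
# (rule name, MITRE technique, regex matched case-insensitively against the command line).
PROCESS_RULES = [
    ("lsass_dump_procdump", "T1003", r"procdump(64)?\.exe.*\blsass\b"),
    ("vss_deletion", "T1490", r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)"),
    ("defender_disable_script", "T1562.001", r"\bdefoff\.bat\b"),
    ("event_log_clearing", "T1562.001", r"wevtutil(\.exe)?\s+cl\b"),
]

# Remote deployment via PsExec appears as PSEXESVC.exe being the parent of the spawned process.
PSEXEC_PARENT = re.compile(r"\\psexesvc\.exe$", re.IGNORECASE)

# Assumed Phobos/8Base encrypted-file naming: <name>.<ext>.id[<8 hex>-<4 digits>].[<email>].8base
ENCRYPTED_NAME = re.compile(
    r"\.id\[[0-9A-F]{8}-\d{4}\]\.\[[^\]\\/]+@[^\]\\/]+\]\.8base$", re.IGNORECASE)


def scan_process_events(events):
    """Match process-creation events (Sysmon Event ID 1 style dicts) against PROCESS_RULES."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for name, technique, pattern in PROCESS_RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                alerts.append(Alert(ev["host"], name, technique, cmd))
        if PSEXEC_PARENT.search(ev.get("parent", "")):
            alerts.append(Alert(ev["host"], "psexec_remote_execution", "T1021", cmd))
    return alerts


def scan_file_events(events):
    """Flag file-create/rename events whose target path matches the encrypted-file pattern."""
    return [Alert(ev["host"], "phobos_8base_extension", "T1486", ev["path"])
            for ev in events if ENCRYPTED_NAME.search(ev["path"])]


# Constructed sample telemetry (not real logs): one event per rule plus a benign Office launch.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "cmdline": "procdump64.exe -ma lsass.exe C:\\Temp\\ls.dmp", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "srv02", "cmdline": "vssadmin delete shadows /all /quiet", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "srv02", "cmdline": "cmd.exe /c C:\\Windows\\Temp\\defoff.bat", "parent": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "srv02", "cmdline": "wevtutil cl Security", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws03", "cmdline": "WINWORD.EXE /n Q3-report.docx", "parent": "C:\\Windows\\explorer.exe"},
]
SAMPLE_FILE_EVENTS = [
    {"host": "srv02", "path": "D:\\Finance\\ledger.xlsx.id[1A2B3C4D-3232].[contact@example.com].8base"},
    {"host": "srv02", "path": "D:\\Finance\\ledger.xlsx"},
]

if __name__ == "__main__":
    for a in scan_process_events(SAMPLE_PROCESS_EVENTS) + scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"[{a.technique}] {a.host}: {a.rule} <- {a.evidence}")
```

The defoff.bat event fires two rules (the script itself and its PsExec parent), which is the chained PsExec-then-KILLAV pattern described in the Tools section; treat that pairing as a high-confidence signal rather than two unrelated alerts.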
The dismantlement of 8Base's operators does not end the threat from Phobos ransomware. Phobos operates as a RaaS framework — its code and infrastructure are available to any affiliate who chooses to use them. The arrests in Operation Phobos Aetor targeted two affiliate organizations (8Base and Affiliate 2803) and the Phobos administrator Ptitsyn. Other Phobos affiliates operating under different branding remain active. Defenders should treat Phobos-based indicators as ongoing threats rather than historical artifacts of a closed operation. CISA, the FBI, and MS-ISAC issued a joint advisory on Phobos variants in March 2024 that remains current guidance.
Sources & Further Reading
Attribution and references used to build this profile.
- Europol — Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown (2025)
- The Record — 8Base ransomware site taken down as Thai authorities arrest 4 connected to operation (2025)
- HIPAA Journal — Law Enforcement Operation Takes Down 8Base Ransomware Group (2025)
- VMware Carbon Black — 8Base Ransomware: A Heavy Hitting Player (2023)
- Trend Micro — Ransomware Spotlight: 8Base (2024)
- FortiGuard Labs — Ransomware Roundup: 8Base (2023)
- Security Affairs — Operation Phobos Aetor: Police dismantled 8Base ransomware gang (2025)