active threat profile
type ransomware
threat_level high
status active
origin Unknown (assessed non-Western)
last_updated 2026-03-26

NightSpire

also known as: Rbfs (assessed predecessor / rebrand)
operators: xdragon128 (also: xdragon333), cuteliyuan

NightSpire launched its dark web data leak site on March 12, 2025 and has since claimed over 200 victims across 33+ countries — with ransomware.live tracking 209 listed victims as of March 2026 — establishing itself as an active mid-tier ransomware operation in under a year. Multiple threat intelligence firms assess NightSpire as a rebrand of the Rbfs ransomware group based on shared operators, victim overlap, and infrastructure continuity. The group exploits CVE-2024-55591, a critical FortiOS authentication bypass that grants super-admin access without valid credentials, as its documented primary initial access vector. Notable for significant OPSEC failures — including Gmail usage for victim communication and exposed server version headers — that distinguish it from more mature operations despite its aggressive scaling.

attributed origin Unknown — assessed non-Western based on targeting patterns; no confirmed nation-state attribution
assessed lineage Rbfs ransomware (predecessor) — shared operators xdragon128 / cuteliyuan, victim overlap, infrastructure continuity, timeline correlation
first observed February 2025 (data-only operations); DLS launched March 12, 2025; double extortion from April 2025
operational model Closed group — no confirmed affiliate program; March 2025 BreachForums recruitment attempt for negotiation specialist ended in platform ban
primary targets Manufacturing, Technology/IT, Healthcare, Financial Services, Construction, Education — broadly opportunistic
confirmed victims 200+ claimed (as of March 2026); 33+ countries; US, India, Hong Kong, France, Taiwan primary targets
mitre att&ck group Unassigned (no formal G-number as of March 2026)
cisa advisory None issued as of March 2026
threat level HIGH — active, global, targeting unpatched FortiOS; OPSEC failures suggest elevated LE disruption risk

Overview

NightSpire emerged in February 2025 operating as a data-only extortion group before transitioning to a full double extortion model — encrypting files alongside data theft — within weeks of its public launch. The speed of that capability escalation, combined with infrastructure continuity and operator handle overlap with the predecessor Rbfs operation, led multiple firms including IntelFusions and Halcyon to assess NightSpire as a rebrand rather than a genuinely new group. The operators xdragon128 (who also uses the alias xdragon333, per Cyble) and cuteliyuan are publicly documented on dark and deep web forums promoting NightSpire activity, with xdragon128 further traced to prior affiliations with Paranodeus ransomware, CyberVolk, and DarkAssault during 2024 — though the exact nature of those relationships remains unconfirmed. S-RM Intelligence additionally noted in March 2025 that the NightSpire name may be a reference to World of Warcraft lore, consistent with gaming-adjacent handle choices seen across other cybercrime operators.

The group's trajectory from launch is notable. Within six weeks of the DLS going live, NightSpire had claimed victims across multiple continents. By mid-2025, the group had expanded its geographic footprint to 33 countries. S-RM Intelligence first profiled the group in late March 2025 when only 11 victims had been claimed, flagging the operators as "inexperienced" with a "low level of sophistication." That assessment has proven partially accurate — NightSpire continues to exhibit meaningful tradecraft failures — but the group's operational tempo has been higher than a "low sophistication" characterization would predict.

Several OPSEC failures documented across sources are worth flagging explicitly because they distinguish NightSpire from more mature operations and create law enforcement opportunities:

  • Gmail addresses have been used for victim communications alongside privacy-focused platforms, a major failure that creates a persistent digital footprint.
  • The leak site exposes Apache, OpenSSL, and PHP version information in server headers.
  • The server hostname XDRAGON-SERVER1 directly mirrors the operator handle xdragon128, creating a clear attribution link. A second infrastructure hostname, WINDOWS-DTX-8GB, has also been attributed to NightSpire activity (Xcitium, 2026).
  • A BreachForums recruitment post on March 14, 2025 seeking a "negotiation specialist" at 20% commission, posted by xdragon128, resulted in a permanent platform ban; BreachForums had already banned ransomware recruitment following the law enforcement takedown in May 2024.

Halcyon has also identified tactical infrastructure overlaps connecting NightSpire to Storm-1567, UNC4393, and TA2101, though the precise nature of those connections remains under investigation. Stylistic similarities to BlackCat/ALPHV branding and intimidation rhetoric have been noted by IntelFusions, with apparent inspiration drawn from LockBit and Conti operational models. Collectively these failures describe a group that is operationally ambitious but not yet operationally mature, which plausibly raises its disruption risk relative to established groups.

One analytical note on victim count accuracy: RedPacket Security and other tracking platforms have flagged that some NightSpire leak site listings include unverified or potentially fabricated victim claims. As with many newer groups, the DLS victim count should be treated as an upper bound on confirmed breaches, with independent corroboration required before treating individual claims as confirmed incidents. The 200+ figure reflects leak site claims; confirmed breaches with independent evidence number substantially lower.

CVE-2024-55591 — FortiOS authentication bypass

CVE-2024-55591 is a critical (CVSS 9.6) authentication bypass in FortiOS and FortiProxy, reached through the Node.js WebSocket module of the administrative web interface. An unauthenticated attacker can send crafted requests to gain super-admin privileges on the device with no valid credentials required. Fortinet disclosed the vulnerability on January 14, 2025 (advisory FG-IR-24-535), noting that it was already being exploited in the wild, at which point a large population of internet-facing FortiGate appliances with exposed management interfaces was still running vulnerable versions. NightSpire began exploiting this CVE shortly after public disclosure. Affected versions are FortiOS 7.0.0–7.0.16 (fixed in 7.0.17), FortiProxy 7.0.0–7.0.19 (fixed in 7.0.20) and FortiProxy 7.2.0–7.2.12 (fixed in 7.2.13). Any organization running these without the patch is exposed to NightSpire initial access; until the patch is applied, the exposure is only closed by disabling the HTTP/HTTPS administrative interface on the internet-facing side or restricting it to trusted sources with a local-in policy, which is the interim workaround Fortinet published.
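Two checks a defender would want at this point, written here as an added example rather than code from this profile, from Fortinet, or from any of the cited vendors: a version test against the affected ranges in FG-IR-24-535, and a scan of FortiOS event logs for the exploitation artifact the same advisory describes (admin logins and admin-account creations recorded with a `jsconsole` UI, typically with a bogus or loopback source address). The log lines are constructed samples in FortiOS key=value format, not captures from a real device; the function names and the `svcadm9` account name are assumptions for illustration.

```python
"""Added example: CVE-2024-55591 exposure and log checks (not part of the profile)."""
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Affected ranges (inclusive) and fixed releases per Fortinet advisory FG-IR-24-535.
AFFECTED = {
    "FortiOS":    [((7, 0, 0), (7, 0, 16), "7.0.17")],
    "FortiProxy": [((7, 0, 0), (7, 0, 19), "7.0.20"),
                   ((7, 2, 0), (7, 2, 12), "7.2.13")],
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Accept '7.0.16' or 'v7.0.16' (the form 'get system status' prints)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def vulnerable_to_55591(product: str, version: str) -> Optional[str]:
    """Return the release to upgrade to if (product, version) is in an affected range, else None."""
    ver = parse_version(version)
    for lo, hi, fixed in AFFECTED.get(product, []):
        if lo <= ver <= hi:
            return fixed
    return None


def parse_fortios_log(line: str) -> Dict[str, str]:
    """FortiOS logs are space-separated key=value pairs; string values are double-quoted."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v
    return fields


def cve_2024_55591_indicators(lines: List[str]) -> List[str]:
    """Flag successful admin logins and system.admin additions made via the jsconsole UI,
    the artifact Fortinet associates with exploitation. Normal GUI/SSH logins record
    ui="https(<ip>)" or ui="ssh(<ip>)" and are ignored."""
    hits = []
    for line in lines:
        f = parse_fortios_log(line)
        if not f.get("ui", "").startswith("jsconsole"):
            continue
        if f.get("logdesc") == "Admin login successful":
            hits.append(f"admin login via jsconsole: user={f.get('user')} srcip={f.get('srcip')}")
        elif f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            hits.append(f"admin account created via jsconsole: {f.get('cfgobj')} ({f.get('cfgattr')})")
    return hits


# Constructed sample log lines (not captured from a device).
SAMPLE_LOGS = [
    # a normal GUI login from an internal address: not flagged
    'date=2025-01-20 time=08:02:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" profile="super_admin"',
    # login recorded through jsconsole with a bogus source address: the advisory pattern
    'date=2025-01-20 time=03:14:59 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" profile="super_admin"',
    # a new super_admin account added from jsconsole (account name is a made-up example)
    'date=2025-01-20 time=03:15:20 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="svcadm9" cfgattr="password[*]accprofile[super_admin]vdom[root]"',
]

if __name__ == "__main__":
    print("FortiOS 7.0.16 ->", vulnerable_to_55591("FortiOS", "7.0.16"))
    for hit in cve_2024_55591_indicators(SAMPLE_LOGS):
        print(hit)
```

Run the log check over the full retention window, not just the days around patching: exploitation preceded the advisory, and a device that has since been upgraded still carries the account and configuration changes an attacker made unless they were reviewed and removed.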

Target Profile

NightSpire's targeting is broadly opportunistic, driven by the availability of unpatched FortiOS appliances and exposed VPN/RDP endpoints rather than sector-specific mandates. The group explicitly goes after organizations S-RM describes as "soft targets" — organizations with exposed external assets and weak security postures — with SMBs making up the large majority of confirmed victims.

  • Manufacturing: The single highest-volume target sector across all tracking data — accounting for over 20% of NightSpire's confirmed DLS victims. Manufacturing organizations often run operational technology environments requiring high uptime, driving payment urgency. Many manufacturing SMBs lack the dedicated security teams and patching discipline of enterprise-scale organizations.
  • Technology and IT Services: The second highest-volume sector. Technology companies hold valuable IP and client data. IT service providers carry downstream client risk analogous to MSP targeting by SafePay and Play.
  • Healthcare: Healthcare organizations — hospitals in particular — appear consistently across NightSpire's victim list. Notable incidents include attacks against healthcare institutions in the UAE, Taiwan, and Peru. NightSpire's willingness to target hospitals distinguishes it from some operators who avoid healthcare for reputational or legal risk management reasons.
  • Government and Public Administration: Government entities in South Africa and Taiwan have been confirmed victims. NightSpire's claim of a Taiwanese government breach attracted particular attention in the threat intelligence community, alongside claims involving a Taiwanese hospital.
  • Geographic spread: The United States accounts for the largest share of victims (approximately 25%), followed by India, Hong Kong, France, and Taiwan. NightSpire maintains a broad geographic spread across North America, Europe, Asia-Pacific, Middle East, Africa, and Latin America — consistent with opportunistic targeting of any unpatched FortiOS device regardless of geography, with no apparent geopolitical motivation.

Tactics, Techniques & Procedures

TTPs sourced from SOCRadar dark web profile analysis, Cyble threat actor profile, S-RM Intelligence initial analysis (March 2025), ProvenData technical analysis, Halcyon threat group profile, and IntelFusions group assessment. NightSpire's TTPs are notable for relying entirely on widely available tools rather than custom-developed malware — with the exception of the Go-based ransomware payload itself.

mitre id technique description
T1190 Exploit Public-Facing Application CVE-2024-55591 (FortiOS / FortiProxy Node.js WebSocket module authentication bypass, CVSS 9.6) is the primary documented initial access vector. An unauthenticated attacker can send crafted requests to gain super-admin privileges on the FortiGate device without valid credentials, then make configuration changes that allow lateral movement into the victim network. Fortinet disclosed January 14, 2025; NightSpire exploitation began shortly after. RDP brute force and phishing campaigns are also documented as supplementary initial access methods.
T1059.001 / T1059.003 Command and Scripting Interpreter: PowerShell / Windows Command Shell PowerShell and cmd.exe used throughout post-access phases for discovery, lateral movement preparation, and payload staging — standard LOTL approach that blends with legitimate administrative activity. WMI (T1047) used for system information queries and remote command execution.
T1021.001 / T1569.002 Remote Services: RDP / System Services: Service Execution (PsExec) PsExec used for remote execution and lateral movement across domain-joined systems. RDP used for interactive operator access. NightSpire relies entirely on legitimate tools for lateral movement rather than deploying custom implants — consistent with the LOTL approach.
T1003.001 OS Credential Dumping: LSASS Memory Mimikatz used for credential harvesting from LSASS memory, providing domain-wide credential access to enable unrestricted lateral movement. No custom credential tool observed — standard Mimikatz deployment consistent with the group's reliance on public tooling.
T1083 / T1119 File System Enumeration / Automated Collection Everything.exe (a legitimate Windows file indexing tool) used to rapidly enumerate and identify high-value files across the filesystem before exfiltration targeting. This is an unusual but effective reconnaissance technique — Everything.exe builds a full filesystem index far faster than standard directory enumeration, allowing NightSpire to identify the most valuable data for exfiltration before deploying ransomware.
T1567.002 / T1048 Exfiltration to Cloud Storage / Exfiltration Over Alternative Protocol MEGACmd and Rclone used to upload data to MEGA cloud storage over TLS (T1567.002); WinSCP is documented alongside them for SFTP/FTP transfer (T1048). MEGA is a legitimate cloud storage service — traffic to MEGA blends with legitimate business use and avoids triggering IDS rules targeting known C2 infrastructure. Data is packaged into archives using 7-Zip before upload. The use of a legitimate public cloud service for exfiltration is a documented evasion technique across multiple ransomware operations.
T1486 Data Encrypted for Impact Go-based ransomware payload using hybrid AES-256/RSA-2048 encryption. Uses obfuscation methods including RC4 and XOR to evade static detection. Block-level encryption (in 1 MB chunks via main_EncryptFilev2 function) for large files (.iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .flt, .ldf); full encryption via main_EncryptFilev1 for smaller files. Each file receives a unique AES symmetric key encrypted with the attacker's RSA public key, appended to the file tail. Appends .nspire extension to encrypted files. Drops nightspire_readme.txt ransom note containing contact instructions and leak site URL. The payload also uses extended sleep intervals between encryption operations to reduce behavioral detection likelihood, and performs log manipulation and temporary file cleanup after execution (ProvenData, 2026). Ransom demands range from approximately $150,000 to $2 million USD depending on assessed victim revenue. Countdown timers as short as two days have been documented — aggressive deadlines designed to maximize payment urgency. NightSpire also targets OneDrive cloud sync in parallel with local encryption, creating simultaneous disruption of both local and cloud copies. Notably, NightSpire does NOT delete VSS shadow copies (confirmed Halcyon full profile, ProvenData, Xcitium) — prioritizing encryption speed over complete recovery prevention, which creates a partial recovery path for prepared defenders. Note: Halcyon's Q2 2025 Power Rankings entry contradicts this, stating VSS is deleted — this specific claim is not corroborated by Halcyon's own dedicated NightSpire profile or other recent sources and should be treated with caution.
T1657 Financial Theft — Extortion Double extortion model: data exfiltrated to MEGA before encryption, then threatened for publication on the Tor DLS. Victim communications via ProtonMail, OnionMail, and Telegram for legitimately privacy-focused channels — but Gmail has also been documented, representing a significant OPSEC failure. Staged data releases used to escalate pressure. Public shaming via Telegram channels. The DLS displays victim name, breach date, data size, and countdown timer toward public disclosure.

Known Campaigns

NightSpire does not publicize named campaigns. The following represents documented high-profile or analytically significant incidents from the group's leak site and independent reporting. Note that some DLS claims are flagged as unverified — independently corroborated incidents are noted where known.

Taiwanese Government and Hospital Claims 2025

NightSpire claimed breaches of Taiwanese government entities and at least one hospital in Taiwan, drawing significant threat intelligence attention given the geopolitical sensitivity of Taiwan as a target. The Taiwan government claim was noted by SOCRadar as among the group's "major claims." Independent confirmation of the specific entities and scope of these breaches has not been fully established in open-source reporting — consistent with the broader caveat that NightSpire DLS claims require independent corroboration.

South Africa Government Entities 2025

NightSpire confirmed attacks against government entities in South Africa — representing the group's reach into African public sector targets and consistent with the broadly opportunistic geographic targeting observed across the victim portfolio. Public sector organizations in emerging markets are frequently targeted by opportunistic ransomware groups due to lower patching cadence and limited security resources relative to Western counterparts.

Healthcare Institutions — UAE, Taiwan, Peru 2025

Healthcare institutions across three continents — UAE, Taiwan, and Peru — appeared on NightSpire's DLS, confirming the group's willingness to target patient-care facilities. Healthcare attacks by relatively new and less technically mature groups carry elevated risk because the group's OPSEC failures (Gmail, exposed server headers) make their infrastructure more likely to be disrupted mid-incident, potentially leaving encrypted systems without a functional decryptor contact path.

Global Manufacturing Targeting — ongoing since March 2025

Manufacturing has been NightSpire's highest-volume target sector throughout its operational history, accounting for over 20% of DLS postings. Victims span automotive components, construction materials, industrial equipment, food processing, and chemical manufacturing across the US, Europe, APAC, and emerging markets. The consistent manufacturing targeting reflects the sector's broad footprint of internet-facing FortiGate appliances — many deployed for operational technology network segmentation — that are often on extended patching cycles due to uptime requirements.

Tools & Malware

  • NightSpire ransomware (Go-based): Written in Go with obfuscation via RC4 and XOR. Hybrid encryption: block-level encryption (1 MB chunks) for large files (.iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .flt, .ldf) and full encryption for smaller files, using AES-256 with RSA-2048 key protection. Appends .nspire extension. Drops nightspire_readme.txt ransom note per directory. Countdown timers as short as two days on DLS listings. Uses extended sleep intervals between encryption operations to reduce real-time behavioral detection. Performs log manipulation and temporary file cleanup post-execution. Targets OneDrive cloud sync in parallel with local encryption. Does not delete VSS shadow copies — an unusual design choice that creates a partial recovery path. Linux/ESXi variants reportedly in development but not yet widely deployed as of early 2026.
  • CVE-2024-55591 exploitation: Primary initial access method — FortiOS / FortiProxy authentication bypass via crafted WebSocket requests targeting the Node.js module. Grants super-admin privileges without valid credentials. Enables full device configuration access, which NightSpire then uses to create access paths into the internal network.
  • Everything.exe: Legitimate Windows file indexing tool repurposed for rapid filesystem enumeration and high-value file identification. Builds a complete filesystem index rapidly, enabling NightSpire to target the most valuable data for exfiltration before deploying ransomware.
  • Advanced IP Scanner: Legitimate network scanning tool documented in NightSpire intrusions for network reconnaissance — identifying live hosts, open ports, and accessible shares across the victim environment. Execution outside IT admin contexts is a meaningful alert signal.
  • MEGACmd / WinSCP / Rclone: MEGA cloud storage command-line client, FTP/SFTP tool, and open-source cloud sync utility used for data exfiltration to attacker-controlled storage. Traffic to MEGA blends with legitimate business cloud usage, reducing IDS detection probability. Rclone can target multiple cloud destinations. Data packaged with 7-Zip before upload.
  • Mimikatz: Standard Windows credential dumping tool for LSASS memory extraction and domain credential harvesting.
  • PowerShell / PsExec / WMI: Legitimate Windows tools used throughout post-access phases for lateral movement, discovery, and remote execution — standard LOTL approach with no custom tooling observed beyond the ransomware payload itself.
  • ProtonMail / OnionMail / Telegram: Privacy-focused communication channels used for victim ransom negotiations. Gmail also documented — a significant OPSEC failure creating a persistent digital footprint. When payment deadlines expire, NightSpire publishes victim data as free downloads on its DLS and in some cases threatens to sell the data to third parties (ProvenData, 2026).
  • Tor DLS (leak site): Dark web data leak site listing victim name, breach date, data volume, and countdown timer. Infrastructure exposes Apache, OpenSSL, and PHP version headers — a meaningful OPSEC failure providing defenders and law enforcement with technical intelligence about the server environment. Server hostname XDRAGON-SERVER1 directly mirrors operator handle xdragon128. A second attributed hostname, WINDOWS-DTX-8GB, has been identified in NightSpire attack infrastructure (Xcitium, 2026).

Indicators of Compromise

No government advisory has been issued for NightSpire as of March 2026. IOCs below are sourced from Cyble, SOCRadar, ProvenData, and Halcyon field reporting. Given NightSpire's use of entirely commodity tools, behavioral IOCs are more reliable than tool-presence indicators since the same tooling appears across many ransomware groups.

indicators of compromise — NightSpire (structural and behavioral)
file ext .nspire — appended to all encrypted files
ransom note nightspire_readme.txt — dropped per encrypted directory; contains contact info (ProtonMail/OnionMail) and Tor DLS link with countdown timer
vuln (exploited) CVE-2024-55591 — FortiOS / FortiProxy Node.js WebSocket auth bypass (CVSS 9.6); check FortiOS 7.0.0–7.0.16, FortiProxy 7.0.0–7.0.19 and FortiProxy 7.2.0–7.2.12 for patch status
tool pattern Everything.exe execution for filesystem indexing — unusual in non-IT-admin contexts; alert on execution followed by large archive creation or outbound MEGA / Rclone transfers
tool pattern Advanced IP Scanner execution on production servers — legitimate network scanning tool with no standard business use on production servers; indicates active internal reconnaissance phase
exfiltration MEGACmd (mega.exe), WinSCP, and Rclone executing with large outbound transfers to MEGA cloud storage endpoints (g.api.mega.co.nz, *.mega.nz) or other cloud destinations via Rclone
targeted filetypes Block encryption (1 MB chunks) targets: .iso, .vhdx, .vmdk, .zip, .vib, .bak, .mdf, .flt, .ldf — virtual machine images, backup files, and database files are priority targets; all other files receive full encryption
cloud impact NightSpire targets OneDrive cloud sync in parallel with local encryption — .nspire files appearing locally while OneDrive files simultaneously become inaccessible indicates active NightSpire encryption
recovery note NightSpire does NOT delete VSS shadow copies (Halcyon full profile, ProvenData, Xcitium — majority consensus) — organizations with recent VSS backups may have a partial recovery path without paying ransom; test before assuming VSS is unavailable. One conflicting source (Halcyon Q2 2025 Power Rankings) claims VSS deletion — verify forensically before concluding VSS is intact.
operator handles xdragon128 (also: xdragon333), cuteliyuan — dark/deep web forum handles attributed to NightSpire operators; infrastructure hostnames XDRAGON-SERVER1 and WINDOWS-DTX-8GB attributed to NightSpire attack infrastructure
network Gmail addresses in ransom negotiation emails — flag any ransomware contact via Gmail for law enforcement reporting; higher LE disruption probability than Proton/Onion contacts

Mitigation & Defense

  • Patch CVE-2024-55591 immediately — this is the primary entry point: Any FortiOS device running versions 7.0.0 through 7.0.16, or FortiProxy 7.0.0 through 7.0.19 or 7.2.0 through 7.2.12, with its administrative interface reachable from the internet is vulnerable to NightSpire's primary initial access technique. Fixed releases (FortiOS 7.0.17, FortiProxy 7.0.20 and 7.2.13) have been available since January 14, 2025. This is not a complex remediation — it is a firmware update; where it cannot be applied at once, Fortinet's interim workaround is to disable the HTTP/HTTPS administrative interface on the internet-facing side or restrict it to trusted sources with a local-in policy. Organizations with internet-facing FortiGate appliances that have not applied this patch should treat the system as potentially compromised and conduct a forensic review of FortiOS admin logs for unauthorized super-admin activity or unexpected configuration changes before and after patching.
  • Audit FortiGate admin logs for unauthorized super-admin access: CVE-2024-55591 exploitation leaves traces in FortiOS event logs. Fortinet's advisory lists the specific indicators: successful admin logins whose ui field reads jsconsole (often with a random, spoofed or loopback source address), and super_admin accounts with random-looking names created from jsconsole. Review those alongside admin account creation, VPN and SSL-VPN configuration changes, and policy modifications not authorized by your change management process, particularly from external IP addresses or at unusual hours.
  • Block or monitor MEGA cloud storage traffic from production systems: NightSpire exfiltrates data primarily to MEGA (mega.nz / g.api.mega.co.nz), with Rclone also documented against other cloud destinations. While MEGA has legitimate business uses, production servers and workstations have no legitimate reason to make large outbound transfers to MEGA. Block MEGA from all systems where it is not explicitly approved software, alert on any MEGA traffic from systems where it is approved if the transfer volume is anomalous, and apply the same volume-based alerting to Rclone and WinSCP transfers to any external destination.
  • Alert on Everything.exe execution in non-admin contexts: Everything.exe is a legitimate file indexing tool but has no typical business use on production servers or standard user workstations. Its execution — especially if followed by archive creation or MEGA transfers — is a reliable NightSpire pre-encryption indicator. Add it to your unauthorized software alert list unless there is a specific approved use case.
  • Check VSS before assuming total data loss: Unlike most ransomware operators, NightSpire is reported by the majority of sources (Halcyon's dedicated profile, ProvenData, Xcitium) not to delete Volume Shadow Copies before encryption, although one Halcyon Q2 2025 entry claims otherwise. If your organization has been hit by NightSpire, enumerate and test shadow copy restoration on an isolated copy before engaging the ransom negotiation process; do not assume either outcome. This is an unusual defensive opportunity that does not exist against operators like Play, Akira, or Medusa, who explicitly target and destroy VSS copies as part of their pre-encryption routine.
  • Report Gmail-based ransom contacts to law enforcement: NightSpire's use of Gmail for victim communication is an OPSEC failure with law enforcement implications. Gmail headers and account metadata can provide actionable attribution intelligence. Organizations receiving NightSpire ransom communications via Gmail should preserve the full email headers and report them to the FBI Internet Crime Complaint Center (IC3) and CISA alongside the incident report — this information has a higher investigative value against NightSpire than against groups using properly anonymized communication channels.
  • Treat DLS victim claims as unverified until corroborated: If your organization or a partner appears on NightSpire's DLS, do not assume the breach claim is fully accurate before independent verification. RedPacket Security and other trackers have flagged NightSpire for including potentially fabricated or exaggerated victim claims. Conduct your own forensic review to determine the actual scope of any access before making public disclosures or ransom payment decisions based solely on the group's claims.
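The Everything.exe and MEGA bullets above, and the matching "tool pattern" and "exfiltration" rows in the IOC table, describe a sequence rather than three isolated indicators: filesystem indexing, then 7-Zip archiving, then an upload by MEGAcmd, Rclone or WinSCP on the same host. The correlation below is an added example, not code from this profile or from any EDR vendor; it runs over constructed endpoint events in a generic (host, timestamp, kind, image, detail) shape, the executable names are the usual on-disk names for those tools (an assumption), and the six-hour window is a guess at one operator session. It reports a host only when the stages appear in the profile's order, which is what keeps a backup job that archives and then pushes over SFTP from firing.

```python
"""Added example: ordered-stage correlation for the NightSpire pre-encryption chain."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    host: str
    ts: datetime
    kind: str    # "process" (creation) or "network" (outbound connection)
    image: str   # executable name, lower-case
    detail: str  # command line for process events, destination hostname for network events


# Tooling named in the profile; on-disk image names are an assumption.
INDEXERS = {"everything.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
EXFIL_TOOLS = {"mega.exe", "megacmd.exe", "megacmdserver.exe", "rclone.exe", "winscp.exe"}
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")
WINDOW = timedelta(hours=6)  # assumption: all three stages land within one operator session
CHAIN = ["index", "archive", "exfil"]


def stage_of(ev: Event) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it is not of interest."""
    if ev.kind == "process" and ev.image in INDEXERS:
        return "index"
    if ev.kind == "process" and ev.image in ARCHIVERS and " a " in f" {ev.detail} ":
        return "archive"  # 7-Zip's 'a' command adds files to an archive
    if ev.kind == "network" and (ev.image in EXFIL_TOOLS or ev.detail.endswith(EXFIL_DOMAINS)):
        return "exfil"
    return None


def correlate(events: List[Event], window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Per host, return the chain stages observed in order within `window` of that
    host's first stage event. A stage is only accepted when it is the next one
    expected, so archive+upload with no prior indexing yields an empty list."""
    staged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        s = stage_of(ev)
        if s is not None:
            staged[ev.host].append((ev.ts, s))
    result: Dict[str, List[str]] = {}
    for host, seq in staged.items():
        seen: List[str] = []
        start = seq[0][0]
        for ts, s in seq:
            if ts - start > window:
                break
            if len(seen) < len(CHAIN) and s == CHAIN[len(seen)]:
                seen.append(s)
        result[host] = seen
    return result


def full_chains(events: List[Event]) -> List[str]:
    """Hosts that completed index -> archive -> exfil; candidates for immediate isolation."""
    return sorted(h for h, seen in correlate(events).items() if seen == CHAIN)


def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 6, 3, hour, minute)  # constructed timestamps


# Constructed sample telemetry, not from any real incident.
SAMPLE_EVENTS = [
    Event("FS01", _t(10, 0), "process", "everything.exe", r"Everything.exe"),
    Event("FS01", _t(10, 40), "process", "7z.exe", r"7z.exe a -mx1 C:\ProgramData\fin.7z D:\Finance"),
    Event("FS01", _t(11, 5), "network", "mega.exe", "g.api.mega.co.nz"),
    Event("WS-IT-04", _t(9, 0), "process", "everything.exe", r"Everything.exe"),        # admin use, no follow-on
    Event("HR02", _t(14, 0), "process", "7z.exe", r"7z.exe a E:\backup\hr.7z D:\HR"),  # routine backup job
    Event("HR02", _t(14, 10), "network", "winscp.exe", "sftp.backup.example.net"),    # routine upload
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages) or '(none)'}")
    print("full chains:", full_chains(SAMPLE_EVENTS))
```

The partial results are the useful ones for triage: a host stuck at "index" alone is an unusual-software alert, a host at "index -> archive" is a pre-exfiltration warning worth acting on before the upload starts. Feed real telemetry by mapping your EDR's process-creation and network-connection records onto the Event shape; the stage definitions are the only part that would need tuning.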

— end of profile — last updated 2026-03-26