Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
12 malware families

ShadowSyndicate

Also known asShadowSyndicate

ShadowSyndicate is a cybercrime cluster first publicly disclosed in 2023 and assessed to have been active since at least July 2022. Reporting consistently describes it as an affiliate across multiple ransomware-as-a-service ecosystems and/or as infrastructure support for other actors, with Group-IB assessing that it most likely functions as either an Initial Access Broker (IAB) or a bulletproof hosting (BPH) provider. Its exact role remains unconfirmed. ShadowSyndicate has been linked with high confidence to Quantum ransomware activity in September 2022, Nokoyawa activity in October 2022, November 2022, and March 2023, and ALPHV/BlackCat activity in February 2023. Lower-confidence reporting also associates it with Royal, Cl0p, Cactus, and Play. Other reporting describes it as an ALPHV affiliate and notes use of RansomHub. The group is notable for operating and reusing a large server and access infrastructure. Multiple reports describe dozens of servers under its control, including at least 20 command-and-control nodes and 52 systems with SSH fingerprints tied to the cluster. ShadowSyndicate has repeatedly reused OpenSSH, the same access keys, and rotating SSH fingerprints across servers, with overlaps in infrastructure observed over time. Researchers linked additional SSH markers and OpenVPN infrastructure to the cluster, and reporting notes server transfers between SSH clusters. Infrastructure associated with ShadowSyndicate has been connected to malicious activity involving Cl0p, BlackCat/ALPHV, Ryuk, Black Basta, Malsmoke, and other ransomware ecosystems. ShadowSyndicate has been observed using or hosting offensive tooling including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, Brute Ratel, AsyncRAT, and MeshAgent, as well as open-source post-exploitation and red-team frameworks. Reporting also notes connections between ShadowSyndicate infrastructure and malware families including TrueBot and AMOS Stealer. One report states the group has used seven different ransomware families over recent years. Targeting and victimology are not consistently defined in the provided content, but ShadowSyndicate-linked activity appears tied to broad financially motivated ransomware operations rather than a single vertical. The content also states ShadowSyndicate scanned servers vulnerable to CVE-2024-23334. There is no high-confidence evidence in the provided material that ShadowSyndicate is a nation-state actor; it is described as a cybercrime cluster.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics4 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.004
SSH
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1090
Proxy
ARSENAL

Associated malware families

12 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
8BaseIt appears this IP address is hosting the 8Base Ransomware group’s Data Leak Site.1Jun 25, 2026
AsyncRATFirst released in 2019, AsyncRAT enables long-term unauthorized access and post-compromise control, making it a reliable tool for credential theft, lateral movement staging, and follow-on payload delivery.1Mar 8, 2026
BlackCat“Alphv (AKA BlackCat, Noberus) is a ransomware variant that has been active since at least November 2021 and operates using the double extortion method – where victim data is stolen and leaked if a ransom is not paid. Alphv operates as a RaaS…”1Mar 18, 2026
Brute Ratel C4ShadowSyndicate continues to be associated with toolkits including ... Brute Ratel.1Mar 8, 2026
Cobalt StrikeShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.1Mar 8, 2026

7 additional families tracked in Mallory.

IOCS

Observables

39 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

39 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
scworldNews
Feb 6, 2026
Augmented ShadowSyndicate cybercrime infrastructure uncovered | SC Media

A cybercrime activity cluster that has expanded and maintained coordinated SSH-based infrastructure (reused access keys, consistent OpenSSH usage) and operates servers used as C2 nodes for open-source post-exploitation tools and red team frameworks; assessed as potentially functioning as an Initial Access Broker and/or a bulletproof hosting provider.

Read more
the hacker newsNews
Feb 5, 2026
ThreatsDay Bulletin: Codespaces RCE, AsyncRAT C2, BYOVD Abuse, AI Cloud Intrusions & 15+ Stories

Cybercrime activity cluster operating shared/reused infrastructure (SSH-keyed server clusters) that supports multiple downstream threat clusters; associated with a broad post-exploitation toolkit and infrastructure handoffs between SSH clusters.

Read more
theravenfile blogNews
Nov 4, 2025
CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE

Mentioned only as an additional threat cluster seen in overlapping/shared subnet infrastructure; no further details provided.

Read more
the hacker newsNews
Aug 4, 2025
⚡ Weekly Recap: VPN 0-Day, Encryption Backdoor, AI Malware, macOS Flaw, ATM Hack & More

Operating as an initial access broker, providing access to various APTs and cybercrime groups, and linked to infrastructure supporting multiple malware and ransomware families.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal12

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables39

Domains, IPs, and hashes tied to this actor, refreshed continuously.

ShadowSyndicate | Mallory