MalwareRansomwareUsed by 4 actors

PingCastle

PingCastle is a legitimate Active Directory security assessment and reconnaissance utility. In the provided reporting, it is described as being used for Active Directory reconnaissance, including by the financially motivated threat actor Octo Tempest alongside ADRecon, and it is also listed by Kaspersky as a utility shared across ransomware-linked groups including Crypt Ghouls, MorLock, BlackJack, and Twelve. The cited use cases are focused on post-compromise enumeration of Active Directory environments. No specific infection vector, persistence mechanism, or indicators of compromise for PingCastle itself are provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BlackJack

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

Twelve

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

Crypt Ghouls

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

MorLock

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Discovery

3 techniques

T1016System Network Configuration DiscoveryEvidence2

Tools Used ... Discovery ... PingCastle

T1018Remote System DiscoveryEvidence4

Additional tradecraft and techniques: PingCastle and ADRecon to perform reconnaissance of Active Directory.

T1033System Owner/User DiscoveryEvidence1

Initial bulk-export of users, groups, and device information is closely followed by enumerating data and resources readily available to the user’s profile... AAD bulk downloads of user, groups, and devices.

Lateral Movement

1 technique

T1570Lateral Tool TransferEvidence1

The threat actor moved cab files to the remote hosts using SMB and then expanded and ran them using wmiexec.py commands.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Hashes

1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

hash.md5●●●●●●●●●●●●View more in app1 month ago

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

security online infoNews

Oct 21, 2024

Supply Chain Weakness: Crypt Ghouls Exploit Contractors to Deploy Ransomware

Active Directory assessment/recon tool used to enumerate AD posture and identify paths for privilege escalation and lateral movement.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution4

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.