Red Hot Cyber


NightSpire: A New Player in the Ransomware Landscape

Pietro Melillo : 12 March 2025 23:57

During our reconnaissance into the underground world and criminal groups conducted by Red Hot Cyber’s threat intelligence laboratory DarkLab, we stumbled upon a Data Leak Site of a cyber gang never monitored before: NightSpire.

NightSpire is a new ransomware group that has recently emerged on the cybercrime scene. Although no previous information is available about this actor, an analysis of their data leak site (DLS) and their communications provides some key insights into their strategy and operational methods.

The group portrays itself as an unstoppable threat to businesses and promises to exploit every vulnerability to their advantage. Below, we analyze the details of their portal and the potential implications of their activities.

NightSpire: Identity and Public Statements


The “About” section of NightSpire’s website contains an intimidating message, typical of ransomware groups aiming to instill fear among businesses. The language used is reminiscent of well-known actors like BlackCat, LockBit, and Conti, emphasizing their intent to target vulnerable organizations and threaten them for ransom.

Text from the “About” section:

“NightSpire, the shadowy architects of digital chaos, thrive on shattering the sanctity of corporate fortresses. With ruthless precision, we infiltrate the deepest vaults of data, leaving no byte untouched. Fear us, for NightSpire is the harbinger of your downfall, the unseen hand that will exploit your every vulnerability until you kneel before our demands.”

This rhetoric is a clear example of cyber-intimidation, aimed at reinforcing the group’s image as an unstoppable threat and destabilizing their victims.

Analysis of the Data Leak Site (DLS)

NightSpire operates a data leak site, where they publish information about compromised companies—a common practice among ransomware groups. The portal has a “Databases” section, listing victims along with details such as:

  • Attack date
  • Leak publication date
  • Size of exfiltrated data
  • Country of the victim

Based on the analyzed images, some of the affected companies include:

Some of these leaks are still on a countdown, suggesting that the group follows the double extortion strategy: threatening to publish stolen data if the ransom is not paid. When the timer reaches zero, the data is made public.

This technique is used to exert additional pressure on victims, forcing them to pay to avoid reputational damage and loss of sensitive data.

Contact Structure and Telegram Channel

NightSpire offers multiple contact methods on their dedicated page. In addition to classic email services such as ProtonMail and OnionMail, they also have a Telegram channel, which ransomware groups often use to communicate leak updates, negotiate ransoms, and provide instructions to victims.

Identified contact methods:

  • Email
  • Contact Form
  • Telegram

The Telegram channel is likely used to announce new attacks, interact with victims, and manage communications with potential affiliates or data buyers.

Characterization of the Group

Although detailed information about their origin or attack techniques is not yet available, some elements suggest that NightSpire could be an emerging group with strong influences from existing RaaS (Ransomware-as-a-Service) models.

Possible operational characteristics:

  • Use of double extortion
  • DLS portal with countdown for data release
  • Telegram channel for communications
  • Targeting companies in multiple global regions
  • Aesthetics and communication similar to advanced ransomware groups

It remains to be seen whether this is an entirely new group or a rebrand of an existing actor.

Conclusions and Final Considerations

NightSpire presents itself as a new ransomware threat. The lack of references to previously known groups makes it difficult to draw a direct line to existing actors, but their modus operandi is clearly inspired by well-established techniques.

Organizations must adopt cyber resilience strategies, strengthening endpoint protection, implementing incident response plans, and improving staff training to mitigate the risk of compromise.

We will continue monitoring NightSpire to identify their tactics and operational procedures, assessing their impact on the global cybercrime landscape.

Pietro Melillo
Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for hacking and technology, currently CISO of WURTH Italia, he was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D., and is the author of scientific papers and of tools developed to support cybersecurity activities. He leads the CTI team "RHC DarkLab".