#threatreport #HighCompleteness Dark Web Profile: Tengu Ransomware (Shisa) | 14-06-2026 Source: socradar.io/blog/dark-web-pr… Key details below ↓ 💀Threats: Tengu_ransomware, Stealtengu_tool, Stealtg_tool, Rclone_tool, Edr-killer, Salatstealer, Residential_proxy_technique, Spear-phishing_technique, Fortirdp_tool, Shadow_copies_delete_technique, Zerologon_vuln, Netexec_tool, Wevtutil_tool, Lolbin_technique, Screenconnect_tool, Credential_dumping_technique, Password_spray_technique 🎯Victims: Technology, Manufacturing, Construction and real estate, Automotive, Hospital sector, Agriculture and food production 🏭Industry: Transport, Entertainment, Foodtech 🌐Geo: India, Japanese, Indonesia, Morocco, Iranian, Brazil, Iran, Middle east, Asia, Spain, Russia, African, Mexico, Poland, Africa, Qatar, Italy, United states, America, Thailand 🔓CVEs: CVE-2020-1472 [Vulners](vulners.com/cve/CVE-2020-147…) - CVSS V3.1: *10.0*, - Vulners: Exploitation: True Soft: - microsoft windows_server_1903 (*) - microsoft windows_server_1909 (*) - microsoft windows_server_2004 (-) - microsoft windows_server_2008 (r2) ... 📚TTPs: ⚔️Tactics: 13 🛠️Techniques: 26 🧨IOCs: - File: 13 - Hash: 1 - Email: 1 - IP: 8 💽Software: Linux, ESXi, WinSCP, PixelDrain, Active Directory, Windows Defender, Windows Security Center, Windows Update service, wuauserv 🔢Algorithms: sha256 🗂️Win API: README ⚙️Win Services: wscsvc, wuauserv 📜Programming Languages: powershell #threatreport: Tengu Ransomware, which rebranded to Shisa Ransomware in March 2026, is a financially motivated Ransomware-as-a-Service (RaaS) organization first identified in late 2025. This group utilizes a double-extortion strategy by stealing sensitive data and encrypting system files, thereby pressuring victims to comply with ransom demands. Tengu notably targets organizations across a wide geographical range, initially focusing on the Middle East and North Africa, and then expanding to include victims in North America, Europe, and Asia.
The RaaS program operates on a structured model, featuring an 80/20 revenue split favoring affiliates, utilizing encrypted communication via TOX, and offering builds compatible with Windows, Linux, and ESXi systems. Their malware operates through an intermittent encryption technique which targets file headers, allowing for rapid encryption of large datasets. A notable incident involved the encryption of 22.9TB of data in just 14 hours, showcasing their efficiency. For data exfiltration, Tengu employs custom tools such as StealTENGU and StealTG, along with general-purpose applications like Rclone and WinSCP. Additionally, they make use of MEGA for primary storage and various other services for secondary usage. The threat actors have designed their operational framework to maintain a low profile, leveraging common tools and methods to mimic legitimate activities, thus complicating detection efforts. Tengu’s initial access methods largely revolve around credential exploitation, conducting brute-force attacks against poorly secured RDP and SMB interfaces, and spear phishing campaigns. They also leverage known vulnerabilities such as ZeroLogon (CVE-2020-1472) for privilege escalation. Following this, they perform lateral movement within compromised networks using tools like NetExec over SMB and RDP, blending their activities with normal administrative traffic. An essential aspect of Tengu's methodology includes defense evasion tactics where they disable security measures such as Windows Defender and clear event logs to avoid detection prior to executing their ransomware payload. This strategy ensures that data exfiltration occurs undetected before initiating full system encryption, with affected files marked with the .tengu extension. To mitigate threats from Tengu Ransomware, organizations are advised to implement multi-factor authentication for remote access services, patch known vulnerabilities, and enhance monitoring for irregular authentication attempts. 
Security teams should also track Tengu-related infrastructure and shared indicators in threat intelligence databases, alerting on unusual tool usage patterns indicative of ransomware activity. By focusing on these areas, organizations can better defend against this emerging threat.
A walkthrough of a classic-but-still-effective Active Directory attack: how write access to an SMB share — plus a single .lnk file — lets an attacker capture Net-NTLMv2 hashes from every user who simply browses the folder, with no clicks, no payload execution, and almost no EDR signal. core-jmp.org/2026/06/weaponi… #ActiveDirectory #CredentialTheft #DomainCredentials #ForcedAuthentication #LNK #NetNTLMv2 #NetExec #NTLMCoercion #NTLMRelay #ntlm_theft #PasstheHash #Pentesting #Responder #SCF #SMB #SMBShareMisconfiguration #SMBSigning #Sysmon
AdStrike — AI Powered Active Directory Attack Framework 💀🔥 A modular red-team framework built for advanced AD operations, Kerberos workflows, ADCS abuse, credential access, lateral movement & attack-path analysis. ⚡ 🔥 58 interactive modules 🛡️ Kerberos-aware workflows 🤖 AI-assisted operator agent 📊 HTML / JSON / Markdown reporting ⚔️ BloodHound, Impacket, Certipy, NetExec integration Built for professional red team operations & authorized security testing. 🔗 github.com/capture0x/adstrik…
Pass-the-CCache: Lateral Movement Technique 🔥 Telegram: t.me/hackinarticles ✴ Twitter: x.com/hackinarticles Pass-the-CCache is a stealthy Kerberos-based attack where attackers use exported .ccache tickets to authenticate without passwords or NTLM hashes. ⚡ Key Features 🎟️ Reuse Kerberos tickets (.ccache) 🔐 No need for plaintext creds or hashes 💻 Works with Impacket tools 🚀 Lateral movement via: PsExec, WmiExec, AtExec, SmbExec 🖥️ Remote access using Evil-WinRM ⚡ NetExec support (WinRM & WMI) 🕵️ Low detection footprint 💡 This technique abuses Kerberos authentication by reusing valid tickets, helping attackers pivot inside Active Directory environments silently. 📖 Article: hackingarticles.in/lateral-m… #CyberSecurity #EthicalHacking #RedTeam #Pentesting #ActiveDirectory #Kerberos #LateralMovement #InfoSec
SMB share enumeration via ACLs with NetExec🔥 NetExec now detects share permissions via ACL enumeration, instead of trying to write a file. In addition, we can now detect if a user has indirect access to the share, e.g. by having ACL write permissions! Made by @PytelJack🚀
Credential Dumping: Pre2k 🔥 Telegram: t.me/hackinarticless ✴ Twitter: x.com/hackinarticles Pre2K Active Directory misconfigurations arise from legacy “Pre-Windows 2000” settings that expose weak permissions, default credentials, and excessive access rights—allowing attackers to enumerate, escalate privileges, and even compromise domain controllers. 📚 Topic Covered 🧩 Understanding Pre-Windows 2000 Compatibility ⚙️ Legacy AD Misconfigurations & Risks 🔍 Enumeration using pre2k Tool 🛠 Enumeration using NetExec (nxc) 🔑 Identifying Default Computer Account Passwords 💉 Exploiting Weak AD Permissions 🔄 Changing Computer Account Passwords 🖥 Gaining Access via Evil-WinRM 🚀 Domain Compromise Scenario 🛡 Mitigation & Hardening Techniques 📖 Article: hackingarticles.in/pre2k-act… #CyberSecurity #ActiveDirectory #RedTeam #Pentesting #EthicalHacking #InfoSec
SPN-less RBCD with NetExec🔥 While classic RBCD requires a computer account, you can use U2U authentication to perform RBCD with a normal user account, if a computer account is not available. Thanks to @azoxlpf, you can now perform this attack with NetExec as well🚀
Jun 10
🆕 Tool update NetExec -> (github.com/Pennyw0rth/NetExe…) In the latest "NetExec" release, a detection mechanism for accessible SMB resources based on Access Control Lists (ACLs) was added, improving accuracy and reducing noise when checking access rights. Now "NetExec" can distinguish between direct and inherited permissions without creating test files. #dbugs_tools
🔴 NetExec for OSCP & AD Pentesting: Complete Guide 🔥 Telegram: t.me/hackinarticles ✴ Twitter: x.com/hackinarticles NetExec is becoming the go-to tool for Active Directory enumeration, credential attacks & post-exploitation ⚡ ⚡ What You’ll Learn 🔍 SMB, LDAP & WinRM enumeration 🔑 Password spraying & credential validation 🎯 Kerberoasting & AS-REP Roasting 🩸 BloodHound data collection 📂 LAPS & shares enumeration 🚀 Remote command execution & lateral movement ⚔️ AD exploitation techniques for OSCP labs 💡 NetExec combines the power of CrackMapExec with modern modules, better performance & streamlined AD operations 🔥 ⚠️ One tool can uncover the entire attack surface of Active Directory 📖 Article: hackingarticles.in/netexec-f… #cybersecurity #activedirectory #redteam #oscp #pentesting #infosec #netexec #windows