RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
NightSpire
Double Extortion  •  Transitioning to RaaS  •  Rbfs Predecessor
Emerging Threat  •  Active RaaS (Transitioning)

First observed: Feb 2025 (DLS live Mar 12, 2025)
Total victims: 259+ (as of May 1, 2026)
Countries: 30+ (global opportunistic targeting)
LE disruptions: zero (no arrests, no sanctions)
Primary IAV: CVE-2024-55591 (FortiOS / FortiProxy)
Encryptor: Go, .nspire extension, AES-256-CBC + RSA-2048
Lineage: Rbfs (shared operators confirmed)

01  Executive Summary and Group Overview

NightSpire is a financially motivated double-extortion ransomware operation that emerged in February 2025. It is assessed with high confidence as a rebrand and capability escalation of the earlier "Rbfs" extortion group, driven by the same core operators. Within approximately 15 months of emergence, the group had claimed 259 victims across 30 or more countries and announced a formal Ransomware-as-a-Service (RaaS) affiliate program in April 2026. Despite rapid growth in victim volume, the group retains markers of operational immaturity: poor OPSEC, erratic extortion behavior, and infrastructure that leaves identifiable forensic fingerprints.

Geographic indicators from infrastructure analysis suggest an India-linked operator nexus with probable Chinese-speaking involvement, based on a WinSCP exfiltration server IP assigned to Kerala Agricultural University's academic network block and Chinese internet culture markers (tilde greeting, operator handle "cuteliyuan" containing the common Chinese given name "liyuan"). Spanish open-source reporting characterized the group as likely Russian or Eastern European, but this assessment predates the Barracuda infrastructure analysis and is in tension with it. No formal government attribution has been published as of May 2026.

Attribute | Detail
Status | Active and growing; formal RaaS transition announced April 2026
Predecessor | Rbfs (data-only extortion, early 2025); shared operators xdragon128 and cuteliyuan
Tracking designations | No formal tracking designation from CrowdStrike, Secureworks, Unit 42, Mandiant, Recorded Future, or Microsoft as of May 2026 (INTELLIGENCE GAP). SonicWall signature: GAV: NightSpire.RSM (Trojan). AhnLab V3: Ransomware/Win.Nightspire. AttackIQ and Cyble track as NightSpire.
Operational model | Closed crew (Feb to mid-2025), transitioning to a RaaS affiliate model (mid-2025 to present)
Extortion mechanic | Double extortion: exfiltration followed by encryption; countdown DLS; secondary data sale to third parties if payment refused
Primary IAV | CVE-2024-55591 (FortiOS/FortiProxy authentication bypass); also RDP brute-force, phishing, credential stuffing
Encryptor | Go-compiled PE, AES-256-CBC per-file, RSA-2048 key wrap; .nspire extension; readme.txt ransom note
Victim count | 259+ as of May 1, 2026 (11 in Mar 2025, 45+ by May 2025, 200+ by late 2025, 259 by May 2026)
Assessed geography | India-linked IP infrastructure, probable Chinese-speaking operator (cuteliyuan), East Asian cultural markers; no formal state attribution (CREDIBLE inference, medium confidence)
Decryptor available | No public decryptor. Not listed on No More Ransom as of May 2026.
Data Leak Site & Branding

02  Lineage and Organizational Heritage

Overall Assessment
Credible — multi-source convergence, not yet universally corroborated

S-RM Intelligence assessed in March 2025 that it is "highly likely" NightSpire operators are associated with the Rbfs ransomware group. Barracuda Networks (May 2026) and multiple open-source outlets corroborate this assessment through independent observation of the same evidentiary pillars set out below. ASEC (August 2025) characterized the rebrand question as "unclear," but did not dispute the Rbfs evidence directly. No major TI vendor (CrowdStrike, Secureworks, Unit 42, Mandiant, Recorded Future) has published a formal connected-cluster assessment as of May 2026, leaving the Rbfs connection credible but not universally accepted.

Rbfs to NightSpire: Evidentiary Pillars
Pillar 1 — Confirmed (multiple independent sources)
Shared Operator Handles
Handles "xdragon128" and "cuteliyuan" promoted both Rbfs victim data and NightSpire operations on crime forums and Telegram. The hostname "XDRAGON-SERVER1" appeared in early NightSpire incident infrastructure, directly linking the xdragon128 persona to operational infrastructure. Consistent across S-RM, Barracuda, and multiple secondary sources.
Pillar 2 — Confirmed (documented by S-RM with screenshots)
Victim Overlap
At least two organizations previously claimed by Rbfs (via xdragon128 forum posts) later appeared on NightSpire's DLS victim listing, with matching victim names shown in side-by-side screenshots published by S-RM. This is the strongest single evidentiary element supporting the lineage assessment.
Pillar 3 — Credible
Temporal Substitution
Public references to Rbfs ceased at precisely the same time NightSpire emerged in early March 2025. Rbfs's short operational lifespan and the abrupt timing are consistent with rebranding behavior documented in other ransomware group transitions. No competing explanation for the simultaneous disappearance is documented in available sources.
Pillar 4 — Credible
Infrastructure Continuity
The WinSCP exfiltration server IP (14.139.185.60, assigned to Kerala Agricultural University's NKN block) was identified in early NightSpire incidents. While IP reuse is not definitive on its own, combined with operator handle and hostname continuity it supports a consistent operational infrastructure thread across the Rbfs-to-NightSpire transition.
Extended Lineage: xdragon128 Prior Activity (2024)

Barracuda's reporting traces xdragon128 further back into 2024, prior to Rbfs activity. In late 2024, xdragon128 was observed collaborating with "Paranodeus" in the DarkAssault and DeepWing Telegram channels to build and distribute the Python-based Parano toolset. During this same period, xdragon128 appeared in hacktivist-adjacent channels linked to CyberVolk, a pro-Russian hacktivist group. Multiple secondary sources note the possible equation of "Paranodeus" and "xdragon128" as the same individual, though Barracuda explicitly states it does not have evidence to confirm this.

The Parano toolset connection is notable because the NightSpire Go-based encryptor represents a deliberate departure from Python-based tooling, suggesting new developer involvement rather than simple reuse. The extended lineage runs through shared human operators, not shared code.

Collection gap: The Telegram channels in which xdragon128 operated (DarkAssault, DeepWing) were banned and no available archives or screenshots are publicly accessible. The CyberVolk/xdragon128 connection relies on forum images published by Cyfirma and S-RM rather than primary archived evidence. CrowdStrike, Secureworks, Unit 42, Mandiant, and Recorded Future have not published formal cluster assessments covering NightSpire or its Rbfs predecessor.
Capability Shift: Rbfs vs. NightSpire
Dimension | Rbfs | NightSpire
Extortion model | Data theft and extortion only (no encryption) | Double extortion: exfiltration plus full encryption
Encryptor language | None documented; Parano toolset was Python-based | Go (Golang) compiled PE binary
Dedicated leak site | No dedicated DLS; forum and Telegram posts only | Full Tor-based DLS with countdown timers, victim pages, free data samples
Affiliate model | No affiliate program | Negotiator recruitment (20% share) 2025; public RaaS affiliate program announced April 2026
OPSEC | Low (Telegram, identifiable operators) | Low-to-moderate (Gmail comms, identifiable hostname, exposed directory listings in early phase)

The transition from Rbfs to NightSpire represents a capability escalation rather than a simple rebrand: new encryptor (likely sourced from a developer not previously associated with xdragon128), full DLS infrastructure, and a structured double-extortion playbook. The core operators provide organizational continuity; the toolset and tradecraft represent an upward capability step.

Vendor Designation Disambiguation

No major intelligence vendor had published a formal, branded tracking designation specifically for NightSpire as of May 2026. The confirmed tracking designations and signatures are limited to:

  • SonicWall Capture Labs: GAV: NightSpire.RSM (Trojan)
  • AhnLab ASEC (V3): Ransomware/Win.Nightspire.C5769860 (2025.06.12.02) and Ransomware/Win.Nightspire.C5775165 (2025.07.01.03)
  • AttackIQ: Attack graph content modeled under "NightSpire ransomware" (April 2026)
  • Cyble: Publishes threat actor profile as NightSpire Ransomware Group
  • Broadcom Security Center: Protection bulletin issued for NightSpire Ransomware

The absence of a CrowdStrike adversary name (typically in the [ANIMAL] SPIDER format), a Secureworks GOLD designation, a Unit 42 tracking label, a Mandiant UNC number, or a Microsoft Storm designation is itself an intelligence gap, reflecting either the group's relative recency or its current tier positioning below the threshold for formal major-vendor classification.

03  Operational Model

RaaS Structure and Evolution
Period | Model | Evidence | Confidence
Feb to mid-2025 | Closed crew, end-to-end operator control | Halcyon (July 2025): "no public RaaS, no affiliate program, it's a closed shop" | CONFIRMED for this period
Mid to late 2025 | Hybrid: limited external recruitment | BreachForums post by xdragon128 recruiting a negotiation specialist at 20% profit share; HivePro (Sept 2025): "RaaS model" | CREDIBLE
April 2026 onward | Formal affiliate RaaS offering | DLS screenshots showing public affiliate invitation; AttackIQ (April 2026) states "launched a RaaS program" | CONFIRMED

The progression is consistent with the growth pattern of other mid-tier operations: initial closed-crew testing, then limited function outsourcing (negotiators), then a formal affiliate layer. If the RaaS model matures, TTP variance across incidents will likely increase significantly, complicating attribution and remediation scoping.

Affiliate Revenue Structure
  • Negotiators: 20% of proceeds, documented from a BreachForums recruitment post (S-RM, March 2025).
  • Intrusion affiliates (if any): No confirmed split model published in open sources. No "must not be from CIS countries" exclusion rule documented, unlike several established Russian-language crews. This is an intelligence gap.
  • Vetting criteria: No detail on technical requirements or vetting process for affiliates is available in open-source reporting as of May 2026.
Negotiation Behavior

NightSpire's negotiation posture is characterized by aggressive pressure, short deadlines, and willingness to escalate rapidly. Key documented behaviors:

  • Deadline compression: Payment deadlines as short as 48 hours from ransom note delivery, substantially shorter than the week-plus standard used by more professionalized operations (S-RM).
  • Multi-channel pressure: Operators use negotiation portals, email (early period: Gmail; later: ProtonMail and OnionMail), Telegram, and in some cases direct employee contact to sustain pressure from multiple angles simultaneously.
  • Escalation triggers: When negotiations stall, NightSpire has published portions of stolen data, shared excerpts of prior communications, and threatened secondary data sale to other threat actors.
  • Secondary market threat: NightSpire explicitly threatens to sell stolen data to third parties if the primary victim refuses payment, documented on DLS listings (S-RM).
  • Unprofessional tone: S-RM and ASEC both note highly threatening and psychologically aggressive language as a consistent stylistic marker. Negotiation chat logs archived by ransomware.live show willingness to escalate immediately and leak selected data when victims resist.
No systematic negotiation discount data is available in open sources. Unlike more established operations where payment settlement statistics have been published (e.g., by insurance brokers or external threat intelligence firms), no systematic analysis of NightSpire starting demand vs. final settlement has been documented. This is a significant gap for ransom response guidance.
Double Extortion Mechanics

NightSpire's extortion model follows a staged structure designed to maintain maximum leverage throughout the negotiation cycle:

1. Exfiltration. Data is collected and staged before encryption deployment. Tools: 7-Zip for archiving, MEGASync/MEGACmd or WinSCP/Rclone for transfer to attacker-controlled infrastructure. Ransom notes in 2026 have claimed exfiltration volumes of 2.5 TB or more (unverified by Huntress in the March 2026 incident).
2. Encryption. The Go-based encryptor is deployed. Files receive the .nspire extension. OneDrive-synced files are encrypted without icon or extension change, delaying detection. Countdown timers start on the DLS.
3. Naming. Victim name and metadata are posted to the DLS (sometimes with a redacted name and a countdown before full publication). View counts and data volume are visible to external observers, increasing reputational risk perception.
4. Sample release / secondary sale. If payment is refused after the deadline, NightSpire releases data samples or full dumps to other threat actors. The group has explicitly advertised stolen data as available for purchase by third parties, adding a secondary monetization dimension.
Communication Channel Evolution
Period | Channels | OPSEC Assessment
Early 2025 | Gmail (documented), early Tor portals | Very poor; Gmail use risks account suspension mid-negotiation and attribution via account metadata
Mid to late 2025 | ProtonMail, OnionMail, Telegram handles, dedicated Tor portals | Moderate; standard operational security for ransomware groups
2026 | Tor negotiation portals (victim-specific IDs), ProtonMail | Moderate; consistent with mature double-extortion operations

04  Technical Capabilities

Initial Access Vectors
Vector | CVE / Method | Notes | Confidence
FortiOS / FortiProxy exploitation | CVE-2024-55591 | Authentication bypass allowing an unauthenticated attacker to gain super-admin privileges via crafted requests to the Node.js WebSocket module. Affects FortiOS 7.0.0-7.0.16 and FortiProxy 7.0.0-7.0.19 / 7.2.0-7.2.12. Fortinet disclosed January 14, 2025; exploitation observed from November 2024. Verified against NVD entry. | CONFIRMED
RDP brute-force / credential stuffing | N/A | Credential-based attacks against exposed RDP services. Huntress incident (March 2026): threat actor accessed an endpoint via RDP prior to additional tooling deployment. | CONFIRMED
Phishing | N/A | Documented by Barracuda and AttackIQ; also includes MFA fatigue attacks and RMM platform abuse. | CREDIBLE
VPN perimeter exploitation (general) | Multiple | Not limited to Fortinet; vulnerable VPN and perimeter services more broadly observed as access vectors. | CREDIBLE
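The affected-version ranges in the table are easy to get wrong in a fleet audit because firmware strings such as 7.0.9 sort after 7.0.16 when compared as text. The check below is an added example, not code from Fortinet or any of the cited vendors; it encodes only the ranges stated above, assumes a hypothetical hostname,product,version CSV inventory layout, and uses constructed rows.

```python
"""Affected-version check for CVE-2024-55591 across a Fortinet inventory.

Added example; ranges are those the profile cites (FortiOS 7.0.0-7.0.16,
FortiProxy 7.0.0-7.0.19 and 7.2.0-7.2.12). The hostname,product,version CSV
layout is an assumption and the inventory rows are constructed.
"""
import csv
import io
import re

AFFECTED_RANGES = {
    "fortios": [((7, 0, 0), (7, 0, 16))],
    "fortiproxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'v7.0.12' -> (7, 0, 12). Tuples compare numerically, so 7.0.9 < 7.0.16;
    comparing the raw strings would put '7.0.9' after '7.0.16'."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True when product/version falls inside a range listed for this CVE."""
    ranges = AFFECTED_RANGES.get(product.strip().lower())
    if ranges is None:
        return False
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def audit(inventory_csv):
    """Hostnames in the CSV whose product/version is affected, sorted."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(r["hostname"] for r in rows if is_affected(r["product"], r["version"]))


# Constructed inventory; fw-edge-04 is the string-comparison trap.
SAMPLE_INVENTORY = """hostname,product,version
fw-edge-01,FortiOS,7.0.12
fw-edge-02,FortiOS,7.0.17
fw-edge-03,FortiOS,7.4.3
fw-edge-04,FortiOS,7.0.9
fw-legacy,FortiOS,6.4.15
proxy-01,FortiProxy,7.2.12
proxy-02,FortiProxy,7.2.13
"""

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print("affected:", host)
```

Trains outside 7.0.x (FortiOS) and 7.0.x/7.2.x (FortiProxy) return not-affected because they fall outside the listed ranges; the check says nothing about other Fortinet advisories or about whether the administrative interface is reachable from the attacker's vantage point, which is what actually decides exposure.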
Post-Exploitation Toolchain
Category | Tools | Purpose
LOLBins / native | PowerShell, WMI, PsExec, Conhost | Command execution, lateral movement, defense evasion
Discovery | Advanced IP Scanner, Everything.exe | Network mapping, file search and targeting of financial records, customer data, internal communications
Credential harvesting | Mimikatz | LSASS memory extraction: passwords, NTLM hashes, Kerberos tickets; domain admin escalation
Remote access / persistence | AnyDesk, Chrome Remote Desktop | Persistent hands-on-keyboard access; Chrome Remote Desktop account email prince1990905@gmail.com documented in March 2026 Huntress incident
Data staging | 7-Zip | Encrypted archive creation for exfiltration staging
Exfiltration | MEGASync / MEGACmd, WinSCP, Rclone | Transfer to attacker-controlled cloud or server infrastructure
Other imported tools | VMware Workstation, WPS Office | Operational convenience; WPS Office (Kingsoft, Chinese company) noted as potentially culturally significant given Chinese-speaking operator indicators
TTP variance observed: Huntress analyzed two incidents (December 2025 and March 2026) and found notable differences. The March 2026 case involved no LOLBins at all; the threat actor brought in every tool from outside (Chrome Remote Desktop, AnyDesk, 7-Zip, Everything, MEGASync, VMware Workstation, WPS Office). This divergence is consistent with either encryptor/playbook evolution or different affiliates operating under the NightSpire umbrella, and it means detections keyed to a single incident's toolset will miss the other.
Encryption Implementation
Parameter | Detail | Source
Encryptor language | Go (Golang), compiled PE binary | SonicWall, AhnLab ASEC
Symmetric cipher | AES-256-CBC (per-file key) | AttackIQ, ASEC (encrypted file structure confirmed: AES key appended at end of file, RSA-encrypted)
Key protection | RSA-2048 public key wraps per-file AES key | AttackIQ, ASEC (Figure 3: encrypted file structure)
Extension | .nspire | CONFIRMED (multiple sources)
Ransom note filename | readme.txt (2025); _nightspire_readme.txt (Dec 2025); [nspire_msg].txt (Mar 2026) | Huntress: filenames evolved between incidents
Block encryption targets | iso, vhdx, vmdk, zip, vib, bak, mdf, flt, ldf: 1 MB block encryption for speed | ASEC (confirmed from reverse engineering); partial overlap with AttackIQ list
Full encryption | All other file extensions | ASEC
VSS deletion | None documented | ASEC: Volume Shadow Copy deletion not observed
OneDrive behavior | OneDrive-synced files encrypted without changing icons or file extensions; corruption not visually apparent until file open attempt | SonicWall (documented as an advanced operational capability for detection delay)
Desktop background | No change documented | ASEC
Decryptor availability | None. Not listed on No More Ransom. No cryptographic weakness publicly disclosed. | Multiple sources; verified via nomoreransom.org

Responder note: the absence of documented VSS deletion and the block mode on VM disk and backup formats are both worth checking early in an incident, since surviving shadow copies or partially encrypted containers may allow recovery without the attacker's key. Neither behavior should be assumed to hold for builds after the March 2026 sample, given that the binary has already changed between incidents.
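The file layout the table describes (a per-file AES key, RSA-2048-wrapped and appended to the file, plus 1 MB block mode for container formats) is what a responder needs to verify before deciding whether anything is recoverable. The triage helper below is an added example, not NightSpire's code or any vendor's tool. It assumes a 256-byte trailer (the size of one RSA-2048 ciphertext), measures per-block Shannon entropy rather than assuming which blocks the block mode touches (open sources do not say), and builds its sample file in memory.

```python
"""Triage of a file suspected to be NightSpire-encrypted.

Added example modelling the layout the profile reports (ASEC/AttackIQ): a
per-file AES key, RSA-2048-wrapped and appended to the file, plus 1 MB block
mode for large container types. The 256-byte trailer size follows from the
RSA-2048 modulus; which blocks the block mode encrypts is not described in
open sources, so the tool measures rather than assumes. Sample data is
constructed in memory.
"""
import math
import random
from collections import Counter

BLOCK_MODE_EXTENSIONS = {"iso", "vhdx", "vmdk", "zip", "vib", "bak", "mdf", "flt", "ldf"}
RSA2048_WRAP_LEN = 256        # one RSA-2048 ciphertext block
BLOCK_SIZE = 1 << 20          # 1 MiB, matching the reported block granularity
ENCRYPTED_ENTROPY = 7.9       # bits/byte over a 1 MiB block; ciphertext is ~8.0
TRAILER_ENTROPY = 6.5         # 256 samples cannot reach 8.0 even when uniform


def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inner_extension(name):
    """'backup.vhdx.nspire' -> 'vhdx'; None when the .nspire suffix is absent."""
    parts = name.lower().split(".")
    if len(parts) < 3 or parts[-1] != "nspire":
        return None
    return parts[-2]


def triage(name, data, block_size=BLOCK_SIZE, assume_encrypted=False):
    """Report which regions look encrypted and whether a wrapped-key trailer is present.

    assume_encrypted=True covers the reported OneDrive case, where the synced
    file keeps its original name and extension."""
    ext = inner_extension(name)
    if ext is None:
        if not assume_encrypted:
            return {"nspire": False}
        ext = name.lower().rsplit(".", 1)[-1]
    if len(data) <= RSA2048_WRAP_LEN:
        return {"nspire": False, "reason": "too short to carry a wrapped key"}
    body, trailer = data[:-RSA2048_WRAP_LEN], data[-RSA2048_WRAP_LEN:]
    flags = [shannon_entropy(body[i:i + block_size]) >= ENCRYPTED_ENTROPY
             for i in range(0, len(body), block_size)]
    return {
        "nspire": True,
        "inner_extension": ext,
        "expected_mode": "block" if ext in BLOCK_MODE_EXTENSIONS else "full",
        "trailer_looks_wrapped_key": shannon_entropy(trailer) >= TRAILER_ENTROPY,
        "encrypted_blocks": [i for i, f in enumerate(flags) if f],
        "plaintext_blocks": [i for i, f in enumerate(flags) if not f],
    }


def build_sample(block_size=BLOCK_SIZE):
    """Constructed 3-block VHDX in block mode: random first block, structured rest, 256-byte trailer."""
    rng = random.Random(2026)
    pattern = b"VHDX payload sector 0001 "
    plain = (pattern * (2 * block_size // len(pattern) + 1))[:2 * block_size]
    data = rng.randbytes(block_size) + plain + rng.randbytes(RSA2048_WRAP_LEN)
    return "backup.vhdx.nspire", data


if __name__ == "__main__":
    print(triage(*build_sample()))
```

A file with a high-entropy trailer, one encrypted block and a plaintext tail is a candidate for partial recovery (for example a VHDX whose later extents are intact), whereas full mode leaves nothing to recover without the private key. Entropy is a heuristic: compressed or already-encrypted content (a ZIP inside a ZIP) will read as encrypted, so the result is a lead for carving, not proof.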
CIS / Regional Exclusion Checks
Analyst Inference — absence of documented evidence

Open sources do not document any hard-coded checks for Russian, Ukrainian, or other CIS keyboard layouts or system locales in the NightSpire binary. No analyst has confirmed that the encryptor aborts on CIS-region systems, unlike some established Russian-aligned crews. The absence of a CIS exclusion, combined with the India/China attribution indicators, is weakly consistent with a non-Russian operator profile. However, this should be treated as an outstanding collection requirement rather than a confident conclusion.

Confirmed Sample Hashes (via Huntress, 2025 to 2026)
SHA-256 | Filename | Incident Date
bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 | enc.exe | December 2, 2025
ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 | enc.exe | March 25, 2026

The two hashes differ, confirming that the encryptor binary was modified between December 2025 and March 2026. This is consistent with either active development or affiliate-specific builds.
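Detection content for the indicators this profile records (the two enc.exe hashes above, the three ransom-note filenames, the .nspire extension, the 14.139.185.60 exfiltration address, the XDRAGON-SERVER1 hostname, and the exfiltration and remote-access tooling), as an added example rather than any vendor's rule set. The JSON event schema and the process image names are assumptions and the event lines are constructed. The one rule that does not depend on an attacker-chosen string is the .nspire write-burst correlation, which is the rule worth keeping when the binary changes again.

```python
"""NightSpire indicator matching over constructed endpoint events.

Added example: the event schema (ts/host/event/image/sha256/file/dest_ip/
remote_host) and the process image names are assumptions; every event below
is constructed. Only the hashes, note names, extension, IP and hostname come
from the profile.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENC_EXE_SHA256 = {
    "bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355",
    "ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7",
}
RANSOM_NOTES = {"readme.txt", "_nightspire_readme.txt", "[nspire_msg].txt"}
EXFIL_IPS = {"14.139.185.60"}
ACTOR_HOSTNAMES = {"xdragon-server1"}
# Image names are assumed; rename-resistant detection needs signer/hash checks.
EXFIL_TOOLS = {"megasync.exe", "megacmd.exe", "winscp.exe", "rclone.exe"}
REMOTE_TOOLS = {"anydesk.exe", "remoting_host.exe"}  # remoting_host.exe: Chrome Remote Desktop (assumed)

BURST_COUNT = 20                      # .nspire writes per host ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this sliding window


def _basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def match_event(e):
    """Single-event rules; first match wins. Returns (severity, reason) or None."""
    image = _basename(e.get("image", ""))
    target = _basename(e.get("file", ""))
    if e.get("sha256", "").lower() in ENC_EXE_SHA256:
        return ("high", f"known NightSpire enc.exe hash executed as {image}")
    if e.get("event") == "file_write" and target in RANSOM_NOTES:
        return ("high", f"NightSpire ransom note written: {target}")
    if e.get("dest_ip") in EXFIL_IPS:
        return ("high", f"{image} connected to documented exfil server {e['dest_ip']}")
    if e.get("remote_host", "").lower() in ACTOR_HOSTNAMES:
        return ("high", f"session from actor hostname {e['remote_host']}")
    if image in EXFIL_TOOLS:
        return ("medium", f"exfiltration-capable tool started: {image}")
    if image in REMOTE_TOOLS:
        return ("medium", f"unsanctioned remote-access tool started: {image}")
    return None


def encryption_bursts(events):
    """Correlation rule: >= BURST_COUNT .nspire writes on one host inside BURST_WINDOW."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("event") == "file_write" and e.get("file", "").lower().endswith(".nspire"):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 >= BURST_COUNT:
                hits.append(("high", f"{host}: {end - start + 1} .nspire writes within "
                                     f"{int(BURST_WINDOW.total_seconds())}s"))
                break
    return hits


def run(lines):
    """Evaluate JSON-lines telemetry; returns a list of (severity, reason)."""
    events = [json.loads(line) for line in lines if line.strip()]
    hits = [h for h in map(match_event, events) if h]
    return hits + encryption_bursts(events)


def sample_lines():
    """Constructed telemetry for one host, loosely following the March 2026 sequence."""
    t0 = datetime(2026, 3, 25, 3, 0, 0)
    ev = [
        {"ts": "2026-03-25T02:10:00", "host": "FS01", "event": "process_start",
         "image": "C:\\Users\\svc\\AnyDesk.exe", "sha256": "0" * 64},
        {"ts": "2026-03-25T02:20:00", "host": "FS01", "event": "network",
         "image": "C:\\Tools\\WinSCP.exe", "dest_ip": "14.139.185.60"},
        {"ts": t0.isoformat(), "host": "FS01", "event": "process_start",
         "image": "C:\\Temp\\enc.exe",
         "sha256": "ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7"},
        {"ts": (t0 + timedelta(seconds=5)).isoformat(), "host": "FS01", "event": "file_write",
         "image": "C:\\Temp\\enc.exe", "file": "D:\\Shares\\[nspire_msg].txt"},
        {"ts": "2026-03-25T03:00:40", "host": "WS07", "event": "file_write",
         "image": "C:\\Windows\\explorer.exe", "file": "C:\\Users\\a\\notes.txt"},
    ]
    for i in range(25):  # encryption burst: 25 files in 25 seconds
        ev.append({"ts": (t0 + timedelta(seconds=6 + i)).isoformat(), "host": "FS01",
                   "event": "file_write", "image": "C:\\Temp\\enc.exe",
                   "file": f"D:\\Shares\\doc{i}.docx.nspire"})
    return [json.dumps(e) for e in ev]


if __name__ == "__main__":
    for severity, reason in run(sample_lines()):
        print(f"[{severity}] {reason}")
```

The hash, note-name and IP rules are exact matches and will go stale as soon as the operators rebuild enc.exe or move the exfiltration server; the burst rule keys on the only artefact every victim so far has shared, the .nspire rename storm, which is why it deserves its own alert even though it fires later than the others. The OneDrive case reported by SonicWall, where synced files keep their name, is not caught by any of these rules and needs content-based (entropy or magic-byte) telemetry instead.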

Platform Coverage

Public coverage centers entirely on Windows environments. SonicWall's analysis documents impact across local paths and OneDrive-synchronized content. No confirmed Linux or ESXi/hypervisor-specific variant has been documented in open sources as of May 2026. The absence of a dedicated Linux/ESXi build would represent a capability ceiling relative to top-tier groups (LockBit, BlackCat, Akira) that routinely target VMware ESXi hosts. This should be treated as a collection requirement.

05  Financial Infrastructure

Payment Mechanism

Ransom notes and DLS commentary strongly imply standard cryptocurrency payments. The specific cryptocurrency (Bitcoin, Monero, or other) is not explicitly quoted in the open-source reporting reviewed. No wallet addresses have been publicly linked to NightSpire incidents in available reporting. This absence of explicit payment detail is itself analytically notable for a group with 259 claimed victims.

On-Chain Forensics
Intelligence Gap

No published blockchain analysis from Chainalysis, TRM Labs, Elliptic, or any other on-chain forensics firm has been cited in connection with NightSpire as of May 2026. This is a major intelligence gap. Consequently, there is no current mapping of wallet clusters, layering patterns, mixer or tumbler use, cross-chain bridge activity, or cash-out exchange identification in publicly available sources.

Analytical implication: Without on-chain forensic coverage, it is not possible to assess NightSpire's laundering sophistication, estimate total revenue, determine whether payment volumes reflect operator success rates, or identify financial infrastructure that could serve as a disruption vector. This should be flagged as a priority collection requirement for any formal product involving financial pressure options.
Regulatory and Sanctions Status

No OFAC-listed wallet addresses or specific sanctions designations (U.S., EU, or UK) have been publicly associated with NightSpire as of May 2026. No formal government financial attribution has been published. The group does not appear on any publicly available OFAC SDN list entry.

06  Victim Profile and Targeting

Volume and Growth Trajectory
Date | Claimed victims | Source
March 2025 | 11 | Initial emergence (S-RM)
May 2025 | 45+ | SonicWall reporting
Late 2025 | 200+ | Spanish media reporting
May 1, 2026 | 259 | Ransomware.live (via Barracuda)

The growth rate from 11 to 259 victims in approximately 14 months represents one of the faster documented expansion trajectories for an emerging ransomware group. The formal RaaS announcement in April 2026 is expected to accelerate this rate further, introducing greater TTP variance in the process.

Sector Distribution
Sector | Notes
Manufacturing | Disproportionately represented, approximately 36% of early 2025 cases (S-RM); chemical and industrial manufacturing documented in Japan and Poland
Technology and IT | Software providers and IT services targeted across multiple geographies
Healthcare | Documented; no explicit healthcare ban observed, unlike some other groups
Financial services | Documented across Taiwan, UK, and other markets
Retail and wholesale | Spanish hardware distributor Bresme (a named publicly reported victim); US retail also documented
Logistics and maritime | Maritime industry in Thailand documented (ASEC)
Professional services | Accounting services (UK), business services (Hong Kong)
Construction | Construction industry in Hong Kong documented
Government / public sector | Some public-sector entities documented (AttackIQ); Municipality of Ardon (France) claimed

The group is broadly opportunistic. Sector representation reflects access opportunity (primarily exposed perimeter devices running vulnerable Fortinet software) rather than deliberate sector targeting. No documented sector exclusions.

Geographic Distribution

Victims span more than 30 countries. Confirmed geographies with documented cases include: United States, Spain, Japan, Thailand, United Kingdom, China, Poland, Hong Kong, Taiwan, South Korea (ASEC reporting), and France (Municipality of Ardon). The breadth reflects opportunistic global targeting rather than regional focus. No CIS-country exclusion has been documented.

Organization Size Profile

S-RM's early 2025 sample found that 73% of victims had fewer than 1,000 employees, confirming a primary focus on small and mid-sized organizations with less mature security controls and reduced incident response capacity. AttackIQ corroborates this as a defining characteristic. NightSpire has not yet achieved a marquee enterprise victim list comparable to LockBit or BlackCat; named victims (Bresme, Ardon) are mid-market rather than Fortune-level targets.

Targeting Criteria and Exclusions

No explicit sector bans, country exclusions, or size thresholds are documented in NightSpire's public communications or observed behavior. The group does not appear to maintain the kind of published targeting policy used by some more "professionalized" Russian-aligned operations (e.g., "no hospitals, no critical national infrastructure"). Healthcare entities have been targeted. The absence of a CIS exclusion is noted but its meaning is ambiguous given the uncertain geography of the operators themselves.

07  Law Enforcement and Regulatory Response

Status Summary
Confirmed — absence verified across multiple sources

As of May 1, 2026, there are no public indictments, criminal charges, arrests, or named suspects tied specifically to NightSpire in U.S. or European court records, law enforcement advisories, or Europol/FBI press releases. No CISA/FBI joint advisory focused specifically on NightSpire has been published. No successful infrastructure seizure or DLS takedown has been reported. This distinguishes NightSpire clearly from more established groups such as LockBit, BlackCat/ALPHV, and Hive, which have all been subjects of major multinational LE operations.

Vendor and Government Advisories
  • AhnLab ASEC (August 2025): Published an advisory warning South Korean organizations about NightSpire ransomware following domestic damage cases. Vendor-driven, not a government bulletin.
  • Broadcom Security Center: Protection bulletin published for NightSpire, covering detection signatures.
  • SonicWall Capture Labs: Published technical analysis with signature coverage (GAV: NightSpire.RSM).
  • AttackIQ (April 2026): Published attack graph emulation for NightSpire to support security control validation.
  • Barracuda Networks (May 2026): Comprehensive threat profile including infrastructure analysis and operator attribution indicators.

No CISA alert, FBI Flash, or Europol advisory specifically addressing NightSpire has been published as of May 2026. This absence reflects the group's current mid-tier status relative to the threshold for government-level advisory publication.

Sanctions

No OFAC designations, EU sanctions, or UK sanctions specifically naming NightSpire, its infrastructure, or its identified operators (xdragon128, cuteliyuan) have been reported. The operator handles and the single documented infrastructure IP (14.139.185.60) have not appeared in any publicly known sanctions action.

Infrastructure Vulnerability to Disruption

S-RM (March 2025) noted that NightSpire's leak-site tech stack leaves recognizable fingerprints that could support targeted law enforcement takedown action. The group's early OPSEC failures (Gmail use, exposed directory listings, identifiable server hostname) provide more forensic footholds than a mature operation would leave. However, no evidence of any LE disruption attempt has been publicly disclosed as of May 2026.

08  Attribution and State Nexus

Overall Assessment
Credible — medium confidence, competing geographic indicators

NightSpire is assessed as a financially motivated cybercriminal enterprise. All reviewed sources treat the group as criminal rather than state-directed. The geographic attribution picture is contested, with evidence pointing toward South or East Asia rather than the Russia/Eastern Europe origin suggested in earlier Spanish-language reporting. No formal government attribution has been published by any national intelligence or law enforcement agency as of May 2026.

Geographic Indicators: Competing Assessments
Indicator | Points Toward | Source | Confidence
WinSCP exfiltration server IP 14.139.185.60 | India (Kerala Agricultural University, National Knowledge Network block) | Barracuda (May 2026), S-RM (March 2025) | CONFIRMED as IP assignment; likely compromised host, not necessarily operator location
Operator handle "cuteliyuan" containing "liyuan" | Chinese-speaking individual ("liyuan" is a common Chinese given name) | Barracuda (May 2026) | CREDIBLE
Trailing tilde (~) in DLS greeting "Greetings to world~" | East Asian internet culture, particularly Chinese | Barracuda, citing academic research on East Asian CMC markers | CREDIBLE (documented cultural marker, not definitive)
WPS Office installation by threat actor | Chinese-affiliated (Kingsoft, Chinese company) | Huntress (April 2026) | ANALYST INFERENCE
xdragon128 CyberVolk association | Pro-Russian hacktivist-adjacent community | Barracuda, Cyfirma | CREDIBLE for prior association, weak inference for current alignment
Spanish intelligence/media characterization | Russia or Eastern Europe | Escudodigital (May 2026) | CREDIBLE as secondary inference, predates Barracuda infrastructure analysis
No CIS exclusion in encryptor | Non-Russian operator (weakly) | Analyst observation from available reverse engineering reports | ANALYST INFERENCE
Attribution conflict: The Barracuda infrastructure analysis (May 2026) pointing to India and China is more recent and more specific than the Spanish-language characterization of Russia/Eastern Europe. The India IP likely represents a compromised host on a high-bandwidth academic network rather than an operator's physical location. The Chinese-speaking indicators (handle, tilde, WPS Office) are the strongest elements for cultural/geographic placement of at least one operator. The best current assessment is: India-linked infrastructure (likely compromised host), probable Chinese-speaking lead operator (cuteliyuan), unclear co-operator geography (xdragon128). Not enough to confirm or exclude a Russia nexus entirely, but the Russian-origin framing should be treated as weakly supported pending further evidence.
Named Operators
Handle | Role | Prior Activity | Notes
xdragon128 (alias xdragon333) | Primary public-facing operator; Rbfs and NightSpire promotion, DLS management | 2024: Parano toolset development with Paranodeus in DarkAssault/DeepWing Telegram; CyberVolk-adjacent channels | Naming convention (dragon + number) consistent with gamer culture. Hostname XDRAGON-SERVER1 provides a direct infrastructure link.
cuteliyuan | Secondary operator; promoted Rbfs victim data on Telegram before NightSpire emergence | Rbfs Telegram activity (early 2025) | Handle contains "liyuan," a common Chinese given name. Assessed as a probable Chinese-speaking individual.

No real-name identities for either operator have been publicly confirmed. No passport, national ID, or physical address data is available in open sources.

State Nexus Assessment
  • No direct state linkage documented. No reliable reporting describes direct ties to any state intelligence or security service (Indian, Chinese, Russian, or other).
  • No state cut-out behavior observed. NightSpire has not been used in targeted operations against specific government entities or strategic adversaries in a pattern consistent with state-directed use.
  • CyberVolk association is weak evidence at best. xdragon128's prior presence in CyberVolk-adjacent channels does not establish a current operational relationship with any state actor. CyberVolk itself is assessed as a financially motivated hacktivist group with pro-Russian sympathies, not a formal state instrument.
  • Safe harbor inference: If the operators are China-based, the informal "safe harbor" dynamic that characterizes Russian-based ransomware (operational tolerance in exchange for avoiding domestic targets) would not apply in the same form. Chinese authorities have shown greater willingness than Russian authorities to prosecute domestic cybercriminals in some contexts, though toleration of criminal operations targeting foreign entities has also been documented.

Bottom line: NightSpire is best assessed as a financially motivated criminal operation with no confirmed state nexus (medium confidence). The geographic attribution is ambiguous. The group's small scale, poor OPSEC, and criminal ecosystem connections do not fit a state-controlled operational profile.

09  Trajectory Assessment

Connected Group Cluster
Group / Actor | Connection Type | Confidence (Anchor) | Confidence (Extension) | Vendor Coverage
Rbfs | Direct predecessor; shared operators, victims, and infrastructure | CREDIBLE (multi-source: S-RM, Barracuda, screenshot evidence) | N/A (direct connection, not extended inference) | S-RM, Barracuda, Escudodigital; NOT formally assessed by CrowdStrike, Secureworks, Unit 42, Mandiant, or Recorded Future as of May 2026
Paranodeus | xdragon128 collaboration on Parano toolset (2024) | CREDIBLE (Cyfirma/S-RM) | ANALYST INFERENCE (no shared code or infrastructure with NightSpire; Parano toolset not used in NightSpire operations) | Cyfirma; not formally assessed by major TI vendors
CyberVolk | xdragon128 present in associated Telegram channels (2024) | CREDIBLE (channel co-presence) | ANALYST INFERENCE (no operational overlap with NightSpire activity documented) | SentinelOne (CyberVolk profiling); not linked to NightSpire by any major vendor

No strong open-source evidence places specific affiliates known from other major RaaS ecosystems (LockBit, BlackCat, Cl0p) within NightSpire's operational network. Shared tool usage (Fortinet exploitation, LOLBins, MEGASync) overlaps superficially with many groups but does not indicate developer or personnel sharing beyond xdragon128/cuteliyuan continuity.

Maturation Indicators
Dimension | Early 2025 | Mid-2026 | Direction
Encryptor capability | No encryption (Rbfs); early Go build | Mature AES-256/RSA-2048 Go build with OneDrive-aware evasion | Positive (improving)
Victim volume | 11 (March 2025) | 259 (May 2026) | Positive (rapid growth)
Affiliate structure | Closed crew | Formal RaaS program announced | Positive (scaling)
Communication OPSEC | Gmail, exposed directories, identifiable hostname | ProtonMail, Tor portals | Positive (improving)
Extortion sophistication | Single-channel, basic deadlines | Multi-channel, staged leaks, secondary data sale | Positive (improving)
LE attention | None | None | Flat (no disruption pressure)
OPSEC overall | Very poor (Gmail, XDRAGON-SERVER1) | Low-to-moderate (infrastructure fingerprints remain) | Marginal improvement
Disruption and Exit Signals
  • No shutdown signals: The April 2026 RaaS announcement points explicitly toward expansion, not exit.
  • No internal leak/dispute signals: No equivalent of the Conti internal chats leak or Black Basta dispute logs has appeared for NightSpire.
  • No post-seizure rebranding pattern: The Rbfs-to-NightSpire transition appears to have been a voluntary capability upgrade rather than a post-seizure pivot. No law enforcement disruption preceded it.
  • Infrastructure exposure risk: S-RM's observation that DLS tech-stack fingerprints remain identifiable means there is a latent takedown vector, but no evidence it is being actively pursued.
Trajectory Outlook
Analyst Inference

NightSpire is on a clear upward trajectory in terms of victim volume, capability, and organizational structure. The most likely near-term development is affiliate-driven diversification of TTPs, making incident clustering more difficult and attribution less reliable. The group's OPSEC remains below the level that would make a law enforcement disruption technically difficult. If the RaaS affiliate pool expands rapidly, both the victim count and the TTP variance will accelerate. The most analytically significant open question is whether the group's geographic and personnel indicators will prompt action from non-Western law enforcement (India, China), which historically have taken action against cybercriminals when international pressure or reputational cost is sufficient.

Key collection requirements: (1) On-chain financial forensics to characterize payment volumes, laundering methods, and financial leverage points. (2) Formal major-vendor cluster assessment linking NightSpire to any established adversary taxonomy. (3) Confirmation of CIS exclusion behavior or its absence in binary analysis. (4) Identification of any affiliate activity post-April 2026 RaaS announcement to assess affiliate pool characteristics. (5) Linux/ESXi variant development confirmation or denial.