Pulse Detail — Threat Intelligence

PULSE NAME

Shadow syndicate infrastructure illumination

WHITE ShadowSyndicate PetrP.73 2025-08-02 Modified: 2025-09-01

154

IOCs

HIGH VOLUME

ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1068 T1105 T1133 T1190 T1213 T1486 T1505.003 T1573 T1583.003 T1588.002

Indicators of Compromise (11 / 154 total)

All CIDR CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://179.60.147.0/24.	—	2025-08-02
URL	http://185.55.240.0/22.	—	2025-08-02
URL	http://5.188.86.0	—	2025-08-02
URL	http://5.188.87.255	—	2025-08-02
URL	http://ec.com/bl	—	2025-08-02
URL	http://itter.com/I	—	2025-08-02
URL	http://www.global-layer.com	—	2025-08-02
URL	https://bunea.eu/	—	2025-08-02
URL	https://escapeesrvclub.com/macshare.php	—	2025-08-02
URL	https://escapeesrvclub.com/macshare.php.	—	2025-08-02
URL	https://www.bridewell.com/insights/blogs/detail/shadowsyndicate?source=post_page----	—	2025-08-02

References (1)

↗ https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf