The SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d, which is connected to various potentially malicious servers, was detected by multiple researchers. It was deployed on 85 IP servers and most of them (at least 52) were tagged as Cobalt Strike C2.
We have dubbed the threat actor that uses the SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d ShadowSyndicate (previous name Infra Storm). This SSH fingerprint was first seen on July 16, 2022 and it is still in use at the time of writing (August 2023).
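The 32-hex-character value above is the MD5 digest of a server's SSH host key blob, the form that scanning services report. The following is an added example, not code from the report, showing how a defender can recompute that fingerprint from ssh-keyscan style output and flag hosts whose key matches a watchlist or is shared across several hosts. The hosts and key blobs are constructed, not real.

```python
import base64
import hashlib

# Constructed ssh-keyscan style output (not real hosts or real keys).
# Each line: "<host> <key-type> <base64 host-key blob>".
SAMPLE_SCAN = """\
203.0.113.5 ssh-ed25519 YWJj
203.0.113.6 ssh-rsa YWJjZA==
203.0.113.7 ssh-ed25519 YWJj
"""


def md5_fingerprint(key_blob: bytes) -> str:
    """MD5 of the raw host-key blob as 32 hex characters (scanner style)."""
    return hashlib.md5(key_blob).hexdigest()


def colon_format(hex_digest: str) -> str:
    """Render a hex digest in OpenSSH's legacy aa:bb:cc style."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))


def parse_scan(text: str):
    """Yield (host, key_type, raw_key_blob) from ssh-keyscan style lines."""
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip blank lines, comments and malformed entries
        yield parts[0], parts[1], base64.b64decode(parts[2])


def match_watchlist(text: str, watchlist):
    """Map watched fingerprints to the hosts presenting that key.

    Watchlist entries may be bare hex or colon separated; both are normalised.
    """
    wanted = {fp.replace(":", "").lower() for fp in watchlist}
    hits = {}
    for host, _key_type, blob in parse_scan(text):
        fp = md5_fingerprint(blob)
        if fp in wanted:
            hits.setdefault(fp, []).append(host)
    return hits


def shared_keys(text: str):
    """Fingerprints seen on more than one host: a host key reused across servers."""
    seen = {}
    for host, _key_type, blob in parse_scan(text):
        seen.setdefault(md5_fingerprint(blob), []).append(host)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}
```

A host key legitimately belongs to one server, so the same fingerprint across many unrelated IPs is itself the signal worth alerting on, independent of any watchlist.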
Together, we looked into any associated information we could find, with the aim of determining which cyber criminal groups used these servers.
At the start of our research, we established five hypotheses about ShadowSyndicate that we set out to prove. These hypotheses are as follows:
- Hypothesis A: ShadowSyndicate is a hoster who set up the SSH fingerprint on their server.
- Hypothesis B: ShadowSyndicate is a DevOps engineer that deploys servers and provides them to various threat actors.
- Hypothesis C: ShadowSyndicate owns an underground service offering “bulletproof hosting” to cyber criminals.
- Hypothesis D: ShadowSyndicate is an initial access broker that obtains initial access to victims themselves and then sells that access to other cyber crime groups.
- Hypothesis E: ShadowSyndicate is a RaaS affiliate that uses various types of ransomware.
Although we have not reached a final verdict, all the facts obtained during our research suggest that hypothesis E, that ShadowSyndicate is a RaaS affiliate that uses various types of ransomware, is the most plausible.
Figure 1. Hosts related to ShadowSyndicate’s SSH fingerprint.