Path & Payload

Amateur Tradecraft, Professional Damage: Inside NightSpire

On March 14, 2025, a user going by xdragon128 posted a job listing on BreachForums 2, an English-language cybercrime forum. The position: negotiation specialist. The compensation: 20% of profits.

The platform had explicitly banned ransomware-related content following a law enforcement seizure in May 2024, so the post was short-lived. But within weeks, the ransomware operation behind the post — NightSpire — had claimed victims across three continents.

Ransom demands ran from $150,000 to $2 million. Pressure tactics included 48-hour payment deadlines, direct emails to victim employees, and published excerpts of negotiation transcripts when organizations refused to pay. By May 1, 2026, the victim count stood at 259 across dozens of countries.

NightSpire's operators have made plenty of mistakes. They've used Gmail addresses to communicate with victims, and their leak site server headers exposed Apache, OpenSSL, and PHP version information. During at least one attack, a hostname appeared on victim infrastructure that read XDRAGON-SERVER1 — the operator's own handle, embedded in their attack infrastructure. These aren't the mistakes of a careless operation, though. They're the mistakes of operators new to ransomware attacks — and who, as of early 2025, hadn't even existed as a threat group.

Who They Are

NightSpire is a financially motivated ransomware group first observed in February 2025, with a dark web data leak site that went live on March 12, 2025. At the time, the group operated as a closed shop — all attacks handled in-house from initial access through extortion, a deliberate contrast to the Ransomware-as-a-Service affiliate model that dominates the current landscape. This changed in April 2026, when the group made its first public move toward recruiting affiliates. More on that later.

The ransomware payload is compiled in Go (Golang) and appends the .nspire extension to encrypted files. NightSpire runs a full double-extortion model: data is exfiltrated before encryption, and victims who don't pay face publication of stolen data on the leak site alongside an escalating set of secondary pressure tactics. Primary targets are small to medium-sized enterprises — organizations with exposed perimeter services and limited security infrastructure.

The operators behind NightSpire are not new to cybercrime. Their known handles — xdragon128 and cuteliyuan — had been active in the cybercrime ecosystem since at least mid-2024, moving through prior tool development, group affiliations, and a precursor extortion operation before launching NightSpire. What they hadn't done before was run a full ransomware operation: encryption, leak site management, victim negotiation, ransom collection. The birth of NightSpire marked their first attempt.

(The name NightSpire is assumed to be a reference to World of Warcraft lore.)

The Lineage

Two operators are publicly identified: xdragon128 (also known as xdragon333) and cuteliyuan. Barracuda Networks' May 2026 analysis identifies geographic indicators pointing toward an India-linked operator nexus with possible Chinese-speaking involvement, though no formal attribution has been published by any government or law enforcement body.

The earliest documented activity traces back to September 2024, when a developer using the pseudonym Paranodeus began marketing a suite of Python-based tools on underground forums. That handle belongs to xdragon128. The toolkit included Parano Stealer, Parano Ransomware, and Parano Screen Locker, with documented anti-VM, anti-analysis, persistence, and cryptographic extraction capabilities. CYFIRMA's December 2024 research connects this activity to the CyberVolk collective and, separately, to DarkAssault.

By early 2025, xdragon128 surfaces in a short-lived operation called Rbfs — a data-only extortion group with no public branding and a brief lifespan. In early March 2025, xdragon128 is still posting Rbfs victims on BreachForums 2 while cuteliyuan shares Telegram links to the same victims.

Then, within days, all Rbfs-related activity stops. NightSpire's leak site goes live. At least two victims that appeared on the Rbfs leak site reappear on NightSpire's. S-RM assessed it as highly likely that the two groups were associated, based on shared operators, overlapping victims and the speed of the transition.

The Go-based NightSpire payload represents a technical step up from the earlier Python tooling, and NightSpire launched with a dedicated leak site, structured victim publication, and the double-extortion model that Rbfs never implemented. The infrastructure continuity is visible throughout: the hostname XDRAGON-SERVER1 links directly back to the xdragon128 persona across early incident reporting from multiple independent researchers.

Motivation and Targeting

Primary targeting concentrates on the United States — over 40% of victims in most analyses — with significant secondary presence across Asia-Pacific, particularly India, Hong Kong, Taiwan, and Japan, along with Western Europe, the Middle East, and Africa. The geographic spread reflects opportunistic exploitation rather than any political or espionage motive.

Manufacturing represents the largest victim concentration (roughly a third of identified cases), followed by technology and IT services, financial services, and healthcare. The group has also claimed victims in construction, education, retail, logistics, and government. The breadth is a notable operating characteristic — NightSpire goes wherever unpatched infrastructure and limited IR capacity overlap.

They focus on smaller organizations that likely lack dedicated security teams, operate without robust monitoring, and are more susceptible to the time pressure NightSpire applies. A 48-hour payment deadline hits differently when there's no IR firm on retainer and no pre-established playbook.

Signature TTPs (Mapped to MITRE ATT&CK)

Initial Access

NightSpire's primary access vector is CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass that allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module or crafted CSF proxy requests.

By sending specially crafted requests, an unauthenticated attacker can obtain super-administrator privileges on a FortiGate device without valid credentials. Fortinet disclosed the vulnerability on January 14, 2025 and said it was being exploited in the wild. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog the same day. Some secondary reporting places exploitation as early as November 2024 — before the patch existed. At disclosure, tens of thousands of internet-facing devices running vulnerable versions were still exposed.

Secondary access methods include RDP brute-force and credential stuffing, phishing campaigns disguised as browser or security software updates, exploitation of other unpatched VPN appliances, MFA fatigue attacks combined with VPN credential brute-forcing, and compromise of managed service providers to reach downstream clients.

ATT&CK mappings: T1190 (Exploit Public-Facing Application), T1110 (Brute Force), T1566 (Phishing), T1621 (Multi-Factor Authentication Request Generation)
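The exploited component sits behind the device's HTTP/HTTPS administrative interface, so the first defensive question is whether that interface was reachable from the internet at all. The script below is an added example for this article, not Fortinet code and not NightSpire tooling: it parses a FortiOS configuration export (the `config`/`edit`/`set`/`next`/`end` format printed by the CLI `show` command, which omits default values) and flags WAN-role interfaces whose `allowaccess` includes `http` or `https`, plus admin accounts with no `trusthost` restriction. The sample configuration is constructed; the parser handles flat tables only and collapses nested `config` blocks by name, which is sufficient for `system interface` and `system admin`.

```python
"""Check a FortiOS configuration export for an internet-exposed administrative
web interface and for admin accounts with no trusthost restriction.

Added example, not Fortinet code. Input is assumed to be CLI `show` output
(defaults omitted); nested `config` blocks inside an `edit` entry are
collapsed by table name.
"""
import shlex

# Protocols in `set allowaccess` that expose the administrative GUI/API.
ADMIN_WEB = {"http", "https"}

# Constructed sample export, not a real device configuration.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "backupadmin"
        set accprofile "super_admin"
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into
    {table_name: {entry_name: {key: [values]}}}."""
    tables = {}
    stack = []  # one [table_name, current_entry] pair per open `config` block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the double quotes FortiOS prints
        keyword = tokens[0]
        if keyword == "config":
            name = " ".join(tokens[1:])
            stack.append([name, None])
            tables.setdefault(name, {})
        elif keyword == "edit" and stack:
            stack[-1][1] = tokens[1]
            tables[stack[-1][0]].setdefault(tokens[1], {})
        elif keyword == "set" and stack and stack[-1][1] is not None:
            table, entry = stack[-1]
            tables[table][entry][tokens[1]] = tokens[2:]
        elif keyword == "next" and stack:
            stack[-1][1] = None
        elif keyword == "end" and stack:
            stack.pop()
    return tables


def find_exposed_admin_interfaces(tables):
    """Interfaces with role wan whose allowaccess includes http or https."""
    findings = []
    for name, attrs in tables.get("system interface", {}).items():
        exposed = set(attrs.get("allowaccess", [])) & ADMIN_WEB
        role = attrs.get("role", ["undefined"])[0]
        if exposed and role == "wan":
            findings.append({"interface": name,
                             "ip": attrs.get("ip", ["?"])[0],
                             "protocols": sorted(exposed)})
    return findings


def find_unrestricted_admins(tables):
    """Admin accounts with no trusthostN line, i.e. reachable from any source."""
    return [name for name, attrs in tables.get("system admin", {}).items()
            if not any(key.startswith("trusthost") for key in attrs)]


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for f in find_exposed_admin_interfaces(parsed):
        print(f"admin web interface ({', '.join(f['protocols'])}) exposed on "
              f"{f['interface']} at {f['ip']}")
    for admin in find_unrestricted_admins(parsed):
        print(f"admin account {admin} has no trusthost restriction")
```

Run it against a saved `show` export from each FortiGate in the estate; a WAN interface that lists `https` or `http` is a device that was exposed to the unauthenticated path described above for as long as it ran a vulnerable build, which is the "treat as potentially already compromised" case rather than the "at risk" case.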

Exfiltration

Before encryption, NightSpire conducts discovery using Everything.exe — a legitimate Windows search utility — to locate files of value. Data is staged and exfiltrated using legitimate tools such as WinSCP, MEGACmd/MEGASync and 7-Zip, often blending into normal administrative activity. S-RM documented the exfiltration server IP 14.139.185.60 in March 2025, and Huntress later observed similar use of legitimate tooling, including Everything, MEGASync and 7-Zip, in NightSpire activity.

ATT&CK mappings: T1087 (Account Discovery), T1005 (Data from Local System), T1567.002 (Exfiltration to Cloud Storage)

Encryption and Persistence

The Go-compiled ransomware payload appends .nspire to encrypted files. For a subset of victims, NightSpire has modified MFA settings and changed account passwords to maintain persistence after initial stolen session tokens expire, effectively extending the attacker's window before eviction. Lateral movement relies on PowerShell, PsExec, and WMI. NightSpire notably does not delete Volume Shadow Copies, prioritizing encryption speed over complete recovery prevention — an operational choice that also represents a potential recovery path for defenders.

ATT&CK mappings: T1486 (Data Encrypted for Impact), T1556 (Modify Authentication Process), T1059.001 (PowerShell), T1047 (Windows Management Instrumentation)

Extortion

NightSpire's pressure model goes beyond the standard leak-site threat. Payment deadlines have been as short as 48 hours from ransom note delivery. If direct negotiation stalls, the group pivots to emailing victim employees directly. In at least one documented case, NightSpire published excerpts of negotiation transcripts after a victim refused to pay — using the victim's own communications as an additional pressure mechanism. The group maintains multiple negotiation channels: ProtonMail, OnionMail, Telegram, qTox, and personalized Tor-hosted chat portals.

S-RM noted in their March 2025 analysis that the group's actual follow-through on data publication has been inconsistent — a marker of an operation still finding its footing. That may change as the affiliate model matures.

Notable Operations

NightSpire's victim list is dominated by anonymous SMBs, which reflects the opportunistic targeting model but limits the public record. Most victims are not large enough to generate mandatory breach disclosures or significant media coverage. The two consistently cited named cases are below.

Operation: Municipality of Ardon, France — April 2025
Details: 30GB of data claimed stolen. Named on NightSpire's leak site with a payment deadline of April 30, 2025. One of the few publicly confirmed and named cases in the public record.

Operation: Nippon Ceramic — April 2025
Details: Manufacturing sector victim documented by Cyble with a confirmed compromise date of April 10, 2025.

Operation: Q1 2026 growth
Details: Check Point Research documents 183% growth from Q4 2025 to Q1 2026, from 29 victims to 82 in a single quarter. NightSpire ranked among the most active ransomware operations globally during this period.

The OpSec Paradox

Here's what should concern security leaders more than any specific TTP: NightSpire's operators make basic mistakes, and it hasn't mattered.

They tried to recruit on a platform that had banned ransomware content and got permanently banned. They used Gmail for victim communications — a mainstream service with a traceable footprint and exposure to provider-initiated shutdown. Their leak site exposes server header information that defenders can use to fingerprint infrastructure. During at least one attack, the hostname XDRAGON-SERVER1 appeared on victim infrastructure — the operator's own handle.

And yet: 259 victims across dozens of countries. 183% quarter-over-quarter growth. Ransom demands reaching $2 million.

The gap between tradecraft quality and operational impact tells you something specific about the current ransomware ecosystem. CVE-2024-55591 gave NightSpire access to hundreds of thousands of potentially vulnerable FortiGate devices at the moment Fortinet disclosed it. A working exploit plus a Tor-hosted leak site is sufficient to run a ransomware operation at scale in 2025 and 2026. Operational maturity is no longer a prerequisite for significant damage — the infrastructure commoditization that followed LockBit's disruption lowered the floor for everyone.

Barracuda's May 2026 analysis calls the operators "wannabe warlords," and the OpSec failures earn that framing. But wannabe warlords with access to a critical Fortinet exploit, a functioning double-extortion model, and 259 organizations in their victim count are still causing material harm to real organizations, regardless of what you call them.

What's Changed Recently

In April 2026, NightSpire made its first public move toward a RaaS model, with screenshots emerging of the group actively recruiting affiliates. If the shift holds, it marks a significant operational transition.

Until now, the closed-group model was both a strength and a constraint. Total operator control meant consistent TTPs and no affiliate management overhead, but it also capped scale. Moving to affiliates changes that calculus — and it changes the OpSec equation. The core operators' tradecraft weaknesses matter less if affiliates are running the intrusions.

Check Point Research's Q1 2026 report places NightSpire among the most active operations of the quarter and notes that NightSpire and The Gentlemen are both exploiting CVE-2024-55591. The access vector that fueled NightSpire's growth is now shared with at least one other group that grew 315% in the same quarter. For organizations that haven't patched, the competition for that attack surface is intensifying.

No law enforcement action against NightSpire has been reported as of May 2026. No arrests, no indictments, no infrastructure seizures. The geographic attribution indicators documented by Barracuda have not been confirmed or acted on publicly.

Detection and Defense Considerations

Patching CVE-2024-55591 is the first and most urgent control. Fortinet disclosed the vulnerability in January 2025, patches are available, and any internet-facing FortiGate or FortiProxy device running a vulnerable version should be treated as potentially already compromised, not just at risk.

Beyond the patch: NightSpire's LOLBin stack — WinSCP, MEGACmd, Everything.exe, 7-Zip — is detectable through behavioral baselines rather than signatures. File transfer utilities appearing in environments where they have no legitimate business purpose, particularly against cloud storage endpoints like MEGA, warrant investigation. These tools generate logs.
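What a behavioral baseline looks like in practice, for this paragraph and for the Exfiltration and Encryption sections above, as an added example that is not part of the original article and not any vendor's detection content: three rules run over process-creation and file-creation records in a Sysmon-like shape. Rule 1 flags a watched tool (Everything, 7-Zip, WinSCP, MEGAcmd/MEGAsync) on a host where it has no baselined purpose; rule 2 flags an archiver followed by a transfer client on the same host inside a short window, the staging-then-exfiltration chain; rule 3 flags a burst of `.nspire` file creations. The events and the per-host allowlist are constructed, and the executable names in the watch lists are illustrative and should be aligned with what is actually deployed.

```python
"""Behavioural detection for the NightSpire-style tool chain: archiver staging,
transfer-client exfiltration, and mass creation of .nspire files.

Added example, not vendor detection content. Events are constructed in a
Sysmon-like shape (EventID 1 = process creation, EventID 11 = file creation)
and are not real victim telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
TRANSFER_TOOLS = {"winscp.exe", "megacmd.exe", "megasync.exe"}  # illustrative names
SEARCH_TOOLS = {"everything.exe"}
WATCHED = ARCHIVERS | TRANSFER_TOOLS | SEARCH_TOOLS
RANSOM_EXT = ".nspire"

# Constructed per-host allowlist: watched tools with a known business purpose there.
BASELINE = {"WS07": {"7z.exe", "winscp.exe"}, "FS01": {"winscp.exe"}}

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2025-03-20T02:01:10", "EventID": 1, "User": "CORP\\svc_backup",
     "Image": "C:\\Tools\\Everything.exe"},
    {"host": "FS01", "ts": "2025-03-20T02:05:42", "EventID": 1, "User": "CORP\\svc_backup",
     "Image": "C:\\Program Files\\7-Zip\\7z.exe"},
    {"host": "FS01", "ts": "2025-03-20T02:09:03", "EventID": 1, "User": "CORP\\svc_backup",
     "Image": "C:\\Users\\Public\\MEGAcmd\\MEGAcmd.exe"},
    # Benign: an analyst unpacking an archive on a workstation where 7-Zip is baselined.
    {"host": "WS07", "ts": "2025-03-20T08:15:00", "EventID": 1, "User": "CORP\\alice",
     "Image": "C:\\Program Files\\7-Zip\\7z.exe"},
    {"host": "WS07", "ts": "2025-03-20T08:16:30", "EventID": 11,
     "Image": "C:\\Program Files\\7-Zip\\7z.exe", "TargetFilename": "C:\\Users\\alice\\report.docx"},
] + [
    # Burst of encrypted-file creations on the file server, one per second.
    {"host": "FS01", "ts": f"2025-03-20T02:40:0{i}", "EventID": 11,
     "Image": "C:\\Windows\\Temp\\locker.exe",
     "TargetFilename": f"D:\\Shares\\Finance\\doc{i}.xlsx{RANSOM_EXT}"}
    for i in range(6)
]


def analyze(events, baseline, window=timedelta(minutes=15), rename_threshold=5):
    """Return alert dicts from three rules; each names the rule and the host."""
    alerts = []
    procs = defaultdict(list)    # host -> [(ts, image_name)]
    renames = defaultdict(list)  # host -> [ts of RANSOM_EXT file creations]
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        host, ts = e["host"], datetime.fromisoformat(e["ts"])
        if e["EventID"] == 1:
            img = ntpath.basename(e["Image"]).lower()
            procs[host].append((ts, img))
            # Rule 1: a watched tool running where it has no baselined purpose.
            if img in WATCHED and img not in baseline.get(host, set()):
                alerts.append({"rule": "unbaselined_tool", "host": host,
                               "image": img, "user": e["User"], "ts": e["ts"]})
        elif e["EventID"] == 11 and e["TargetFilename"].lower().endswith(RANSOM_EXT):
            renames[host].append(ts)

    # Rule 2: archiver followed by a transfer client on the same host within the window.
    for host, items in procs.items():
        archive_times = [t for t, img in items if img in ARCHIVERS]
        for t, img in items:
            if img in TRANSFER_TOOLS and any(timedelta(0) <= t - a <= window
                                             for a in archive_times):
                alerts.append({"rule": "staging_then_transfer", "host": host,
                               "image": img, "ts": t.isoformat()})
                break  # one alert per host; analysts pivot from there

    # Rule 3: at least rename_threshold RANSOM_EXT creations inside a sliding window.
    for host, times in renames.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= rename_threshold:
                alerts.append({"rule": "mass_rename", "host": host,
                               "count": end - start + 1,
                               "first": times[start].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

On the constructed data the workstation produces nothing and the file server produces five alerts: three unbaselined tools, one staging-then-transfer chain, and one rename burst. The rename rule fires after the fifth encrypted file rather than at the end of the run, which matters here because, as noted above, the payload does not delete Volume Shadow Copies; an early alert leaves snapshot-based recovery on the table for the hosts that have not yet been touched.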

The 48-hour deadline is an operational problem, not just a psychological one. Organizations without pre-established IR playbooks, tested backups, and a defined escalation path for ransomware events will be making containment and negotiation decisions under time pressure that the attacker engineered. Standard assumptions about 72-hour response windows don't hold here. Backup architecture should be validated specifically against compressed recovery scenarios, with offline or immutable copies that are isolated from the credentials an attacker would hold post-compromise.

Another thing worth noting: S-RM's early analysis flagged that NightSpire's follow-through on data publication has been inconsistent. That's not a reason to treat leak threats as negligible — but it is a reason to verify claimed data theft independently before accepting worst-case exposure as a given.
