Published on May 26, 2026

NightSpire Ransomware Uses RDP Access and Remote Admin Tools for Stealthy Persistence


Severity

Medium

Detail

A rapidly emerging ransomware operation known as NightSpire has targeted organizations across healthcare, education, government, finance, manufacturing, and logistics sectors worldwide since early 2025. The threat group uses a double extortion model, stealing sensitive data before encrypting systems and threatening to leak the information through a Tor-based site if ransom demands are not met.

Researchers observed at least 64 victims across 33 countries between March and June 2025, with the United States experiencing the highest number of incidents.

How?

NightSpire primarily gains initial access through exposed or compromised Remote Desktop Protocol (RDP) services. Once inside a network, the attackers avoid using heavily customized malware during the early stages and instead deploy legitimate remote administration tools such as Chrome Remote Desktop and AnyDesk to establish persistence and maintain long-term access.

Because these tools are widely used in enterprise environments, their activity often blends into normal administrative operations, allowing attackers to remain unnoticed for extended periods.

After securing access, the operators conduct internal discovery using “Everything” by voidtools, a legitimate file indexing and search utility capable of rapidly identifying sensitive files across infected systems. The selected data is then compressed into password-protected archives using 7-Zip before being exfiltrated through MEGAsync to MEGA cloud storage services.

Once data theft is completed, the attackers deploy a Go-based ransomware encryptor that systematically encrypts accessible files and appends the “.nspire” extension. Ransom notes are dropped throughout affected directories, while OneDrive files are also encrypted without changing their original extensions, potentially delaying detection.

Conclusion

NightSpire demonstrates how threat actors can successfully combine legitimate administrative and cloud synchronization tools with ransomware operations to reduce detection opportunities and maintain stealth within compromised environments.

Organizations should restrict unnecessary RDP exposure, enforce multi-factor authentication, monitor for unauthorized use of remote administration and cloud synchronization tools, and closely track abnormal archive creation or mass file encryption activity. Proactive threat hunting and ransomware simulation exercises can also help security teams identify defensive gaps before attackers exploit them.
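As an added example that is not part of the advisory or its source, the Python below correlates constructed Sysmon-style process-creation events against the tool chain described above (remote admin tool, "Everything" discovery, password-protected 7-Zip archive, MEGAsync) and alerts on a host only when several stages appear together, which is the kind of monitoring for remote administration tools, cloud synchronization clients and abnormal archive creation the recommendations call for. The binary names (AnyDesk.exe, remoting_host.exe for the Chrome Remote Desktop host, Everything.exe, 7z.exe, MEGAsync.exe) and the use of 7-Zip's -p password switch are assumptions about how these tools show up in telemetry, and every event is constructed.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events, not real telemetry:
# (timestamp, host, user, image path, command line)
EVENTS = [
    ("2025-04-02T01:12:03", "WS01", "svc_backup", r"C:\Windows\System32\mstsc.exe", "mstsc.exe"),
    ("2025-04-02T01:20:44", "FS01", "svc_backup", r"C:\Users\svc_backup\AppData\Local\AnyDesk\AnyDesk.exe", "AnyDesk.exe --install"),
    ("2025-04-02T01:35:10", "FS01", "svc_backup", r"C:\Tools\Everything\Everything.exe", "Everything.exe -startup"),
    ("2025-04-02T02:02:51", "FS01", "svc_backup", r"C:\Program Files\7-Zip\7z.exe", r'7z.exe a -pS3cret! D:\out\finance.7z "D:\Finance"'),
    ("2025-04-02T02:40:00", "FS01", "svc_backup", r"C:\Users\svc_backup\AppData\Local\MEGAsync\MEGAsync.exe", "MEGAsync.exe"),
    ("2025-04-02T09:00:00", "WS02", "alice", r"C:\Program Files\7-Zip\7z.exe", "7z.exe a report.zip report.docx"),
]

# Stages of the chain the advisory describes; binary names are assumptions
# about how each tool shows up in process telemetry.
STAGES = [
    ("remote_admin_tool",  # AnyDesk or the Chrome Remote Desktop host service
     lambda img, cmd: re.search(r"anydesk|remoting_host", img + " " + cmd, re.I)),
    ("file_discovery",     # voidtools "Everything" indexer
     lambda img, cmd: re.search(r"\\everything\.exe$", img, re.I)),
    ("protected_archive",  # 7-Zip invoked with the -p (password) switch
     lambda img, cmd: re.search(r"\\7zg?\.exe$", img, re.I) and re.search(r"(^|\s)-p\S*", cmd)),
    ("cloud_sync_exfil",   # MEGAsync client
     lambda img, cmd: re.search(r"\\megasync\.exe$", img, re.I)),
]

def classify(event):
    """Return the stage name an event matches, or None for benign activity."""
    _, _, _, image, cmdline = event
    for name, matcher in STAGES:
        if matcher(image, cmdline):
            return name
    return None

def correlate(events, min_stages=3):
    """Per host, collect distinct stages in order of first appearance and
    alert only when at least `min_stages` are present: one tool alone is
    routine admin work, the chain is not."""
    per_host = defaultdict(list)
    for ev in sorted(events):  # chronological order by timestamp
        stage = classify(ev)
        if stage and stage not in per_host[ev[1]]:
            per_host[ev[1]].append(stage)
    return {h: s for h, s in per_host.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

On the constructed events only FS01 is reported; the plain 7-Zip use on WS02 without a password switch and the RDP client launch on WS01 match no stage.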

Source

https://cybersecuritynews.com/nightspire-ransomware-uses-rdp-access-and-remote-admin-tools/