The Good | Police Disrupt Phobos, 8Base & LockBit Ransomware Operations
International operation “Phobos Aetor” has led to the arrest of two Russian-based cybercriminals linked to the Phobos ransomware gang, who are accused of conducting over 1,000 cyberattacks globally and extorting $16 million in Bitcoin.
The suspects are linked to at least 17 ransomware attacks on Swiss companies between April 2023 and October 2024, in which they infiltrated corporate networks to steal and encrypt data, demanding ransoms in cryptocurrency, which was then laundered through crypto mixers.
The same operation has also disrupted 8Base ransomware operations, a group that was quietly active since March 2022 before gaining prominence in June 2023. 8Base targets small and medium-sized businesses (SMBs) worldwide and uses Phobos ransomware to encrypt files and demand millions in ransom. High-profile victims included Nidec Corporation and the UNDP.
Meanwhile, the U.S., U.K., and Australia have placed sanctions on Zservers, a bulletproof hosting (BPH) provider based in Russia, for supplying the attack infrastructure of the LockBit ransomware operations. The sanctions also call out two designated Russian nationals, Alexander Mishin and Aleksandr Bolshakov, for their part in administrating LockBit’s virtual currency transactions.
Authorities linked Zservers’ infrastructure to LockBit malware operations through a Canadian raid from 2022, which revealed a laptop running a LockBit control panel. Then in 2023, Zservers provided Russian IP addresses to a known LockBit affiliate.
In addition to sanctions on Zservers, the U.K. is also sanctioning XHOST Internet Solutions LP, Zservers’ U.K. front company, as well as four of its employees for supporting LockBit’s attacks. The sanctions freeze assets and prohibit transactions with the designated individuals and entities. A $15 million bounty stands for any information that leads to the arrest of LockBit ransomware operations, owners, admins, and/or affiliates.
The Bad | New Sarcoma Ransomware Threatens Major PCB Manufacturer With Data Leak
A new ransomware group known as ‘Sarcoma’ has claimed responsibility for recent attacks on Unimicron, a large printed circuit board (PCB) firm based in Taiwan. Sarcoma alleges that it has stolen 377 GB of SQL files and sensitive documents and is now threatening to leak the data if its ransom is not paid. Some of the stolen data has already been published and the firm has been added to Sarcoma’s data leak site.
Sarcoma first emerged in October 2024, quickly gaining attention by claiming 36 victims in its first month of operation. Security researchers have warned of its aggressive tactics against industrial organizations in particular. So far, Sarcoma’s observed attack methods include phishing campaigns, exploiting n-day vulnerabilities to gain initial access, and conducting supply chain attacks to move downstream from service vendors to their client base.
Once inside a network, Sarcoma uses remote desktop protocol (RDP) exploitation, lateral movement, and data exfiltration tactics. As of this writing, Sarcoma’s exact toolsets, origins, and tactics remain unclear though their methods suggest experience operating within the threat ecosystem.
According to Unimicron’s security notice, the firm confirmed that the attack occurred on January 30, 2025, impacting one of its subsidiaries based in Shenzhen, China. The company states that the impact of the attack was limited and that it is working with a forensic team to analyze the incident and help shore up defenses. The firm has not confirmed a data leak.
The Unimicron attack is a reminder of the risk ransomware poses to critical infrastructure and supply chain operations. Fast-growing groups like Sarcoma will continue to emerge, increasing the urgency for manufacturers, government partners and vendors to work together to protect intellectual property and maintain secure operation of vital industrial control systems (ICS) and operational technologies (OT).
The Ugly | Shared Tools Link Ransomware Actors to China-Backed Cyber Espionage
In a recent campaign, China-linked threat actor Bronze Starlight leveraged RA World ransomware against a South Asian software and services company. Notably, the attack used a toolset commonly associated with Chinese state-sponsored cyber espionage efforts.
Researchers found that Bronze Starlight used PlugX (Korplug) malware via DLL sideloading, loading a malicious DLL (toshdpapi.dll) through a legitimate Toshiba executable (toshdpdb.exe) before launching the encrypted PlugX payload. The attack also involved NPS proxy, a covert communication tool, and various RC4-encrypted payloads. The initial access vector is suspected to be the exploitation of a Palo Alto Networks PAN-OS vulnerability (CVE-2024-0012).
The toolset has also appeared in older espionage campaigns targeting government ministries and telecom firms across Southeast Europe and Asia. In attacks observed between July 2024 and January 2025, threat actors leaned towards establishing long-term persistence, rather than immediate financial gain. The November attack, though, involved encrypting machines with RA World ransomware and a $2 million ransom demand.
This incident adds to growing evidence of crossover between cyber espionage and financially motivated cybercrime. In August 2023, for example, SentinelLABS identified a suspected-Chinese malware targeting the Asian gambling sector. The infrastructure and malware used in the latest attacks show connections to Operation ChattyGoblin, a campaign linked to Bronze Starlight. This suspected China-aligned ransomware group primarily engages in espionage, using ransomware for misattribution or distraction.
The overlap in tactics between these operations and the RA World ransomware attack underscores the blurry lines between state-backed espionage and financially-fueled attacks. As Chinese APTs share their malware and infrastructure, trends like this further complicate attribution in an extensive threat ecosystem.
