ShadowSyndicate and Black Basta: ShadowSyndicate Using Server Transition Technique in Ransomware Attacks

ShadowSyndicate Adopts Advanced SSH Key Rotation to Evade Detection

The cybercriminal group ShadowSyndicate, first identified in 2022, has refined its infrastructure management tactics by rotating SSH keys across multiple servers, a technique designed to obscure its operations and complicate tracking efforts. Initially, the group relied on a single SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d), which created a detectable pattern. Its latest shift involves reusing servers and cycling SSH keys in ways that mimic legitimate server transfers, though operational errors have exposed the connections between them.

Researchers from Group-IB uncovered two additional SSH fingerprints (ddd9ca54c1309cde578062cba965571e and 55c658703c07d6344e325ea26cf96c3b) linked to the group, following a 2025 report by Intrinsec that flagged another fingerprint. These findings reveal ShadowSyndicate’s infrastructure now spans at least 20 command-and-control (C2) servers, supporting attack frameworks like Cobalt Strike, MetaSploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. These tools enable persistent network access and ransomware deployment.

Analysis of the group’s server clusters ties ShadowSyndicate to multiple ransomware operations, including Cl0p, ALPHV/BlackCat, Black Basta, Ryuk, and Malsmoke. This suggests the group may function as an Initial Access Broker (IAB) or provide bulletproof hosting for other cybercriminals. Despite using diverse hosting providers and geographic locations, ShadowSyndicate’s preference for specific autonomous system numbers (ASNs) creates identifiable patterns, aiding proactive detection.
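The fingerprint-based infrastructure correlation the article describes, written as an added example that is not part of the original article or of Group-IB's tooling. It links scan observations through shared SSH host-key fingerprints with union-find, so that a key moving between servers or a server cycling its key stays in one cluster, and it records per-host key rotations and the ASNs each cluster uses. The three watchlisted fingerprints are the ones quoted in the article; the observations, IPs (documentation ranges) and ASNs (RFC 5398 documentation block) are constructed.

```python
from collections import defaultdict

# Fingerprints the article attributes to ShadowSyndicate (Group-IB / Intrinsec).
WATCHLIST = {
    "1ca4cbac895fc3bd12417b77fc6ed31d",
    "ddd9ca54c1309cde578062cba965571e",
    "55c658703c07d6344e325ea26cf96c3b",
}

# Constructed scan observations: (date, ip, asn, ssh_host_key_fingerprint).
# IPs are from documentation ranges, ASNs from the RFC 5398 documentation block.
OBSERVATIONS = [
    ("2024-11-01", "192.0.2.10", "AS64496", "1ca4cbac895fc3bd12417b77fc6ed31d"),
    ("2024-11-01", "192.0.2.11", "AS64496", "1ca4cbac895fc3bd12417b77fc6ed31d"),
    ("2025-01-15", "192.0.2.10", "AS64496", "ddd9ca54c1309cde578062cba965571e"),
    ("2025-01-20", "198.51.100.7", "AS64497", "ddd9ca54c1309cde578062cba965571e"),
    ("2025-02-02", "198.51.100.7", "AS64497", "55c658703c07d6344e325ea26cf96c3b"),
    ("2025-02-03", "203.0.113.5", "AS64499", "0123456789abcdef0123456789abcdef"),
]


def correlate(observations, watchlist=WATCHLIST):
    """Link hosts through shared SSH host-key fingerprints with union-find, so a
    key that moves between servers, or a server that cycles keys, still lands
    in one cluster. Returns the clusters and the per-host key rotations."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for _, ip, _, fp in observations:
        parent[find(("ip", ip))] = find(("fp", fp))  # union host with its key

    members, asns, keys_seen = defaultdict(set), defaultdict(set), defaultdict(list)
    for _, ip, asn, fp in sorted(observations):  # chronological order
        root = find(("ip", ip))
        members[root].add(ip)
        asns[root].add(asn)
        if fp not in keys_seen[ip]:
            keys_seen[ip].append(fp)  # keys in order of first sighting
    clusters = sorted(
        ({"hosts": sorted(members[r]), "asns": sorted(asns[r]),
          "watchlisted": any(fp in watchlist for ip in members[r] for fp in keys_seen[ip])}
         for r in members),
        key=lambda c: c["hosts"])
    rotations = {ip: fps for ip, fps in keys_seen.items() if len(fps) > 1}
    return clusters, rotations
```

The rotation of 192.0.2.10 from the first fingerprint to the second, and of 198.51.100.7 from the second to the third, is what ties the three hosts into one cluster even though no single key is shared by all of them.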

Security teams are advised to monitor for repeated MFA failures, high-volume login attempts, and rapid valid credential usage, as well as geographic mismatches between login attempts and device locations. The group’s evolving tactics underscore the need for continuous infrastructure correlation to counter its adaptive evasion strategies.
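The four login indicators listed above, evaluated over a sliding window, as an added example that is not part of the original article. The authentication events, the device registry and the thresholds (600-second window, 3 failures, 20 attempts) are constructed assumptions; a real deployment would take them from its identity provider's logs and device inventory.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication events: (utc timestamp, user, event, country, device_id).
# event is one of login_fail, mfa_fail, login_ok.
EVENTS = [
    ("2025-01-20T10:00:01", "alice", "mfa_fail", "DE", "alice-laptop"),
    ("2025-01-20T10:00:09", "alice", "mfa_fail", "DE", "alice-laptop"),
    ("2025-01-20T10:00:20", "alice", "mfa_fail", "DE", "alice-laptop"),
    ("2025-01-20T10:00:41", "alice", "login_ok", "DE", "alice-laptop"),
    ("2025-01-20T11:15:00", "bob", "login_ok", "US", "bob-desktop"),
] + [(f"2025-01-20T12:00:{i:02d}", "carol", "login_fail", "NL", "unknown") for i in range(25)]

# Constructed device registry: device_id -> country where the device is enrolled.
DEVICE_HOME = {"alice-laptop": "FR", "bob-desktop": "US"}


def detect(events, device_home, window=600, fail_limit=3, volume_limit=20):
    """Return (user, rule, timestamp) alerts for the four indicators:
    repeated MFA failures, high-volume attempts, a valid login shortly after
    failures, and a login country that differs from the device's home."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, event) pairs inside the window
    for raw_ts, user, event, country, device in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        q = recent[user]
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()  # drop events that fell out of the window
        q.append((ts, event))
        mfa_fails = sum(e == "mfa_fail" for _, e in q)
        failures = sum(e != "login_ok" for _, e in q)
        if event == "mfa_fail" and mfa_fails == fail_limit:  # alert once at threshold
            alerts.append((user, "repeated_mfa_failures", raw_ts))
        if len(q) == volume_limit:
            alerts.append((user, "high_volume_attempts", raw_ts))
        if event == "login_ok":
            if failures >= fail_limit:
                alerts.append((user, "rapid_valid_credential_use", raw_ts))
            home = device_home.get(device)
            if home is not None and home != country:
                alerts.append((user, "geo_mismatch", raw_ts))
    return alerts
```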

Source: https://cybersecuritynews.com/shadowsyndicate-using-server-transition/

{
  "id": "CYDKIL1770303400",
  "linkid": "cyderes, killasoft",
  "type": "Ransomware",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "attack_vector": "SSH Key Rotation, Command-and-Control (C2) Servers",
  "description": "The cybercriminal group ShadowSyndicate has refined its infrastructure management tactics by rotating SSH keys across multiple servers to obscure its operations and complicate tracking efforts. The group, first identified in 2022, initially relied on a single SSH fingerprint but has since shifted to reusing servers and cycling SSH keys in ways that mimic legitimate server transfers. Researchers from Group-IB uncovered additional SSH fingerprints linked to the group, revealing its infrastructure now spans at least 20 command-and-control (C2) servers supporting attack frameworks like Cobalt Strike, MetaSploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. Analysis ties ShadowSyndicate to multiple ransomware operations, suggesting it may function as an Initial Access Broker (IAB) or provide bulletproof hosting for other cybercriminals.",
  "lessons_learned": "ShadowSyndicate's evolving tactics, such as SSH key rotation and infrastructure reuse, underscore the need for continuous infrastructure correlation and proactive detection to counter adaptive evasion strategies.",
  "motivation": "Financial Gain, Persistent Network Access, Ransomware Deployment",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced monitoring for suspicious login patterns, geographic mismatches, and infrastructure correlation to detect ShadowSyndicate's adaptive tactics.",
    "root_causes": "SSH key rotation and server reuse to evade detection, reliance on specific autonomous system numbers (ASNs), and use of diverse attack frameworks for persistent access."
  },
  "ransomware": {"ransomware_strain": ["Cl0p", "ALPHV/BlackCat", "Black Basta", "Ryuk", "Malsmoke"]},
  "recommendations": "Security teams should monitor for repeated MFA failures, high-volume login attempts, rapid valid credential usage, and geographic mismatches between login attempts and device locations. Additionally, track specific autonomous system numbers (ASNs) associated with the group's hosting providers.",
  "references": [{"source": "Group-IB"}, {"source": "Intrinsec"}],
  "response": {"enhanced_monitoring": "Monitor for repeated MFA failures, high-volume login attempts, rapid valid credential usage, and geographic mismatches between login attempts and device locations."},
  "threat_actor": "ShadowSyndicate",
  "title": "ShadowSyndicate Adopts Advanced SSH Key Rotation to Evade Detection",
  "type": "Cybercriminal Infrastructure Evasion"
}