Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Spirals Ransomware Quickly Hits IT Firm with Web Shell

Spirals Ransomware Quickly Hits IT Firm with Web Shell

Posted on July 18, 2026 By CWS

A newly identified ransomware known as ‘Spirals’ targeted an IT services firm in South Asia in June 2026. According to Symantec’s Threat Hunter Team, the attackers infiltrated the company’s systems and encrypted the network within less than a day.

Developed using Rust, the Spirals payload appears to be either a new creation or specifically designed for this assault, with the assailants yet to be identified.

Web Shell and PsExec Utilization

The attack commenced on June 16 at 22:21 local time. The perpetrators breached an internet-facing IIS web server, deploying an ASP.NET web shell. Within a short timeframe, three tunneling tools were activated, including Chisel masquerading as chrome.exe, alongside a Cloudflare tunnel client, to establish secret communication channels. A token impersonation tool was also used, likely aiding in privilege escalation.

During an intense three-hour session, the attacker manipulated cmd.exe and powershell.exe through the IIS worker process, bypassed User Account Control (UAC), enabled Remote Desktop Protocol (RDP), created a persistent local account, and extracted the SAM hive. By 23:07, efforts to neutralize security systems were evident.

Lateral Movement and Mass Deployment

By 23:33, the attackers transitioned to using WMI-based lateral movement, quickly compromising over a dozen systems using stolen domain administrator credentials, indicating a pre-planned, automated approach rather than manual exploration.

The following day, on June 17, the attackers shifted to PsExec for mass payload deployment. Starting around 14:12, a compromised system distributed a base64-encoded PowerShell payload to network targets every few seconds for 30 minutes. This payload disabled Windows Defender’s real-time monitoring and halted over 20 critical services.

Encryption Tactics and Defensive Measures

The ransomware executed under the guise of bitsadmin.exe, a legitimate Windows utility, was strategically distributed across network locations to ensure widespread propagation. This tactic highlights the need for organizations to audit internal script shares.

Spirals, a Rust-based encryptor, comes equipped with defense evasion, lateral movement, and privilege escalation capabilities. It employs AES-128 for file encryption and an attacker-controlled ECDH P-256 public key to secure local AES keys.

The ransom note, C:RECOVERY_SECTION.log, threatens data exposure within six days if payment is not made, directing victims to a Tor-based negotiation portal.

Though Spirals has only been observed in one instance, its sophisticated operations suggest the potential for broader attacks. Organizations should prioritize web shell detection, behavioral auditing of WMI and PsExec activities, and the protection of credentials against LSASS memory dumping tools.

Cyber Security News Tags:cyber attack, cyber threat, IIS web shell, IT security, IT services, network encryption, PsExec, Rust-based ransomware, Spirals ransomware, Symantec

Post navigation

Previous Post: Critical Vulnerabilities in Citrix Clients Pose Security Risks

Related Posts

Crypto Scams Surge in Asia with Sophisticated Tactics Crypto Scams Surge in Asia with Sophisticated Tactics Cyber Security News
Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability Cyber Security News
WaterPlum’s New Malware Threatens VSCode Security WaterPlum’s New Malware Threatens VSCode Security Cyber Security News
Critical MongoDB Vulnerability Exposes Sensitive Data via Zlib Compression Critical MongoDB Vulnerability Exposes Sensitive Data via Zlib Compression Cyber Security News
Ousaban Malware Targets Iberian Banks with Phishing PDFs Ousaban Malware Targets Iberian Banks with Phishing PDFs Cyber Security News
New SEO Poisoning Attacking Windows Users With Weaponized Software Sites New SEO Poisoning Attacking Windows Users With Weaponized Software Sites Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Spirals Ransomware Quickly Hits IT Firm with Web Shell
  • Critical Vulnerabilities in Citrix Clients Pose Security Risks
  • Critical wp2shell RCE Vulnerability Threatens WordPress Sites
  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Spirals Ransomware Quickly Hits IT Firm with Web Shell
  • Critical Vulnerabilities in Citrix Clients Pose Security Risks
  • Critical wp2shell RCE Vulnerability Threatens WordPress Sites
  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark