Unmasked: ShadowSyndicate’s Global Ransomware Empire Blurs Lines Between Cybercrime and Geopolitical Espionage
The ShadowSyndicate infrastructure, also tracked under the alias Infra Storm, has come under intense scrutiny from cybersecurity professionals because of its overlaps with several of the world's most prominent ransomware operations. Active since mid-2022, the group has been linked to a range of major ransomware brands, including ALPHV/BlackCat, LockBit, Royal, Play, Cl0p, Cactus, and RansomHub. Rather than acting as a conventional initial access broker, ShadowSyndicate appears to operate as a high-tier participant in the Ransomware-as-a-Service (RaaS) model, supplying services or infrastructure to a broad spectrum of criminal affiliates.
According to findings from Intrinsec, ShadowSyndicate's connections extend well beyond the usual contours of the cybercriminal underworld. Its toolkit and operational methods show striking similarities to those of established threat groups such as TrickBot, Ryuk/Conti, FIN7, and TrueBot, all known for sophisticated intrusion techniques, evasion capabilities, and exploitation expertise.
The investigation was sparked by two IP addresses presenting the same SSH host-key fingerprint, a sign that the hosts were provisioned from the same key material. Pivoting on that fingerprint and on related behavioural and structural traits through internet-scanning platforms such as Shodan and FOFA, researchers expanded the cluster to 138 servers. Notable intersections include participation in attacks exploiting the Citrix Bleed vulnerability (CVE-2023-4966), a session-token leakage flaw in NetScaler ADC and Gateway, with LockBit and ThreeAM infrastructure involved in the exploitation.
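The pivot described above rests on one property of SSH: a host key that is reused across servers yields the same fingerprint everywhere it is deployed, so the fingerprint becomes a clustering key for scan data. The following script is an added example, not code from Intrinsec or from the article. It computes the OpenSSH-style fingerprint (`SHA256:` plus the unpadded base64 of the SHA-256 digest of the key blob, which is what `ssh-keygen -lf` prints) and groups scanned hosts by it. The scan records, the `_fake_ed25519_line` helper and the IP addresses are constructed test data, not real hosts or keys.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return len(data).to_bytes(4, "big") + data


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH fingerprint ("SHA256:<base64 without '=' padding>") of a
    public key line such as "ssh-ed25519 AAAAC3... comment"."""
    key_type, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    # The wire blob must begin with the declared key type; reject mismatches.
    if not blob.startswith(ssh_string(key_type.encode())):
        raise ValueError("key blob does not match declared key type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(scan_records):
    """Group (ip, hostkey_line) records by fingerprint -> {fingerprint: [ips]}."""
    clusters = defaultdict(list)
    for ip, hostkey in scan_records:
        clusters[ssh_fingerprint(hostkey)].append(ip)
    return dict(clusters)


def shared_keys(clusters, min_hosts=2):
    """Fingerprints seen on at least min_hosts distinct IPs: the pivot set."""
    return {fp: ips for fp, ips in clusters.items() if len(set(ips)) >= min_hosts}


def _fake_ed25519_line(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 key line from a deterministic
    32-byte value. CONSTRUCTED test data, not a real key."""
    raw = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 bytes, like an Ed25519 key
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed scan output: three hosts sharing one key, one host with its own.
SAMPLE_SCAN = [
    ("192.0.2.10", _fake_ed25519_line(1)),
    ("192.0.2.20", _fake_ed25519_line(1)),
    ("198.51.100.5", _fake_ed25519_line(1)),
    ("203.0.113.7", _fake_ed25519_line(2)),
]

if __name__ == "__main__":
    for fp, ips in shared_keys(cluster_by_fingerprint(SAMPLE_SCAN)).items():
        print(fp, "->", ", ".join(ips))
```

One caveat a practitioner should keep in mind: a shared host key proves shared key material, not shared ownership. Hosting providers that clone VM images without regenerating host keys produce the same signal, so a fingerprint cluster is a lead to be corroborated with the other traits the researchers used (ports, banners, certificates, co-hosted payloads), not an attribution on its own.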
Additional overlap was found with infrastructure used in the MOVEit and ScreenConnect attacks, the latter involving chained exploitation of CVE-2024-1709 (an authentication bypass) and CVE-2024-1708 (a path traversal). Some ShadowSyndicate servers were also associated with hosts previously linked to UAC-0056 (aka Cadet Blizzard) and Cl0p.
Beyond the technical footprint, analysts uncovered connections to operations involving Black Basta and Bl00dy, as well as activity hinting at Cicada3301, a possible rebranding of BlackCat. The macOS infostealers AMOS and Poseidon, distributed through fraudulent Google ads and phishing lures posing as large language model tools, also appear tied to this infrastructure.
The network's architecture is equally noteworthy. The research highlights the use of bulletproof hosting (BPH) disguised as legitimate VPN, VPS, and proxy services, which gives cyber operations a platform that tolerates abuse reports and resists takedown. Cited autonomous systems include AS209588 (Flyservers), AS209132 (Alviva Holding), and the extensive AS-Tamatiya network, which aggregates 22 ASNs. These hosting services operate behind offshore jurisdictions such as Panama, the Seychelles, and the Virgin Islands.
Although Intrinsec's report assigns only moderate confidence to its assertions of state-linked affiliations, its references to high-ranking actors and to hybrid operations aimed at information manipulation suggest a far broader role for this infrastructure than extortion alone.
The study also notes connections to DecoyDog, a PupyRAT variant that tunnels its command-and-control traffic over DNS, as well as the use of malicious loaders such as Amadey and Nitol. As of May 2025, the network remained active, continually probing for vulnerabilities and deploying malicious payloads.
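DNS-tunnelled command and control, the technique the DecoyDog note above refers to, has a detection-side signature independent of any one tool: a single zone receiving many unique, high-entropy subdomain labels from one client. The script below is an added example, not code from Intrinsec or the article, and its heuristics are generic DNS-tunnelling indicators rather than DecoyDog-specific signatures. The log lines, the domain names and the thresholds are constructed for illustration; the "last two labels" apex extraction is a simplification that a production version would replace with a public-suffix-list lookup.

```python
import math
from collections import defaultdict

# Constructed query log in a minimal "timestamp client qname" form.
# Not real DecoyDog traffic and not a log format from the report.
SAMPLE_DNS_LOG = """\
2025-05-01T10:00:01Z 10.0.0.5 www.example.com
2025-05-01T10:00:02Z 10.0.0.5 3kq9x2zv8w1b0c4d.cmd.tunnel-example.net
2025-05-01T10:00:03Z 10.0.0.5 9f1a7b3c2e5d6h8j.cmd.tunnel-example.net
2025-05-01T10:00:04Z 10.0.0.5 a0b1c2d3e4f5g6h7.cmd.tunnel-example.net
2025-05-01T10:00:05Z 10.0.0.5 p8q7r6s5t4u3v2w1.cmd.tunnel-example.net
2025-05-01T10:00:06Z 10.0.0.5 mail.example.com
2025-05-01T10:00:07Z 10.0.0.7 cdn.example.org
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_domains(log_text: str, min_unique: int = 4, min_entropy: float = 3.5):
    """Flag apex domains whose leftmost labels look like encoded data channels.

    A domain is flagged when it has received at least `min_unique` distinct
    leftmost labels and the mean entropy of those labels is >= `min_entropy`.
    Returns {apex: {"unique_subdomains": int, "mean_entropy": float}}.
    """
    stats = defaultdict(lambda: {"labels": set(), "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the pipeline
        labels = parts[2].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare apex lookups carry no subdomain payload
        apex = ".".join(labels[-2:])  # simplification: no public-suffix handling
        stats[apex]["labels"].add(labels[0])
        stats[apex]["entropies"].append(shannon_entropy(labels[0]))

    flagged = {}
    for apex, s in stats.items():
        mean_h = sum(s["entropies"]) / len(s["entropies"])
        if len(s["labels"]) >= min_unique and mean_h >= min_entropy:
            flagged[apex] = {
                "unique_subdomains": len(s["labels"]),
                "mean_entropy": round(mean_h, 2),
            }
    return flagged


if __name__ == "__main__":
    for apex, info in suspicious_domains(SAMPLE_DNS_LOG).items():
        print(f"{apex}: {info['unique_subdomains']} unique labels, "
              f"mean entropy {info['mean_entropy']}")
```

Run against the sample, only `tunnel-example.net` is flagged: four distinct 16-character labels with maximal entropy under one zone. Legitimate CDNs and anti-virus lookup services also generate many high-entropy labels, so in practice this heuristic is a triage filter whose hits are then checked against volume, record types (TXT and NULL are favoured by tunnelling tools) and the resolving name server's hosting, which is where the infrastructure overlaps described in this article become useful.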
Collectively, this body of evidence paints a portrait of a highly sophisticated, resilient, and multi-layered ecosystem that supports not only conventional extortion campaigns but also appears intricately woven into threat activity aligned with national interests.
ShadowSyndicate represents more than a criminal enterprise; it exemplifies an operational structure capable of orchestrating coordinated campaigns across diverse domains of cyber threat, from infostealers and botnets to the rapid exploitation of newly disclosed and zero-day vulnerabilities and the deployment of custom payloads.