Quick Summary
Executive Summary
DyStar, a manufacturing company based in Singapore, was recently targeted by the Settra ransomware group. The listing appeared on Settra’s dark web portal on June 28, 2026, as part of a batch of new victims. SOCRadar’s Dark Web Monitoring service identified this listing. DyStar joins other victims from the consumer services, technology, and manufacturing sectors, indicating a pattern of targeting across various industries and geographic locations, including the United States and Taiwan.
Technical Analysis
SOCRadar’s analysis of stealer-log telemetry revealed credential exposure for the dystar.com domain. This included corporate credentials for Microsoft 365 (smtp.office365.com) and an internal training portal, as well as corporate email addresses reused on third-party sites. A single corporate username appeared in both the internal and third-party categories, suggesting that an employee workstation was compromised and that the same credentials were reused across services. The exposed data had a freshness window between May 14 and June 28, 2026.

Credential harvesting through stealer logs is a common initial access vector for ransomware groups like Settra. While this log data does not confirm that Settra directly used these credentials, the pattern of exposed corporate credentials tied to a potential endpoint compromise aligns with typical ransomware kill chains. CTI teams are advised to prioritize credential rotation, session revocation, and endpoint forensics.
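The correlation described above, written out as an added example rather than SOCRadar’s own tooling: each exposed credential is classified as internal or third-party, corporate identities that appear in both categories are raised to high priority for rotation, session revocation and endpoint forensics, and the freshness window is computed. The record format, the victim domain victim.example, the internal-portal hostname and all sample records are constructed assumptions; only smtp.office365.com comes from the analysis.

```python
"""Triage stealer-log exposures for one corporate domain (added example)."""
from datetime import date

# Assumed victim domain and hosts treated as internal for it (constructed).
CORPORATE_DOMAIN = "victim.example"
INTERNAL_HOSTS = {"smtp.office365.com", "training.victim.example"}

# Constructed sample records: (host the credential was saved for, username, date seen).
SAMPLE_RECORDS = [
    ("smtp.office365.com", "j.doe@victim.example", date(2026, 5, 14)),
    ("training.victim.example", "j.doe@victim.example", date(2026, 6, 2)),
    ("shop.thirdparty.example", "j.doe@victim.example", date(2026, 6, 28)),
    ("smtp.office365.com", "a.smith@victim.example", date(2026, 6, 10)),
    ("forum.thirdparty.example", "a.smith@personalmail.example", date(2026, 6, 20)),
]


def classify(host):
    """Internal = corporate SaaS tenant or a host under the corporate domain."""
    if host in INTERNAL_HOSTS or host.endswith("." + CORPORATE_DOMAIN):
        return "internal"
    return "third_party"


def triage(records, corporate_domain=CORPORATE_DOMAIN):
    """Group exposures by corporate identity and flag cross-category reuse."""
    by_user = {}
    for host, username, seen in records:
        user = username.lower()
        if not user.endswith("@" + corporate_domain):
            continue  # personal identities are out of scope for this tenant
        e = by_user.setdefault(user, {"cats": set(), "hosts": set(), "first": seen, "last": seen})
        e["cats"].add(classify(host))
        e["hosts"].add(host)
        e["first"], e["last"] = min(e["first"], seen), max(e["last"], seen)
    results = []
    for user, e in sorted(by_user.items()):
        # Same identity saved for an internal system and a third-party site points
        # at a harvested workstation, so it outranks a single-category exposure.
        reused = {"internal", "third_party"} <= e["cats"]
        results.append({"username": user, "reused_across_categories": reused,
                        "priority": "high" if reused else "medium",
                        "actions": ["rotate", "revoke_sessions"] + (["endpoint_forensics"] if reused else []),
                        "first_seen": e["first"].isoformat(), "last_seen": e["last"].isoformat(),
                        "hosts": sorted(e["hosts"])})
    return results


def freshness_window(records):
    """Earliest and latest observation dates across the whole batch."""
    dates = [seen for _, _, seen in records]
    return min(dates).isoformat(), max(dates).isoformat()
```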