
ShadowRoot Campaign: The Dark Wave of Cyber Attacks on Turkey's Business Sector
Tags: ShadowRoot, Turkish Businesses, Phishing
The ShadowRoot ransomware campaign targets Turkish entities through phishing emails carrying malicious PDF attachments disguised as invoices, sent from a Russian domain. The attack chain begins when the victim downloads an executable from a compromised GitHub repository; this executable is a Delphi binary that conceals the ransomware payload, "RootDesign.exe". The payload encrypts files, appending the ".shadowroot" extension, sends information about the victim to a Russian SMTP server, and demands that victims negotiate the ransom by email.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Remediation
Incident Response Plan: Establish and execute a comprehensive plan to manage and contain the breach.
System Restoration: Use clean backups to restore systems, removing all malicious code.
Network Forensics: Conduct detailed network forensics to understand the breach's scope.
Credential Reset: Reset all affected credentials and enforce MFA.
Communication: Inform stakeholders about the breach and the steps taken to address it.
Reports & References
Observed Countries
TR (799)