Anatomy of the Osiris Campaign: A New Chapter in Modern Ransomware

Tags: Osiris Ransomware, Poortry Driver, BYOVD, Double Extortion
A new player has entered the threat landscape: Osiris Ransomware. Researchers recently detailed its November 2025 attack on a major food service franchise group in Southeast Asia.

Indicators of Compromise

wesir.net
ausare.net

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1204.002 - Malicious File

Detection strategy DET0294 - User Execution – Malicious File via download/open → spawn chain (T1204.002)

AN0819: User opens a file delivered by email, web, chat, or share. The handler application (Word/PDF reader/archiver) creates a file in user-controlled paths (Downloads, Temp, Desktop) and then spawns a new or unusual child process (e.g., powershell.exe, wscript.exe, cmd.exe, regsvr32.exe, rundll32.exe, msiexec.exe). Optional precursors include FileStreamCreated (URL/UNC) and Office → system32 batch writes.

AN0820: User opens a downloaded document/installer, leading to an EndpointSecurity file-create event in ~/Downloads or ~/Library paths and then an exec of a suspicious utility (osascript, bash/zsh, curl, chmod, open -a Terminal). Correlates the file creation with the subsequent process exec and, optionally, quarantine/LSQuarantine events.

AN0821: User or desktop application writes a new file to ~/Downloads, /tmp, or mounted removable media, followed by execve of a risky interpreter/loader (bash, sh, python, perl, php, node, curl|wget piping to sh, ld.so, rdesktop, xdg-open with unusual args). Uses auditd PATH+SYSCALL (open/creat/write/rename) records linked to the execve event.
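The Windows chain in AN0819 (handler writes into a user path, then spawns an interpreter) as an added example; this is illustrative code written for this page, not tooling from the researchers or any vendor. The event layout, the handler and child lists, the five-minute window and the sample events are all constructed assumptions; map the field names onto your own EDR or Sysmon schema (Event 11 for the file write, Event 1 for the spawn).

```python
# Added example: correlate a handler application writing into a user-controlled
# path with that same handler spawning an interpreter or LOLBIN shortly after
# (T1204.002 / AN0819). Field names and sample events are constructed.
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
            "acrord32.exe", "acrobat.exe", "7zfm.exe", "winrar.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "cmd.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
                       "mshta.exe"}
USER_PATH_MARKERS = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
WINDOW = timedelta(minutes=5)


def _name(path):
    return ntpath.basename(path).lower()


def detect_user_execution(events):
    """events: time-ordered dicts with keys type, time, pid and either
    path (file_create) or image/command_line/parent_image/parent_pid
    (process_create). Returns one alert per suspicious handler -> child spawn."""
    recent_writes = defaultdict(list)          # handler pid -> [(time, path)]
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "file_create":
            if any(m in ev["path"].lower() for m in USER_PATH_MARKERS):
                recent_writes[ev["pid"]].append((t, ev["path"]))
        elif ev["type"] == "process_create":
            parent, child = _name(ev["parent_image"]), _name(ev["image"])
            if parent not in HANDLERS or child not in SUSPICIOUS_CHILDREN:
                continue
            precursors = [p for wt, p in recent_writes[ev["parent_pid"]]
                          if timedelta(0) <= t - wt <= WINDOW]
            alerts.append({
                "time": ev["time"], "parent": parent, "child": child,
                "command_line": ev.get("command_line", ""),
                "precursor_files": precursors,
                # a drop into a user path right before the spawn is the full
                # chain from the analytic; a bare spawn is a weaker signal
                "confidence": "high" if precursors else "medium",
            })
    return alerts


# Constructed sample telemetry: Word drops a script to Temp and runs it via
# wscript; Outlook spawns PowerShell with no prior drop; Word opening Notepad
# is benign. The -enc payload is just "IEX" in UTF-16LE base64.
SAMPLE_EVENTS = [
    {"type": "file_create", "time": "2025-11-12T09:14:02", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"type": "process_create", "time": "2025-11-12T09:14:05", "pid": 4188,
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.vbs"',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_pid": 4120},
    {"type": "process_create", "time": "2025-11-12T09:20:40", "pid": 5310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_pid": 5200},
    {"type": "process_create", "time": "2025-11-12T09:21:00", "pid": 5400,
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_pid": 4120},
]

if __name__ == "__main__":
    for a in detect_user_execution(SAMPLE_EVENTS):
        print(a["confidence"], a["parent"], "->", a["child"], a["precursor_files"])
```

Keying the precursor lookup on the parent pid rather than the parent name is what keeps a second Word window from inheriting the first one's file writes; tune WINDOW downward if Office add-ins in your estate legitimately spawn cmd.exe minutes after opening a document.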


T1543.003 - Windows Service

Detection strategy DET0552 - Detection of Windows Service Creation or Modification

AN1527: Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names.
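An added example of the service-creation checks in AN1527, covering the sc.exe command line and the Services registry key write, with extra weight on kernel-driver installs because that is the shape a BYOVD driver drop takes. This is illustrative code written for this page, not the researchers' or any vendor's detection; the service baseline, the trusted directories and the sample events are constructed, and the parser assumes the sc.exe "key= value" syntax (a space after the equals sign).

```python
# Added example: flag Windows service creation that installs a kernel driver,
# points at a binary outside the usual directories, or registers a name
# absent from a baseline (T1543.003 / AN1527). Baseline and samples are constructed.
import re

# sc.exe takes "key= value" pairs with a space after '='; the regex accepts
# both  binPath= "C:\some dir\x.sys"  and  binPath=C:\x.sys
_SC_ARG = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                "c:\\program files (x86)\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Constructed baseline; build the real one from an inventory of your fleet.
KNOWN_SERVICES = {"spooler", "wuauserv", "windefend", "eventlog", "lanmanserver",
                  "termservice", "w32time"}


def parse_sc_create(command_line):
    """Return {name, binpath, type, start} for an 'sc create ...' line, else None.
    A quoted service name ("My Svc") is not handled; sc does not need one."""
    parts = command_line.split()
    if len(parts) < 3 or parts[0].lower() not in ("sc", "sc.exe"):
        return None
    if parts[1].lower() != "create":
        return None
    fields = {k.lower(): v.strip('"') for k, v in _SC_ARG.findall(command_line)}
    return {"name": parts[2], "binpath": fields.get("binpath", ""),
            "type": fields.get("type", "own"), "start": fields.get("start", "demand")}


def normalize_path(binpath):
    """Lower-case and expand the prefixes drivers commonly use in ImagePath."""
    p = binpath.strip('"').lower()
    for prefix, repl in (("\\??\\", ""), ("\\systemroot\\", "c:\\windows\\"),
                         ("%systemroot%\\", "c:\\windows\\")):
        if p.startswith(prefix):
            p = repl + p[len(prefix):]
    return p


def assess_service(name, binpath, svc_type="own"):
    """Reasons a service definition deserves a look; an empty list means quiet."""
    reasons = []
    path = normalize_path(binpath)
    if svc_type.lower() in ("kernel", "filesys"):
        reasons.append("kernel driver install")
        if not path.startswith(DRIVER_DIR):
            reasons.append("driver outside System32\\drivers")
    elif path and not path.startswith(TRUSTED_DIRS):
        reasons.append("service binary outside trusted directories")
    if name.lower() not in KNOWN_SERVICES:
        reasons.append("service name not in baseline")
    # an unfamiliar name on its own is noise; it only strengthens a path/type finding
    return [] if reasons == ["service name not in baseline"] else reasons


def detect_service_events(events):
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            svc = parse_sc_create(ev["command_line"])
            if svc is None:
                continue
            name, binpath, svc_type = svc["name"], svc["binpath"], svc["type"]
        elif ev["type"] == "registry_set":
            parts = ev["key"].split("\\")
            if (len(parts) < 3 or parts[-1].lower() != "imagepath"
                    or "services" not in [p.lower() for p in parts]):
                continue
            name, binpath = parts[-2], ev["value"]
            svc_type = "kernel" if binpath.lower().endswith(".sys") else "own"
        else:
            continue
        reasons = assess_service(name, binpath, svc_type)
        if reasons:
            alerts.append({"time": ev["time"], "service": name, "binpath": binpath,
                           "type": svc_type, "reasons": reasons})
    return alerts


# Constructed samples: a driver dropped in a public folder, a legitimate
# Spooler definition, a new service registered via the registry, and a
# PowerShell line that is not a service creation at all.
SAMPLE_EVENTS = [
    {"type": "process_create", "time": "2025-11-12T10:02:11",
     "command_line": r'sc.exe create WinDefHelper binPath= "C:\Users\Public\wdh.sys" type= kernel start= demand'},
    {"type": "process_create", "time": "2025-11-12T10:03:00",
     "command_line": r"sc create Spooler binPath= C:\Windows\System32\spoolsv.exe"},
    {"type": "registry_set", "time": "2025-11-12T10:05:45",
     "key": r"HKLM\System\CurrentControlSet\Services\updsvc\ImagePath",
     "value": r"C:\ProgramData\upd\svc.exe"},
    {"type": "registry_set", "time": "2025-11-12T10:06:00",
     "key": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "value": r"%SystemRoot%\System32\spoolsv.exe"},
    {"type": "process_create", "time": "2025-11-12T10:07:30",
     "command_line": 'powershell.exe -c "Get-Service"'},
]

if __name__ == "__main__":
    for a in detect_service_events(SAMPLE_EVENTS):
        print(a["service"], a["type"], a["reasons"])
```

Signature state is deliberately not part of this check because the event sources above do not carry it; pair the "kernel driver install" reason with your driver-signature or vulnerable-driver-blocklist telemetry before treating it as confirmed BYOVD.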


T1074.002 - Remote Data Staging

Detection strategy DET0071 - Detection of Remote Data Staging Prior to Exfiltration

AN0194: Detects file transfers or mounting operations from remote hosts followed by write actions into a local staging directory, often using SMB or remote shell activity.

AN0195: Detects inbound SCP, rsync, or NFS mounts from remote systems followed by aggregation of files into known staging paths like /mnt/staging or /var/tmp.

AN0196: Detects rsync or scp inbound from other hosts that then aggregate content into /Users/Shared or /private/tmp, often involving compressed files or scripts.

AN0197: Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration.

AN0198: Detects remote write activity across cloud VMs or object storage buckets within the same region/account that correlates with data aggregation across hosts.


T1036 - Masquerading

Detection strategy DET0127 - Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy

AN0355: Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.

AN0356: Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.

AN0357: Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.

AN0358: Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.

AN0359: Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.
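The per-event masquerading checks from AN0355 and AN0356 as an added example: a disagreement between the on-disk name and the PE version-info OriginalFileName (Sysmon Event 1 carries that field), a system-binary name running outside the Windows system directories, a Unicode right-to-left override or trailing whitespace in the name, and a decoy double extension. This is illustrative code for this page, not a vendor rule; the name lists, directory lists and sample events are constructed, and the Linux /tmp and /dev/shm case from AN0356 is left to the same pattern with a different directory list.

```python
# Added example: masquerading indicators for one process image path
# (T1036 / AN0355, AN0356). Name lists and sample events are constructed.
import ntpath

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "rundll32.exe", "wininit.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE


def masquerade_reasons(image, original_filename=None):
    """Return the list of masquerading indicators for one image path."""
    reasons = []
    name = ntpath.basename(image)
    low = name.lower()
    # 1. PE version-info name vs. on-disk name (renamed PsExec, renamed LOLBIN).
    if original_filename and original_filename.lower() != low:
        reasons.append(f"name mismatch: {name} vs OriginalFileName {original_filename}")
    # 2. A well-known system binary name running from somewhere else.
    if low.rstrip() in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside Windows directories")
    # 3. U+202E flips the visible tail of the name, so "report<RLO>fdp.exe" shows as "reportexe.pdf".
    if RLO in name:
        reasons.append("right-to-left override in file name")
    # 4. Trailing whitespace hides the real extension in many listings.
    if name != name.rstrip():
        reasons.append("trailing whitespace in file name")
    # 5. invoice.pdf.exe style double extension.
    stem, ext = ntpath.splitext(low.rstrip())
    inner = ntpath.splitext(stem)[1]
    if ext in EXEC_EXTS and inner in DECOY_EXTS:
        reasons.append(f"double extension {inner}{ext}")
    return reasons


def scan_process_events(events):
    """events: dicts with image and optional original_filename. Returns the
    flagged ones with their reasons attached."""
    flagged = []
    for ev in events:
        reasons = masquerade_reasons(ev["image"], ev.get("original_filename"))
        if reasons:
            flagged.append({"image": ev["image"], "reasons": reasons})
    return flagged


# Constructed samples: a renamed service binary posing as lsass, an RLO name,
# the genuine svchost, a decoy double extension, and svchost in a user profile.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\lsass.exe", "original_filename": "PSEXESVC.exe"},
    {"image": "C:\\Users\\bob\\Downloads\\report\u202efdp.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "original_filename": "svchost.exe"},
    {"image": r"C:\Users\bob\Downloads\invoice.pdf.exe"},
    {"image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "original_filename": "svchost.exe"},
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(repr(f["image"]), f["reasons"])
```

Check 2 is the one that pays for itself most often; check 1 needs an exception list for binaries whose vendors ship a different internal name on purpose, which is common enough that the mismatch alone should not page anyone.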


T1055 - Process Injection

Detection strategy DET0508 - Behavioral Detection of Process Injection Across Platforms

AN1399: Detects process injection by correlating memory manipulation API calls (e.g., VirtualAllocEx, WriteProcessMemory), suspicious thread creation (e.g., CreateRemoteThread), and unusual DLL loads within another process's context.

AN1400: Detects ptrace- or memfd-based process injection through audit logs capturing system calls (e.g., ptrace, mmap) targeting running processes along with suspicious file descriptors or memory writes.

AN1401: Detects memory-based injection by monitoring task_for_pid, mach_vm_write, and dylib injection patterns through DYLD_INSERT_LIBRARIES or manual memory mapping.


T1112 - Modify Registry

Detection strategy DET0280 - Behavior-Based Registry Modification Detection on Windows

AN0781: Behavior chain involving abnormal registry modifications via CLI, PowerShell, WMI, or direct API calls, especially targeting persistence, privilege escalation, or defense evasion keys (such as editing Notify/Userinit/Startup keys or disabling SafeDllSearchMode), potentially followed by a service restart or process execution.


T1003.001 - LSASS Memory

Detection strategy DET0363 - Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence

AN1030: A non-privileged or abnormal process attempts to open a handle with full access (0x1F0FFF) to lsass.exe and subsequently invokes memory dump, file creation, or registry modification indicative of credential scraping. This behavior chain reflects staged credential theft activity.
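The access-then-dump sequence in AN1030 as an added example. Matching only the full-access mask 0x1F0FFF misses the common case: reading LSASS memory needs PROCESS_VM_READ (0x0010) plus a query right, so masks like 0x1010 or 0x1438 are just as dangerous, and PROCESS_DUP_HANDLE or PROCESS_CREATE_PROCESS can be turned into a full handle afterwards. The code decodes the mask bit by bit, decides on that basis, and escalates when the same source pid writes a .dmp within two minutes. This is illustrative code written for this page, not a vendor rule; the right-name table is the documented Windows process access rights, while the source allowlist, the field names (loosely after Sysmon Event 10 and Event 11) and the sample events are constructed.

```python
# Added example: decode a process-access mask against lsass.exe and correlate
# with a later dump-file write by the same source (T1003.001 / AN1030).
# Access-right constants are the documented Windows values; everything else
# (allowlist, field names, samples) is constructed for this example.
from datetime import datetime, timedelta

PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
MEMORY_READ = 0x0010                 # PROCESS_VM_READ: copies LSASS memory out
HANDLE_ESCALATION = 0x0040 | 0x0080  # DUP_HANDLE / CREATE_PROCESS: path to a fuller handle
DUMP_WINDOW = timedelta(seconds=120)
# Constructed allowlist of images that legitimately open LSASS; tune per fleet.
SOURCE_ALLOWLIST = ("c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe",
                    "c:\\windows\\system32\\services.exe", "c:\\windows\\system32\\svchost.exe",
                    "c:\\programdata\\microsoft\\windows defender\\")


def decode_access(mask):
    """Names of the process-specific rights set in mask (standard rights such
    as SYNCHRONIZE in the 0x1F0000 range are not listed)."""
    return [n for bit, n in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def lsass_access_is_dangerous(mask):
    return bool(mask & MEMORY_READ) or bool(mask & HANDLE_ESCALATION)


def detect_lsass_dumping(events):
    """events: time-ordered dicts. process_access: source_image, source_pid,
    target_image, granted_access (hex string). file_create: pid, path."""
    pending = {}     # source pid -> (open time, alert) for dangerous opens
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "process_access":
            if not ev["target_image"].lower().endswith("\\lsass.exe"):
                continue
            src = ev["source_image"].lower()
            mask = int(ev["granted_access"], 16)
            if src.startswith(SOURCE_ALLOWLIST) or not lsass_access_is_dangerous(mask):
                continue
            alert = {"time": ev["time"], "source": ev["source_image"],
                     "source_pid": ev["source_pid"], "granted_access": ev["granted_access"],
                     "rights": decode_access(mask), "confidence": "medium", "dump_file": None}
            alerts.append(alert)
            pending[ev["source_pid"]] = (t, alert)
        elif ev["type"] == "file_create":
            hit = pending.get(ev["pid"])
            # attackers rename dumps freely; .dmp is only the obvious case
            if hit and t - hit[0] <= DUMP_WINDOW and ev["path"].lower().endswith(".dmp"):
                hit[1]["confidence"] = "high"
                hit[1]["dump_file"] = ev["path"]
    return alerts


# Constructed samples: svchost with a query-only handle, an unknown binary
# with VM_READ followed by lsass.dmp, an agent with query rights only, and a
# full-access handle from a temp-dir binary with no dump file seen.
SAMPLE_EVENTS = [
    {"type": "process_access", "time": "2025-11-12T11:00:01", "source_pid": 912,
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"type": "process_access", "time": "2025-11-12T11:02:10", "source_pid": 6620,
     "source_image": r"C:\Users\alice\AppData\Local\Temp\dumper.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"type": "file_create", "time": "2025-11-12T11:02:30", "pid": 6620,
     "path": r"C:\Users\alice\AppData\Local\Temp\lsass.dmp"},
    {"type": "process_access", "time": "2025-11-12T11:03:00", "source_pid": 3004,
     "source_image": r"C:\Program Files\SomeAgent\agent.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"type": "process_access", "time": "2025-11-12T11:05:00", "source_pid": 7001,
     "source_image": r"C:\Windows\Temp\pd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1F0FFF"},
    {"type": "file_create", "time": "2025-11-12T11:05:20", "pid": 7001,
     "path": r"C:\Windows\Temp\out.txt"},
]

if __name__ == "__main__":
    for a in detect_lsass_dumping(SAMPLE_EVENTS):
        print(a["confidence"], a["source"], a["granted_access"], a["rights"], a["dump_file"])
```

The medium-confidence opens are worth keeping as hunting leads rather than pages: legitimate tooling does open LSASS with VM_READ, which is exactly why the allowlist is keyed on full image path rather than file name.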


T1562.001 - Disable or Modify Tools

Detection strategy DET0497 - Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms

AN1369: Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.

AN1370: Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations.

AN1371: Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents.

AN1372: Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination.

AN1373: Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars.

AN1374: Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features.


T1078 - Valid Accounts

Detection strategy DET0560 - Detection of Valid Account Abuse Across Platforms

AN1543: Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.

AN1544: Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.

AN1545: Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.

AN1546: Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.

AN1547: Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.
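Two of the IdP-side checks from AN1546, impossible travel and a burst of MFA failures, as an added example run over constructed sign-in records. This is illustrative code for this page, not a vendor's risk engine; the coordinates are assumed to come from the IdP's own geolocation of the sign-in, and the 900 km/h ceiling, the 50 km floor (to ignore geolocation jitter inside one city) and the MFA thresholds are starting points, not tuned values.

```python
# Added example: impossible travel between consecutive successful sign-ins
# and bursts of MFA failures (T1078 / AN1546). Records are constructed.
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900          # faster than a commercial flight is not travel
MIN_DISTANCE_KM = 50         # below this, geolocation jitter dominates
MFA_FAIL_THRESHOLD = 3
MFA_FAIL_WINDOW = timedelta(minutes=10)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect_account_anomalies(signins):
    """signins: dicts with user, time (ISO), ip, lat, lon and result
    ('success' or 'mfa_failed'). Returns impossible-travel and MFA-burst alerts."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    alerts = []
    for user, recs in by_user.items():
        last_ok, fails = None, []
        for s in recs:
            t = datetime.fromisoformat(s["time"])
            if s["result"] == "mfa_failed":
                fails = [f for f in fails if t - f <= MFA_FAIL_WINDOW] + [t]
                if len(fails) == MFA_FAIL_THRESHOLD:      # fire once per burst
                    alerts.append({"user": user, "kind": "mfa_failure_burst",
                                   "count": len(fails), "time": s["time"]})
                continue
            if last_ok is not None:
                km = haversine_km(last_ok["lat"], last_ok["lon"], s["lat"], s["lon"])
                hours = (t - datetime.fromisoformat(last_ok["time"])).total_seconds() / 3600
                # floor the interval at one minute so back-to-back logins do not divide by zero
                if km > MIN_DISTANCE_KM and km / max(hours, 1 / 60) > MAX_SPEED_KMH:
                    alerts.append({"user": user, "kind": "impossible_travel",
                                   "km": round(km), "hours": round(hours, 2),
                                   "from_ip": last_ok["ip"], "to_ip": s["ip"],
                                   "time": s["time"]})
            last_ok = s
    return alerts


# Constructed sign-ins: alice appears in London and then Singapore an hour
# later; bob drives Manchester to London over two hours; carol fails MFA
# three times in five minutes.
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2025-11-12T08:00:00", "ip": "203.0.113.10",
     "lat": 51.5074, "lon": -0.1278, "result": "success"},
    {"user": "alice", "time": "2025-11-12T09:00:00", "ip": "198.51.100.7",
     "lat": 1.3521, "lon": 103.8198, "result": "success"},
    {"user": "bob", "time": "2025-11-12T08:00:00", "ip": "203.0.113.20",
     "lat": 53.4808, "lon": -2.2426, "result": "success"},
    {"user": "bob", "time": "2025-11-12T10:00:00", "ip": "203.0.113.21",
     "lat": 51.5074, "lon": -0.1278, "result": "success"},
    {"user": "carol", "time": "2025-11-12T11:00:00", "ip": "198.51.100.40",
     "lat": 13.7563, "lon": 100.5018, "result": "mfa_failed"},
    {"user": "carol", "time": "2025-11-12T11:02:00", "ip": "198.51.100.40",
     "lat": 13.7563, "lon": 100.5018, "result": "mfa_failed"},
    {"user": "carol", "time": "2025-11-12T11:05:00", "ip": "198.51.100.40",
     "lat": 13.7563, "lon": 100.5018, "result": "mfa_failed"},
]

if __name__ == "__main__":
    for a in detect_account_anomalies(SAMPLE_SIGNINS):
        print(a)
```

VPN egress points and mobile carrier NAT produce honest "travel" at absurd speeds, so a production version needs an exception for known corporate egress ranges and, ideally, the IdP's own ASN classification.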


T1027 - Obfuscated Files or Information

Detection strategy DET0378 - Behavioral Detection of Obfuscated Files or Information

AN1064: Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation.

AN1065: Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration.

AN1066: Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes.

AN1067: Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams.

AN1068: Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs).


T1486 - Data Encrypted for Impact

Detection strategy DET0215 - Detection of Multi-Platform File Encryption for Impact

AN0602: High-frequency file write operations using uncommon extensions, followed by ransom note creation, registry tampering, or shadow copy deletion. Often uses CLI tools like vssadmin, wbadmin, cipher, or PowerShell.

AN0603: Encryption via custom or open-source tools (e.g., openssl, gpg, aescrypt) recursively targeting user or system directories. Also includes overwrite of existing data and ransom note drops.

AN0604: Userland or kernel-level ransomware encrypting user files (Documents, Desktop) using srm, gpg, or compiled payloads. Often correlated with ransom note creation in multiple directories.

AN0605: Ransomware encrypts .vmdk, .vmx, .log, or VM config files in VMFS datastores. May rename to .locked or delete/overwrite with encrypted versions. Often correlates with shell commands run through dcui, SSH, or vSphere.

AN0606: Encryption of cloud storage objects (e.g., S3 buckets) via Server-Side Encryption (SSE-C) or by replacing objects with encrypted variants. May include API patterns like PutObject with SSE-C headers.


T1567.002 - Exfiltration to Cloud Storage

Detection strategy DET0570 - Detection Strategy for Exfiltration to Cloud Storage

AN1571: Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs.

AN1572: Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

AN1573: Applications or scripts invoking cloud storage APIs (Dropbox sync, iCloud, Google Drive client) in unexpected contexts. Defender perspective: detect sensitive file reads by non-standard applications followed by unusual encrypted uploads to external cloud storage domains.

AN1574: Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.
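The correlation in AN1571 and AN1572 as an added example: per process, reads under sensitive directories are paired with outbound HTTPS to cloud-storage domains and the bytes are summed over a window, so a known upload tool that has just touched sensitive files fires immediately while anything else fires on volume. Domain matching is by registrable suffix, which is what makes api.dropboxapi.com and content.dropboxapi.com count as the same service. This is illustrative code for this page, not a vendor rule; the domain list, the sync-client allowlist, the 50 MB threshold, the field names and the sample events are constructed.

```python
# Added example: sensitive file reads followed by HTTPS uploads to cloud
# storage, per process, with a byte-volume window (T1567.002 / AN1571, AN1572).
# Domain lists, thresholds, field names and samples are constructed.
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

STORAGE_DOMAINS = {"dropbox.com", "dropboxapi.com", "drive.google.com",
                   "googleapis.com", "box.com", "mega.nz", "s3.amazonaws.com",
                   "blob.core.windows.net"}
SENSITIVE_DIRS = ("\\finance\\", "\\hr\\", "\\legal\\", "\\documents\\")
SYNC_CLIENTS = {"dropbox.exe", "googledrivefs.exe", "onedrive.exe"}   # expected uploaders
UPLOAD_TOOLS = {"rclone.exe", "curl.exe", "wget.exe", "powershell.exe", "python.exe"}
BYTES_THRESHOLD = 50 * 1024 * 1024
WINDOW = timedelta(minutes=30)


def is_storage_domain(host):
    """True when any suffix of host (by label) is a known storage domain."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in STORAGE_DOMAINS for i in range(len(labels)))


def detect_cloud_exfil(events):
    """events: time-ordered dicts. file_read: pid, image, path.
    network: pid, image, dst_host, dst_port, direction, bytes_out."""
    reads = defaultdict(list)      # pid -> [(time, path)]
    sent = defaultdict(list)       # pid -> [(time, host, bytes)] inside WINDOW
    alerts, fired = [], set()
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        pid, image = ev["pid"], ntpath.basename(ev["image"]).lower()
        if ev["type"] == "file_read":
            if any(d in ev["path"].lower() for d in SENSITIVE_DIRS):
                reads[pid].append((t, ev["path"]))
            continue
        if ev["type"] != "network" or ev["direction"] != "out" or ev["dst_port"] != 443:
            continue
        if image in SYNC_CLIENTS or not is_storage_domain(ev["dst_host"]):
            continue
        sent[pid] = [s for s in sent[pid] if t - s[0] <= WINDOW] + \
                    [(t, ev["dst_host"], ev["bytes_out"])]
        total = sum(b for _, _, b in sent[pid])
        touched = [p for rt, p in reads[pid] if t - rt <= WINDOW]
        if pid in fired:
            continue
        if total >= BYTES_THRESHOLD or (touched and image in UPLOAD_TOOLS):
            fired.add(pid)
            alerts.append({"time": ev["time"], "pid": pid, "image": image,
                           "hosts": sorted({h for _, h, _ in sent[pid]}),
                           "bytes_out": total, "sensitive_files": touched,
                           "reason": "volume" if total >= BYTES_THRESHOLD
                           else "upload tool after sensitive reads"})
    return alerts


MB = 1024 * 1024
# Constructed samples: rclone reads a finance share then talks to Dropbox;
# the real Dropbox client syncs a lot (allowlisted); Chrome touches Drive
# briefly; Excel reads a payroll sheet and then pushes 80 MB to mega.nz.
SAMPLE_EVENTS = [
    {"type": "file_read", "time": "2025-11-12T13:00:05", "pid": 3300,
     "image": r"C:\Tools\rclone.exe", "path": r"\\fs01\Finance\Q3_forecast.xlsx"},
    {"type": "file_read", "time": "2025-11-12T13:00:06", "pid": 3300,
     "image": r"C:\Tools\rclone.exe", "path": r"\\fs01\Finance\vendor_contracts.zip"},
    {"type": "network", "time": "2025-11-12T13:01:00", "pid": 3300,
     "image": r"C:\Tools\rclone.exe", "dst_host": "api.dropboxapi.com",
     "dst_port": 443, "direction": "out", "bytes_out": 5 * MB},
    {"type": "network", "time": "2025-11-12T13:04:00", "pid": 3300,
     "image": r"C:\Tools\rclone.exe", "dst_host": "content.dropboxapi.com",
     "dst_port": 443, "direction": "out", "bytes_out": 60 * MB},
    {"type": "network", "time": "2025-11-12T13:05:00", "pid": 2100,
     "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dst_host": "dropbox.com", "dst_port": 443, "direction": "out", "bytes_out": 200 * MB},
    {"type": "network", "time": "2025-11-12T13:06:00", "pid": 4400,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_host": "drive.google.com", "dst_port": 443, "direction": "out", "bytes_out": 2 * MB},
    {"type": "file_read", "time": "2025-11-12T13:10:00", "pid": 5500,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "path": r"C:\Users\alice\Documents\payroll.xlsx"},
    {"type": "network", "time": "2025-11-12T13:12:00", "pid": 5500,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dst_host": "mega.nz", "dst_port": 443, "direction": "out", "bytes_out": 80 * MB},
]

if __name__ == "__main__":
    for a in detect_cloud_exfil(SAMPLE_EVENTS):
        print(a["image"], a["reason"], a["bytes_out"] // MB, "MB", a["hosts"])
```

Byte counts per connection come from flow or proxy logs rather than the endpoint, so in practice the join key is (host, pid, time) across two sources; the googleapis.com entry is deliberately broad and will need carving down to the Drive and GCS API hosts your proxy actually sees.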


T1570 - Lateral Tool Transfer

Detection strategy DET0183 - Detection Strategy for Lateral Tool Transfer across OS platforms

AN0516: Correlate suspicious file transfers over SMB or Admin$ shares with process creation events (e.g., cmd.exe, powershell.exe, certutil.exe) that do not align with normal administrative behavior. Detect remote file writes followed by execution of transferred binaries.

AN0517: Monitor scp, rsync, curl, sftp, or ftp processes initiating transfers to internal systems combined with file creation events in unusual directories. Correlate transfer activity with subsequent execution of those binaries.

AN0518: Detect anomalous use of scp, rsync, curl, or third-party sync apps transferring executables into user directories. Correlate new file creation with immediate execution events.

AN0519: Identify lateral transfer via datastore file uploads or internal scp/ssh sessions that result in new VMX/VMDK or script files. Correlate transfer with VM execution or datastore modification.


T1059.003 - Windows Command Shell

Detection strategy DET0202 - Behavioral Detection of Windows Command Shell Execution

AN0578: Detects interactive or scripted abuse of cmd.exe, batch files, or shell invocation chains. Focuses on parent-child relationships (e.g., cmd.exe launched from unusual parents), anomalous command-line parameters, and chaining with discovery, credential access, or lateral movement behaviors.


T1070.004 - File Deletion

Detection strategy DET0140 - Behavioral Detection of Malicious File Deletion

AN0392: Detects adversary behavior deleting artifacts (e.g., dropped payloads, evidence files) using native or external utilities (e.g., del, erase, SDelete). Detects deletion events correlated with unusual process lineage or timing post-execution.

AN0393: Detects deletion of suspicious files (e.g., payloads, temp exes, scripts) via rm, unlink, or secure deletion tools like shred, especially when performed by unexpected users or shortly after execution.

AN0394: Detects removal of adversary artifacts via rm, unlink, or secure tools, with focus on shell sessions, temp files, and modified LaunchAgents or system directories.

AN0395: Detects manual or scripted removal of logs, artifacts, or dropped malware via rm or PowerCLI in the ESXi shell. Focus on deletions from /tmp/, /var/core/, or /scratch.


T1021.001 - Remote Desktop Protocol

Detection strategy DET0327 - Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity

AN0931: Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe.


T1569.002 - Service Execution

Detection strategy DET0421 - Detection Strategy for System Services Service Execution

AN1185: Detection focuses on abnormal service executions initiated via service control manager APIs, sc.exe, net.exe, or PsExec creating temporary services. Defenders observe process creation of services.exe spawning non-standard binaries, registry changes in service keys followed by rapid execution, and network connections originating from processes tied to transient services. Correlation across process lineage, registry activity, and service logs provides strong signals of malicious service execution.


T1490 - Inhibit System Recovery

Detection strategy DET0329 - Behavioral Detection for T1490 - Inhibit System Recovery

AN0933: Process chains that use native utilities (vssadmin, wbadmin, diskshadow, bcdedit, REAgentC, wmic) with arguments to delete shadow copies, disable recovery, or remove backup catalogs.

AN0934: Shell utilities or scripts deleting /etc/systemd/system/rescue.target, /etc/fstab backups, or /boot/efi partitions; chattr used to block snapshot auto-recovery.

AN0935: ESXi shell or vim-cmd execution that deletes all VM snapshots using vmsvc/snapshot.removeall or rm on snapshot paths.

AN0936: Execution of erase, format, and reload in immediate sequence from a privileged AAA session.

AN0937: Cloud API calls disabling snapshot scheduling, backup policies, or versioning, followed by DeleteSnapshot/DeleteVolume operations.
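The Windows signals from AN0602 (under T1486) and AN0933 (under T1490) as one added example, since on a ransomware host they arrive together: a burst of renames to a single new extension from one process spread across several directories, a ransom note written into multiple directories, and recovery tampering on the command line (vssadmin, wmic shadowcopy, wbadmin, bcdedit, diskshadow, the Win32_ShadowCopy WMI class, REAgentC). This is illustrative code written for this page, not the researchers' or a vendor's rule. The ".locked" extension, the note name, the thresholds and all sample events are constructed; nothing on this page describes Osiris's actual extension or note.

```python
# Added example: encryption burst, ransom-note spread and recovery tampering
# over constructed file and process telemetry (T1486 / AN0602, T1490 / AN0933).
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=30)
BURST_FILES = 20          # distinct files gaining the same new extension
BURST_DIRS = 3            # spread across at least this many directories
NOTE_NAME = re.compile(r"(readme|how_to|recover|restore|decrypt)", re.I)
NOTE_EXTS = (".txt", ".hta", ".html")
NOTE_DIRS = 3
# Extensions a normal workload produces in volume; renames to these are ignored.
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".bak",
               ".tmp", ".log", ".dll", ".exe", ".zip", ".7z"}
RECOVERY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?.*\s(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    re.compile(r"diskshadow(\.exe)?.*delete\s+shadows", re.I),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
    re.compile(r"reagentc(\.exe)?\s+/disable", re.I),
]


def detect_ransomware(events):
    """events: time-ordered dicts. file_rename/file_create: pid, path.
    process_create: pid, command_line. Returns alerts in detection order."""
    recent = defaultdict(deque)   # pid -> (time, dir, ext, path) inside BURST_WINDOW
    notes = defaultdict(set)      # pid -> directories that received a note
    fired, alerts = set(), []
    for ev in events:
        t, pid = datetime.fromisoformat(ev["time"]), ev["pid"]
        if ev["type"] == "process_create":
            cl = ev["command_line"]
            if any(rx.search(cl) for rx in RECOVERY_TAMPERING):
                alerts.append({"kind": "inhibit_recovery", "pid": pid,
                               "time": ev["time"], "command_line": cl})
            continue
        if ev["type"] not in ("file_rename", "file_create"):
            continue
        path = ev["path"]
        d, ext = ntpath.dirname(path).lower(), ntpath.splitext(path)[1].lower()
        if ext in NOTE_EXTS and NOTE_NAME.search(ntpath.basename(path)):
            notes[pid].add(d)
            if len(notes[pid]) == NOTE_DIRS:          # fire once per process
                alerts.append({"kind": "ransom_note_spread", "pid": pid,
                               "time": ev["time"], "note": ntpath.basename(path)})
            continue
        if not ext or ext in COMMON_EXTS:
            continue
        q = recent[pid]
        q.append((t, d, ext, path.lower()))
        while q and t - q[0][0] > BURST_WINDOW:
            q.popleft()
        same = [(dd, p) for _, dd, e, p in q if e == ext]
        files, dirs = {p for _, p in same}, {dd for dd, _ in same}
        if (pid, ext) not in fired and len(files) >= BURST_FILES and len(dirs) >= BURST_DIRS:
            fired.add((pid, ext))
            alerts.append({"kind": "encryption_burst", "pid": pid, "time": ev["time"],
                           "extension": ext, "files": len(files), "directories": len(dirs)})
    return alerts


def _sample():
    """Constructed: pid 7788 renames 24 files across three shares to .locked in
    24 seconds, drops a note in each, then cmd runs vssadmin; a nightly
    archiver writing a few .7z files stays below the burst threshold."""
    base = datetime(2025, 11, 12, 2, 10, 0)
    dirs = ["C:\\Shares\\Finance", "C:\\Shares\\HR", "C:\\Shares\\Legal"]
    ev = []
    for i in range(24):
        ev.append({"type": "file_rename", "pid": 7788, "time": (base + timedelta(seconds=i)).isoformat(),
                   "path": f"{dirs[i % 3]}\\doc{i}.xlsx.locked"})
    for j, d in enumerate(dirs):
        ev.append({"type": "file_create", "pid": 7788, "time": (base + timedelta(seconds=30 + j)).isoformat(),
                   "path": f"{d}\\HOW_TO_RECOVER.txt"})
    ev.append({"type": "process_create", "pid": 7801, "time": (base + timedelta(seconds=35)).isoformat(),
               "command_line": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"})
    ev.append({"type": "process_create", "pid": 7802, "time": (base + timedelta(seconds=36)).isoformat(),
               "command_line": "cmd.exe /c dir C:\\Shares"})
    for k in range(5):
        ev.append({"type": "file_create", "pid": 9000, "time": (base + timedelta(seconds=40 + k)).isoformat(),
                   "path": f"D:\\Backups\\nightly{k}.7z"})
    return ev


SAMPLE_EVENTS = _sample()

if __name__ == "__main__":
    for a in detect_ransomware(SAMPLE_EVENTS):
        print(a)
```

The burst rule keys on one process id, which is exactly what multi-threaded encryptors that fan out across worker processes will defeat; aggregate by parent process or by user session as well before relying on it. Ordering matters too: the inhibit_recovery match usually lands minutes before the first rename, so it is the alert to act on, not the one to wait for.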

Observed Countries (250)

AD (818)
AE (829)
AF (971)
AG (69)
AI (430)
AL (116)
AM (856)
AO (777)
AQ (938)
AR (812)
AS (179)
AT (805)
AU (746)
AW (128)
AX (97)
AZ (399)
BA (834)
BB (780)
BD (816)
BE (729)
BF (639)
BG (161)
BH (439)
BI (768)
BJ (503)
BL (258)
BM (848)
BN (951)
BO (153)
BQ (272)
BR (737)
BS (865)
BT (129)
BV (197)
BW (43)
BY (507)
BZ (408)
CA (944)
CC (109)
CD (588)
CF (118)
CG (577)
CH (641)
CI (467)
CK (589)
CL (611)
CM (754)
CN (392)
CO (600)
CR (48)
CU (33)
CV (504)
CW (99)
CX (709)
CY (740)
CZ (177)
DE (864)
DJ (629)
DK (281)
DM (377)
DO (226)
DZ (291)
EC (653)
EE (72)
EG (265)
EH (842)
ER (680)
ES (39)
ET (361)
FI (291)
FJ (685)
FK (787)
FM (619)
FO (792)
FR (870)
GA (77)
GB (659)
GD (536)
GE (988)
GF (993)
GG (602)
GH (232)
GI (448)
GL (156)
GM (620)
GN (207)
GP (675)
GQ (860)
GR (527)
GS (808)
GT (104)
GU (379)
GW (59)
GY (457)
HK (347)
HM (449)
HN (401)
HR (681)
HT (153)
HU (317)
ID (546)
IE (364)
IL (709)
IM (123)
IN (507)
IO (822)
IQ (411)
IR (444)
IS (818)
IT (614)
JE (518)
JM (165)
JO (662)
JP (79)
KE (848)
KG (67)
KH (185)
KI (240)
KM (64)
KN (676)
KP (921)
KR (529)
KW (157)
KY (811)
KZ (334)
LA (305)
LB (507)
LC (696)
LI (213)
LK (564)
LR (137)
LS (253)
LT (927)
LU (890)
LV (301)
LY (400)
MA (138)
MC (836)
MD (694)
ME (581)
MF (469)
MG (334)
MH (699)
MK (845)
ML (786)
MM (113)
MN (58)
MO (281)
MP (405)
MQ (223)
MR (887)
MS (879)
MT (351)
MU (11)
MV (944)
MW (904)
MX (123)
MY (700)
MZ (885)
NA (371)
NC (845)
NE (866)
NF (685)
NG (879)
NI (105)
NL (428)
NO (202)
NP (397)
NR (383)
NU (22)
NZ (501)
OM (699)
PA (451)
PE (585)
PF (364)
PG (75)
PH (879)
PK (107)
PL (498)
PM (458)
PN (131)
PR (603)
PS (311)
PT (392)
PW (58)
PY (63)
QA (604)
RE (840)
RO (386)
RS (694)
RU (520)
RW (241)
SA (413)
SB (244)
SC (643)
SD (239)
SE (266)
SG (465)
SH (961)
SI (83)
SJ (343)
SK (716)
SL (667)
SM (791)
SN (333)
SO (640)
SR (165)
SS (462)
ST (694)
SV (634)
SX (705)
SY (504)
SZ (960)
TC (535)
TD (219)
TF (103)
TG (229)
TH (898)
TJ (118)
TK (175)
TL (616)
TM (361)
TN (622)
TO (723)
TR (183)
TT (334)
TV (950)
TW (916)
TZ (316)
UA (967)
UG (867)
UM (66)
US (100)
UY (57)
UZ (383)
VA (212)
VC (631)
VE (31)
VG (140)
VI (646)
VN (481)
VU (275)
WF (68)
WS (65)
XK (262)
YE (503)
YT (55)
ZA (223)
ZM (403)
ZW (612)