Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Citrix Vulnerability (CVE-2023-49605) Lets Attackers Escalate Privileges
July 18, 2026
Spirals Ransomware Uses IIS Web Shell and PsExec for Rapid Encryption
July 18, 2026
Critical wp2shell RCE Vulnerability in WordPress Patched
July 18, 2026
Home/CyberSecurity News/Spirals Ransomware Uses IIS Web Shell and PsExec for Rapid Encryption
CyberSecurity News

Spirals Ransomware Uses IIS Web Shell and PsExec for Rapid Encryption

Key Takeaways A new Rust-based ransomware, “Spirals,” rapidly encrypted an IT services company’s network in South Asia in June 2026. Attackers leveraged an IIS web shell for initial...

Emy Elsamnoudy
Emy Elsamnoudy
July 18, 2026 4 Min Read
4 0

Key Takeaways

  • A new Rust-based ransomware, “Spirals,” rapidly encrypted an IT services company’s network in South Asia in June 2026.
  • Attackers leveraged an IIS web shell for initial access, then used tunneling tools, privilege escalation, and PsExec for widespread deployment.
  • The ransomware, designed for speed and evasion, disables security software, terminates critical services, and encrypts files using AES-128 and ECDH P-256.
  • The threat actor behind Spirals remains unknown, but their operational sophistication suggests a highly capable group.

Unseen Spirals Ransomware Unleashes Rapid Encryption Campaign

A previously undocumented ransomware strain, dubbed “Spirals,” executed a swift and devastating attack against an IT services firm in South Asia in June 2026. Security researchers at Symantec’s Threat Hunter Team reported that the threat actors progressed from initial network compromise to full system encryption in less than 24 hours.

Table Of Content

  • Key Takeaways
  • Unseen Spirals Ransomware Unleashes Rapid Encryption Campaign
  • Spirals Leverages IIS Web Shell and PsExec for Mass Deployment
  • What You Should Do

The ransomware payload, developed in Rust, appears to be either an entirely new creation or custom-built for this specific, targeted operation. The identity of the group behind the Spirals ransomware campaign has not yet been determined.

Spirals Leverages IIS Web Shell and PsExec for Mass Deployment

The intrusion commenced on June 16 at 22:21 local time, when the attackers breached an internet-exposed IIS web server. They swiftly uploaded an ASP.NET web shell, establishing their initial foothold.

Within minutes of gaining access, the attackers deployed three distinct tunneling tools, including Chisel (masquerading as chrome.exe) and a Cloudflare tunnel client. These tools created redundant, covert communication channels to maintain persistence. A token impersonation utility was then introduced, likely facilitating the escalation of privileges within the compromised network.

During an intense three-hour “hands-on-keyboard” session, the operator utilized the IIS worker process to spawn cmd.exe and powershell.exe. They performed a User Account Control (UAC) bypass, enabled Remote Desktop Protocol (RDP), established a persistent local account, and extracted the Security Account Manager (SAM) hive. By 23:07, initial activities indicated active efforts to disable security software.

As detailed in the Spirals ransomware report, the attackers shifted to WMI-based lateral movement at 23:33. They compromised over a dozen machines within minutes by leveraging stolen domain administrator credentials. This rapid pace strongly suggests an automated, pre-planned targeting strategy rather than manual exploration.

On June 17, the threat actors changed their primary method for mass deployment to PsExec. Beginning around 14:12, a single compromised host distributed an identical base64-encoded PowerShell payload to network targets every few seconds for approximately 30 minutes.

This automated payload immediately disabled Windows Defender’s real-time monitoring and forcefully terminated more than 20 critical backup, database, and virtualization services, including Veeam, VMware, SQL Server, and Exchange. This action effectively cleared open file handles, preparing the systems for encryption.

The ransomware executable itself was named bitsadmin.exe, a deliberate attempt to impersonate a legitimate Windows utility. It was strategically placed across multiple network locations, including the SYSVOL domain scripts directory, ensuring automated propagation even to machines not directly targeted by the PsExec script.

Spirals is a sophisticated, full-featured Rust-based encryptor. It incorporates capabilities for defense evasion, automated lateral movement, process termination, and privilege escalation.

Cryptographic Component Implementation Specification Target Objective
Symmetric Key Per-file AES-128 Secures the raw block data of targeted files
Asymmetric Wrapper Attacker-controlled ECDH P-256 public key Protects the local AES keys from decryption
Optimization Trick Intermittent encryption of jittered chunks Speeds up the locking cycle for files over 5 MB

The ransomware leaves a local footprint to initiate ransom negotiations:

A ransom note is dropped across the system as C:RECOVERY_SECTION.log. This note threatens the public exposure of stolen corporate data within six days if the victim fails to pay. The note directs victims to a Tor negotiation portal, which Symantec confirmed explicitly identifies the threat family as “Spirals.”

While Spirals has only been observed in a single incident to date, its operational precision indicates a highly skilled actor capable of rapidly scaling attacks. The combination of layered tunneling infrastructure, credential harvesting via LSASS dumps (using rundll32.exe and comsvcs.dll), and domain-wide propagation via SYSVOL necessitates an immediate and robust defensive response.

Symantec’s indicators of compromise include dedicated staging infrastructure hosted at 185.141.216.194, along with two compromised domains used for hosting malicious payloads.

What You Should Do

  • Web Shell Detection: Implement active monitoring for internet-facing web servers to detect unauthorized ASP.NET file modifications or unusual process creations originating from IIS worker processes.
  • Behavioral Auditing: Configure immediate alerts for anomalous WMI and PsExec activity, particularly rapid, sequential connection attempts across internal network segments.
  • Credential Protection: Harden endpoints against LSASS memory dumping tools and strictly limit the use of domain administrator accounts on machines other than domain controllers.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitransomwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical wp2shell RCE Vulnerability in WordPress Patched

Next Post

Critical Citrix Vulnerability (CVE-2023-49605) Lets Attackers Escalate Privileges

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Ransomware Attack Halts Fairlife Production Across US
July 17, 2026
PentestCode AI Agent Automates Pen Testing with 18 Specialized Tools
July 17, 2026
AWS Cost Explorer Bug Exposes Trillion-Dollar Billing Estimates
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us