NightSpire Ransomware Leverages RDP & Admin Uses Access

Emy Elsamnoudy
May 26, 2026

NightSpire, a newly identified ransomware strain, is actively targeting organizations across various industries and countries. This threat employs a deceptively simple yet highly effective approach, primarily leveraging Remote Desktop Protocol (RDP) access and legitimate remote administration tools to infiltrate systems and encrypt victim data. A comprehensive analysis of NightSpire’s tactics, techniques, and procedures (TTPs) has been

NightSpire, first identified in early 2025, has already shown it is willing to cast a wide net, hitting hospitals, schools, government offices, and financial institutions alike. What makes it stand out is not just what it encrypts, but how quietly it moves before anyone notices.

NightSpire operates through a double extortion model. Attackers first steal sensitive files from the victim’s environment, then encrypt everything in sight.

If the victim refuses to pay, the criminals threaten to publish the stolen data on a Tor-based leak website. Between March and June 2025, NightSpire hit at least 64 organizations across 33 countries, with the United States topping the victim list, followed by Turkey, Hong Kong, Japan, Taiwan, Mexico, Spain, and Egypt.

Analysts at Picus Security, who documented the attack chain in detail, noted that the encryptor is built on Go, a programming language known for creating lightweight, cross-platform executables.

The malware appends the .nspire extension to every locked file and drops a ransom note inside each affected folder. Notably, it also encrypts OneDrive files without changing their extensions, a behavior that can easily catch victims off guard.

The speed at which NightSpire has grown its victim list is alarming. In just three months, operators logged over 45 victims on their own leak blog.

The attacks span a wide range of sectors, from healthcare and education to manufacturing, hospitality, IT services, and logistics. No industry appears off-limits, and the global spread of victims points to a well-coordinated and motivated threat operation.

Picus Security said in a report shared with Cyber Security News that what makes NightSpire especially concerning for defenders is its deliberate use of trusted software to blend into normal network activity and evade detection for as long as possible.

NightSpire Ransomware Uses RDP Access and Remote Admin Tools

NightSpire gains initial access through Remote Desktop Protocol, a legitimate Windows feature used by IT teams around the world every day.

Once inside, instead of deploying custom backdoors that might trigger security alerts, attackers install widely trusted remote administration software to maintain a steady foothold on compromised machines.

Chrome Remote Desktop was deployed on at least two compromised machines, running as a persistent Windows service named “Chrome Remote Desktop Service.”

The Google account linked to this deployment was prince1990905@gmail[.]com, showing just how little effort was needed to establish long-term access.

On a separate endpoint, AnyDesk was installed, creating both a Windows service and a startup shortcut so it launched automatically on every reboot.

This approach gives attackers a powerful advantage. Because these tools are legitimate and commonly used for IT support, they are far less likely to raise flags in security monitoring. By the time defenders notice anything unusual, the attacker may have already spent days inside the network.

Discovery, Exfiltration, and Encryption at Scale

After securing persistence, the attackers move quickly to locate and collect valuable data. They deploy Everything by voidtools, a free file search utility that scans entire drives in seconds, letting them pinpoint sensitive documents almost instantly.

Targeted folders are then compressed into password-protected archives using 7-Zip, reducing the number of files that need to be transferred out.

Those archives are uploaded to MEGA cloud storage using MEGAsync, a free sync tool that blends into normal activity.

The Go-based encryptor is then launched, walking through every accessible drive and path, renaming each file with the .nspire extension, and dropping ransom notes throughout the system.

Organizations should monitor for unexpected use of remote access tools and cloud sync applications on endpoints.

Restricting RDP access, enforcing multi-factor authentication, and blocking unauthorized software installations are practical steps that cut the risk significantly.

Security teams can also simulate NightSpire attack patterns against their own defenses to find and close gaps before real attackers do.
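As an added illustration (not code from the article or from the Picus report), the Python script below scores constructed Windows event records against the stages of the chain described above: RDP logon, a trusted remote-admin tool registered as a service, Everything for discovery, password-protected 7-Zip archives, MEGAsync, and .nspire renames or ransom-note drops. The event IDs (4624, 4688, 7045, Sysmon 11) are real; the host names, paths and values are made up.

```python
import re
from collections import defaultdict

# Constructed sample events (event_id, host, fields); a real run would read a
# SIEM export. 4624/4688/7045 follow the Windows Security/System logs, 11 is
# Sysmon file-create. Values are made up for this example.
EVENTS = [
    (4624, "FS01", {"logon_type": 10, "user": "svc_backup", "src": "203.0.113.7"}),
    (7045, "FS01", {"service": "Chrome Remote Desktop Service"}),
    (4688, "FS01", {"image": r"C:\Tools\Everything.exe", "cmd": "Everything.exe"}),
    (4688, "FS01", {"image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z a -pX9 docs.7z D:\Finance"}),
    (4688, "FS01", {"image": r"C:\Users\x\AppData\Local\MEGAsync\MEGAsync.exe", "cmd": "MEGAsync.exe"}),
    (11, "FS01", {"target": r"D:\Finance\q1.xlsx.nspire"}),
    (11, "FS01", {"target": r"D:\Finance\[nspire_msg].txt"}),
    (4624, "WS22", {"logon_type": 2, "user": "alice", "src": "-"}),
    (4688, "WS22", {"image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z a -pBk backup.7z C:\Users\alice\Docs"}),
]

# One predicate per stage of the chain described in the article. Each is weak
# on its own (7-Zip with a password is routine); the combination is the signal.
STAGES = [
    ("rdp_logon", lambda eid, d: eid == 4624 and d.get("logon_type") == 10),
    ("remote_admin_service", lambda eid, d: eid == 7045 and bool(re.search(
        r"chrome remote desktop|anydesk", d.get("service", ""), re.I))),
    ("discovery_everything", lambda eid, d: eid == 4688 and d.get("image", "").lower().endswith("everything.exe")),
    ("staging_7zip_password", lambda eid, d: eid == 4688 and "7z" in d.get("image", "").lower()
        and bool(re.search(r"\s-p\S*", d.get("cmd", "")))),
    ("exfil_megasync", lambda eid, d: eid == 4688 and "megasync" in d.get("image", "").lower()),
    ("encryption_nspire", lambda eid, d: eid == 11 and (
        d.get("target", "").lower().endswith(".nspire")
        or d.get("target", "").endswith(("_nightspire_readme.txt", "[nspire_msg].txt")))),
]

def triage(events):
    """Return {host: [stages hit, in chain order]} for every host with at least one hit."""
    hits = defaultdict(set)
    for eid, host, fields in events:
        for name, pred in STAGES:
            if pred(eid, fields):
                hits[host].add(name)
    return {h: [n for n, _ in STAGES if n in s] for h, s in hits.items()}

def is_nightspire_like(stages, threshold=3):
    """Alert only when several distinct stages fire on one host."""
    return len(stages) >= threshold

if __name__ == "__main__":
    for host, stages in triage(EVENTS).items():
        print(host, "ALERT" if is_nightspire_like(stages) else "info", stages)
```

The threshold keeps a single password-protected archive on an ordinary workstation at "info" while the full sequence on the file server raises an alert.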

Indicators of Compromise (IoCs):

Type | Indicator | Description
SHA256 Hash | bde50a42efc079edde1a314243ad339db2d42e343fbbcd39117803b0f5960355 | File encryptor (enc.exe), December 2, 2025
SHA256 Hash | ad67031e2ca68764fe1a7d6632c02b02a299d59efb920710011a9a2ccf4399b7 | File encryptor (enc.exe), March 25, 2026
File Extension | .nspire | Extension appended to all encrypted files
Ransom Note Filename | _nightspire_readme.txt | Ransom note filename from December 2, 2025 incident
Ransom Note Filename | [nspire_msg].txt | Ransom note filename from March 25, 2026 incident
Email Address | prince1990905@gmail[.]com | Google account associated with Chrome Remote Desktop deployment, March 24-25, 2026
Directory Path | C:\Users\[REDACTED]\Downloads | Threat actor staging folder observed March 25, 2026

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.