Play
| Active
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises.
On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs
On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs
Victims
1262
First Discovered
2022-11-26
victim
Last Discovered
2026-06-04
victim
Inactive Since
2
days
Avg Delay
37.7
days
Infostealer
17.1%
victims with domain
Countries
42
hit
Attack Velocity — Last 12 months
-40% vs last month
Known Locations (3)
| Favicon | Title | Type | Available | Last Visit | Server Info | FQDN | |
|---|---|---|---|---|---|---|---|
|
PLAY NEWS | No | 2026-06-06T00:44:23 |
mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion
|
|||
|
PLAY NEWS | No | 2026-06-06T00:44:33 |
k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion
|
|||
|
PLAY NEWS | No | 2026-06-06T00:44:19 | nginx |
j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion
|
Target
Top 5 Activity Sectors
- Manufacturing 262
- Business Services 218
- Technology 115
- Construction 80
- Transportation/Logistics 68
Top 5 Countries
-
United States
911
-
Canada
94
-
United Kingdom
38
-
Germany
34
-
Netherlands
16
Heatmap
Ransom Notes (3)
Tools Used
| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
|---|---|---|---|---|---|---|---|
|
AdFind
WKTools
|
|
EDRKill (echo_driver.sys + DBUtil 2.3)
GMER
IOBit
PowerTool
icardagt.exe (version.dll DLL sideload)
|
HandleKatz
Mimikatz
Nanodump
|
Cobalt Strike
WinPEAS
|
FRP
Plink
|
PsExec
|
WinSCP
|
TTPs Matrix (10)
| Initial Access | Execution | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact |
|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Scheduled Task/Job: Scheduled Task | Obfuscated Files or Information | OS Credential Dumping | System Network Configuration Discovery | Remote Services: Remote Desktop Protocol | Archive Collected Data | Exfiltration Over Alternative Protocol | Remote Access Software | Data Encrypted for Impact |
| Exploit Public-Facing Application | Command and Scripting Interpreter | Indicator Removal | OS Credential Dumping: LSASS Memory | Network Service Discovery | Remote Services: SMB/Windows Admin Shares | Archive Collected Data: Archive via Utility | Service Stop | ||
| Command and Scripting Interpreter: PowerShell | Indicator Removal: Clear Windows Event Logs | OS Credential Dumping: NTDS | Account Discovery: Domain Account | Lateral Tool Transfer | Inhibit System Recovery | ||||
| Domain or Tenant Policy Modification | Unsecured Credentials | Software Discovery | Financial Theft | ||||||
| Domain or Tenant Policy Modification: Group Policy Modification | Software Discovery: Security Software Discovery | ||||||||
| Disable or Modify Tools |
YARA Rules (1)
Indicators of Compromise (IoCs) (3)
Email
3
| Type | IOC |
|---|---|
Email
|
derdiarikucisv@gmx.de
|
Email
|
raniyumiamrm@gmx.de
|
Email
|
teilightomemaucd@gmx.com
|
Victims (1262)
United States : M?????n C?????? & W?? & The ???? G????…
Australia - Nova Group is a leading engineering services and technology solutions partner. Our visio…
information: LIBRA VIRTUA provides the necessary LIBRA modules, the database manager, server capacit…
Saxon, Switzerlandi ; Commune de Saxon is a company that operates in the Government industry.…
Texas, United Statesi - Founded in 1996, Negma Business Solutions, Inc. has been leading the way, pr…
Netherlandsi - Woonkracht10 is a housing corporation in the Drechtsteden region and manages more tha…
