Obscura Ransomware Strain

First identified in September 2025, Obscura is a new, sophisticated ransomware strain written in the Go programming language. It targets Windows enterprise environments, leveraging Active Directory (AD) domain controller mechanics for rapid lateral movement. The malware stages itself in the SYSVOL/NETLOGON directory, allowing it to be automatically replicated across all domain controllers. It achieves persistence via scheduled tasks and employs a double-extortion model, appending the .obscura extension to encrypted files and leaking stolen data on a TOR-based site if the 10-day ransom deadline is not met. A notable attack against Michigan City, Indiana, resulted in the theft and subsequent leak of 450 GB of municipal data.

2. Indicators of Compromise (IOCs)

Hard indicators identified from public analysis (Huntress, WatchGuard, CYFIRMA).

Type | Indicator | Context
File Hash (SHA-256) | c00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac23 | Main Go binary executable
File Path | C:\WINDOWS\sysvol\sysvol\[domain].local\scripts\ | Staging directory on Domain Controllers
File Name | [domain_mimicking_name].exe (e.g., company.exe) | Masquerades as a legitimate domain script
Ransom Note | README_Obscura.txt, README-OBSCURA.txt | Dropped in C:\ and other directories
File Extension | .obscura | Appended to encrypted files (e.g., file.txt.obscura)
File Artifact | OBSCURA! | 64-byte footer appended to encrypted files, starting with this 8-byte magic string
Network (TOR) | http://obscurad3aphckihv7wptdxvdnl5emma6t3vikcf3c5oiiqndq6y6xad.onion | Obscura data leak site
Persistence | SystemUpdate | Scheduled Task name created to execute the ransomware
Persistence | iJHcEkAG | Secondary Scheduled Task name (observed) to enable RDP
Host Artifact | DESKTOP-XNBSHKJ2 | Possible threat actor workstation name found in binary
Detection Name | Win32.Ransom.Obscura | Zscaler Threat Library classification

3. Technical Analysis & TTPs (MITRE ATT&CK)

The attack chain is built on stealth, domain-level propagation, and aggressive defense evasion.

Execution Flow:

  1. Initial Access (T1078 – Valid Accounts): While the initial vector is not confirmed, the TTPs strongly suggest the use of compromised domain administrator credentials.
  2. Execution (T1059.003 – Windows Command Shell): The binary requires administrator privileges to run. If not admin, it exits. It checks for an environment variable DAEMON=1 to determine if it should run its main encryption payload or its preparation/propagation functions.
  3. Lateral Movement (T1080 – Taint Shared Content): The malware binary is staged in the SYSVOL/NETLOGON scripts folder. Due to AD replication, this file is automatically copied to all other domain controllers, enabling rapid, widespread compromise.
  4. Persistence (T1053.005 – Scheduled Task):
    • Creates a scheduled task named SystemUpdate to execute the ransomware binary from the NETLOGON share.
    • An additional task, iJHcEkAG, has been observed, executing the following command to enable RDP access via the firewall:
      cmd.exe /C netsh firewall set service type = remotedesktop mode = enable > \Windows\Temp\SJYfXB 2>&1
  5. Credential Access (T1555.003 – Credentials from Web Browsers/Credential Manager): The malware is confirmed to extract stored credentials from the Windows Credential Manager to aid in lateral movement and privilege escalation.

Defense Evasion (Key Techniques):

  • T1490 – Inhibit System Recovery: The binary executes cmd.exe /c vssadmin delete shadows /all /quiet to delete all Volume Shadow Copies, preventing easy system restoration.
  • T1562.001 – Impair Defenses: A function (main_windows_api_KillProcesses) terminates a hardcoded list of over 120 processes. This list specifically targets antivirus (WinDefend, MsMpEng, CSFalconService, SentinelAgent, bdagent), backup (Veeam*, AcrSch2Svc, BackupExec), and database (MSSQL*, SQLSERVERAGENT, postgresql) services.
  • T1036 – Masquerading: The binary is named to mimic the victim’s domain (e.g., victimdomain.local.exe) to blend in with legitimate scripts in the SYSVOL folder.
  • T1497 – Virtualization/Sandbox Evasion: Performs runtime checks to detect virtualized or sandboxed environments before executing.
  • T1027 – Obfuscated Files or Information: The Go binary is packed and obfuscated to hinder static analysis.

Impact (T1486 – Data Encrypted for Impact):

  • Encryption: Uses a hybrid cryptosystem. A 32-byte shared secret is generated using X25519 (Curve25519) key exchange. This secret is then used as the key for XChaCha20 file encryption.
  • File Exclusions: The malware avoids encrypting critical system files by excluding extensions such as .exe, .dll, .sys, .efi, .ini, .lnk, and its own .obscura.
  • File Footer: Appends a 64-byte footer to each encrypted file, containing the OBSCURA! magic bytes, the 32-byte ephemeral public key, and a 24-byte nonce.
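The 64-byte footer layout above (8-byte magic, 32-byte ephemeral X25519 public key, 24-byte XChaCha20 nonce) is enough to triage files during incident response regardless of whether the .obscura extension is present. The following parser is an added example written for this page, not code from the report or from the malware; the SAMPLE_ENCRYPTED test vector is constructed (zero-filled payload with a synthetic key and nonce), and the dataclass and function names are the author's own choices.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Footer layout as described in the report: 8-byte magic, 32-byte X25519
# ephemeral public key, 24-byte XChaCha20 nonce; 64 bytes total, at end of file.
MAGIC = b"OBSCURA!"
PUBKEY_LEN, NONCE_LEN = 32, 24
FOOTER_LEN = len(MAGIC) + PUBKEY_LEN + NONCE_LEN  # 64

@dataclass
class ObscuraFooter:
    ephemeral_pubkey: bytes
    nonce: bytes

def parse_footer(tail: bytes) -> Optional[ObscuraFooter]:
    """Parse the last 64 bytes of a file; return None if no Obscura footer is present."""
    if len(tail) < FOOTER_LEN:
        return None
    footer = tail[-FOOTER_LEN:]
    if footer[:len(MAGIC)] != MAGIC:
        return None
    pub = footer[len(MAGIC):len(MAGIC) + PUBKEY_LEN]
    nonce = footer[len(MAGIC) + PUBKEY_LEN:]
    return ObscuraFooter(pub, nonce)

def scan_file(path: str) -> Optional[ObscuraFooter]:
    """Triage one file by reading only its last 64 bytes (cheap even for large files)."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        if size < FOOTER_LEN:
            return None
        f.seek(size - FOOTER_LEN)
        return parse_footer(f.read(FOOTER_LEN))

def scan_tree(root: str):
    """Yield (path, footer) for every file under root carrying the footer, whatever its extension."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                footer = scan_file(p)
            except OSError:
                continue
            if footer is not None:
                yield p, footer

# Constructed test vector: 100 bytes of opaque "ciphertext" followed by a footer in the documented layout.
SAMPLE_ENCRYPTED = b"\x00" * 100 + MAGIC + bytes(range(32)) + bytes(range(24))
```

Matching on the footer rather than the extension also catches files the malware renamed inconsistently or that were partially cleaned up before analysis.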

4. Detection & Threat Hunting

High-Fidelity Sigma Rule (via CYFIRMA): Shadow Copy Deletion

YAML

title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
            - '\vssadmin.exe'
        - OriginalFileName:
            - 'VSSADMIN.EXE'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'
            - 'delete'
    condition: (all of selection1*)
level: high

EDR / SIEM Hunting Queries:

  1. RDP Firewall Rule:
    • Monitor for process creation: process_name: 'cmd.exe' AND command_line: 'netsh firewall set service type = remotedesktop mode = enable'
  2. Suspicious SYSVOL File Creation:
    • Monitor for file creation events: file_path: 'C:\WINDOWS\sysvol\sysvol\' AND file_path_ends_with: '\scripts\' AND file_extension: '.exe'
  3. Scheduled Task Creation:
    • Monitor for scheduled task creation (Event ID 4698) where TaskName: 'SystemUpdate' OR TaskName: 'iJHcEkAG'.
  4. Service Termination:
    • Look for rapid succession of taskkill or API-based process termination events matching the 120-process list (e.g., MsMpEng.exe, VeeamBackupSvc.exe, Splunkd.exe).
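The four hunts above can be expressed as a single pass over normalized endpoint telemetry. This is an added example for this page, not a query from the report or any vendor: the event field names (ts, event_type, image, command_line, file_path, event_id, task_name) and the SAMPLE_EVENTS are constructed stand-ins for a SIEM schema, and the SYSVOL rule generalizes hunt 2 slightly by matching any .exe placed directly under any domain's scripts folder.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified SIEM-style shape; the field names
# (ts, event_type, image, command_line, file_path, event_id, task_name) are
# assumptions for this example, not any product's schema.
SAMPLE_EVENTS = [
    {"ts": 100, "event_type": "process_creation", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /C netsh firewall set service type = remotedesktop mode = enable > \Windows\Temp\SJYfXB 2>&1"},
    {"ts": 101, "event_type": "file_creation", "file_path": r"C:\WINDOWS\sysvol\sysvol\corp.local\scripts\corp.exe"},
    {"ts": 102, "event_type": "file_creation", "file_path": r"C:\WINDOWS\sysvol\sysvol\corp.local\scripts\logon.bat"},
    {"ts": 103, "event_type": "scheduled_task_created", "event_id": 4698, "task_name": "SystemUpdate"},
    {"ts": 104, "event_type": "process_creation", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"ts": 105, "event_type": "process_creation", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # benign: must not fire
]

SYSVOL_SCRIPTS_EXE = re.compile(r"^c:\\windows\\sysvol\\sysvol\\[^\\]+\\scripts\\[^\\]+\.exe$", re.I)
SUSPECT_TASK_NAMES = {"systemupdate", "ijhcekag"}
RDP_ENABLE_CMD = "netsh firewall set service type = remotedesktop mode = enable"

def _cmd(e):
    # Collapse whitespace and case so minor formatting differences do not evade the match.
    return " ".join(e.get("command_line", "").split()).lower()

def _image_is(e, name):
    return e.get("event_type") == "process_creation" and e.get("image", "").lower().endswith("\\" + name)

def rdp_firewall_rule(e):
    return _image_is(e, "cmd.exe") and RDP_ENABLE_CMD in _cmd(e)

def sysvol_exe_rule(e):
    return e.get("event_type") == "file_creation" and bool(SYSVOL_SCRIPTS_EXE.match(e.get("file_path", "")))

def scheduled_task_rule(e):
    return e.get("event_id") == 4698 and e.get("task_name", "").lower() in SUSPECT_TASK_NAMES

def shadow_delete_rule(e):
    # Same logic as the Sigma rule: vssadmin image plus 'shadow' and 'delete' on the command line.
    cmd = _cmd(e)
    return _image_is(e, "vssadmin.exe") and "shadow" in cmd and "delete" in cmd

RULES = {"obscura_rdp_firewall": rdp_firewall_rule, "obscura_sysvol_exe": sysvol_exe_rule,
         "obscura_task_name": scheduled_task_rule, "obscura_shadow_delete": shadow_delete_rule}

def run_hunt(events):
    """Return {rule_name: [ts, ...]} listing every event that fires each rule."""
    hits = defaultdict(list)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e["ts"])
    return dict(hits)
```

The process-termination burst hunt (item 4) is omitted here because it needs a time-windowed count across many events rather than a per-event match.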

5. Mitigation & Recommendations

  1. Block IOCs: Ingest the provided file hash and .onion address (for TOR blocking) into your security platforms (EDR, Proxy, Firewall).
  2. Harden Active Directory:
    • Secure SYSVOL: Strictly limit write permissions to the SYSVOL/NETLOGON scripts folder. Only Domain Admins should have this right, and all activity should be heavily audited.
    • Monitor GPO/Scripts: Alert on any new executable file (.exe) being added to this directory.
  3. Principle of Least Privilege: Ensure that service accounts and users do not have domain-level administrative privileges unless absolutely necessary.
  4. Monitor Scheduled Tasks: Monitor endpoints for the creation of new scheduled tasks, particularly those running from suspicious paths or with generic names like SystemUpdate.
  5. Backup & Recovery: Ensure immutable, offline backups are in place. Test restoration procedures.
  6. VSS Monitoring: Implement the Sigma rule above to immediately alert on any vssadmin deletion commands.