Play Ransomware Strikes US Tech Manufacturing Sector

The Play ransomware group has claimed responsibility for attacks against two US-based technology and manufacturing companies, AES Clean Technology and Dataforth. The group added both victims to its dark web leak site on October 6, 2025, initiating a public countdown for data publication. This move signals a classic double-extortion tactic, pressuring the victims to pay a ransom.


About the Victims

AES Clean Technology is a significant player in the pharmaceutical and biotech space, specializing in designing and building modular cleanroom facilities. Dataforth Corporation operates in the industrial sector, manufacturing signal conditioning and data acquisition hardware. Both companies are established in their respective fields, making them valuable targets due to the sensitive nature of their project and client data.


Tactics, Techniques, and Procedures (TTPs) 🕵️‍♂️

A significant clue points to the potential initial access vector used against AES Clean Technology. On October 1, 2025, just days before the ransomware claim, the company’s name appeared in logs from the Stealc infostealer. This strongly suggests that credentials or session data were harvested from a compromised device and later used by the Play group to infiltrate the network.

Once inside, the threat actor moved to exfiltrate sensitive data before deploying their ransomware payload. The leak site post explicitly lists the types of stolen data, including financial records, client documents, and personal information, which is a core component of their double-extortion strategy. The group then uses its Tor-based site and various Telegram channels to publicize the breach and exert pressure.


Indicators of Compromise (IOCs)

Security teams can use the following IOCs, identified from the various intelligence feeds related to these attacks, for threat hunting and blocking.

  • Threat Actor: Play Ransomware
  • Precursor Malware: Stealc Infostealer
  • Attack Hashes (from ransomfeed.it):
    • AES Clean Technology: a0a65a80ba28d53401251acaffb79152646723952801bdc50132504f6ac75995
    • Dataforth: 325bac87f8af8688ff269241e528d2543c89d290346c98717a92d2dde6e68617
  • Associated Dark Web URLs:
    • k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion
    • mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion

Monitoring for Stealc activity and blocking these known IOCs could help prevent similar intrusions. The connection between initial access brokers using infostealer logs and prominent ransomware groups continues to be a prevalent TTP.
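One way to turn the IOC list above into a hunting check, as an added example that is not part of the original post: the script below extracts SHA-256 values and v3 .onion hostnames from log lines, normalizes case, and reports matches against the indicators published here. The log lines are constructed for the example; the host names, field layout (`host=`, `sha256=`, `dst=`, `query=`) and the `Hit`/`scan_lines` names are assumptions, not from any real product. The post does not state what the two "attack hashes" identify, so the matcher treats them as opaque strings rather than assuming they are file hashes.

```python
import re
from dataclasses import dataclass

# Indicators copied from the post above (the only real values in this example).
IOC_SHA256 = {
    "a0a65a80ba28d53401251acaffb79152646723952801bdc50132504f6ac75995",  # AES Clean Technology
    "325bac87f8af8688ff269241e528d2543c89d290346c98717a92d2dde6e68617",  # Dataforth
}
IOC_ONION = {
    "k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion",
    "mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
}

# A SHA-256 is 64 hex digits; a v3 onion address is 56 base32 chars + ".onion".
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
HOST_RE = re.compile(r"\bhost=(\S+)")  # assumed field layout of the constructed logs


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    kind: str       # "sha256" or "onion"
    indicator: str  # normalized (lower-case) indicator that matched


def scan_lines(lines):
    """Return a Hit for every IOC occurrence found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = HOST_RE.search(line)
        host = m.group(1) if m else "unknown"
        # Lower-case before comparing: EDR and proxy products differ in hex casing.
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append(Hit(n, host, "sha256", h.lower()))
        for d in ONION_RE.findall(line):
            if d.lower() in IOC_ONION:
                hits.append(Hit(n, host, "onion", d.lower()))
    return hits


def affected_hosts(hits):
    """Sorted list of distinct hosts that produced at least one hit."""
    return sorted({h.host for h in hits})


# Constructed log lines for demonstration only; not real telemetry.
SAMPLE_LOGS = [
    "2025-10-02T08:14:03Z edr host=ws-finance-07 event=file_create "
    "sha256=A0A65A80BA28D53401251ACAFFB79152646723952801BDC50132504F6AC75995",
    "2025-10-02T08:15:11Z proxy host=ws-finance-07 "
    "dst=mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion action=deny",
    "2025-10-02T09:00:00Z edr host=ws-eng-12 event=file_create "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2025-10-02T09:03:27Z dns host=ws-eng-12 "
    "query=k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion rcode=NXDOMAIN",
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.kind} match on {hit.host} -> {hit.indicator}")
    print("hosts to triage:", affected_hosts(found))
```

The third sample line carries a 64-hex value that is not on the list, so it produces no hit; the first line matches despite upper-case hex because both sides are normalized. A DNS query for one of the .onion names is itself worth triage even when it fails to resolve, since ordinary clients do not emit such lookups.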