MalwareRansomwareUsed by 4 actors

PingCastle

PingCastle is a legitimate Active Directory security assessment and reconnaissance utility. In the provided reporting, it is described as being used for Active Directory reconnaissance, including by the financially motivated threat actor Octo Tempest alongside ADRecon, and it is also listed by Kaspersky as a utility shared across ransomware-linked groups including Crypt Ghouls, MorLock, BlackJack, and Twelve. The cited use cases are focused on post-compromise enumeration of Active Directory environments. No specific infection vector, persistence mechanism, or indicators of compromise for PingCastle itself are provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BlackJack

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

Twelve

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

Crypt Ghouls

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

MorLock

"...utilities, including SoftPerfect Network Scanner, PingCastle..."

via security online infosecurityonline.info

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Discovery

1 technique

T1018Remote System DiscoveryEvidence2

TacticDiscovery

ainsi que PingCastle et BloodHound afin d’identifier de mauvaises configurations de l’Active Directory.

Lateral Movement

1 technique

T1570Lateral Tool TransferEvidence1

TacticLateral Movement

The threat actor moved cab files to the remote hosts using SMB and then expanded and ran them using wmiexec.py commands.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security online infoNews

Oct 21, 2024

Supply Chain Weakness: Crypt Ghouls Exploit Contractors to Deploy Ransomware

Active Directory assessment/recon tool used to enumerate AD posture and identify paths for privilege escalation and lateral movement.

microsoft security blogNews

Oct 25, 2023

Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction | Microsoft Security Blog

Active Directory assessment/reconnaissance tool used to enumerate AD posture and configuration during discovery.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution4

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.