Osiris
Osiris is a name that public reporting has applied to several distinct threats. Most prominently, it refers to a newly observed ransomware family first seen in November 2025 in a targeted attack against a major food service franchisee operator in Southeast Asia. Researchers reported that this ransomware is unrelated to the 2016 Locky variant also called Osiris. In the 2025 intrusion, attackers used living-off-the-land and dual-use tools including Netscan, Netexec, MeshAgent, a modified RustDesk binary disguised as "WinZip Remote Desktop," Mimikatz/kaz.exe for credential dumping, and Rclone to exfiltrate data to Wasabi cloud storage prior to encryption. The operation also used the POORTRY/Abyssworker malicious driver in a BYOVD-style defense evasion technique, including masquerading as a Malwarebytes component, to disable security software; KillAV was also reported in some coverage. The ransomware is full-featured: it uses hybrid ECC and AES-128-CTR encryption with a unique key per file, supports partial or full encryption via command-line options, appends the .Osiris extension, deletes Volume Shadow Copies, terminates numerous database, backup, mail, office, browser, and other processes/services, handles Hyper-V-related options, and drops a ransom note named Osiris-MESSAGE.txt with negotiation links. Reporting noted tactical and tooling overlaps with prior Inc ransomware activity, but attribution remained uncertain.
The content also uses Osiris to refer to a Windows banking malware sample analyzed in August 2019. That sample persisted by adding itself to startup and copying itself to %APPDATA%\Roaming\Microsoft\Windows\Protected\setspn.exe, masquerading as the legitimate Microsoft setspn.exe. It dropped files in %APPDATA%\Roaming and %temp%, used Nullsoft Scriptable Installer components for a headless install, and used a Mini-Tor proof-of-concept implementation to communicate over the Tor network, likely for anonymized data exfiltration. Reported indicators for that sample included SHA-256 0325714eeb2af235a0f543ad9e11b5d852a61be78c9ece308c651412d97edd39 and URLs httpx://naot[.]org/cms/file/fixed111[.]exe and httpx://borel[.]fr/notices/CanadaPost[.]zip.
Separately, the content mentions the publicly available Osiris jailbreak bundled inside the Phenakite iOS surveillance implant used by Arid Viper/APT-C-23. In that context, Osiris is jailbreak code rather than the primary malware itself, and was used by Phenakite to elevate privileges on 64-bit devices running iOS 11.2 to 11.3.1.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Phenakite comes bundled with the publicly available Osiris jailbreak and also includes the Sock Port exploit.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (1 technique)
After the sample runs for the first time, it adds itself to system startup and copies itself to %appdata%\Roaming\Microsoft\Windows\Protected\setspn.exe. Comparing the malicious setspn.exe against the Microsoft original (normally found at C:\Windows\System32\setspn.exe) in PE-bear makes it obvious that the two files are not the same.
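The two artifact sets described on this page (the 2019 sample's setspn.exe masquerade and Run-key persistence, and the 2025 ransomware's .Osiris extension and Osiris-MESSAGE.txt note) lend themselves to a simple endpoint triage check. The script below is an added example, not code from the page or from any vendor; the event field names (type, path, key, id) are assumed and loosely modelled on Sysmon process-create, registry-set and file-create events, and the sample events are constructed, not real telemetry.

```python
"""Triage helper for the Osiris artifacts described above.

Added example (not from the original page or any vendor tooling). It walks
constructed endpoint event records and flags three things:
  * setspn.exe executing from anywhere other than the Windows system
    directories (the 2019 sample copied itself under %APPDATA%),
  * a Run-key value that launches such a non-system setspn.exe,
  * file writes matching the 2025 ransomware artifacts (.Osiris extension,
    Osiris-MESSAGE.txt).
Event field names are assumptions, loosely modelled on Sysmon events.
"""

import ntpath
from typing import Dict, Iterable, List, Tuple

# Directories where the genuine Microsoft setspn.exe lives (assumed allow-list).
LEGIT_SETSPN_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}
RANSOM_NOTE = "osiris-message.txt"   # ransom note name from the 2025 reports
RANSOM_EXT = ".osiris"               # extension appended to encrypted files


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def check_event(event: Dict[str, object]) -> List[str]:
    """Return finding strings for one event; an empty list means nothing matched."""
    findings: List[str] = []
    kind = event.get("type")
    path = _norm(str(event.get("path", "")))
    directory, name = ntpath.split(path)

    # setspn.exe is only legitimate under the system directories.
    suspicious_setspn = name == "setspn.exe" and directory not in LEGIT_SETSPN_DIRS

    if kind == "process_create" and suspicious_setspn:
        findings.append(f"masquerade: setspn.exe executed from non-system path {path}")
    elif kind == "registry_set" and suspicious_setspn:
        key = _norm(str(event.get("key", "")))
        if "\\currentversion\\run" in key:
            findings.append(f"persistence: Run key launches non-system setspn.exe {path}")
    elif kind == "file_create":
        if name == RANSOM_NOTE:
            findings.append(f"ransom note dropped: {path}")
        elif name.endswith(RANSOM_EXT):
            findings.append(f"encrypted-file artifact: {path}")
    return findings


def triage(events: Iterable[Dict[str, object]]) -> List[Tuple[object, str]]:
    """Run check_event over a stream of events, returning (event id, finding) pairs."""
    return [(e.get("id"), f) for e in events for f in check_event(e)]


# Constructed sample telemetry (not real data): one benign setspn launch,
# the masquerading copy, its Run-key entry, two ransomware artifacts, one benign file.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "path": r"C:\Windows\System32\setspn.exe"},
    {"id": 2, "type": "process_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Protected\setspn.exe"},
    {"id": 3, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\setspn",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Protected\setspn.exe"},
    {"id": 4, "type": "file_create", "path": r"D:\Shares\finance\Q3.xlsx.Osiris"},
    {"id": 5, "type": "file_create", "path": r"D:\Shares\finance\Osiris-MESSAGE.txt"},
    {"id": 6, "type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},
]


if __name__ == "__main__":
    for event_id, finding in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

The path check deliberately compares the whole parent directory against an allow-list rather than looking for "AppData" in the path, so a copy dropped anywhere outside System32/SysWOW64 (ProgramData, a temp directory, a share) is caught as well; a real deployment would feed genuine process, registry and file events into triage() instead of SAMPLE_EVENTS.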
Command and Control (1 technique)
Exfiltration (1 technique)
A quite interesting find: this Osiris sample uses a proof-of-concept implementation called Mini-Tor to communicate over the Tor network. This is convenient for the malware author, since it keeps the binary small while still allowing data exfiltration over an anonymized protocol.
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Ransomware family that used a BYOVD technique leveraging the POORTRY driver to disable security software.
Ransomware family that uses a mix of legitimate Windows tooling and custom components to gain access, disable defenses, exfiltrate data, and encrypt systems for extortion.
Newly reported ransomware family (first spotted Nov 2025) using a hybrid encryption scheme (ECC + AES-128-CTR) with per-file keys, terminating processes (e.g., SQL/Oracle/Office apps) prior to encryption, and dropping a ransom note (Osiris-MESSAGE.txt) directing victims to a negotiation chat. Observed using living-off-the-land tooling and drivers to disable defenses and support extortion via data exfiltration.
Ransomware family referenced as newly observed; no additional technical details provided in the content.