Clankerusecase
Threat-actor profile

Akira

Akira is a tracked threat actor in the Clankerusecase corpus. Attributed to ??. Primary motivation: Criminal. We map 26 detection use cases to this actor across 53 MITRE ATT&CK techniques, with 4 threat-intel articles citing them. Active in our corpus from 2025-12-16 to 2026-05-18.

crit 4
MITRE ATT&CK group: G1024

Use cases: 26
Articles: 4
Techniques: 53
IOCs: 0

Known aliases

Akira ransomware, Akira, GOLD SAHARA, PUNK SPIDER, Howling Scorpius

Top techniques

All other tracked techniques

T1005 · Data from Local System
T1014 · Rootkit
T1018 · Remote System Discovery
T1021.001 · Remote Desktop Protocol
T1021.002 · SMB/Windows Admin Shares
T1027 · Obfuscated Files or Information
T1027.001 · Binary Padding
T1027.002 · Software Packing
T1027.005 · Indicator Removal from Tools
T1027.009 · Embedded Payloads
T1036.005 · Match Legitimate Resource Name or Location
T1037.001 · Logon Script (Windows)
T1055 · Process Injection
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1068 · Exploitation for Privilege Escalation
T1070.004 · File Deletion
T1071.001 · Web Protocols
T1078 · Valid Accounts
T1133 · External Remote Services
T1140 · Deobfuscate/Decode Files or Information
T1190 · Exploit Public-Facing Application
T1195.002 · Compromise Software Supply Chain
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1213.002 · Sharepoint
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1482 · Domain Trust Discovery
T1489 · Service Stop
T1490 · Inhibit System Recovery
T1531 · Account Access Removal
T1539 · Steal Web Session Cookie
T1543.003 · Windows Service
T1555.003 · Credentials from Web Browsers
T1558 · Steal or Forge Kerberos Tickets
T1560.001 · Archive via Utility
T1562.001 · Disable or Modify Tools
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking
T1562.009 · Safe Mode Boot
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1567.002 · Exfiltration to Cloud Storage
T1569.002 · Service Execution
T1657 · Financial Theft
T1685 · Disable or Modify Tools

Detection use cases (26)

Akira pre-encryption: WMI-driven shadow copy wipe paired with backup/SQL service stop [AI · profile SΣDD]
Akira initial access: MFA-less SSL VPN logon followed by rapid RDP fan-out (Cisco ASA / SonicWall vector) [AI · profile SDD]
Cisco Secure FMC anomalous outbound HTTP PUT (Interlock CVE-2026-20131 callback) [Bespoke]
Crypto-wallet file/keystore access by non-wallet process [Internal]
Infostealer: non-browser process accessing browser cookie/login DBs [Internal]
Asset exposure: vulnerability matches article CVE(s) [Internal]
Ransomware-style mass file rename / extension change [Internal]
LSASS process access / dump (credential theft) [Internal]
Remote service execution: PsExec / SMB lateral movement [Internal]
Trusted vendor binary / installer launching unusual children [Internal]
Phishing-link click correlated to endpoint execution [Internal]
Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) [Internal]
Ransomware-style mass file rename / extension change [Internal]
LSASS process access / dump (credential theft) [Internal]
1Password impossible-travel sign-in [MITRE match]
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) [MITRE match]
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request [MITRE match]
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection (post-RCE command execution) [MITRE match]
Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write [MITRE match]
Atlassian administrator impersonating user [MITRE match]
Auth0 anomalous attack-protection event spike [MITRE match]
AWS Console login without MFA + impossible travel [MITRE match]
AWS Detective behaviour graph deleted [MITRE match]
AWS KMS key deleted or scheduled for deletion [MITRE match]
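The two Akira-specific use cases at the top of the list (pre-encryption shadow-copy wipe paired with a backup/SQL service stop, and an MFA-less SSL VPN logon followed by rapid RDP fan-out) are titles only on this page. The following is an added example of how both correlations can be expressed over endpoint process-creation and VPN/RDP events; it is not the Clankerusecase rule logic. The event schema, the command-line regexes, the backup/SQL service-name hints, the 10/15-minute windows, the fan-out threshold and the sample events are all assumptions constructed for the example (IP addresses come from documentation ranges).

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# --- Rule 1: pre-encryption pairing (T1490 shadow-copy wipe + T1489 service stop) ---
# Command-line shapes reported for Akira (vssadmin / wmic / WMI via PowerShell).
# The regexes are this example's assumption, not the corpus rule.
SHADOW_WIPE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*Remove-WmiObject",
    re.IGNORECASE,
)
SERVICE_STOP_RE = re.compile(
    r"(?:\bnet1?(?:\.exe)?\s+stop|\bsc(?:\.exe)?\s+stop|Stop-Service(?:\s+-Name)?)"
    r"\s+\"?(?P<svc>[\w$.-]+)",
    re.IGNORECASE,
)
# Service-name substrings treated as backup / SQL (assumed list for the example).
BACKUP_SQL_HINTS = ("veeam", "backup", "mssql", "sqlserver", "sqlwriter", "acronis")


def _ts(s):
    return datetime.fromisoformat(s)


def detect_pre_encryption(proc_events, window=timedelta(minutes=10)):
    """Return sorted (host, user, service) tuples where a shadow-copy wipe and a stop
    of a backup/SQL service occur on the same host within `window` (either order)."""
    by_host = defaultdict(lambda: {"wipe": [], "stop": []})
    for ev in proc_events:
        cmd = ev["cmdline"]
        if SHADOW_WIPE_RE.search(cmd):
            by_host[ev["host"]]["wipe"].append((_ts(ev["ts"]), ev["user"]))
        m = SERVICE_STOP_RE.search(cmd)
        if m and any(h in m.group("svc").lower() for h in BACKUP_SQL_HINTS):
            by_host[ev["host"]]["stop"].append((_ts(ev["ts"]), ev["user"], m.group("svc")))
    hits = set()
    for host, ev in by_host.items():
        for t_wipe, user in ev["wipe"]:
            for t_stop, _, svc in ev["stop"]:
                if abs(t_stop - t_wipe) <= window:
                    hits.add((host, user, svc))
    return sorted(hits)


# --- Rule 2: MFA-less SSL VPN logon followed by rapid RDP fan-out (T1133 -> T1021.001) ---
def detect_vpn_rdp_fanout(vpn_logins, rdp_events, window=timedelta(minutes=15), min_targets=5):
    """Return (user, src_ip, n_targets) where a VPN logon with mfa=False is followed
    within `window` by RDP connections from the VPN-assigned address to at least
    `min_targets` distinct internal hosts."""
    hits = []
    for login in vpn_logins:
        if login["mfa"]:
            continue
        t0 = _ts(login["ts"])
        targets = {
            r["dst_host"] for r in rdp_events
            if r["src_ip"] == login["assigned_ip"] and t0 <= _ts(r["ts"]) <= t0 + window
        }
        if len(targets) >= min_targets:
            hits.append((login["user"], login["src_ip"], len(targets)))
    return hits


# Constructed sample telemetry (not real data).
PROC_EVENTS = [
    {"ts": "2026-03-02T01:14:03", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"ts": "2026-03-02T01:15:41", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": 'net stop "VeeamBackupSvc"'},
    {"ts": "2026-03-02T01:16:02", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "net stop MSSQLSERVER"},
    # benign: service stop without a wipe, and a wipe-free host
    {"ts": "2026-03-02T09:30:00", "host": "WS07", "user": "CORP\\alice",
     "cmdline": "net stop Spooler"},
    {"ts": "2026-03-01T22:00:00", "host": "DB02", "user": "CORP\\dba",
     "cmdline": "sc stop MSSQLSERVER"},
]
VPN_LOGINS = [
    {"ts": "2026-03-02T00:58:10", "user": "CORP\\jsmith", "src_ip": "203.0.113.7",
     "mfa": False, "assigned_ip": "10.8.0.23"},
    {"ts": "2026-03-02T08:02:00", "user": "CORP\\alice", "src_ip": "198.51.100.4",
     "mfa": True, "assigned_ip": "10.8.0.41"},
]
RDP_EVENTS = [
    {"ts": f"2026-03-02T01:0{i}:00", "src_ip": "10.8.0.23", "dst_host": h}
    for i, h in enumerate(["DC01", "FS01", "DB02", "WS07", "WS12", "HV01"])
] + [{"ts": "2026-03-02T08:05:00", "src_ip": "10.8.0.41", "dst_host": "WS07"}]

if __name__ == "__main__":
    print(detect_pre_encryption(PROC_EVENTS))
    print(detect_vpn_rdp_fanout(VPN_LOGINS, RDP_EVENTS))
```

Rule 1 deliberately requires both halves on the same host: a lone `net stop MSSQLSERVER` is routine maintenance, and a lone shadow-copy deletion has legitimate backup-agent sources, but the pairing inside a short window is the pre-encryption signature the use case title describes. Rule 2 keys the fan-out on the VPN-assigned address rather than the username so that a stolen account reused from several sessions is still counted per session.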

Threat-intel articles (4)

Tracked indicators

CVEs (1)

CVE-2026-20131