Home/ Threat Actors/ Play

🇷🇺Play

🇷🇺 Play is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 26 detection use cases to this actor across 47 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-05-28 to 2026-05-28.

crit 1

View full actor card → All threat actors MITRE ATT&CK group spec (G1040) ↗

26Use cases

1Articles

47Techniques

0IOCs

Known aliases

Play ransomwarePlayCryptBalloonflyPlay

Top techniques

T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1219 · Remote Access Tools

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021.002 · SMB/Windows Admin Shares T1027.010 · Command Obfuscation T1030 · Data Transfer Size Limits T1048 · Exfiltration Over Alternative Protocol T1057 · Process Discovery T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1070.004 · File Deletion T1071.001 · Web Protocols T1071.004 · DNS T1078 · Valid Accounts T1078.002 · Domain Accounts T1078.003 · Local Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1105 · Ingress Tool Transfer T1133 · External Remote Services T1204.001 · Malicious Link T1204.002 · Malicious File T1218 · System Binary Proxy Execution T1486 · Data Encrypted for Impact T1498 · Network Denial of Service T1518.001 · Security Software Discovery T1539 · Steal Web Session Cookie T1555.003 · Credentials from Web Browsers T1560.001 · Archive via Utility T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.004 · Spearphishing Voice T1569.002 · Service Execution T1583.001 · Domains T1583.003 · Virtual Private Server T1587.001 · Malware T1588.002 · Tool T1598.003 · Spearphishing Link T1657 · Financial Theft T1685 · Disable or Modify Tools T1685.005 · Clear Windows Event Logs

Detection use cases (26)

Play (Balloonfly) ransomware impact stage — .play extension fan-out + ReadMe.txt drop correlated with VSS shadow-copy wipe AI · profile SΣDD Play (Balloonfly) initial access — OWASSRF / ProxyNotShell Exchange w3wp.exe child-process chain AI · profile SΣDD NoName057(16) DDoSia client check-in (/client/login, /client/get_targets) Bespoke World Cup 2026 themed lookalike / typosquat domain resolution by corporate hosts Bespoke Beaconing — periodic outbound to small set of destinations Internal Infostealer — non-browser process accessing browser cookie/login DBs Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match

Threat-intel articles (1)

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface · 2026-05-28