Clankerusecase
Threat-actor profile

🌐 Rhysida

🌐 Rhysida is a tracked threat actor in the Clankerusecase corpus. Attributed to ??. Primary motivation: Criminal. We map 14 detection use cases to this actor across 32 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-06-16 to 2026-06-16.

crit 1
14 Use cases
1 Articles
32 Techniques
3 IOCs

Known aliases

Rhysida

Top techniques

All other tracked techniques

Detection use cases (14)

Rhysida (Vice Society successor) — AnyDesk silent-install for hands-on-keyboard persistence (AI · profile SΣDD)
Rhysida — ntdsutil IFM snapshot for offline NTDS.dit extraction (AI · profile SΣDD)
ClickFix Run-dialog PowerShell download chain (BabaDeda/Lorem Ipsum/Potemkin) (Bespoke)
Outdated Node.js v7.10.1 launched from user-writable path (Lorem Ipsum Loader) (Bespoke)
DLL side-load of mscoree.dll or msvcp140.dll from non-System32 path (Lorem Ipsum) (Bespoke)
Potemkin host-marker file %LOCALAPPDATA%\hyper-v.ver creation (Bespoke)
MSI installer spawning HTA payload (Potemkin delivery chain) (Bespoke)
Storage Crypter external-storage payload read (BabaDeda List.Control.dat) (Bespoke)
Beaconing — periodic outbound to small set of destinations (Internal)
Network connections to article IPs / domains (Internal)
Infostealer — non-browser process accessing browser cookie/login DBs (Internal)
Remote service execution — PsExec / SMB lateral movement (Internal)
Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator (Internal)
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard (Internal)

Threat-intel articles (1)

Tracked indicators

Domains (1)

malicious.site

IP addresses (2)

91.92.243.161
95.163.152.190