Authors: Harlan Carvey, Lindsey O’Donnell-Welch, Anna Pham, Alden Schmidt
On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called “Obscura.” This name was taken from the ransom note (README_Obscura.txt), which also made several references to Obscura in its contents.
While researching this variant, analysts found no public references to a ransomware family named Obscura.
The ransomware executable was first seen executing across multiple hosts in the victim organization. This network had only a limited deployment of the Huntress agent, which hindered both detection and response and limited the SOC’s ability to respond effectively. It also limited our visibility into certain aspects of the attack, including the initial access vector.
However, what we were able to see was that the ransomware executable was found on the domain controller, in the path:
C:\WINDOWS\sysvol\sysvol\[domain].local\scripts\
In the incident observed by the Huntress SOC, the ransomware executable file was named for the domain in which it was found, in an apparent attempt to blend in (for this reason, we are not publicly identifying the name of this executable). The executable is a Go binary (including a Go build ID), and contains a number of file paths, such as:
/run/media/veracrypt1/Backups/Obscura/Locker/windows/locker/
/run/media/veracrypt1/Locker Deps/go1.15.linux-amd64/go/src/os/exec
The binary’s location on the domain controller is shared as the NETLOGON folder, which makes scripts and group policy objects (GPOs) available to users. The folder’s contents are also replicated automatically across all domain controllers to keep them consistent. In this case, however, that replication meant the ransomware executable was automatically deployed throughout the infrastructure.
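As an added example (not code from the Huntress post), the following Python script walks a copy of the SYSVOL scripts folder and flags what a defender would want to see given the traits described above: PE files where only scripts belong, a Go build ID marker, the veracrypt build paths quoted from the sample, and a file named after the domain. The folder, domain name and file contents are constructed for the demonstration.

```python
import os
import tempfile

# Go binaries embed a "Go build ID:" string; the build paths below are the
# ones quoted from the Obscura sample in the post.
GO_BUILD_ID = b"Go build ID:"
OBSCURA_PATHS = [
    b"/run/media/veracrypt1/Backups/Obscura/Locker/",
    b"/run/media/veracrypt1/Locker Deps/",
]

def triage_file(path, domain):
    """Return a list of finding tags for one file in the scripts folder."""
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if data[:2] != b"MZ":
        return findings  # .bat/.vbs/.ps1 scripts are expected here; PE files are not
    findings.append("pe-in-scripts")
    if GO_BUILD_ID in data:
        findings.append("go-binary")
    if any(p in data for p in OBSCURA_PATHS):
        findings.append("obscura-build-path")
    stem = os.path.splitext(os.path.basename(path))[0].lower()
    if stem in (domain.lower(), domain.lower().split(".")[0]):
        findings.append("named-after-domain")
    return findings

def scan_scripts_folder(folder, domain):
    """Map file name -> findings for every file that produced at least one."""
    results = {}
    for root, _, files in os.walk(folder):
        for name in files:
            tags = triage_file(os.path.join(root, name), domain)
            if tags:
                results[name] = tags
    return results

def demo():
    # Constructed stand-in for C:\WINDOWS\sysvol\sysvol\<domain>\scripts\ (not real malware).
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "logon.bat"), "wb") as f:
        f.write(b"@echo off\r\nnet use H: \\\\fileserver\\home\r\n")
    with open(os.path.join(folder, "corp.exe"), "wb") as f:  # named after domain "corp.local"
        f.write(b"MZ" + b"\x00" * 62 + b'Go build ID: "constructed"\x00'
                + b"/run/media/veracrypt1/Backups/Obscura/Locker/windows/locker/\x00")
    return scan_scripts_folder(folder, "corp.local")

if __name__ == "__main__":
    print(demo())
```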