Yurei Ransomware Uses Common Tools, Adds Stranger Things References
Yurei ransomware campaign uses common tools and Stranger Things-themed payloads.
Summary
Team Cymru discovered the Yurei ransomware campaign, which emerged in September 2025 and assembles modular toolkits from readily available tools rather than custom-built malware. The operators gain initial access with stolen credentials bought on criminal marketplaces, map the network with SoftPerfect NetScan and NetExec, escalate privileges with Rubeus, keep access through AnyDesk and move laterally with PsExec. A PowerShell script named Vecna.ps1 then registers a logon trigger that launches the StrangerThings.exe ransomware payload, after FixingIssues2.ps1 has disabled Windows Defender and recovery options have been removed with SDelete and shadow-copy deletion. The campaign names its components after Stranger Things characters and is based on the open-source Prince Ransomware written in Go.
Full text
By Deeba Ahmed, April 2, 2026 (2 minute read)

A new extortion campaign involving the Yurei ransomware toolkit has been detected by the research firm Team Cymru. The group behind it first appeared in September 2025 and stands out not only for its aggressive tactics but also for its habit of naming malicious tools after characters and themes from the TV show Stranger Things.

According to Team Cymru's research, detailed in a blog post shared with Hackread.com, the campaign follows a growing trend: instead of building their own software, the operators "assemble modular toolkits using readily available resources," which makes attacks cheaper and faster to launch.

Gaining Initial Access

Researchers noted that the Yurei operators' entry into a network is simple: they are believed to buy stolen credentials from criminal marketplaces. Once inside, they use SoftPerfect NetScan and NetExec to map the network and locate the most valuable data.

The group then uses Rubeus, an open-source Kerberos abuse toolkit, to escalate to administrator-level privileges, at which point it has effectively total control of the environment. To retain access even if the initial foothold is discovered, the operators install AnyDesk, a legitimate remote-desktop application that security tooling rarely flags because it is a signed, widely used business product.

The Vecna Script

The most striking part of the Yurei toolkit is a PowerShell script named Vecna.ps1. Like the villain from the show, it is designed to stay hidden and strike when the time is right: it registers a trigger that waits for a user to log on and then automatically launches the main ransomware binary, StrangerThings.exe.

(Image credit: Team Cymru)

The Yurei ransomware itself is not a new invention. Researchers noted that it is based on Prince Ransomware, an open-source project written in Go, which lets the Yurei operators "enter the ransomware underground economy without the necessary development skills or even investing much effort."

Covering Their Tracks

Before encrypting any files, the group makes sure the victim cannot recover them. A script named FixingIssues2.ps1 disables Windows Defender's major protection features. The operators also use SDelete, the Sysinternals secure-deletion utility, to wipe evidence beyond forensic recovery, and they delete Volume Shadow Copies, the automatic snapshots many organisations rely on to restore files.

Between December 2025 and January 2026, Team Cymru used NetFlow telemetry (network flow records) to observe traffic involving the group's infrastructure and to follow how the operators moved through victim systems with tools such as PsExec. The group's public leak site currently lists only three victims, but the ease with which such attacks can be assembled worries researchers. As they put it, the barrier to entry for cybercrime is lower than ever.
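As an added example (not code from the Team Cymru report, the Hackread article or the Yurei toolkit), the following PowerShell triage script checks a host for the artefacts described above: a logon-triggered scheduled task whose action runs from a user-writable path (the Vecna.ps1 pattern), Windows Defender preferences flipped the way FixingIssues2.ps1 is said to flip them, the state of Volume Shadow Copies, and services left behind by AnyDesk and PsExec. It assumes an elevated session on a Windows host with the ScheduledTasks and Defender modules available; the list of user-writable path fragments and the service-name patterns are assumptions to tune per environment.

```powershell
# Added triage example, not code from the Yurei toolkit or the Team Cymru report.
# Run from an elevated PowerShell session on the host being examined.

function Get-SuspiciousLogonTask {
    # Scheduled tasks with a logon trigger whose action runs from a
    # user-writable location: the shape a Vecna.ps1-style trigger would take.
    # Assumption: these path fragments mark user-writable locations.
    $userWritable = @('\Users\', '\ProgramData\', '\Temp\', '\AppData\')

    Get-ScheduledTask | ForEach-Object {
        $task  = $_
        $logon = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logon.Count -eq 0) { return }

        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $hit = $userWritable | Where-Object { $cmd -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-DefenderTamperState {
    # The preferences a FixingIssues2.ps1-style "blind Defender" script would
    # flip. Any $true, or an unexpected exclusion, warrants a closer look.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealtimeMonitoringDisabled = [bool]$pref.DisableRealtimeMonitoring
        BehaviorMonitoringDisabled = [bool]$pref.DisableBehaviorMonitoring
        IOAVProtectionDisabled     = [bool]$pref.DisableIOAVProtection
        ScriptScanningDisabled     = [bool]$pref.DisableScriptScanning
        TamperProtectionEnabled    = [bool]$status.IsTamperProtected
        ExclusionPaths             = (@($pref.ExclusionPath) -join ';')
        ExclusionProcesses         = (@($pref.ExclusionProcess) -join ';')
    }
}

function Get-ShadowCopyState {
    # Volume Shadow Copies present on the host. Zero copies on a system that
    # had scheduled snapshots is consistent with pre-encryption deletion.
    $shadows    = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $newest     = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
    $newestDate = $null
    if ($newest) { $newestDate = $newest.InstallDate }
    [pscustomobject]@{
        ShadowCopyCount = $shadows.Count
        NewestSnapshot  = $newestDate
    }
}

function Get-RemoteAccessArtifact {
    # Services left behind by the tooling described above. Assumption: the
    # AnyDesk service name starts with "AnyDesk" and PsExec's helper is "PSEXESVC".
    Get-Service | Where-Object { $_.Name -match '^(AnyDesk|PSEXESVC)' } |
        Select-Object Name, Status, StartType
}

# Usage (elevated session):
Get-SuspiciousLogonTask | Format-Table -AutoSize
Get-DefenderTamperState | Format-List
Get-ShadowCopyState
Get-RemoteAccessArtifact
```

A logon-triggered task pointing into a profile or temp directory is not proof of compromise on its own (some installers do it), so treat the output as a lead to correlate with the Defender state, the shadow-copy count and the presence of PSEXESVC on the same host.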
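The NetFlow vantage point described above, as an added example that is not Team Cymru's own analysis code: PsExec-style lateral movement shows up in flow records as one internal host opening SMB (TCP/445) connections to many distinct peers within a short window. The function below finds that fan-out in constructed, labelled sample flow records; the record format, the threshold and the window length are assumptions to tune for a real environment.

```powershell
# Added example, not Team Cymru's tooling. Flags a single source opening
# SMB (TCP/445) connections to many distinct hosts in a short window, the
# flow-level signature of PsExec-style lateral movement.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Flows,   # records with src,dst,dport,proto,ts
        [int] $MinDistinctTargets = 4,              # assumption: tune per environment
        [int] $WindowMinutes      = 10
    )
    $window = [timespan]::FromMinutes($WindowMinutes)

    $Flows |
        Where-Object { $_.proto -eq 'tcp' -and [int]$_.dport -eq 445 } |
        Group-Object -Property src |
        ForEach-Object {
            $src    = $_.Name
            $events = @($_.Group | Sort-Object { [datetime]$_.ts })
            for ($i = 0; $i -lt $events.Count; $i++) {
                $start   = [datetime]$events[$i].ts
                $targets = @($events |
                    Where-Object { $t = [datetime]$_.ts; $t -ge $start -and $t -le ($start + $window) } |
                    ForEach-Object { $_.dst } |
                    Sort-Object -Unique)
                if ($targets.Count -ge $MinDistinctTargets) {
                    [pscustomobject]@{
                        Source      = $src
                        WindowStart = $start
                        Targets     = $targets.Count
                        Hosts       = ($targets -join ', ')
                    }
                    break   # report the first qualifying window per source
                }
            }
        }
}

# Constructed sample flows (not real telemetry) in a simplified CSV form.
$sampleFlows = @'
src,dst,dport,proto,ts
10.0.1.5,10.0.2.10,445,tcp,2026-01-10T02:01:00Z
10.0.1.5,10.0.2.11,445,tcp,2026-01-10T02:01:30Z
10.0.1.5,10.0.2.12,445,tcp,2026-01-10T02:02:05Z
10.0.1.5,10.0.2.13,445,tcp,2026-01-10T02:03:40Z
10.0.1.5,10.0.2.14,445,tcp,2026-01-10T02:04:10Z
10.0.1.5,10.0.2.20,135,tcp,2026-01-10T02:04:12Z
10.0.3.7,10.0.2.10,445,tcp,2026-01-10T02:05:00Z
10.0.3.7,10.0.2.10,445,tcp,2026-01-10T02:07:00Z
10.0.4.9,10.0.2.50,445,tcp,2026-01-10T09:00:00Z
10.0.4.9,10.0.2.51,445,tcp,2026-01-10T11:30:00Z
'@ | ConvertFrom-Csv

Find-SmbFanOut -Flows $sampleFlows | Format-Table -AutoSize
```

The sample is built so that only the first source qualifies: it reaches five distinct hosts on 445 within four minutes, while the second source repeatedly contacts a single file server and the third touches two hosts hours apart. Real flow exports carry more fields (bytes, packets, flags) that sharpen this, for example requiring a completed handshake, but the fan-out count per source per window is the core of the check.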
Indicators of Compromise
- malware — Yurei
- malware — StrangerThings.exe
- malware — Vecna.ps1
- malware — FixingIssues2.ps1
- malware — Prince Ransomware