Malware, Ransomware, Security Operations

Yurei ransomware campaign leverages Stranger Things themes

A new extortion campaign utilizing the Yurei ransomware toolkit has been identified by Team Cymru. The threat actors, active since September 2025, are notable for their use of tools named after characters and themes from the popular television series Stranger Things, HackRead reports.

The Yurei campaign employs a modular toolkit assembled from readily available resources, lowering the barrier to entry for cybercriminals. Initial access is often gained by purchasing stolen credentials from criminal marketplaces. Once inside, attackers use tools like SoftPerfect NetScan and NetExec for network reconnaissance and data discovery. They escalate privileges using Rubeus to achieve administrator control and maintain persistence by installing legitimate remote desktop software like AnyDesk, which often evades security detection.

A key component is the PowerShell script "Vecna.ps1," which acts as a trigger for the "StrangerThings.exe" ransomware upon user login. The ransomware itself is based on the open-source Prince Ransomware. Before encryption, the attackers disable Windows Defender features and use SDelete to wipe shadow copies, ensuring data is irrecoverable.

Source: HackRead

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds