Arcane

Description

Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations against critical infrastructure like hospitals, schools, and educational entities. It follows a double-extortion model—encrypting data (using ROLLCOAST/Eruption malware) while also exfiltrating sensitive information and threatening to leak it. Victims have included institutions in the U.S. and Canada across sectors such as healthcare, education, and natural resources. Initial intrusion tactics involved deployment of Cobalt Strike with custom profiles, DLL-based in-memory execution, and signed TLS certificates, plus use of stealthy GET requests ending with “kitten.gif.” Specific encryption algorithms or file extensions have not been publicly confirmed. The group appears to operate in an affiliate-style model but remains under single management rather than a full RaaS platform.

External Analysis
https://www.anvilogic.com/threat-reports/unc2190-arcane-and-sabbath
https://cyberscoop.com/mandiant-sabbath-arcane-ransomware-rebrand/
Urls
Screen
File servers
Screen
Chat servers
Screen
Admin servers
Screen