Cloak
Parsing : Enabled
Known to use a Captcha to block crawling.
Description
Cloak is a cybercriminal ransomware group that first appeared publicly in mid-2023, operating with a double-extortion model. It deploys an ARCrypter variant derived from Babuk, delivered via loaders that terminate security and backup services, delete shadow copies, and install encrypted payloads using algorithms like HC-128 combined with Curve25519 key generation. Victims include entities such as the Virginia Attorney General’s Office, whose IT systems were disrupted and whose data (134 GB) was exfiltrated and listed on Cloak’s Tor leak site. Cloak has been linked to other ARCrypter variants like Good Day, sharing victim portals and infrastructure. Its operations reportedly use initial access brokers, phishing, malvertising, and exploit kits for network infiltration.
| External Analysis |
|---|
| https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/cloak |
| https://www.thaiCERT.or.th/en/2025/03/25/cloak-ransomware-attacks-virginia-attorney-generals-office/ |
| https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities |
| https://www.sentinelone.com/blog/threat-actor-interplay-good-days-victim-portals-and-their-ties-to-cloak/ |
| https://www.cyberint.com/blog/other/cloak-ransomware-whos-behind-the-cloak/ |
| Urls | |
|---|---|
| http://cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion |
| File servers | |
|---|---|
| http://jpef6snenchj3rxgugsozky3i34q66vmcoqy7neyu37xxiwxrad5doid.onion | |
| http://glrw7ip5gz2fv2njbiqfvg5uiwavllw5zuixko4yrpj5hta7fjwqpjqd.onion | |
| http://vicjwr6abknvcfjomocyb3koloidahc3hidwt5sq2ytwk7yepwfzlsid.onion | |
| http://puzhh5aykks65qneqantprbqjt6k5bnigmwqwv6yvkxvkfu4ivva5mid.onion | |
| http://piatupks5hai3oafo66xlj2eg2fbzjqy2j7gy3nyhqmnthlrwvrsolad.onion | |
| http://necnstpnzuaovjocmiuv7ned7bstczit3kkvotqxl53xo5rfohndlvid.onion | |
| http://ey2eak3vq5zbeu4s56m25mm4kvszy2is7gyjs6tsfzmhptbyijkzn2yd.onion | |
| http://b53cqorlo7uftd3ymxguwnn7rfoz54ryoojjqxowdsaw2bahvuppntyd.onion | |
| http://l3bbtg2p2gp2x43e2nngzkf7ab52k4mef3saowrl6m5notkts7p2vfyd.onion | |
| http://vsdp5gqwrunytxw4f6dbxznux66aaewlwyenw3rantba4lwyzbckgfid.onion | |
| http://a6gq22ngckken4xksz5ytl66sqeylh45ktke5pnbzfdksw5sfum5lvqd.onion | |
| http://nbfxtlikrnicuht5yvvhlujpnh3spzjmek6eujeyck2ws34yytxjdhyd.onion | |
| http://ziburuf5kh4phq5i6nmukpke7uruflhlvfexfmjwiwgghapz6ug3ajyd.onion | |
| http://am3mzzguimx45wxywpukvwf3gobt3r4bidxzntjpsmqqge4s3vi2vvid.onion | |
| http://occwme3xtlnzk3nlhn5ewsgodswrp6pysmmk7kcxqgj4hyiwkhoqcuyd.onion | |
| http://qyywpuxysuur4exynwwwhu6nbd2f5vpj3h4tjbltfhwd4blamd4fppqd.onion | |
| http://hsn2e745m36crxj2gmnrp432vbsyarhwvq3fgcyus345dp3oqlrltuad.onion | |
| http://pbbeck4xcy3jzbu6lv5db3c5n3n44wngmpb5jj3yo4px32mlznziwbid.onion | |
| http://hmxt5u75kj5qxqjqhckgaoda6zndgxcazleersyioat4iuq3ldgmkcid.onion | |
| http://cii64fki62v2mudocjvgarzlmnpqrfp6xb7korapmdd7qmjpnccgduyd.onion | |
| http://jrmayo7rvsx6sbv36djpdge6iwuem67dhccpctera2ykmqr6kplhayad.onion | |
| http://ljrswxeei4isir3s5i7xmlzpx6sabmkgd7mvjrimcqwu7rqpn7bdjfad.onion | |
| http://qixf7fqw237ikunw4ey22jsc4deltducf6zn4mq4ldyqab3ij3gehlyd.onion | |
| http://ztqugnw4upfmd6mu3l6sdz2mfvzxzouhwgqqowyjeedgsmz733dqq2ad.onion | |
| http://u66kitj46wmr5onijbbkg7cq45crcs66c563kyqy6klxm5c2nz42ujid.onion | |
| http://e7gxrudyx2o733zlernyqqv623wyky5teor5xhnnx2g6dt4vf6jwn2yd.onion | |
| http://qx2b2on5phkj4jczfpzfkb5cuhxn7wfqbgdu27pmxyzamoim3jqff6qd.onion | |
| http://37izr5yow5d673agew22miyy3inbqncuv7gfp5372yciuzvadqef66yd.onion | |
| http://d2wqt4kek62s35hjeankc75nis4zn4e5i6zdtmfkyeevr7fygpf2iiid.onion | |
| http://sclj2rax5ljisew3v4msecylzo7iieqw25kcl7io4szei4qcujxixaid.onion | |
| http://xyy2fymbdytltylyuicasuvw7vw3gtgm3cvvjskh4jnzfg3gp7dqgnqd.onion | |
| http://heac3upmfv33scnkeek64dqdx2cblv7z256aezluyvgtwsxi2o3coiid.onion/ | |
| http://uss2a5zyeth7sop57zhgqcyafmnbkmoknps3i7anusze77zppp4bf5yd.onion/ | |
| http://67cw3reg2revettu2xfhaaaxhoukctplr6u6mhzri5x6uflet5bq56ad.onion |
| Chat servers | |
|---|---|
| http://6mw4yczxeqoiq7rgwnpi75qxsjd5jykuutpatflybodwlckoarhfdlid.onion/ | |
| http://7puvv4qtcrigzbxshqibkpibzbmrs6thb7s6uf3tisqfp3t2ddpp66id.onion/ | |
| http://vir3qwnhwtdriaejfsav6fu5y5ikqlyp5ml345eenlk4pxgabqpf4iid.onion/ |
| Admin servers |
|---|
Posts
| Date | Title | Description | Screen |
|---|---|---|---|
| Wstg-steuerberater.de | |||
| Tu*******ne | |||
| Go********l | |||
| *********.bh | |||
| *******roup.ro | |||
| Nos********om.br | |||
| Ws*******.de | |||
| Pensions.gov.lk | |||
| Productionsaw.com | Country: USA Views: 164 | ||
| **********li.com | |||
| Bosshard-farben.ch | |||
| Pe*************.lk | |||
| Orl***********.com | |||
| pea**********.uk | |||
| Pc***********.org | |||
| Oag.state.va.us | |||
| Wr-recht.de | |||
| Baltimorecityschools | |||
| Fi***************.pa | |||
| St***********.nl | |||
| ba**********.org | |||
| Waggonereng.com | |||
| op*********.eu | |||
| wr********.de | |||
| pen********.de | |||
| oa*************.us | |||
| Ad***********.ca | |||
| Centromedicoenova | Country: Spain Views: 69 View more /enova Public <100GB | ||
| Premierautocredit.com | Country: USA Views: 53 View more /pac Public 156GB | ||
| Kaisersbach.de | Country: germany Views: 106 View more /kaiser Public <100GB | ||
| Neovita.de | Country: germany Views: 88 View more /neovita Public 227GB | ||
| Bwfg.at | |||
| pre*************.com | |||
| Wa**********.com | |||
| ge*******.com | |||
| Mai***********.de | |||
| bac***********.com.au | |||
| Town of Ponoka | |||
| Kai*************.de | |||
| Ne***********.de | |||
| Fmp.gob.pe | |||
| N************.uk | |||
| Orthopaedie-hof.de | |||
| Ukh-hof.de | |||
| Donnewalddistributing | |||
| Bw**********.at | |||
| Ma************.de | |||
| Or*************.de | |||
| Uk***********.de | |||
| Globalresultspr.com | |||
| don****************.com | |||
| F************.pe | |||
| SCAFF'HOLDING | |||
| Glo**************.com | |||
| o******************v | |||
| mm********.com | |||
| Wertachkliniken.de | |||
| Pennvet.com | |||
| Ful************.com | |||
| Te***************.net | |||
| Pen*****************.com | |||
| El**********.hu | |||
| we****************.de | |||
| Kalaswire.com | |||
| Dunlop Aircraft Tyres | |||
| Vibo.dk | |||
| Hvb-ingenieure.de | |||
| Westermans.com | |||
| Stjamesplace.org | |||
| Dd*******uk | |||
| Entr**************.fr | |||
| Cb**********.com | |||
| upcli.com | |||
| Vi*********.dk | |||
| Hv*************.de | |||
| We*******.com | |||
| Ka******.com | |||
| Dun*****************uk | |||
| Longviewbridge.com | |||
| Ruland-viersen.de | |||
| P********.pl | |||
| Unit*****************.com | |||
| Mundocar.eu | |||
| lo***********.com | |||
| ab*******.org | |||
| Baeckerei-raddatz.de | |||
| Rul**********.de | |||
| cli*********.com | |||
| bae************.de | |||
| Speditionweise.de | |||
| Wencor.com | |||
| Theharriscenter.org | |||
| Mu*****.eu | |||
| Cv*****.com | |||
| Ce***.com | |||
| B*****.hu | |||
| Forgepresion.com | |||
| Ponoka.ca | |||
| Vhs-vaterstetten.de | |||
| Gascontec.com | |||
| Equatorial Energia | |||
| we****.com | |||
| The************.org | |||
| Sped**********.de | |||
| Maas911.com | |||
| farwickgrote.de | |||
| kvfcu.org | |||
| skncustoms.com | |||
| euro2000-spa.it | |||
| Thenewtrongroup.com | |||
| Bankofceylon.co.uk | |||
| carranza.on.ca | |||
| Arus-gmbh | |||
| Sportlab-srl | |||
| BONI-PASSAU.DE | |||
| lusis-avocats.com | |||
| werk33.com | |||
| GRIDINSTALLERS.com | |||
| surapon.com | |||
| mps-24.com | |||
| gruppomoba.com | |||
| stshcpa.com.tw | |||
| ihopmexico.com | |||
| Nicer technology | |||
| binhamoodah.ae | |||
| first-resources-ltd | |||
| Sbs-Berlin | |||
| imtmro.com | |||
| INCOBEC | |||
| still95.it | |||
| gsh-cargo.com | |||
| flamewarestudios.com | |||
| ALEZZELPOWER.com | |||
| Notaires.fr | |||
| Sonabhy.bf | |||
| KVFCU.ORG |