Primary target system where the ransomware executable was found and deployed from.
Previously unseen ransomware variant first encountered on August 29, 2025. Go binary with embedded encryption capabilities and ransom note.
Ransomware executable automatically deployed throughout the infrastructure via NETLOGON share replication across domain controllers.
Scheduled task named SystemUpdate created on multiple hosts to execute the ransomware binary from the NETLOGON share.
Threat actor enabled Remote Desktop Protocol access through the Windows firewall using a scheduled task.
Used to enable Remote Desktop Protocol through the Windows firewall.
Ransomware deletes volume shadow copies to prevent recovery of encrypted files.
Used to delete volume shadow copies to inhibit system recovery.
Ransomware gathers the CPU core count and enumerates storage devices to optimize its encryption strategy.
Ransomware determines the computer's role in the domain using the Windows API to identify a standalone PC, domain member, or domain controller.
Ransomware terminates 120 security, backup, database, and monitoring processes to prevent interference with encryption.
Ransomware encrypts files using XChaCha20 with Curve25519 key exchange, appending a 64-byte footer with the OBSCURA! marker.
Possible threat actor workstation name found in ransomware artifacts.
Multiple endpoints throughout the victim network where the ransomware was executed.
https://www.huntress.com/blog/obscura-ransomware-variant
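Two triage checks a responder can build from the artifacts listed above: a footer test for the OBSCURA! marker in the last 64 bytes of a file, and a filter over scheduled-task-creation records for the SystemUpdate task name or a command path under a NETLOGON share. This is an added example, not code from Huntress or the page; it assumes the marker may sit anywhere within the 64-byte footer, and the event records and the binary name update.exe are constructed placeholders, not real telemetry.

```python
"""Defender-side triage helpers for the Obscura artifacts described above (added example)."""
import re

FOOTER_LEN = 64          # size of the footer the page says is appended to encrypted files
MARKER = b"OBSCURA!"     # marker the page says the footer carries


def has_obscura_footer(data: bytes) -> bool:
    """True if the final 64 bytes of a file contain the OBSCURA! marker.

    Assumption (not stated on the page): the marker's offset inside the footer is
    unknown, so the whole footer is searched rather than a fixed position.
    """
    if len(data) < FOOTER_LEN:
        return False
    return MARKER in data[-FOOTER_LEN:]


# Matches a UNC path of the form \\<host>\NETLOGON\... (case-insensitive).
NETLOGON_RE = re.compile(r"\\\\[^\\]+\\NETLOGON\\", re.IGNORECASE)


def suspicious_task(event: dict) -> list[str]:
    """Return the reasons a scheduled-task-creation record matches the tradecraft above.

    `event` is a simplified, constructed record with 'task_name' and 'command' keys;
    real Windows task-creation events would need to be parsed into this shape first.
    """
    reasons = []
    if event.get("task_name", "").strip("\\").lower() == "systemupdate":
        reasons.append("task name SystemUpdate")
    if NETLOGON_RE.search(event.get("command", "")):
        reasons.append("executes binary from NETLOGON share")
    return reasons


def triage_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each flagged host with the reasons it was flagged; clean records are dropped."""
    hits = []
    for e in events:
        reasons = suspicious_task(e)
        if reasons:
            hits.append((e["host"], reasons))
    return hits


# Constructed sample records (hostnames, share host and binary name are placeholders).
SAMPLE_EVENTS = [
    {"host": "ws01", "task_name": "\\SystemUpdate",
     "command": r"\\dc01.corp.example\NETLOGON\update.exe"},
    {"host": "ws02", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c"},
]
```

`triage_events(SAMPLE_EVENTS)` flags only ws01, on both the task name and the NETLOGON path; the footer check is meant to be run over files that already fail to open normally, since a marker hit alone says nothing about which key encrypted them.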