
Sinobi is a financially motivated, closed vetted-affiliate RaaS operation assessed with medium confidence as a rebrand/successor of Lynx (itself INC-derived). Active since late June 2025, it gains access primarily via compromised SonicWall SSL VPN credentials and over-privileged accounts, removes EDR, exfiltrates with RClone and WinSCP, then deploys a Curve25519/AES-128-CTR locker that deletes shadow copies and appends .SINOBI — enforcing double extortion with a 7-day deadline. 250+ leak-site victims by May 2026. A serious mid-market threat through 2026.
TA2026169
.SINOBI locker, Lynx-derived code and infrastructure

Sinobi is a financially motivated ransomware-as-a-service operation that emerged in late June 2025. It runs a closed, vetted-affiliate model: a core team maintains the encryptor, infrastructure, and negotiation/leak portals, while screened affiliates conduct the intrusions. Code and data-leak-site overlaps support a medium-confidence assessment that Sinobi is a rebrand or successor of Lynx, itself derived from INC ransomware source code sold in May 2024 for $300,000. Despite the shinobi branding, consistent avoidance of Russia/CIS victims points to Russian or Eastern-European cybercrime.
Sinobi targets mid-to-large organizations with $10–50 million annual revenue, primarily in the United States. The top 2025 vertical was Manufacturing, followed by Construction, Healthcare, Technology, and Business Services. The operation scaled from ~40 victims in Q3 2025 to 250+ listed by May 2026. Given its inherited tooling maturity, rapid victim accumulation, credential-led intrusion model, and recovery-inhibition tradecraft, Sinobi should be treated as a serious mid-market threat through 2026.
| CVE ID | Vulnerability Name | Affected Product | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|
| CVE-2024-53704 | SonicWall SonicOS SSLVPN Improper Authentication Vulnerability | SonicWALL NSv devices · SonicWall SSLVPN | ✗ No | ✓ Yes | ✓ Yes |
| CVE-2024-40766 | SonicWall SonicOS Improper Access Control Vulnerability | SonicWall SonicOS | ✗ No | ✓ Yes | ✓ Yes |
Reported initial-access vectors include exploitation of CVE-2024-53704 (SSL VPN authentication bypass) and CVE-2024-40766 (improper access control, a credential-carryover flaw exploited by multiple ransomware groups during Gen 6 to Gen 7 SonicWall migrations). Phishing and initial-access-broker credentials are also reported vectors.

The locker appends .SINOBI to encrypted files and writes a README.txt note with Tor negotiation links and a 7-day deadline. The desktop wallpaper is replaced. Double extortion is enforced: pay the ransom or stolen data is published on the Sinobi leak site.

Patch SonicWall SonicOS against CVE-2024-40766 and CVE-2024-53704. Because CVE-2024-40766 is a credential-carryover flaw from Gen 6 to Gen 7 firewall migrations, reset all local SSL VPN account passwords imported during migration; patching alone is insufficient.

Alert on EDR service tampering (for example sc config <edr_service> start= disabled), and never store EDR uninstall or deregistration codes on file shares or mapped drives.

Alert on net user ... /add followed by net localgroup "domain admins" ... /add from a single session. Restrict net, net localgroup, and sc config execution from non-administrative hosts. Monitor RDP and network-share access between internal systems.

| Type | Value |
|---|---|
| SHA256 | 1b2a1e41a7f65b8d9008aa631f113cef36577e912c13f223ba8834bbefa4bd14 |
| SHA256 | 676dc8e28c90e64000a998ec257c014cb1152e7a5bdccab3916d8fba401853da |
| SHA256 | 9432b065c803baa54f1fefac20d97affce212dec2bb9a597fc010064d391fc24 |
| SHA256 | 8bb8c6e72d20e9b07bb55e0b0d168efe99d0088122131ae96d13fa01d3325a17 |
| SHA256 | 82cd0af26bc1e9e3b0bfcfe6c61cf467992367a31d87e6bd7e2efa8e9fecbb25 |
| SHA256 | d4919a7402d7ae02516589fbdfb3cc436749544052843a37b5d36ac4b7385b18 |
| SHA1 | 3ebf5f01ac8ca704f4ab9e12acd11139f3ff838f |
| SHA1 | 2101541061fb52b178165e7ef22244ec42601aea |
| SHA1 | 3055b209cfdd3bd297029ef4270b77b50f76dc03 |
| SHA1 | 86233a285363c2a6863bf642deab7e20f062b8eb |
| File Path | c:\programdata\rclone-ssh.conf |
| File Path | C:\programdata\bin.exe |
| File Path | %TEMP%\background-image.jpg |
| File Path | README.txt |
| Registry Key | HKCU\Control Panel\Desktop\Wallpaper |
| File Extension | .SINOBI |
| Tor Domain | sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd[.]onion |
| Tor Domain | sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd[.]onion |
| Tor Domain | sinobi6ywgmmvg2gj2yygkb2hxbimaxpqkyk27wti5zjwhfcldhackid[.]onion |
| Tor Domain | sinobi7l3wet3uqn4cagjiessuomv75aw3bvgah4jpj43od7xndb7kad[.]onion |
| Tor Domain | sinobi7sukclb3ygtorysbtrodgdbnrmgbhov45rwzipubbzhiu5jvqd[.]onion |
| Tor Domain | sinobi23i75c3znmqqxxyuzqvhxnjsar7actgvc4nqeuhgcn5yvz3zqd[.]onion |
| Tor Domain | sinobia6mw6ht2wcdjphessyzpy7ph2y4dyqbd74bgobgju4ybytmkqd[.]onion |
| Tor Domain | sinobi7yuoppj76qnkwiobwfc2qve2xkv2ckvzyyjblwd7ucpptl62ad[.]onion/login |
| Tor Domain | sinobi57mfegeov2naiufkidlkpze263jtbldokimfjqmk2mye6s4yqd[.]onion/login |
| Tor Domain | sinobibjqytwqxjw24zuerqcjyd3hoow6zia7z6kzvwawivamu7nqayd[.]onion/login |
| Tor Domain | sinobicrh73ongfuxjajmlyyhalvkhlcgttxkxaxz3gvsgdcgf76uiqd[.]onion/login |
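The detection guidance above (alert on net user ... /add followed by net localgroup "domain admins" ... /add from one session, alert on sc config <edr_service> start= disabled, and restrict these commands on non-administrative hosts) expressed as correlation logic over process-creation telemetry. This is an added example written for this page, not tooling from the profile or from any vendor. The event records are constructed; the allow-listed admin host, the EDR service names, the 30-minute correlation window, and the acceptance of both net localgroup and net group (net group is the form that actually targets domain groups such as Domain Admins; the profile quotes net localgroup) are assumptions.

```python
"""Correlation rules for the Sinobi post-compromise commands quoted above, run
over constructed process-creation records (the fields a SIEM extracts from
Windows Security 4688 or Sysmon Event ID 1)."""
import re
from datetime import datetime, timedelta

# Assumptions for this example (not from the profile): hosts from which admin
# tooling is expected, service names of common EDR sensors, and how long after
# a rogue account is created we still correlate its elevation.
ADMIN_HOSTS = {"admin-jump01"}
EDR_SERVICES = {"cbdefense", "csfalconservice", "sentinelagent", "sense"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
CHAIN_WINDOW = timedelta(minutes=30)

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted args" whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def exe_name(token):
    """'C:\\Windows\\System32\\net.exe' -> 'net'."""
    return token.rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def classify(cmdline):
    """Recognise the three command shapes the rules need; None for anything else."""
    t = tokenize(cmdline)
    if len(t) < 2:
        return None
    exe, sub = exe_name(t[0]), t[1].lower()
    flags = {x.lower() for x in t[2:]}
    if exe in ("net", "net1"):
        if sub == "user" and "/add" in flags and len(t) >= 4:
            return ("user_add", t[2].lower())                   # new account
        # net group is the form that actually targets domain groups; the
        # profile quotes net localgroup, so both are accepted here.
        if sub in ("localgroup", "group") and "/add" in flags and len(t) >= 4:
            return ("group_add", (t[2].lower(), t[3].lower()))  # (group, member)
    if exe == "sc" and sub == "config" and len(t) >= 3:
        # "start= disabled" arrives as two tokens; "start=disabled" is tolerated
        if re.search(r"start=\s*disabled", " ".join(t[3:]).lower()):
            return ("svc_disable", t[2].lower())
    return None


def detect(events):
    """Return alert dicts. The creation->elevation chain is keyed on (host, logon
    session) rather than username, because the intruder runs as a legitimate,
    over-privileged admin account and an account denylist would miss it."""
    alerts = []
    pending = {}  # (host, logon_id) -> {account: time it was created}
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev["cmdline"])
        if hit is None:
            continue
        kind, detail = hit
        ts = datetime.fromisoformat(ev["time"])
        host = ev["host"].lower()
        base = {"host": host, "user": ev["user"], "cmdline": ev["cmdline"]}
        if host not in ADMIN_HOSTS:
            alerts.append({"rule": "admin_tooling_from_nonadmin_host", **base})
        if kind == "user_add":
            pending.setdefault((host, ev["logon_id"]), {})[detail] = ts
        elif kind == "group_add":
            group, member = detail
            created = pending.get((host, ev["logon_id"]), {}).get(member)
            if group in PRIVILEGED_GROUPS and created and ts - created <= CHAIN_WINDOW:
                alerts.append({"rule": "rogue_account_elevated", "account": member,
                               "group": group, "seconds_after_creation":
                               (ts - created).total_seconds(), **base})
        elif kind == "svc_disable" and detail in EDR_SERVICES:
            alerts.append({"rule": "edr_service_disabled", "service": detail, **base})
    return alerts


def rule_counts(events):
    counts = {}
    for alert in detect(events):
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


# Constructed sample telemetry: one MSP admin session on a file server doing the
# chain described in the profile, plus benign admin and user activity.
SAMPLE_EVENTS = [
    {"time": "2025-09-14T02:10:05", "host": "FS01", "logon_id": "0x3a9f1c",
     "user": "CORP\\msp-admin",
     "cmdline": '"C:\\Windows\\System32\\net.exe" user backupsvc Summer2025! /add'},
    {"time": "2025-09-14T02:10:41", "host": "FS01", "logon_id": "0x3a9f1c",
     "user": "CORP\\msp-admin", "cmdline": "net localgroup administrators backupsvc /add"},
    {"time": "2025-09-14T02:11:10", "host": "FS01", "logon_id": "0x3a9f1c",
     "user": "CORP\\msp-admin", "cmdline": 'net localgroup "domain admins" backupsvc /add'},
    {"time": "2025-09-14T02:25:00", "host": "FS01", "logon_id": "0x3a9f1c",
     "user": "CORP\\msp-admin", "cmdline": "sc config CbDefense start= disabled"},
    {"time": "2025-09-14T09:02:00", "host": "ADMIN-JUMP01", "logon_id": "0x1b22",
     "user": "CORP\\it.ops", "cmdline": "net user auditor Tmp-Pass-1 /add"},
    {"time": "2025-09-14T09:05:00", "host": "WS17", "logon_id": "0x9c01",
     "user": "CORP\\jdoe", "cmdline": "net use Z: \\\\fs01\\finance"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the file-server session produces four non-admin-host alerts, two rogue-account elevations (local Administrators, then Domain Admins, 36 and 65 seconds after creation) and one EDR-disable alert; the jump-host account creation and the workstation net use are silent. Keying the chain on the logon ID is the practical point: the profile's intrusion is run from a legitimate over-privileged MSP account, so the signal is the sequence of commands in one session, not who ran them.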
| Tactic | Technique | Sub-technique & Notes |
|---|---|---|
| Initial Access | T1133 | External Remote Services — SonicWall SSL VPN credential abuse; over-privileged MSP domain-admin account enables RDP to file server |
| Initial Access | T1078 | T1078.002 Domain Accounts — compromised VPN credentials for over-privileged domain-administrator accounts; also IAB-sourced credentials |
| Initial Access | T1190 | Exploit Public-Facing Application — CVE-2024-53704 (SSLVPN auth bypass) and CVE-2024-40766 (improper access control / credential carryover) |
| Execution | T1059 | T1059.003 Windows Command Shell — post-compromise scripting for account creation, lateral movement, and encryptor deployment |
| Persistence | T1136 | T1136.001 Local Account — rogue local accounts created and elevated to local Administrators and Domain Admins for persistence and lateral movement |
| Persistence | T1543 | T1543.003 Windows Service — services modified or created to maintain persistence across the compromised environment |
| Privilege Escalation | T1134 | Access Token Manipulation — elevated privileges used to operate with domain-admin context across the compromised network |
| Privilege Escalation | T1098 | Account Manipulation — rogue accounts elevated into the Domain Admins group via net localgroup "domain admins" /add |
| Defense Evasion | T1562 | T1562.001 Disable/Modify Tools — Carbon Black EDR uninstalled using a deregistration code stored on a network share |
| Discovery | T1082 | System Information Discovery — host profiling to identify backup agents, databases, and mail servers for termination before encryption |
| Discovery | T1057 | Process Discovery — enumerates running backup, database, and mail processes for pre-encryption termination |
| Discovery | T1083 | File and Directory Discovery — file system enumeration to identify high-value data for exfiltration staging |
| Discovery | T1135 | Network Share Discovery — network shares enumerated for lateral movement and data staging via RClone/WinSCP |
| Discovery | T1087 | Account Discovery — existing accounts enumerated to identify targets for privilege escalation and lateral movement |
| Lateral Movement | T1021 | T1021.001 RDP / T1021.002 SMB — lateral movement via RDP and shared mounts across the compromised network |
| Credential Access | T1003 | OS Credential Dumping — credentials harvested post-compromise to support lateral movement and privilege escalation |
| Collection | T1005 | Data from Local System — sensitive data collected from compromised file servers prior to exfiltration |
| C2 | T1090 | T1090.003 Multi-hop Proxy — Tor onion domains used for negotiation and leak-site communications |
| Exfiltration | T1567 | T1567.002 Exfiltration to Cloud Storage — RClone and WinSCP used to transfer stolen data to cloud storage before encryption |
| Impact | T1486 | Data Encrypted for Impact — Curve25519/AES-128-CTR per-file encryption with CryptGenRandom; appends .SINOBI; no cryptographic decryption shortcut |
| Impact | T1489 | Service Stop — backup, database, and mail processes optionally terminated before encryption to maximize file access |
| Impact | T1490 | Inhibit System Recovery — volume shadow copies deleted via low-level DeviceIoControl resize; Recycle Bin emptied before encryption |