Ransomware Group: NIGHTSPIRE

VICTIM NAME: conasa infraestrutura s[.]a[.]

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the NIGHTSPIRE Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware attack targeted a construction company based in Brazil, identified as Conasa Infraestrutura S.A. The breach was discovered on July 13, 2025, with the attack itself occurring approximately a week earlier, on July 6, 2025. The incident involved a data compromise of approximately 30 GB, indicating a significant breach of sensitive information. The threat group responsible is associated with “Nightspire,” a known malicious actor. The leak page suggests that data related to company operations, possibly including internal documents, may have been exfiltrated and published online. The page does not provide explicit download links but indicates the presence of stolen data available for review or download by interested parties. Some screenshots or images may be available but were not included in the provided data.

The malicious activity involved infostealer malware, with some indicators pointing to tools such as Lumma and StealC, which are known for exfiltrating confidential information. The attack impacted multiple third-party domains and approximately ten users. Although the page does not specify PII or sensitive employee information, the leak could expose internal communications and operational details. The victim operates within the construction industry and is located in Brazil. Overall, the malicious actors have publicly disclosed the breach, aiming to damage reputation or extract ransom payments, while emphasizing the volume of data stolen and the threat group’s capabilities.