[NIGHTSPIRE] – Ransomware Victim: EPK


Ransomware Group: NIGHTSPIRE

VICTIM NAME: EPK

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the NIGHTSPIRE Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The ransomware leak page concerns a victim identified as “EPK,” based in Venezuela. The attack was publicly disclosed on May 19, 2025, with the compromise date recorded as May 18, 2025. The breach involves a substantial data exfiltration, with approximately 27 GB of data stolen by the threat group “nightspire.” The leak includes various types of sensitive information and possibly internal documents, although specific contents are not detailed. The page indicates that the attackers have released data publicly on a dedicated leak site, emphasizing the seriousness of the breach.

The attack involved multiple malware families and infostealer tools, including well-known malware such as Lumma, RedLine, and Raccoon, which were used to gather information from infected systems. The threat actor maintains a presence on the dark web, with references to related third-party domains and over 200 user accounts associated with the breach. Despite no specific press statements, visual evidence suggests that the attackers may have included screenshots of internal data or system information. While detailed content leaks are not provided, the data’s volume and malware diversity signify a significant cybersecurity incident at the targeted organization in Venezuela.

It is important to note that the threat actors associated with this incident have actively published the stolen data, possibly to pressure or extort the victim. The breach reveals that a variety of infostealers and malware are in use, indicating a sophisticated attack campaign. The attack appears to have involved various malicious tools designed to maximize data exfiltration. The absence of detailed content leaks means the specific nature of the compromised data remains unspecified, but the risk to the affected organization and related entities is considerable. The leak page is part of ongoing ransomware activities by the threat group, which continues to operate on the dark web, posing a persistent threat to organizations worldwide.

