NOTE: This is the initial report of Tengu Ransomware. The detailed version will be updated in the same post when newer information gets uncovered.
The most important part of this post is “THREAT INTELLIGENCE”.
1. INTRODUCTION
2. DATA LEAK SITE REVAMP
3. LEAK ANALYSIS
4. THREAT INTELLIGENCE: TENGU RANSOMWARE GROUP
4.1 EXPOSING LOGS
4.2 REVEALING HOSTNAMES
4.3 COMMAND USED BY TENGU RANSOMWARE GROUP
4.4 DEFENSIVE ACTION
4.5 UNCOVERING REAL IP
4.6 MODUS OPERANDI
4.7 ADDITIONAL INTEL
5. TWITTER ACTIVITY
6. RANSOM NOTE ANALYSIS
7. CONCLUSION
INTRODUCTION
The ransomware group appeared on October 9, 2025 by listing 6 victims initially on their Data Leak Site (DLS), primarily targeting Technology and Manufacturing sectors.

TENGU: in Shinto belief, Japanese mythical bird-like demons; protective, wise and often mischievous red-faced spirits with long noses.
There were 6 victims listed on 23rd October 2025. Their DLS was at
fuvodyoktsjdwu3mrbbrmdsmtblkxau6l7r5dygfwgzhf36mabjtcjad.onion

The first batch of victims is from:-
- Qatar
- Morocco
- UAE
- Spain
- Brazil
It is notable that, at first glance, the group focused more on Islamic nations than on the US. Later, this trend blended into the general ransomware victimology, as the US, Asia and Europe also appeared in the victim list.
It can be assumed that the group has a strong connection (an affiliate or group member) based in the Middle East. This could be the reason for the spike in Middle Eastern countries.
The first victim listed was Qatargas and Tar Company. However, the company was mistakenly tagged as Iran, though its actual geolocation is Qatar.
The victim page shows images of sensitive documents, including ID cards. The catch here is that all the listed images are Iranian, which is probably why the victim was tagged as Iran instead of Qatar.

NOTE: This was the only mis-geolocated victim on their DLS out of the 47 victims listed so far.
DATA LEAK SITE REVAMP
After operating for a while, the group decided to revamp its existing DLS. On January 27th, 2026, the group began to advertise their newer leak site and shut down the old one.
longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion
On 30th January 2026, the group went offline. This time was used for revamping their DLS, changing the TOX ID and shutting down the old leak domain.

On 10th March 2026, the group again switched back to the title “Shisa Ransomware”.

The group also published proper rules for its Affiliate Program; the affiliate cut is 80%–20%. Tengu builds are available for Windows, ESXi and Linux, each sized between 90–100KB.

While checking the File Management Service, it was found that the group had developed a new tool called “StealTENGU” for the File Upload Service. Apart from this, the group also uses MEGA, SFTP, PixelDrain and StorJ for file management.

The note present in the Affiliate Program signifies that the group uses Intermittent Encryption: only part of each file (the headers) is encrypted, which renders the file unusable without the key.
The group maintained a dedicated TOX ID for Affiliate Communication.
LEAK ANALYSIS
The group publishes images of each victim’s sensitive documents on the victim’s dedicated page, along with the publish time and a count-down timer.

The group has infiltrated 47 victims so far; however, the older victims were removed from the newer DLS page. Currently, only 12 victims are listed on their page.
As a part of DLS Revamp, the group had decided to store the Leaks on a separate domain in February 2026.
longvqprqrb4zbxooswz4upefhtikhnyqv4gw4fkzpkc2wjpvxsucwid.onion

From the domain, it can be inferred that the group opted for a vanity .onion address, as the keyword “long” is also present in the new domains.
In February 2026, the group made an additional 4 onion domains available as leak backups:-
- longejh5gj5igfinj36rmqt2ydx2vun6zmditi3ij6hebawnn4xucqad.onion
- longf6faa6tiudn5n6ar77z5balign2cxo2tjfsxuf6wnlzjamqew2yd.onion
- longhbqhzlv3p7tvx3iwhfizkmtkm2nhnlbw5d4qr65wjz5e6aa23mid.onion
- longjr5sl6a57ajn52nysmvgobmb7lktjthssmt2jeyjagk3rw36djyd.onion
The leaks are organized in a Directory File Structure, which makes it easy to scout through any files.

By tracing the older leaks, it was found that this server has been active since 14th February 2026 and that the latest file upload was performed on 5th March 2026.
Upon analyzing the file sizes, ~450GB are currently hosted in the mentioned server, which is expected to grow as more victims are added to the count-down timer. The largest file size clocked at 145GB.
While analyzing a few victims, it was found that the group had uploaded their Ransom Chat Negotiation to the Victim’s page as proof of communication to visitors. This tactical approach pressures the current victim to open a negotiation channel with them.

Though the negotiation was not fruitful for the group, uploading the chat psychologically challenges future victims and makes the point that the group is ready to roll out more tactics for victim negotiation if victims do not respond.
THREAT INTELLIGENCE: TENGU RANSOMWARE GROUP
The following is the most critical part of this blog: data that has not been made public before is disclosed here. In this section, we will see the network used by the Tengu group for brute-forcing attacks, the modus operandi Tengu follows once it has infiltrated a victim, the real IP address of the DLS and much more…
EXPOSING LOGS
A bunch of IPs were used against the victim. To be precise, 52 IP addresses were found in the attack, of which 12 IPs appeared repeatedly in the same log. Hence, we mark these as high-confidence IPs. Most of them are part of SMB/RDP brute-forcing.
COUNT | IP ADDRESS
==================
3 | 110.227.205.232
3 | 123.255.248.97
3 | 94.26.88.100
3 | 94.26.88.101
3 | 94.26.88.102
3 | 94.26.88.103
2 | 117.239.53.213
2 | 117.240.9.147
2 | 117.244.244.52
2 | 192.168.1.3
2 | 206.168.81.33
2 | 61.0.226.126
From the above-listed High Confidence IPs, it’s clear that the group had made use of Residential Proxies located in India 🇮🇳 (#6) as the victim was from India.

Alongside, 4 IPs were notable from Bulgaria 🇧🇬, belonging to MEVSPACE, a VPS cloud provider from Poland 🇵🇱.
NOTE: MEVSPACE is popular among criminal networks, as many incidents have been reported from it, such as React2Shell exploitation, phishing, DDoS attacks etc.
The threat actor likely chose these to blend in locally, as traffic from home IPs is rarely blocked.
The following is the list of IPs found attacking the victim:-
By mapping the host of these IPs, we can see the following trend:-

Flyservers S.A. dominates with 8 IPs across Monaco 🇲🇨 and Panama 🇵🇦 — known for VPS/bulletproof hosting often abused by attackers. It was previously leveraged by LockBit, BlackSuit, Akira and DPRK 🇰🇵 Actors.
Checking the Geo-Location, here are the stats for the same:

4 private/internal IPs (e.g., 192.168.1.x) are likely from victim-side logging or NAT, not external attackers.
According to CrowdStrike, most of the IPs found in the log had notably been used only for brute-forcing attacks.

Another one here just FYR:-

One of the IP addresses hosted FortiGate on its RDP port. This was possibly used/controlled by the Tengu Ransomware Group, as we will see below that the group installed FortiRDP on a victim machine.

Similarly, the same IP was seen hosting Odoo.
REVEALING HOSTNAMES
The following is the list of hostnames uncovered:-
WIN-VNPNGV0B7GQ
WIN-DI3NSODDMLO
WIN-4324J6071OG
WIN-J7O3HGLKHP1
WIN-60V56FLEGSG
WIN-4EESR4GKNLO
WIN-T898MO3KJ7C
WIN-4BCLP741LDI
These listed hostnames are not always malicious; however, you can include them in your list, as some of the IPs adopted these hostnames at some point (it is a digital trail for you).
COMMAND USED BY TENGU RANSOMWARE GROUP
nxc smb 192.168.104.24 -u caja -p caja -x "sc query | findstr /i fort"

Here is the break-down of the command used by Ransomware Group:
☢️nxc smb 192.168.104.24
NetExec to perform lateral movement over SMB
Targets the machine at 192.168.104.24 using the SMB protocol (port 445).
☢️-u caja -p caja
Authenticates using “caja” as both the username and the password
Such weak credentials are extremely common in ransomware attacks
☢️-x
-> Executes a specific command on a remote Windows target over SMB without deploying a persistent service binary like psexesvc.exe, unlike traditional PsExec.
-> Leverages Service Control Manager (SCM) via RPC to create a temporary service on-the-fly that runs the command and self-terminates.
-> Minimizes forensic artifacts while achieving lightweight remote execution.
☢️sc query
Lists all Windows services registered on the system (their names, states, types)
☢️findstr /i fort
Filters the output for any line containing the substring “fort” (case-insensitive due to /i)
This scans for the presence of Fortinet Applications
This command is used by threat actors for lateral movement over SMB combined with a specific reconnaissance / environment check step, commonly performed before the encryption stage.
SMB Lateral Movement and EDR/AV Detection Checks are achieved with this single command!
DEFENSIVE ACTION
❗Always check for Event ID 7045 (new service installation)
❗Check for “caja” being used as a credential in your environment
❗Add this to your Playbook
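As an added example (not from the original post), the following script turns the two checks above into playbook logic: it scans a handful of constructed Windows event records for a 7045 service whose ImagePath is a cmd.exe one-liner (the temporary-service execution pattern described for the nxc command, including the “sc query | findstr /i fort” recon string) and for logons by the watchlisted “caja” account. The event layout, service name and source IPs in the sample are assumptions for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample events (not real victim data): Windows System/Security
# records flattened to dicts, the way a SIEM export might present them.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # Temporary service whose ImagePath is a cmd.exe one-liner that runs the
    # reconnaissance command and redirects output to the loopback admin share.
    {"EventID": 7045, "ServiceName": "BTOBTO", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /Q /c echo sc query | findstr /i fort ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 4624, "TargetUserName": "caja", "LogonType": 3, "IpAddress": "192.168.104.9"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "192.168.104.50"},
    {"EventID": 4624, "TargetUserName": "caja", "LogonType": 10, "IpAddress": "94.26.88.100"},
]

WATCHLIST_ACCOUNTS = {"caja"}  # credentials named in the post

SERVICE_INDICATORS = [
    (re.compile(r"(%COMSPEC%|cmd\.exe)\s+/Q\s+/c", re.I), "cmd.exe one-liner as service ImagePath"),
    (re.compile(r"\\\\127\.0\.0\.1\\[A-Z]\$", re.I), "output redirected to loopback admin share"),
    (re.compile(r"sc\s+query.*findstr\s+/i\s+fort", re.I), "Fortinet service reconnaissance (sc query | findstr /i fort)"),
]

def service_findings(ev):
    """Return the reasons a 7045 (new service installed) event looks like ad-hoc remote execution."""
    return [reason for rx, reason in SERVICE_INDICATORS if rx.search(ev.get("ImagePath", ""))]

def logon_finding(ev):
    """Flag a 4624 logon by a watchlisted account and note whether the source is internal or external."""
    user = ev.get("TargetUserName", "").lower()
    if user not in WATCHLIST_ACCOUNTS:
        return None
    src = ev.get("IpAddress", "")
    scope = "internal" if src and ip_address(src).is_private else "external"
    return f"watchlisted account '{user}' logon type {ev.get('LogonType')} from {scope} source {src}"

def scan(events):
    """Walk the events and return (EventID, description) findings for the playbook."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045:
            for reason in service_findings(ev):
                findings.append((7045, f"service '{ev['ServiceName']}': {reason}"))
        elif ev.get("EventID") == 4624:
            hit = logon_finding(ev)
            if hit:
                findings.append((4624, hit))
    return findings

if __name__ == "__main__":
    for eid, desc in scan(SAMPLE_EVENTS):
        print(eid, desc)
```

Feed it your own exported 7045 and 4624 records in the same dict shape; a legitimate service install yields no service findings, while the temporary-service pattern trips all three indicators.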
UNCOVERING REAL IP
Here, I have found the real IP behind the TOR Data Leak Site.

IP: 194.163.154.33
VPN: Contabo
ASN: AS51167
Location: France 🇫🇷
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
It is notable that the ASN had already received a large number of abuse reports, mostly for hosting QakBot, Cobalt Strike, AsyncRAT etc.
MODUS OPERANDI
The following MO was carried out by the group while infiltrating a victim:-
-> Gained Initial Access via RDP Bruteforcing
-> Script ran for Environment Check and Forti Detection
-> Installed Forti RDP for Lateral Movement, though the victim didn’t have Forti Application installed.
Once initial access is gained, often via vulnerable Fortinet VPNs or firewalls, attackers enable or abuse RDP services to remotely control other systems. This allows them to escalate privileges, map the network, deploy ransomware payloads and exfiltrate data for double extortion. RDP is combined with LOLBINs (living-off-the-land binaries) for stealthy pivoting to file servers or critical assets.
This tactic maximizes disruption while evading detection, turning one compromised endpoint into network-wide control.
NOTE: The MO explained above is not the only method used by TENGU, but it should be taken into account, as the group also uses these techniques in its ransomware infections.
While scouting through the Telegram Channel, it was found that the group had made a statement about their mistake while compromising a victim:

This can be simplified as:-
- The Initial Mistake: They gained initial access to the network and then tried to deploy their ransomware/encryptor. However, due to an error in how they executed the attack, they only encrypted the domain controller (the main server that controls authentication, user accounts, policies, etc., in a Windows Active Directory). They incorrectly assumed that encrypting the domain controller would automatically encrypt everything else on the network.
- Result of the Mistake: The other servers, workstations, file shares, etc., “remained unencrypted” and fully functional. This would have been a big failure for the ransomware operation, as the victim could potentially restore from backups, isolate the DC, or recover without paying.
- What they did to fix it: After realizing the screw-up, they went back in (they still had access) and “properly deployed the encryption across all devices simultaneously” (or in a controlled wave). This means they spread the ransomware payload more effectively this time — likely using domain admin privileges or tools like PsExec, Group Policy, WMI, etc. — to encrypt the entire environment at once, making recovery much harder.
- Why the initial compromise was “Easy”: They exploited a vulnerability called “Zerologon (CVE-2020-1472)” on the domain controller.
In Short: The hackers almost flopped by only encrypting the DC (thinking it would cascade), but because they had used Zerologon to gain full control early on, they could easily go back, correct their deployment error, and Encrypt the whole network properly. This turned a potential failure into a successful Ransomware Hit.
ADDITIONAL INTEL
The following are findings made at different times while observing the activity of the TENGU Ransomware Group from multiple sources:-
➤During the analysis of the leaks, it was found that the group uses the Brave browser rather than relying directly on TOR.
➤The group attacked a Japanese religious entity named on 18th February 2026. But the group claims not to attack any religious institutions, stating “Unfortunately, we will be deleting this case. We will not target any temple or religious site again” on February 21, 2026.
➤In February 2026, the group tried to change its name from TENGU to SHISA, but scrapped the change and kept SHISA only as the page title; it switched back to SHISA again in March 2026.
➤On February 22, they advertised a custom file upload service called “StealTENGU”.
➤On February 28, the group claimed to have developed “StealTG” for Windows and Linux.
➤A US company’s listing claimed “22.9TB was encrypted in 14 hours on 3/5/2026”. This indirectly means the group makes use of Intermittent Encryption, a faster approach to achieving encryption within a limited time.
➤The group successfully exploited ZeroLogon (CVE-2020-1472) on a Domain Controller.
➤Apart from onion DLS promotion, the group is active in forums like RootSploit to recruit strong affiliates.
➤The group also attacks entities that have already been attacked earlier by other ransomware groups.
➤Like other Ransomware Groups, Tengu provides a unique ID to the victim for Negotiation.
TWITTER ACTIVITY
The group joined X/Twitter in January 2026 to voice their leaked claims over social media.
Initially, their Twitter Profile Picture was a Tiger, which later changed to a Tengu (Mythical Character).

It is notable that the group follows the Twitter profile of Devman Ransomware, which is not active at the moment, as Devman has announced voluntary retirement in various forums.
Apart from Devman, the group follows the prominent accounts like FalconFeeds, Dark Web Informer, totaling 7 accounts.
RANSOM NOTE ANALYSIS
We obtained 3 ransom notes from the group; they evolved over time, improving with each version.
Here is the latest Ransom Note of the Group:-
TENGU Locker
████████╗███████╗███╗░░██╗░██████╗░██╗░░░██╗
╚══██╔══╝██╔════╝████╗░██║██╔════╝░██║░░░██║
░░░██║░░░█████╗░░██╔██╗██║██║░░██╗░██║░░░██║
░░░██║░░░██╔══╝░░██║╚████║██║░░╚██╗██║░░░██║
░░░██║░░░███████╗██║░╚███║╚██████╔╝╚██████╔╝
░░░╚═╝░░░╚══════╝╚═╝░░╚══╝░╚═════╝░░╚═════╝░
Blog:http://longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion/
We've hacked your network and copied your data.
We've hacked your entire network and searched all your data.
We've copied all your confidential data and uploaded it to a private storage device.
You run a high-value business, and your data is critical.
We've encrypted your files.
As you're reading this message, your files and data have been encrypted by the world's most powerful ransomware.
Your files have been encrypted with a new military-grade encryption algorithm, and you can't decrypt them.
But don't worry, we can decrypt your files.
There's only one way to recover your computers and servers and maintain your privacy: contact us via live chat and pay for the TENGU DECRYPTOR device and private decryption keys.
The TENGU DECRYPTOR will restore your entire network in less than 5 hours. What are the guarantees?
------------------
We can make all your important data public and send emails to your competitors.
We have a dedicated Open Network Intelligence (OSINT) team and a media team specializing in data leaks across Telegram, Facebook, Twitter, and major news sites. You can easily reach us.
You could face major problems with serious consequences, including the loss of valuable intellectual property and other sensitive information, increased incident response costs, misuse of information, loss of customer trust, damage to your brand and reputation, and legal and regulatory issues. After paying the costs of a data breach and decryption, we guarantee that your data will never be leaked, and we remain completely silent to protect our reputation. Be careful!
------------------
We will only speak with authorized individuals. This could be your CEO, senior management, or others.
If you're not one of these people, don't contact us! Your decisions and actions could seriously damage your company!
Inform your superiors and stay calm! If you don't hear from us within 48 hours, we'll start posting your status on our official blog, and everyone will start noticing!
Your Next Steps
└─ Contact us via live chat to start the process and request a decryption test.
1) Download Tor Browser: https://www.torproject.org/download/
2) Chat:http://longcc4fqrfcqt5lzceutylaxir6h66fp6df3oin6mvwvz6pfdbxc6qd.onion/ID
3) Use this code— id —to log in to the chat
CONCLUSION
The group consists of members who are good at exploiting unpatched vulnerabilities and at brute forcing. The possibility of phishing cannot be ruled out either.
Obtain the IOCs and add them to your watch list/block list to avoid a catastrophic attack from a group that is a menace at the moment.
We have also seen evidence of the group exploiting an unpatched ZeroLogon.
The group is expected to thrive in the coming days, and it does not have an X-Claim so far, which makes it an ideal player in the ransomware ecosystem.
IOCs
Here you can find the Git Repo for Tengu Ransomware for future reference.