Hackers Exploit IT Giants: Hacking, Mining, Ransom

The Google Threat Analysis Department has released new information on the activities of the hacker group Triplestrength, which has been carrying out operations since 2020. Genevieve Stark, who heads the analysis of cybercrime, hacktivism, and information operations at Google Threat Intelligence Group, found that although the group consists of only a few individuals, the scale of its operations is significant.

The criminals use a comprehensive approach to their attacks, infecting victims’ computers with malware while also taking control of cloud accounts for cryptocurrency mining. Additionally, the group members are actively involved in hacker forums, offering access to compromised servers.

The hackers have targeted servers on major cloud platforms including Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHcloud, and DigitalOcean. Investigations have shown that the attackers obtain account data through the malicious Raccoon program, which extracts information from infected Windows machines.

Analysts have observed that the group openly shares information about their extortion and cryptocurrency mining activities. They use sniffing programs solely for local system attacks, leaving the cloud infrastructure unharmed. Unlike other criminal groups, Triplestrength does not engage in double extortion tactics by stealing data; instead, they encrypt files and demand a ransom for their release.

Triplestrength employs various malware variants such as Phobos, LokiLocker, and RCRU64 for encryption, operating on the ‘Monitoring Model as a Service’ principle. Unlike popular ransomware offerings, Triplestrength does not provide additional services such as hosting stolen data on darknet sites or assisting with ransom negotiations.

The group’s initial methods of infiltrating victims’ systems are relatively simple, avoiding zero-day vulnerabilities and complex privilege escalation techniques. They primarily use automated password attacks to gain access to remote desktop servers. Once inside the network, they disable antivirus software and utilize publicly available tools like Mimikatz and Netscan.

A notable attack took place in May 2024, in which the hackers breached an RDP server by guessing the password, then infiltrated the corporate network, disabled security measures, and deployed RCRU64 on multiple Windows computers.
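The entry technique described above (automated password guessing against an exposed RDP server, followed by a successful logon) is visible in Windows Security logs. The following detection logic is an added example written for this article, not code from Google or from the report; it runs over constructed sample events and assumes the event fields have already been parsed into tuples.

```python
# Added example (not from the Google report): flag RDP password guessing
# that ends in a successful logon, using constructed Windows Security
# events. Event IDs 4625 (failed logon) and 4624 (successful logon) and
# LogonType 10 (RemoteInteractive, i.e. RDP) are the real Windows values.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, user)
SAMPLE_EVENTS = [
    ("2024-05-03 02:10:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-05-03 02:10:03", 4625, 10, "203.0.113.7", "admin"),
    ("2024-05-03 02:10:05", 4625, 10, "203.0.113.7", "backup"),
    ("2024-05-03 02:10:08", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-05-03 02:10:11", 4625, 10, "203.0.113.7", "svc_rdp"),
    ("2024-05-03 02:10:15", 4624, 10, "203.0.113.7", "svc_rdp"),
    ("2024-05-03 02:12:00", 4625, 10, "198.51.100.4", "jsmith"),
    ("2024-05-03 02:12:30", 4624, 10, "198.51.100.4", "jsmith"),
    ("2024-05-03 09:00:00", 4624, 2, "127.0.0.1", "jsmith"),
]

def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, user) pairs where a successful RDP logon (4624,
    LogonType 10) was preceded within `window` by at least `threshold`
    failed RDP logons (4625, LogonType 10) from the same source address."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent RDP failures
    hits = []
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Forget failures that fall outside the sliding window.
        failures[src] = [f for f in failures[src] if t - f <= window]
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624 and len(failures[src]) >= threshold:
            hits.append((src, user))  # a guessing burst ended in a success
            failures[src].clear()
    return hits

if __name__ == "__main__":
    for src, user in detect_rdp_guessing(SAMPLE_EVENTS):
        print(f"possible password-guessing success: {user} from {src}")
```

A single mistyped password from a legitimate user (the second source address) stays below the threshold and is not flagged; lowering `threshold` trades that quiet for earlier alerts.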

Details about Triplestrength’s operations were revealed in the first Google Threat Horizons report of 2025. The link between extortion and cryptocurrency mining was established through ads on Telegram in which the group sought assistance in spreading RCRU64. The accounts associated with these messages were found to be connected to those used for illegal mining activities.
