Threat Actor Characterization

Repellent Scorpius

ID: 9eaee6864d7b12fb70aac239d2ce625931690
Category: Cybercrime / Cybercriminal
Threat types: Ransomware
Unknown
Updated: 2026-03-04
Created: 2026-02-24
Operation zone: none listed
Aliases: none registered
MITRE ATT&CK®

Repellent Scorpius is publicly described as a ransomware-as-a-service (RaaS) distributor that deploys the Cicada3301 ransomware in a double-extortion model. Incident-response reporting documents initial access via RDP with stolen credentials, batch-script orchestration, PsExec-based remote execution, Rclone-based data exfiltration, pre-impact service/VM stopping behaviors, and encryption for impact. Infrastructure indicators are time-bounded and may overlap with other ransomware ecosystems.


Technique | Technique name | Tactics | Evidence
T1021.001 | Remote Desktop Protocol | TA0008
  • 2024-09-10 — RDP logon activity was captured and assessed as a likely initial access method using stolen credentials. (ref)
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2024-09-10 — INFERENCE (confidence: medium): initial access via stolen credentials and subsequent admin activity imply use of valid accounts for operations. (ref)
T1059.001 | PowerShell | TA0002
  • 2024-09-10 — PowerShell is used to invoke PsExec for remote execution of the encryptor across hosts. (ref)
T1569.002 | Service Execution | TA0002
  • 2024-09-10 — Batch script execution is described for running ransomware commands against multiple hosts. (ref)
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2024-09-10 — Rclone is identified as the tool used for exfiltration in the described incident. (ref)
T1105 | Ingress Tool Transfer | TA0011
  • 2024-09-10 — Tooling and payloads are staged in Public/ProgramData paths, consistent with ingress tool transfer. (ref)
T1489 | Service Stop | TA0040
  • 2024-09-10 — Pre-impact commands include stopping services and VMs to maximize encryption success and damage. (ref)
T1486 | Data Encrypted for Impact | TA0040
  • 2024-09-10 — Encryption for impact using a Rust-based encryptor is described as the core operation. (ref)
T1490 | Inhibit System Recovery | TA0040
  • 2024-09-10 — INFERENCE (confidence: medium): targeting of backup services and recovery components aligns with inhibiting system recovery behaviors typical of ransomware operations. (ref)
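The chain in the table above (RDP logon with valid credentials, PsExec service execution, Rclone exfiltration, service stop before encryption) lends itself to an ordered correlation check rather than four independent alerts. The following is an added example written for this page, not code from the profile or from the Unit 42 report; the event records, event-id-to-technique mapping and field strings are constructed and assume a simplified Windows Security/System log schema that you would map to your own telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events: (host, ISO timestamp, Windows event id, detail).
# 4624 with LogonType=10 = RDP logon, 7045 = service installed (PsExec drops
# PSEXESVC), 4688 = process creation, 7036 = service state change.
SAMPLE_EVENTS = [
    ("fs01", "2024-09-10T01:02:00", 4624, "LogonType=10 User=svc_backup"),
    ("fs01", "2024-09-10T01:05:30", 7045, "ServiceName=PSEXESVC"),
    ("fs01", "2024-09-10T01:07:10", 4688, "Process=rclone.exe"),
    ("fs01", "2024-09-10T01:20:00", 7036, "Service=VSS State=stopped"),
    ("ws07", "2024-09-10T09:00:00", 4624, "LogonType=10 User=jdoe"),
    ("ws07", "2024-09-10T09:30:00", 4688, "Process=outlook.exe"),
]

# Ordered chain taken from the ATT&CK table above: (technique, event id, marker).
STAGES = [
    ("T1021.001", 4624, "LogonType=10"),  # RDP logon with valid credentials
    ("T1569.002", 7045, "PSEXESVC"),      # PsExec service execution
    ("T1041", 4688, "rclone"),            # Rclone exfiltration
    ("T1489", 7036, "stopped"),           # service stop ahead of encryption
]

def correlate(events, window_hours=4, min_stages=3):
    """Return {host: [techniques matched]} for hosts where at least
    min_stages of STAGES occur in order within window_hours of the first
    RDP logon. Order matters: exfil and service stops are only treated as
    part of this chain when they follow the remote logon."""
    by_host = {}
    for host, ts, eid, detail in events:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), eid, detail))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()
        start = next((t for t, e, d in evs if e == 4624 and "LogonType=10" in d), None)
        if start is None:
            continue  # no RDP logon on this host, so the chain cannot begin
        deadline = start + timedelta(hours=window_hours)
        seen, idx = [], 0
        for t, eid, detail in evs:
            if t < start or t > deadline or idx >= len(STAGES):
                continue
            tech, want_eid, marker = STAGES[idx]
            if eid == want_eid and marker in detail:
                seen.append(tech)
                idx += 1
        if len(seen) >= min_stages:
            hits[host] = seen
    return hits
```

With the constructed data only fs01 completes the chain; ws07 shows an RDP logon with no follow-on stages and is not reported at the default threshold.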
Strategic Intelligence
Last updated: 2026-02-24T12:50:10+00:00
Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-24T12:51:28+00:00

2024-09-10 — Palo Alto Networks Unit 42 — “Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware”
