Back to Intelligence

APT73 Ransomware Gang: 4 New Victims Posted — Sector Targeting Analysis & Detection Rules

SA
Security Arsenal Team
July 9, 2026
9 min read

APT73 is a ransomware operation that emerged in late 2025 and has been active throughout 2026. Based on analysis of their leak site activity and victim patterns, the group appears to operate as a closed criminal organization rather than a traditional RaaS model.

Known Operations

  • Aliases: No confirmed aliases currently associated with APT73
  • Operational Model: Closed group operation with a relatively small footprint
  • Ransom Demands: Estimated range of $500,000 to $5 million USD based on victim profile
  • Payment Method: Likely cryptocurrency transactions (not publicly confirmed)
  • Dwell Time: Estimated 10-16 days from initial access to encryption

TTP Overview

  • Initial Access: Primarily through exploitation of critical vulnerabilities in perimeter security devices, with secondary use of phishing campaigns
  • Lateral Movement: Common use of PsExec, WMI, and customized tools for network traversal
  • Data Exfiltration: Evidence of staging exfiltration via encrypted channels prior to encryption
  • Double Extortion: Confirmed use of data leak site to pressure victims into payment
  • Encryption: Custom implementation with ransom note left as .README.txt or .DECRYPT.txt files

Current Campaign Analysis

Targeting Patterns

APT73 has demonstrated a focused campaign against specific sectors with clear geographic targeting:

  • Manufacturing: 25% of victims (1 out of 4)
  • Business Services: 25% of victims (1 out of 4)
  • Other/Not Specified: 50% of victims (2 out of 4)

Geographic Distribution

  • Algeria (DZ): 1 victim (25%)
  • Iran (IR): 1 victim (25%)
  • Argentina (AR): 1 victim (25%)
  • United States (US): 1 victim (25%)

This distribution suggests APT73 is either deliberately targeting these specific regions or has established initial access vectors (vulnerabilities) that are prevalent in these geographies.

Victim Profile

Based on the current victims:

  • Company Size: Likely mid-market to enterprise organizations (revenue $50M-$500M)
  • dgcement.com: Manufacturing sector, likely large industrial operations
  • westernint.com: Business services, likely international operations given the name
  • azarestan.com and vicentetrapani.com: Unknown sectors, but likely regional operations

Campaign Timeline

  • All four victims were posted on 2026-07-06, suggesting a coordinated release
  • This batch approach is atypical for ransomware groups, which usually stagger releases
  • May indicate a backlog of attacks or a deliberate "mass disclosure" tactic

CVE Connection Analysis

APT73 is actively exploiting several critical vulnerabilities as initial access vectors:

  • CVE-2026-50751 (Check Point Security Gateway): Likely used for perimeter breach in affected organizations
  • CVE-2026-48027 (Nx Console): Possible supply chain component in attacks
  • CVE-2024-1708 (ConnectWise ScreenConnect): Potential for establishing persistent remote access
  • CVE-2023-21529 (Microsoft Exchange Server): Could be used for email harvesting and credential theft
  • CVE-2026-20131 (Cisco Secure Firewall Management Center): Likely used to bypass network security controls

Detection Engineering

SIGMA Rules

YAML
---
title: APT73 Initial Access via Check Point Security Gateway
description: Detects potential APT73 activity exploiting CVE-2026-50751 in Check Point Security Gateway
status: stable
date: 2026/07/09
author: Security Arsenal
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
tags:
  - attack.initial_access
  - attack.t1190
  - apt73
logsource:
  product: firewall
definition: 'Criteria: Firewall must log connection attempts'
detection:
  selection:
    dst_ip|startswith:
      - '192.168.'
      - '10.'
      - '172.16.'
    src_port: 500
    protocol: 'UDP'
    msg|contains:
      - 'IKE'
      - 'VPN'
  condition: selection
falsepositives:
  - Legitimate VPN connections
level: high

---
title: APT73 Lateral Movement via PsExec
description: Detects potential APT73 lateral movement using PsExec
date: 2026/07/09
author: Security Arsenal
status: stable
references:
  - https://attack.mitre.org/techniques/T1021/002/
tags:
  - attack.lateral_movement
  - attack.t1021.002
  - apt73
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    ShareName|startswith: '\\*\ADMIN$'
    RelativeTargetName|endswith: '\PSEXESVC.EXE'
  condition: selection
falsepositives:
  - System administration using PsExec
level: medium

---
title: APT73 Pre-Encryption Staging Activity
description: Detects potential APT73 pre-encryption staging indicators
date: 2026/07/09
author: Security Arsenal
status: stable
references:
  - https://attack.mitre.org/techniques/T1074/
tags:
  - attack.collection
  - attack.t1074
  - apt73
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4663
    ObjectType: 'File'
    ObjectName|contains:
      - '.encrypted'
      - '.locked'
      - '.locked2'
  filter:
    SubjectUserName:
      - 'SYSTEM'
      - 'LOCAL SERVICE'
  condition: selection and not filter
falsepositives:
  - Legitimate file encryption tools
level: high

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// APT73 Lateral Movement and Pre-Encryption Staging Hunt
let TimeRange = ago(7d);
let ProcessCreationEvents = materialize(
  SecurityEvent
  | where TimeGenerated > TimeRange
  | where EventID == 4688
);
let SuspiciousProcesses = ProcessCreationEvents
  | where NewProcessName in~ (
      "C:\\Windows\\System32\\cmd.exe", 
      "C:\\Windows\\System32\\powershell.exe", 
      "C:\\Windows\\System32\\wscript.exe",
      "C:\\Windows\\System32\\cscript.exe",
      "C:\\Windows\\System32\\mshta.exe"
    )
  | extend CommandLine = tostring(CommandLine)
  | where CommandLine contains "-enc" or 
         CommandLine contains "Invoke-Expression" or
         CommandLine contains "DownloadString" or
         CommandLine contains "IEX";
let NetworkActivity = 
  DeviceNetworkEvents
  | where TimeGenerated > TimeRange
  | where RemoteIPType == "External"
  | where InitiatingProcessFileName in~ (
      "powershell.exe", 
      "cmd.exe", 
      "wscript.exe",
      "rundll32.exe",
      "regsvr32.exe"
    );
union SuspiciousProcesses, NetworkActivity
| summarize count() by bin(TimeGenerated, 1h), Computer, InitiatingProcessFileName, RemoteIP
| where count_ > 5
| project TimeGenerated, Computer, InitiatingProcessFileName, RemoteIP, count_
| sort by count_ desc

PowerShell Response Script

PowerShell
# APT73 Rapid Response Hardening Script
# Run as Administrator

Write-Host "Starting APT73 Rapid Response Hardening Script..." -ForegroundColor Cyan

# 1. Check for exposed RDP
Write-Host "\n[1] Checking for exposed RDP access..." -ForegroundColor Yellow
$RDPStatus = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server").fDenyTSConnections
if ($RDPStatus -eq 0) {
    Write-Host "WARNING: RDP is ENABLED. Consider disabling if not required." -ForegroundColor Red
    Write-Host "To disable RDP, run: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 1" -ForegroundColor Gray
} else {
    Write-Host "RDP is disabled. Good." -ForegroundColor Green
}

# 2. Enumerate scheduled tasks added in the last 7 days
Write-Host "\n[2] Checking for recently added scheduled tasks..." -ForegroundColor Yellow
$DateThreshold = (Get-Date).AddDays(-7)
$RecentTasks = Get-ScheduledTask | Where-Object {$_.Date -gt $DateThreshold}
if ($RecentTasks) {
    Write-Host "Found $($RecentTasks.Count) tasks added in the last 7 days:" -ForegroundColor Yellow
    $RecentTasks | Format-Table TaskName, Author, Date -AutoSize
} else {
    Write-Host "No suspicious scheduled tasks found in the last 7 days." -ForegroundColor Green
}

# 3. Find recently modified Volume Shadow Copies
Write-Host "\n[3] Checking for recently modified Volume Shadow Copies..." -ForegroundColor Yellow
try {
    $VSS = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate -Descending | Select-Object -First 10
    if ($VSS) {
        Write-Host "Recent Volume Shadow Copies:" -ForegroundColor Yellow
        $VSS | Format-Table DeviceObject, InstallDate, VolumeName -AutoSize
        
        # Check for suspicious shadow copy deletions
        $VSSDeletionEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; ID=12343} -ErrorAction SilentlyContinue
        if ($VSSDeletionEvents) {
            Write-Host "WARNING: Found Volume Shadow Copy deletion events:" -ForegroundColor Red
            $VSSDeletionEvents | Select-Object TimeCreated, Message | Format-List
        }
    } else {
        Write-Host "No recent Volume Shadow Copies found." -ForegroundColor Green
    }
} catch {
    Write-Host "Error checking Volume Shadow Copies: $($_.Exception.Message)" -ForegroundColor Red
}

# 4. Check for suspicious services
Write-Host "\n[4] Checking for suspicious services..." -ForegroundColor Yellow
$SuspiciousServices = Get-WmiObject Win32_Service | Where-Object {
    $_.State -eq "Running" -and 
    $_.PathName -match ".{30,}" -and 
    $_.PathName -notmatch "C:\\Windows\\System32" -and 
    $_.PathName -notmatch "C:\\Program Files" -and 
    $_.PathName -notmatch "C:\\Program Files (x86)"
}
if ($SuspiciousServices) {
    Write-Host "Found $($SuspiciousServices.Count) potentially suspicious services:" -ForegroundColor Red
    $SuspiciousServices | Format-Table Name, DisplayName, PathName, State -AutoSize
} else {
    Write-Host "No suspicious services found." -ForegroundColor Green
}

# 5. Check for Check Point and Cisco devices (based on APT73 CVE exploitation)
Write-Host "\n[5] Checking for potentially vulnerable network devices..." -ForegroundColor Yellow
$NetworkDevices = Get-NetNeighbor -State Reachable | Select-Object -ExpandProperty IPAddress | ForEach-Object {
    try {
        $hostname = [System.Net.Dns]::GetHostEntry($_).HostName
        [PSCustomObject]@{
            IP = $_
            Hostname = $hostname
        }
    } catch {
        # Skip hosts without DNS records
    }
}
$CheckPointDevices = $NetworkDevices | Where-Object { $_.Hostname -match "checkpoint|checkpoint-" }
$CiscoDevices = $NetworkDevices | Where-Object { $_.Hostname -match "cisco|cisco-" }

if ($CheckPointDevices) {
    Write-Host "Found potential Check Point devices (vulnerable to CVE-2026-50751):" -ForegroundColor Red
    $CheckPointDevices | Format-Table -AutoSize
}
if ($CiscoDevices) {
    Write-Host "Found potential Cisco devices (vulnerable to CVE-2026-20131):" -ForegroundColor Red
    $CiscoDevices | Format-Table -AutoSize
}

if (!$CheckPointDevices -and !$CiscoDevices) {
    Write-Host "No obviously vulnerable network devices found." -ForegroundColor Green
}

Write-Host "\nAPT73 Rapid Response Hardening Script completed." -ForegroundColor Cyan
Write-Host "For further investigation, consider running a full forensic analysis." -ForegroundColor Gray


# Incident Response Priorities

T-minus Detection Checklist

Critical indicators to monitor before encryption occurs:

  • Network Anomalies: Unusual inbound connections on ports 500 (UDP/IKE) and 8443 (HTTPS management)
  • Authentication Events: Multiple failed logins followed by successful ones from new locations
  • Process Execution: Spawn of unusual processes from system utilities (cmd.exe, powershell.exe)
  • File Modifications: Sudden creation of encrypted files with new extensions
  • Scheduled Tasks: Creation of new tasks with elevated privileges
  • Shadow Copy Activity: Deletion or modification of Volume Shadow Copies
  • Service Creation: New services with obscure names or unusual paths

Critical Assets Targeted for Exfiltration

Based on APT73's victim profile, prioritize protection of:

  • Manufacturing Sector: Intellectual property, production formulas, supply chain data, customer lists
  • Business Services: Client data, financial records, proprietary methodologies
  • General Targets: HR records, executive communications, credential stores

Containment Actions (by urgency)

Immediate (T-0)

  1. Isolate affected systems from the network
  2. Revoke potentially compromised credentials
  3. Disable remote access services (RDP, VPN) temporarily
  4. Preserve volatile memory for forensic analysis
  5. Block known malicious IPs and domains at the perimeter

Short-term (T+24h)

  1. Conduct thorough credential reset for privileged accounts
  2. Implement network segmentation between critical and non-critical systems
  3. Review and limit administrative access
  4. Enhance monitoring for post-compromise activity
  5. Begin restoration from verified backups

Hardening Recommendations

Immediate (24h)

  1. Patch Critical Vulnerabilities: Immediately apply patches for:

    • CVE-2026-50751 (Check Point Security Gateway)
    • CVE-2026-48027 (Nx Console)
    • CVE-2024-1708 (ConnectWise ScreenConnect)
    • CVE-2023-21529 (Microsoft Exchange Server)
    • CVE-2026-20131 (Cisco Secure Firewall Management Center)
  2. Implement Multi-Factor Authentication (MFA): Enforce MFA for all remote access and administrative accounts

  3. Review VPN Access: Audit and restrict VPN access to only those who absolutely need it

  4. Disable Unnecessary Services: Turn off RDP and other remote access services where not required

  5. Update Detection Rules: Deploy provided SIGMA rules and monitoring queries

Short-term (2 weeks)

  1. Network Segmentation: Implement strict segmentation between business functions and internet-facing systems

  2. Zero-Trust Architecture: Begin implementing zero-trust principles, especially for privileged access

  3. Endpoint Detection and Response (EDR): Deploy or enhance EDR capabilities across all endpoints

  4. Application Whitelisting: Implement application whitelisting to prevent unauthorized code execution

  5. Backup Verification: Verify that backups are immutable and test restoration procedures

  6. Incident Response Planning: Update and test incident response playbooks specific to ransomware

  7. Threat Hunting: Implement regular threat hunting exercises based on APT73 TTPs

  8. Security Awareness Training: Conduct specialized training focused on identifying sophisticated phishing attempts

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangapt73ransomwaremanufacturingbusiness-servicescve-exploitationdouble-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.