Stranger Strings: Yurei Ransomware Operator Toolkit Exposed

Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site, which listed a low number of victims at the time of writing. The ransomware is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that it could be a test build, possibly uploaded by the developer themselves. Yurei samples also show a link to SatanLockv2: they contain the PDB path string “D:\satanlockv2”.

Pulse ID: 69cd66412a30a525e66b507d
Pulse Link: https://otx.alienvault.com/pulse/69cd66412a30a525e66b507d
Pulse Author: AlienVault
Created: 2026-04-01 18:38:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CheckPoint #CyberSecurity #Extortion #InfoSec #OTX #OpenThreatExchange #RAT #RCE #RansomWare #Rust #VirusTotal #bot #AlienVault
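
The PDB path marker mentioned above can be checked during sample triage. The following Python is an added example, not code from the pulse or from Check Point; it assumes the path sits either in a CodeView RSDS debug record or as a plain ASCII/UTF-16LE string, and the function names and the test buffer are constructed for illustration.

```python
import re
import struct
import uuid

# Marker string quoted in the report above; matched case-insensitively.
MARKER = r"D:\satanlockv2"

# CodeView record layout: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def pdb_records(data: bytes):
    """Return (guid, age, pdb_path) for every RSDS record found in data."""
    out = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))
        age = struct.unpack("<I", m.group(2))[0]
        out.append((str(guid), age, m.group(3).decode("ascii")))
    return out


def marker_hits(data: bytes, marker: str = MARKER):
    """Return sorted (offset, encoding) pairs for ASCII and UTF-16LE copies of marker."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = re.compile(re.escape(marker.encode(enc)), re.IGNORECASE)
        hits += [(m.start(), enc) for m in pat.finditer(data)]
    return sorted(hits)


def triage(data: bytes):
    """Summarise embedded PDB paths and marker hits for one sample buffer."""
    paths = [p for _, _, p in pdb_records(data)]
    return {
        "pdb_paths": paths,
        "pdb_match": any(MARKER.lower() in p.lower() for p in paths),
        "marker_hits": marker_hits(data),
    }


# Constructed buffer, not a real sample: one RSDS record with a placeholder
# PDB file name, followed by a UTF-16LE copy of the marker.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + uuid.UUID("00112233-4455-6677-8899-aabbccddeeff").bytes_le
    + struct.pack("<I", 1) + rb"d:\SatanLockV2\placeholder.pdb" + b"\x00"
    + b"\x00" * 7 + MARKER.encode("utf-16-le")
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit on this string alone is a pivot for further analysis, not a verdict, in line with the unverified status of the pulse data.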
