A recent infrastructure exposure provided a rare look into an active INC ransomware affiliate targeting the Asia-Pacific region. In mid-June 2026, a pair of open directories were identified on AEZA Group LLC infrastructure, a known bulletproof hosting environment, revealing an operational staging server. The exposed directories contained Windows and Linux encryptors, Group Policy Object (GPO) deployment scripts for a Japanese food and beverage company, and 675 MB of operator tooling and exfiltrated victim data. Together, these findings offered a unique view into an active ransomware campaign in near real time.
Key Findings
- Using Hunt.io AttackCapture, two directories hosted on AEZA Group infrastructure, a known bulletproof hosting provider, were observed a week apart, each serving a distinct role in the ransomware operation.
- 217.144.189[.]136 exposed a Linux encryptor suite cross-compiled for 14 CPU architectures, including PowerPC, SPARC64, IBM Z (s390x), and RISC-V, not previously linked to INC.
- OpenVPN profiles on .136, each named after a target/victim, indicated the operator(s) maintained persistent access across multiple victim networks.
- Exfiltrated data from an Asia-Pacific manufacturing company revealed the attacker specifically targeted Active Directory DPAPI backup master keys, which would enable offline decryption of all domain-protected credentials.
To understand how this infrastructure fit into INC’s broader operations, a look at the group’s history and prior campaign tracking provides additional context.
Background
INC ransomware was first detected in mid-2023 as a semi-private ransomware-as-a-service operation, quickly gaining notoriety for double-extortion campaigns across the healthcare, education, and manufacturing sectors. The group has claimed nearly 1,000 victims since its inception, and in 2024 the source code for both the Windows and Linux/ESXi encryptors was sold on underground forums. That sale gave rise to at least two families, Lynx and Sinobi, and introduced an attribution complexity that persists today. The encryptors have since been rewritten in Rust, which further complicates detection and analysis and extends the range of operating systems targeted.
On June 17, Acronis Threat Research Unit published an analysis of INC covering the group's full evolution, victimology, attack chain, and updated tooling, including a modified Veeam credential dumper. The findings documented in this post extend what has been publicly reported, specifically infrastructure exposure revealing undocumented platform targeting, toolchain components, and direct evidence of continued campaigns against large companies in the Asia-Pacific region.
Exposed Directory Infrastructure
An open directory on 45.80.228[.]227:80, hosted under AS210644 in Finland, was archived by AttackCapture on June 15, 2026. The server included two Windows encryptors and deployment scripts listing an Active Directory domain name likely linked to a Japanese food and beverage company. The samples communicate with known INC ransomware infrastructure, incblog[.]su, and its Tor-based companion domain.

A second directory on the same ASN, registered to a node in the Netherlands, 217.144.189[.]136, hosted 1,853 files totaling 675 MB. Unlike the directory displayed in the above screenshot, this server was used as an active working environment: .ssh, .config, .profile, and .gnupg, to name a few, sat alongside encryptors, reconnaissance logs, and exfiltrated victim data.

A set of JSON files timestamped June 17, 2026, covering computers, containers, domains, GPOs, groups, organizational units and more, represents a full Active Directory enumeration dump. Alongside these sits Administrator.ccache, a Kerberos credential cache containing Administrator account tickets, which would enable pass-the-ticket attacks.
Two ZIP archives named after a victim company contained 884 files organized by data category: board reports, HR databases, domain controller data, and so on. At the root of the loot directory are three files containing Active Directory DPAPI backup master keys. Possession of these enables offline decryption of domain-protected credentials across the compromised domain. A .john directory on the server implies the actors used the same server for password cracking.
Multiple VPN routing scripts throughout the directory, named after impacted organizations, establish tunneled access into victim networks. Accompanying sessionresume_* files are OpenVPN session tokens, which allow the operators to restore active connections without re-authenticating.
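When the domain backup master keys are read through the LSA secret interface on a domain controller, Windows can record the access as Security Event 4662 against SecretObject names beginning BCKUPKEY_, which gives defenders a concrete alerting hook for the theft described above. The following Python is an added example, not code from the post or from Hunt.io: it evaluates constructed 4662 records shaped like the event's EventData fields and correlates them per host and account; the five-minute window and the sample records are assumptions, and the audit policy for object access must be enabled for the event to exist at all.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # correlation window; an assumption for this example

# Constructed records, not data from the exposed server. Field names follow the
# Windows Security 4662 EventData schema (SubjectUserName, ObjectType, AccessMask...).
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2026-06-16T02:14:05", "Computer": "DC01.corp.example",
     "SubjectUserName": "Administrator", "ObjectType": "SecretObject", "AccessMask": "0x2",
     "ObjectName": "BCKUPKEY_PREFERRED Secret"},
    {"EventID": 4662, "TimeCreated": "2026-06-16T02:14:06", "Computer": "DC01.corp.example",
     "SubjectUserName": "Administrator", "ObjectType": "SecretObject", "AccessMask": "0x2",
     "ObjectName": "BCKUPKEY_P Secret"},
]


def is_backupkey_read(ev: dict) -> bool:
    """True for a 4662 that reads (access mask bit 0x2) an LSA secret named BCKUPKEY_*."""
    if ev.get("EventID") != 4662 or ev.get("ObjectType") != "SecretObject":
        return False
    try:
        mask = int(str(ev.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    return bool(mask & 0x2) and "BCKUPKEY" in str(ev.get("ObjectName", "")).upper()


def detect(events: list) -> list:
    """Group BCKUPKEY reads by (host, account). Several distinct secrets read
    within WINDOW is the bulk-extraction pattern and is rated high."""
    hits = defaultdict(list)
    for ev in events:
        if is_backupkey_read(ev):
            when = datetime.fromisoformat(ev["TimeCreated"])
            hits[(ev["Computer"], ev["SubjectUserName"])].append((when, ev["ObjectName"]))
    alerts = []
    for (host, user), reads in sorted(hits.items()):
        reads.sort()
        objects = sorted({name for _, name in reads})
        span = reads[-1][0] - reads[0][0]
        bulk = len(objects) >= 2 and span <= WINDOW
        alerts.append({"host": host, "account": user, "objects": objects,
                       "severity": "high" if bulk else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Retrieval of the same keys through directory replication does not produce this event and needs its own detection.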

Additional review of the sub-directories hosted on 217.144.189[.]136 extended the ransomware’s capabilities into new territories.
Cross-Platform by Design
The payload/ directory contains 14 binaries named after their Rust compilation targets, the default output naming when cross-compiling from a single source tree. The x86-64 Linux and ESXi variants align with capabilities documented in previous reporting; the remaining 10 do not. A lone Windows sample was tagged as INC ransomware in AttackCapture.

All Linux binaries carry embedded build paths referencing /work/cargo/registry/src/index.crates.io-1949cf8c6b5b557f/. Acronis TRU also identified this path in their recent blog post as a signature of the ransomware's containerized Rust build pipeline. The Curve25519/Salsa20 encryption scheme was also observed across all samples in this sub-directory.
| Filename | Architecture | Deployment Context |
| --- | --- | --- |
| aarch64-unknown-linux-gnu | ARM64 | ARM-based Linux servers, network appliances |
| arm-unknown-linux-gnueabi | ARMv6 soft-float | Embedded Linux, older ARM devices |
| arm-unknown-linux-gnueabihf | ARMv6 hard-float | NAS devices, ARM-based infrastructure |
| armv7-unknown-linux-gnueabi | ARMv7 soft-float | IoT |
| armv7-unknown-linux-gnueabihf | ARMv7 hard-float | ARM-based NAS, industrial systems |
| powerpc-unknown-linux-gnu | PowerPC 32-bit | Legacy IBM POWER, embedded systems |
| powerpc64-unknown-linux-gnu | PowerPC 64-bit | IBM POWER enterprise servers |
| riscv64gc-unknown-linux-gnu | RISC-V 64-bit | Emerging enterprise and research hardware |
| s390x-unknown-linux-gnu | IBM z/Architecture | Mainframe environments |
| sparc64-unknown-linux-gnu | SPARC64 | Oracle/Sun SPARC servers |
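To triage a directory like payload/ without executing anything, a defender can read each file's ELF identification header to confirm the target CPU behind the filename and check for the build path quoted above. The following Python is an added example, not code from the post, Hunt.io, or the ransomware: the e_machine mapping comes from the ELF specification, and the sample headers are constructed here rather than taken from the server.

```python
import struct

# Build path the post identifies as a signature of the Rust build pipeline
BUILD_PATH = b"/work/cargo/registry/src/index.crates.io-1949cf8c6b5b557f/"

# ELF e_machine values (from the ELF specification) for the targets listed above
E_MACHINE = {0x14: "PowerPC 32-bit", 0x15: "PowerPC 64-bit", 0x16: "s390x",
             0x28: "ARM 32-bit", 0x2B: "SPARC64", 0x3E: "x86-64",
             0xB7: "ARM64", 0xF3: "RISC-V"}
EF_ARM_ABI_FLOAT_SOFT, EF_ARM_ABI_FLOAT_HARD = 0x200, 0x400   # ARM e_flags ABI bits


def classify_elf(data: bytes) -> dict:
    """Report class, endianness, CPU, ARM float ABI and build-path hit; {} if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return {}
    bits = {1: 32, 2: 64}.get(data[4])      # EI_CLASS
    end = {1: "<", 2: ">"}.get(data[5])     # EI_DATA picks the struct byte order
    if bits is None or end is None:
        return {}
    (machine,) = struct.unpack_from(end + "H", data, 18)   # e_machine
    info = {"bits": bits, "endian": "big" if end == ">" else "little",
            "machine": E_MACHINE.get(machine, f"unknown 0x{machine:x}"),
            "inc_build_path": BUILD_PATH in data}
    if machine == 0x28 and bits == 32:      # e_flags sits at offset 36 in ELF32
        (flags,) = struct.unpack_from(end + "I", data, 36)
        if flags & EF_ARM_ABI_FLOAT_HARD:
            info["float_abi"] = "hard"
        elif flags & EF_ARM_ABI_FLOAT_SOFT:
            info["float_abi"] = "soft"
    return info


def fake_elf(bits: int, big_endian: bool, machine: int, flags: int = 0) -> bytes:
    """Constructed minimal ELF header for testing; not a real or malicious binary."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if big_endian else 1, 1])
    hdr = ident.ljust(16, b"\x00") + struct.pack(end + "HHI", 2, machine, 1)
    hdr += b"\x00" * (24 if bits == 64 else 12)          # e_entry, e_phoff, e_shoff
    return (hdr + struct.pack(end + "I", flags)).ljust(64, b"\x00")


if __name__ == "__main__":
    samples = {"s390x": fake_elf(64, True, 0x16) + BUILD_PATH,
               "armhf": fake_elf(32, False, 0x28, 0x5000400) + BUILD_PATH,
               "x86-64": fake_elf(64, False, 0x3E)}
    for name, blob in samples.items():
        print(name, classify_elf(blob))
```

Distinguishing ARMv6 from ARMv7 needs the .ARM.attributes section, which this header-only check does not parse.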
While modern ransomware heavily favors standard x86/x64 environments, these completed samples represent a deliberate expansion into core enterprise infrastructure. As shown above, INC is actively pivoting toward IBM POWER, SPARC64, and z/Architecture mainframes, platforms that anchor global banking, telecommunications, and high-volume financial transaction processing. Although the effectiveness of these specific samples remains unverified, their existence shows a calculated effort to disrupt critical networks traditionally isolated from these types of threats.
Custom Exfiltration Script
A Python script recovered from the root of 217.144.189[.]136 is an exfiltration tool built on the impacket library. It authenticates to victim infrastructure over SMB via pass-the-hash using hardcoded Administrator NTLM hashes and targeted a Southeast Asian manufacturer specializing in food production, biotechnology, and chemicals. The script runs in phases, prioritizing Chrome credential stores and executive desktop contents before moving on to HR and sales databases, ERP backups, and related systems.
A JSON state file allows the operation to resume gracefully after interruptions, and a per-file timeout of two hours prevents a single stalled transfer from blocking the rest of the run.

Python-Rust Bridge
The cargo registry cache contains the pyo3 crate family, specifically version 0.23.5, including its build configuration and FFI support libraries. pyo3 is a Rust crate that compiles Rust code into a shared library directly importable by Python. Unfortunately, the source project consuming these libraries was not recovered from the directory, so its intended function cannot be elaborated on here. Its presence in the same build environment as the Linux binaries is undocumented for this ransomware and will be monitored.

The contents of 45.80.228[.]227 and 217.144.189[.]136, identified a week apart on the same provider, expose an INC ransomware affiliate operation covering deployment infrastructure, active victim access, and a cross-platform payload suite not previously observed in the wild.
As of the publication of this post, both directories have been taken down. Collaboration with the appropriate CERTs is ongoing to assist in recovery efforts.
Indicators of Compromise (IoC)
| IP | Directory Port | Hosting Location |
| --- | --- | --- |
| 45.80.228[.]227 | 80 | Aeza, Helsinki, Finland |
| 217.144.189[.]136 | 8080 | Aeza Group, Amsterdam, North Holland, Netherlands |
Conclusion
The two directories examined in this post offer a rare view into an active INC ransomware operation. Open directories are a recurring consequence of operational tempo outpacing basic security hygiene, and they frequently provide a level of intelligence that closed-source reporting cannot.
The expansion of the ransomware’s Linux payloads to cover mainframe, POWER, and SPARC64 platforms warrants more attention than the ESXi variants. Operators have established that encrypting a hypervisor is more disruptive than encrypting individual endpoints. Targeting these platforms represents a logical escalation, and organizations that have largely remained outside the crosshairs of ransomware groups may now become a primary focus.