NightSpire emerged in February 2025 and launched its dark web leak site on March 12, 2025. Within weeks of going operational, the group transitioned from pure data theft and extortion to a full double extortion model — combining data exfiltration with file encryption. That speed of capability escalation is unusual for a genuinely new operation, and the reason is straightforward: NightSpire is not new.
The Rbfs Connection
Multiple threat intelligence firms assess NightSpire as a rebrand of the Rbfs ransomware operation. The evidence supporting this includes overlapping victims listed on both groups' leak sites, shared infrastructure between the two operations, and the complete cessation of all Rbfs-related activity coinciding precisely with NightSpire's launch. Halcyon's research further traces the operator handle xdragon128 to 2024 affiliations with Paranodeus ransomware, CyberVolk, and DarkAssault, though the exact nature of those relationships remains unclear.
Closed Shop, Not RaaS
Unlike most ransomware operations in 2025-2026, NightSpire does not operate a Ransomware-as-a-Service affiliate program. Every attack is handled in-house from initial access through extortion. This closed model gives the group tighter operational control but limits their scale compared to franchise operations like LockBit or RansomHub. Ransom demands range from $150,000 to $2 million, targeting predominantly small and medium-sized enterprises.
Operational Immaturity
Despite an aggressive posture, NightSpire exhibits significant tradecraft weaknesses that distinguish it from mature ransomware operations. The group has used Gmail addresses for victim communications — a major OPSEC failure that creates a larger digital footprint and increases vulnerability to law enforcement. Their leak site exposes Apache, OpenSSL, and PHP version information in server headers, providing defenders with technical intelligence for potential countermeasures. These errors suggest a group with ambition exceeding its operational security discipline.
Tactical Connections
Halcyon identifies tactical connections to Storm-1567, UNC4393, and TA2101 based on overlapping infrastructure and campaign tactics. Stylistic similarities to BlackCat/ALPHV in branding and intimidation rhetoric have been noted, with possible inspiration drawn from LockBit and Conti operational models. The ransomware payload itself is written in Go (Golang) and appends the .nspire extension to encrypted files.
Assessment
NightSpire represents a pattern increasingly common in the post-LockBit ransomware ecosystem: operators cycling through brands to shed law enforcement attention and negative reputation while preserving core infrastructure and TTPs. The Rbfs-to-NightSpire transition mirrors similar rebrands across the landscape, from DarkSide to BlackMatter to ALPHV. Organizations should treat NightSpire as a continuation of Rbfs operations rather than a novel threat.