GLOBAL GROUP Ransomware: The Alarming Evolution of Cybercrime in 2025

The Rise of GLOBAL GROUP: A New Cyber Threat Emerges

In the ever-evolving world of cybercrime, a new ransomware-as-a-service (RaaS) operation named GLOBAL GROUP is causing serious disruption across key industries worldwide. Launched in early June 2025, this operation has swiftly spread its malicious reach across Australia, Brazil, Europe, and the United States, targeting critical sectors like healthcare, oil and gas, engineering, and legal services.

Cybersecurity researchers have identified GLOBAL GROUP as a rebrand of the notorious BlackLock ransomware, which itself was a rebrand of Eldorado — demonstrating how threat actors evolve to stay undetected. The operation was promoted on Ramp4u, a known dark web forum, by a cybercriminal using the alias “$$$”, who also ran previous operations including Mamona.

What sets GLOBAL GROUP apart is its strategic use of initial access brokers (IABs). These brokers provide pre-compromised entry into corporate networks, enabling attackers to focus on deploying payloads, exfiltrating data, and demanding ransom — often using AI-powered negotiation bots for efficiency and language adaptability.

Access points include vulnerable edge appliances from vendors like Cisco, Fortinet, and Palo Alto Networks. Attackers also employ brute-force tools against Microsoft Outlook and RDWeb portals. Once inside, they use Remote Desktop Protocol (RDP) or web shells to conduct lateral movement and post-exploitation activities.
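
A defender-side check for the portal brute-forcing mentioned above, as an added example that is not from the original article or its sources: it scans IIS W3C logs for bursts of failed RDWeb sign-ins per client IP and records whether a successful sign-in followed the burst. The log lines are constructed, and treating a POST to `login.aspx` answered with 200 as a failure and with 302 as a success is an assumption to verify against your own deployment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

URI = "/RDWeb/Pages/en-US/login.aspx"
# Constructed IIS W3C log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    # 6 failed sign-ins in 50 seconds, then a success: burst followed by a hit
    + [f"2025-07-01 02:10:{s:02d} POST {URI} 203.0.113.7 200" for s in range(0, 60, 10)]
    + [f"2025-07-01 02:11:05 POST {URI} 203.0.113.7 302",
       # one mistyped password, then success: normal user behaviour
       f"2025-07-01 09:00:00 POST {URI} 198.51.100.20 200",
       f"2025-07-01 09:00:20 POST {URI} 198.51.100.20 302"]
    # 6 failures spread one per hour: below the burst threshold
    + [f"2025-07-01 {h:02d}:00:00 POST {URI} 192.0.2.50 200" for h in range(10, 16)]
)

def parse(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag client IPs with >= threshold failed RDWeb sign-ins inside window."""
    events = defaultdict(list)
    for row in parse(log_text):
        stem = row["cs-uri-stem"].lower()
        if (row["cs-method"] == "POST" and stem.startswith("/rdweb/")
                and stem.endswith("/login.aspx")):
            ts = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
            events[row["c-ip"]].append((ts, row["sc-status"]))
    findings = {}
    for ip, evs in events.items():
        recent, peak, burst, hit = [], 0, False, False
        for ts, status in sorted(evs):
            recent = [t for t in recent if ts - t <= window]  # slide the window
            if status == "200":    # assumption: login page re-rendered = failure
                recent.append(ts)
                peak = max(peak, len(recent))
                burst = burst or len(recent) >= threshold
            elif status == "302" and burst:  # assumption: redirect = success
                hit = True
        if burst:
            findings[ip] = {"peak_failures": peak, "success_after_burst": hit}
    return findings
```

An entry with `success_after_burst` set is the one to triage first, since it suggests a guessed credential rather than noise.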

The RaaS kit offers a sophisticated affiliate panel to manage victims, customize ransomware builds for various systems (including Windows, BSD, NAS, and VMware ESXi), and even includes a mobile-friendly design to attract more global partners. Affiliates are lured with a generous 85% revenue share, encouraging widespread adoption.

So far, 17 victims have been confirmed, including organizations in sectors such as automotive repair, industrial engineering, accident-recovery services, and business process outsourcing (BPO). Cybersecurity firms have traced GLOBAL GROUP’s infrastructure to the same Russian VPS provider used by Mamona, and observed code similarities pointing to its evolution.

Meanwhile, in the larger ransomware landscape, Qilin topped the activity chart in June 2025 with 81 known victims, followed by Akira, Play, SafePay, and DragonForce. While total ransomware attacks fell 15% from May to June, experts warn that geopolitical tensions and evolving strategies like GLOBAL GROUP’s signal a more dangerous future.

🔍 What Undercode Says:

Evolution Over Reinvention

Undercode analysts believe GLOBAL GROUP exemplifies a strategic pivot rather than a fresh threat. The rebranding from BlackLock to GLOBAL GROUP is more than just cosmetic; it’s an upgrade in infrastructure, tactics, and presentation. The deployment of AI chatbots for ransom negotiations is a game-changer, reducing the need for language skills and streamlining communication with victims.

Affiliate-First Design

One of the most compelling aspects of GLOBAL GROUP is its affiliate-friendly structure. With a robust dashboard, mobile access, customizable payloads, and a high-profit share, this RaaS offers a complete business model to budding cybercriminals. These features lower the technical barrier, meaning more criminals — even with minimal skills — can get involved.

Exploiting the Supply Chain

By depending heavily on initial access brokers, GLOBAL GROUP has essentially outsourced the hardest part of hacking. This not only speeds up operations but also makes them harder to trace. These partnerships show how cybercrime is mirroring legitimate business practices — delegation, automation, and performance incentives.

Codebase Connections & Infrastructure Overlap

GLOBAL GROUP’s Go-language architecture, shared hosting infrastructure, and payload functionality all link back to previous RaaS operations like Mamona and BlackLock. These reused elements hint at efficient development cycles and code repurposing that allow faster redeployment after setbacks like takedowns or infighting with rival groups (e.g., DragonForce’s attack on BlackLock’s site).

Threat Scope & Industry Impact

While only 17 victims have been confirmed, the breadth of sectors affected signals that GLOBAL GROUP isn’t targeting specific verticals — they’re going after anyone vulnerable. From BPOs to law firms, the variety indicates a broad victim profile, and with AI-enhanced extortion models, these attacks are becoming faster and more persuasive.

Overall Industry Insights

The 15% decline in attacks between May and June may appear promising, but it’s misleading. The rise of sophisticated groups like GLOBAL GROUP and Qilin — paired with geopolitical instability — suggests we are entering a phase of targeted, high-efficiency ransomware attacks. Quantity may dip, but quality and damage are increasing.

✅ Fact Checker Results

GLOBAL GROUP is confirmed as a rebrand of BlackLock, which itself evolved from Eldorado.
The group uses AI-powered chatbots for multilingual ransom negotiations — verified by security researchers.
Connections to Mamona and use of the same Russian VPS provider have been independently confirmed.

🔮 Prediction 🔥

Expect GLOBAL GROUP to become a top-tier RaaS contender in the next quarter. With its AI-driven strategy, user-centric platform, and aggressive affiliate recruitment, this group is set to attract more partners and more victims. If security measures aren’t updated, mid-sized businesses and legal sectors will remain especially vulnerable in Q3 and Q4 2025.

References:

Reported By: thehackernews.com