Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining

A previously unknown gang dubbed Triplestrength poses a triple threat to organizations: It infects victims’ computers with ransomware, then hijacks their cloud accounts to illegally mine for cryptocurrency.

Google’s threat intelligence group has been tracking Triplestrength since 2023, and only recently started talking about this financially motivated criminal crew. It’s a small-ish group, “probably focused around a handful of individuals,” Kristen Dennesen, a Google threat intel analyst, told The Register.

But, despite lacking in numbers, the gang is very active in hacking and cybercrime forums, and the cloud giant’s incident responders have seen online personas connected to Triplestrength advertise access to compromised servers, including those in Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean, and recruiting other criminals for its extortion work.

On the ransomware front, it appears that the gang’s members have carried out attacks since at least 2020, “based on the activity we’ve seen in underground forums,” Dennesen said.

These ransomware infections target on-premises systems only — not cloud infrastructure — and unlike most modern ransomware criminals, they don’t involve double-extortion. This is where the thieves first steal victims’ files, then encrypt the stolen data, and threaten to leak or sell it if the victim doesn’t pay a ransom demand. Instead, files are encrypted, and payment is demanded to provide a means for unscrambling that data, the old school way.

The Microsoft Windows malware used in these infections has included Phobos, LokiLocker, and RCRU64, which are all leased to criminal groups under a ransomware-as-a-service model (RaaS) – but aren’t the more popular brands like RansomHub and Lockbit, typically seen in recent intrusions.

“It’s more reminiscent of old school ransomware activity,” Dennesen said, adding that in addition to using the older malware varieties from RaaS operations that don’t provide additional services to affiliates, such as dark-web sites to leak stolen data and ransom negotiating services, “the actors are more likely to rely on automated attack techniques such as brute-force attacks for their initial access.”

In these ransomware attacks, Google’s threat hunters haven’t seen the group exploit any specific software vulnerabilities to gain access or to escalate privilege. Thus, you’re not going to be zero-day’d or similar from this lot.

One intrusion in May 2024, for example: Triplestrength gained initial access after brute-force password guessing a remote-desktop server. After the initial break-in, the criminals moved laterally through the victim’s environment, disabled antivirus tools, and then deployed RCRU64 ransomware on multiple Windows hosts.

Hunting a triple threat

“The tools that we saw used in that activity were very common utilities and malware that we kind of see across a lot of ransomware activity,” Dennesen said. “We saw them use things like Mimikatz, NetScan — very widely adopted, publicly available tools.” That is to say, if you can prevent password brute-forcing to a publicly reachable RDP service, and/or can rapidly detect and react to Mimikatz et al, on your network, you’re already ahead of these crooks.
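The detection side of that advice, as an added example that is not part of the article: a small sliding-window check over constructed Windows Security log records shaped like Event ID 4625 (failed logon), flagging sources that hammer the RDP service (logon type 10) with many failures in a short window. The event tuples, IPs, account names and thresholds are all constructed for illustration.

```python
"""Flag RDP password brute-forcing from failed-logon events (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, target account, logon type).
# Logon type 10 = RemoteInteractive (RDP); type 2 = local console.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", "203.0.113.5", "administrator", 10),
    ("2024-05-01T02:00:03", "203.0.113.5", "admin", 10),
    ("2024-05-01T02:00:04", "203.0.113.5", "backup", 10),
    ("2024-05-01T02:00:06", "203.0.113.5", "svc_sql", 10),
    ("2024-05-01T02:00:07", "203.0.113.5", "jsmith", 10),
    ("2024-05-01T02:00:09", "203.0.113.5", "administrator", 10),
    ("2024-05-01T09:15:00", "192.0.2.20", "jsmith", 10),   # single typo, benign
    ("2024-05-01T09:16:30", "192.0.2.20", "jsmith", 2),    # console logon, ignored
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: set(accounts)} for every source that produced at least
    `threshold` failed RDP logons inside some sliding window of length `window`.
    The account set shows whether the source is spraying many usernames."""
    by_ip = defaultdict(list)
    for ts, ip, account, logon_type in events:
        if logon_type == 10:                      # only RemoteInteractive (RDP)
            by_ip[ip].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()                           # oldest first
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans <= `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {acct for _, acct in attempts[start:end + 1]}
                break                             # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, accounts in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {ip}: {sorted(accounts)}")
```

On a real host the same logic would be fed from the Security log (or a SIEM) rather than the inline list; the threshold and window are tuning knobs, not magic numbers.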

And while “they appear to keep their ransomware activity separate from their cryptomining efforts,” according to Google’s first Threat Horizons report of 2025, Triplestrength’s adverts calling for help in spreading RCRU64 and recruiting blackmailers on Telegram helped the cloud giant’s analysts link the crew to illicit cryptomining activity that began around 2022. The giveaway was that online accounts and postings associated with running cryptocurrency mining on compromised systems matched those being used to carry out extortion, we’re told.

“When you think about the types of activity you see in illicit crypto mining and ransomware, the technical indicators are very different,” Dennesen said.

“So we focus a little bit more here on some of the more actor-based characteristics, like the accounts they’re using, and what they’re putting on underground forums,” she continued.

“That makes this a little bit atypical for us, since we are usually very focused on what we’re seeing in overlaps, whether that’s something like overlapping specific malware that we think is exclusive to the group, or infrastructure.”

According to Dennesen, Triplestrength’s crypto-mining activity likely shifted from on-premises deployments to targeting victims’ cloud infrastructure: The gang in its early days would run software on an organization’s compromised on-prem computers to mine cryptocurrency as quietly as possible, using the victim’s resources, and send the digital cash off to the crooks. Then the crew moved on to snatching access to a victim’s cloud servers, and doing the mining there, while hitting them with ransomware.

While the incident responders spotted miners in Google Cloud customers’ environments, the criminals “almost certainly targeted multiple cloud providers’ services” by 2023, Dennesen noted.

An analysis of Triplestrength’s infrastructure revealed the gang indeed used stolen account credentials for Google Cloud, Amazon Web Services, and Linode, obtaining at least some of these creds from people’s Windows PCs via the Raccoon infostealer malware, and then the unMiner application and the unMineable mining pool for performing crypto-mining on hijacked cloud compute resources.

While these attacks, which Google says have likely targeted organizations across sectors and geographic regions, may only yield a few hundred dollars or a few thousand dollars per victim, the cost to the compromised organizations could be upwards of hundreds of thousands of dollars in cloud computing fees.

Dennesen declined to provide a victim count for any of Triplestrength’s criminal endeavors, though said the threat hunters “identified numerous TRX cryptocurrency addresses that we believe are associated with Triplestrength.”

These are based on wallet addresses recovered from configuration files, payouts received from the unMineable mining pool, and deposits made to cryptocurrency exchange deposit addresses.

“And at last count, which is now months outdated, there were over 600 payments to these addresses,” she said. “That at least gives you some idea of the volume of mining activity that they’re likely conducting.” ®