ShadowSyndicate Adopts Advanced SSH Key Rotation to Evade Detection The cybercriminal group ShadowSyndicate, first identified in 2022, has refined its infrastructure management tactics by rotating SSH keys across multiple servers a technique designed to obscure its operations and complicate tracking efforts. Initially, the group relied on a single SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d), creating a detectable pattern. However, its latest shift involves reusing servers and cycling SSH keys in ways that mimic legitimate server transfers, though operational errors have exposed these connections. Researchers from Group-IB uncovered two additional SSH fingerprints (ddd9ca54c1309cde578062cba965571e and 55c658703c07d6344e325ea26cf96c3b) linked to the group, following a 2025 report by Intrinsec that flagged another fingerprint. These findings reveal ShadowSyndicate’s infrastructure now spans at least 20 command-and-control (C2) servers, supporting attack frameworks like Cobalt Strike, MetaSploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. These tools enable persistent network access and ransomware deployment. Analysis of the group’s server clusters ties ShadowSyndicate to multiple ransomware operations, including Cl0p, ALPHV/BlackCat, Black Basta, Ryuk, and Malsmoke. This suggests the group may function as an Initial Access Broker (IAB) or provide bulletproof hosting for other cybercriminals. Despite using diverse hosting providers and geographic locations, ShadowSyndicate’s preference for specific autonomous system numbers (ASNs) creates identifiable patterns, aiding proactive detection. Security teams are advised to monitor for repeated MFA failures, high-volume login attempts, and rapid valid credential usage, as well as geographic mismatches between login attempts and device locations. The group’s evolving tactics underscore the need for continuous infrastructure correlation to counter its adaptive evasion strategies.