ShellCodeX
Tools β€’ Events β€’ News β€’ Insights
Threat Group Profile

play

● Active β€” last 30 days
Victim claims 38
First seen Apr 2026
Last activity 07 Jul 2026
Tracked since β€”

Group overview

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises. On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs

Preferred targets

Business Services Β· 5 Technology Β· 5 Consumer Services Β· 4 Transportation/Logistics Β· 4 Construction Β· 4 Agriculture and Food Production Β· 3

Most targeted countries

US Β· 24 CA Β· 4 DE Β· 3 NL Β· 2 AU Β· 1 GB Β· 1

Tactics & techniques (MITRE ATT&CK)

Initial Access

Valid Accounts Exploit Public-Facing Application

Execution

Scheduled Task/Job: Scheduled Task Command and Scripting Interpreter Command and Scripting Interpreter: PowerShell

Defense Evasion

Obfuscated Files or Information Indicator Removal Indicator Removal: Clear Windows Event Logs Domain or Tenant Policy Modification Domain or Tenant Policy Modification: Group Policy Modification Disable or Modify Tools

Credential Access

OS Credential Dumping OS Credential Dumping: LSASS Memory OS Credential Dumping: NTDS Unsecured Credentials

Discovery

System Network Configuration Discovery Network Service Discovery Account Discovery: Domain Account Software Discovery Software Discovery: Security Software Discovery

Lateral Movement

Remote Services: Remote Desktop Protocol Remote Services: SMB/Windows Admin Shares Lateral Tool Transfer

Collection

Archive Collected Data Archive Collected Data: Archive via Utility

Exfiltration

Exfiltration Over Alternative Protocol

Victim Claims Timeline

Back to radar
Northern Mechanical Contractors
πŸ‡¨πŸ‡¦ CA Construction www.northernmc.com
IWC Food Service
πŸ‡ΊπŸ‡Έ US Agriculture and Food Production www.goiwc.com
Ashcroft Homes
πŸ‡¨πŸ‡¦ CA Construction www.ashcrofthomes.ca
K & E Distributing
πŸ‡ΊπŸ‡Έ US Transportation/Logistics www.kedistributing.com
Accessoires Outillage Ltee
πŸ‡¨πŸ‡¦ CA Manufacturing www.aolaml.com
EMA Engineering & Consulting
πŸ‡ΊπŸ‡Έ US Business Services www.emaengineer.com
Crystal Point
πŸ‡ΊπŸ‡Έ US www.crystalpoint.com
Morphosis
πŸ‡ΊπŸ‡Έ US Technology www.morphosis.com