Data Hostage Crisis: East Africa’s Twaweza Falls to NightSpire Attack
There’s a relatively new threat actor group on the scene known as NightSpire, which has claimed another victim; this time the gang has targeted the Tanzania-based non-profit civil empowerment organization, twaweza.org
According to the group’s Tor site, the attack occurred on 4 July 2025. Furthermore, the group reported that the leak will occur, amounting to 2 TB of data, on 15 July 2025. At the time of this writing, they expect the Twaweza to satisfy the ransom within the allotted timeframe, 3:13:06:17, or else they will publicize the leak. The contents of the exfiltrated data are unknown.
Twaweza, which is Swahili for “we can make it happen”, operates regional offices in Kampala, Uganda, and Nairobi, Kenya. According to their website, the organization works on empowering individuals to take initiative and advocates for governments to act with better transparency and accountability.
NightSpire did not disclose which of these locations suffered the data breach. For this reason, details about the exact nature of the attack remain unknown.
However, a closer look at what is known about how NightSpire carries out its attacks can offer key insights into what may have occurred and what will happen next.
Who is NightSpire?
NightSpire can be understood as a double-extortion ransomware group, which made its first appearance in early 2025. The gang employs' data exfiltration with file encryption tactics while pressuring victims to pay up or face the public leakage of their sensitive files using their Tor-based leak site.
Additionally, the group has claimed over 60 victims between 30 and 64 entities and has launched their attack campaigns across over 33 countries, which have impacted multiple sectors.
There is no discernible pattern to their attack campaigns, no ideological motivations. Obstensibly, the choices in attacks do not seem to discriminate - the only objective is to shake down industries for money.
The group certainly values stealth as its foremost strategy. That is because they use no public branding or operate a large affiliate network. This allows them to maintain a small digital footprint, which appears to be consolidated to their Tor site.
This OPSEC (Operational Security) strategy makes it difficult for attribution and analysis of any malware strains they may be using in the world. Furthermore, it has not been formally ascertained if the group operates as a RaaS (Ransomware As A Service) group, and to date, no public affiliate program has been officially confirmed.
Attack Vectors
NightSpire relies on public vulnerabilities and phishing attacks to gain initial access. Once access is established, they use popular toolkits easily available for download, like Mimikatz, PsExec, and similar tools for lateral movement across devices connected across the local area network.
Once sensitive data has been collected, they exfiltrate it from the network to a remote location under their control using legitimate archiving tools like 7-Zip, Rclone, MEGACmd, and WinSCP.
NightSpire’s encryption payload is a Go-based binary, popular among malware writers due to its cross-platform compatibility and easy obfuscation. The payload locks down systems, appends a .nspire extension to encrypted files, and drops readme.txt ransom notes.
In a nutshell, the group relies heavily on legitimate, widely available software, making attribution and reverse engineering harder, since there’s no custom malware directly linked to the group.
It could be said that the group only has 3 calling cards that validate their involvement in a cyberattack at all:
- Their Tor site
- The readme.txt ransom note
- The .nspire file extension, associated with their malicious payload
This gives the group an incredible amount of leverage in managing their overall internet footprint.