From Eraleign (APT73) to BASHE: Uncovering the Evolution of a Ransomware Operation

At first glance, BASHE looks like just another ransomware leak site: dark web panels, countdown timers, and rows of victim data quietly sitting behind onion links. But a closer look tells a different story.

What initially appears as a standalone operation starts to unravel into something deeper. Familiar infrastructure patterns, reused communication channels, and subtle overlaps begin to point toward an earlier identity: one that operated under a completely different name. That trail leads to “APT73” and a lesser-known platform called Eraleign, hinting that BASHE may not be new at all, just reintroduced.

As the investigation progressed, what stood out wasn’t just the volume of leaked data or the number of mirror domains, but how deliberately everything was structured, from affiliate onboarding to communication channels and even internal messaging. It suggests planning, continuity, and a level of organization that doesn’t usually come with newly surfaced groups.

This report follows that thread, starting from a single BASHE domain and gradually uncovering the connections that reshape how this group should be understood.

Incident Trigger and Initial Investigation

This investigation began with a single entry.

While monitoring ransomware activity on StealthMole, a Saudi Arabia–based organization appeared on a BASHE-linked leak page:

• http://bashe*******************hyd.onion/page_company*********5

At first, it looked routine: another victim page, another dataset at risk. But the presence of structured listings, dedicated URLs, and exposed data previews suggested something more active than a one-off post. It pointed to an operational leak site, not just a placeholder.

That raised a simple question: was this isolated or part of something larger?

To answer that, the investigation pivoted into StealthMole’s Ransomware Monitoring module. What initially seemed like a single incident quickly expanded into a much broader picture. BASHE was linked to 114 victims between April 2024 and April 2026, revealing a pattern of sustained activity rather than sporadic leaks.

As those entries were reviewed, another detail started to stand out. The victims weren’t concentrated in one region or industry. Instead, they were scattered, across countries like Saudi Arabia, the United States, Mexico, Serbia, Indonesia, and Ghana, and across sectors ranging from healthcare and insurance to construction and membership organizations.

It didn’t look targeted. It looked opportunistic, but consistent.

At that point, the focus shifted. BASHE was no longer just a name attached to a single victim page, it was an operation with reach, structure, and continuity. And that made one thing clear: to understand it properly, the investigation had to move beyond victims and into the infrastructure that was holding everything together.

Infrastructure Discovery and Leak Site Analysis

Following the shift in focus from victims to infrastructure, the investigation returned to the BASHE leak site itself, this time with a different objective: understanding how the operation was structured behind the scenes.

The primary entry point remained:

• bashe**********************************************hyd.onion

At surface level, the site followed the familiar layout of a ransomware leak platform: victim listings, countdown timers, and segmented data disclosures. But as different sections of the panel were explored, it became clear that this wasn’t just a static leak board.

Multiple internal pages revealed how the operation was organized:

• /contact_us.php - outlining communication channels and response expectations
• /mirrors.php - providing alternative domains to maintain uninterrupted access
• /how_to_buy_bitcoin.php - guiding victims through ransom payment methods
• /affiliate/affiliate program EU.php - detailing how external actors could join the operation
• /bug_bounty.php - encouraging vulnerability discovery and platform testing

Taken together, these sections pointed to a structured ecosystem rather than a simple leak site. The presence of an affiliate program, in particular, suggested a Ransomware-as-a-Service (RaaS)-like model, where external participants could contribute to operations in exchange for a share of the ransom.

Further analysis of the mirrors section expanded the infrastructure footprint significantly. In addition to the primary domain, nine active onion domains were identified, all following a consistent naming pattern and serving as alternative access points:

• bashe***********************************************hyad.onion
• bashe***********************************************kyqd.onion
• bashe***********************************************77qd.onion
• bashe***********************************************t3ad.onion
• bashe***********************************************ofid.onion
• bashe***********************************************fpid.onion
• bashe***********************************************x4ad.onion
• bashe***********************************************hzqd.onion
• bashe***********************************************eayd.onion

This level of redundancy indicated an effort to ensure resilience against takedowns or access disruptions, something typically seen in more established operations.

As the infrastructure mapping expanded, additional details began to emerge. Contact points embedded within the platform, such as ba******m@onionmail.org and t********e@onionmail.org, along with a dedicated TOX ID and Telegram channels, provided further pivot points for investigation.

At this stage, BASHE no longer appeared as a single leak site, but as a coordinated environment with multiple layers: access points, communication channels, and onboarding mechanisms. And it was through these layers, particularly the external communication channels, that the investigation began to uncover connections that did not align with BASHE’s current branding.

Telegram Activity and Cross-Platform Promotion

With BASHE’s infrastructure mapped, the investigation shifted toward its external communication footprint, particularly Telegram, where ransomware groups often promote leaks, distribute links, and amplify visibility.

One of the identified BASHE mirror domains was used as a pivot point in StealthMole’s Telegram Tracker. This quickly surfaced multiple messages where the domain was being circulated, not in isolation, but as part of broader ransomware-related discussions.

• bashe*****************************************ofid.onion

What stood out was where these mentions were coming from.

The domain appeared in messages associated with known ransomware ecosystems, including channels linked to LockBit 4.0 Group Communication and RaidForums | Discussion. In these messages, BASHE-associated links were shared alongside victim data descriptions and downloadable archives, suggesting that the group’s leak infrastructure was being actively promoted beyond its own controlled channels.

These weren’t original BASHE announcements. Many of the messages were forwarded posts, indicating that BASHE content was being redistributed across different Telegram communities, effectively extending its reach.

A similar pattern emerged when analyzing other BASHE-associated domains, such as:

• bashe*****************************************zqd.onion

This domain, too, appeared in Telegram messages describing leaked datasets, again tied to victim organizations and accompanied by download links hosted on BASHE infrastructure.

As more messages were reviewed, it became clear that BASHE’s presence on Telegram wasn’t limited to a single official channel. Instead, its infrastructure was being circulated across multiple communities, sometimes directly, sometimes through forwards, blurring the line between original source and secondary distribution.

This pattern raised an important question: was BASHE simply being promoted by others, or was it more deeply embedded within these existing ransomware ecosystems?

Tracing the Previous Identity: APT73 and Eraleign

Telegram activity raised more than just questions about promotion, it introduced inconsistencies.

While pivoting on one of the BASHE-associated domains, a different naming pattern began to surface. Instead of BASHE, references started pointing toward “APT73”, a name that had not appeared anywhere on BASHE’s current leak site.

• bashe*****************************************4ad.onion

Following this lead, StealthMole’s Darkweb Tracker was used to expand the search. This is where the first clear overlap emerged: a surface-accessible site tied to the same ecosystem.

• http://era*******s.com

The site presented itself as a leak blog under the name Eraleign (APT73), featuring similar structural elements: victim listings, publication-style posts, and references to leaked datasets. The layout and content format closely resembled what had already been observed on BASHE’s onion-based leak site.

Further details reinforced the connection:

• Email: apt73******p@onionmail.org
• Telegram: https://t.me/apt*******l
• Twitter: https://twitter.com/Apt73*******p

At this point, the investigation wasn’t dealing with coincidence, it was encountering continuity.

To validate this further, the Eraleign domain was run through the Telegram Tracker. The results showed that it had been circulated across multiple ransomware-related Telegram channels, much like BASHE domains. However, the links shared alongside it pointed to a different onion domain:

• http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion

This domain was explicitly referenced in Telegram messages as the APT73 leak site, with accompanying descriptions offering free access to leaked data and invitations to join the group.

Running this onion domain in StealthMole’s Darkweb Tracker brought everything together. The same communication channels, Telegram and Twitter, reappeared, matching those previously linked to Eraleign.

But the most telling detail came from historical Telegram data.

When the channel https://t.me/apt73******l was analyzed, it revealed that the account had undergone a transformation. Historical indexing showed that this was the same channel currently operating as BASHE TEAM, with changes in both username and title over time.

This wasn’t just an overlap. It was a rebrand.

What initially appeared as two separate entities, APT73 and BASHE, now pointed toward a single operation evolving over time, carrying forward its infrastructure, communication channels, and operational model under a new identity.

Operational Model and Ecosystem Structure

By this stage of the investigation, BASHE was no longer just a leak site with multiple access points or a group with a prior identity. What began to take shape instead was a structured operation with clearly defined roles, workflows, and monetization paths.

This became evident through sections of the leak site that went beyond victim listings. One of the most telling was the affiliate program, which outlined how external actors could participate in BASHE’s operations. The model followed a familiar structure: affiliates were responsible for gaining access to target networks and extracting data, while BASHE provided the infrastructure for hosting leaks, managing negotiations, and handling payments. The revenue split, favoring affiliates, suggested an effort to attract a steady pipeline of contributors rather than relying on a closed internal team.

The scope of activity wasn’t limited to encryption-based attacks. The platform described multiple approaches to monetization, including direct data extortion and the sale of stolen access or datasets. This flexibility pointed to an operation that adapts based on opportunity, rather than following a rigid attack pattern.

Another detail that stood out was the presence of a bug bounty page, an unusual feature in this context. It encouraged users to identify vulnerabilities within BASHE’s own infrastructure, including potential weaknesses in the leak site, communication channels, and underlying systems. While framed as a reward mechanism, it also reflected a level of caution and awareness around operational security.

These elements revealed an ecosystem rather than a single-function platform. BASHE appeared to operate as a coordinated environment where infrastructure, affiliates, and communication channels worked in parallel, supporting both the execution of attacks and the controlled release of stolen data.

At this point, the group’s activity was no longer defined solely by its victims or its past identity. Instead, it was the structure behind it, the way everything was organized and interconnected, that provided the clearest insight into how BASHE operates.

Conclusion

What began as a single victim entry led to something far more layered.

BASHE presents itself as a relatively recent ransomware operation, but the investigation shows that its roots extend beyond its current branding. The transition from Eraleign (APT73) to BASHE, supported by shared infrastructure and unchanged communication channels, points to continuity rather than emergence. This is not a new group, it is an existing operation adapting its identity.

At the same time, its current setup reflects a deliberate effort to scale. The combination of multiple mirror domains, structured leak infrastructure, and an affiliate-driven model suggests a system designed to sustain activity rather than operate in short bursts. Its presence across Telegram channels further extends its reach, allowing leaked data to circulate beyond its own controlled environment.

What stands out is not just the group’s activity, but how it positions itself. BASHE operates in a way that blends visibility with resilience, maintaining a public-facing leak presence while distributing its infrastructure and communication across multiple layers. This makes it harder to treat as a single point of failure and easier for the operation to persist, even under pressure.

In that sense, BASHE reflects a broader pattern within the ransomware landscape: groups are not disappearing, they are evolving, reshaping their identity while keeping the core of their operations intact.

Editorial Note

Investigations like this rarely offer clean, definitive answers. Attribution in the ransomware space is often shaped by fragments: shared infrastructure, reused channels, and patterns that only make sense when viewed together. What appears to be a new group can turn out to be a continuation, while what looks connected may sometimes be coincidence.

This case highlights how navigating that uncertainty requires careful correlation rather than assumptions. At the same time, it shows how StealthMole enables that process, by bringing together dark web, Telegram, and infrastructure-level insights in a way that allows those hidden connections to surface.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com