
Future Microfinance Association, a non-profit civil society organization providing microfinance services in Egypt, has reportedly been hit by a ransomware attack.
The attack is said to have compromised 8 gigabytes of data belonging to the Future Microfinance Association.

Behind the attack is NightSpire, a financially motivated ransomware group that emerged in early 2025. The group publicly disclosed the breach on its leak portal on May 5, 2025, although the initial compromise occurred on April 30, 2025.
Threat intelligence company FalconFeeds broke the news on X, citing a ransomware alert involving the Future Microfinance Association of Egypt.
To gather accurate information, Top Tech approached the threat intelligence company for further details of the incident. FalconFeeds responded.
According to a document shared by FalconFeeds, NightSpire claims to have stolen 8 GB of sensitive organizational data. Compromised data includes financial documents such as invoice details, transaction records, and order forms.
In addition, human resources files likely containing sensitive employee information, legal and audit reports, along with internal operations-related documents, were also part of the breach.
FalconFeeds highlighted that the initial compromise of the Future Microfinance Association occurred on April 30, 2025, while the hacking group publicly disclosed the breach on its leak portal on May 5, 2025, citing “a deliberate strategy” to meet extortion demands.
Is NightSpire Broadly Targeting Fintech in Egypt?
FalconFeeds believes the attack is part of a broader campaign targeting Egypt’s financial and civil sectors.
According to the threat intelligence company, NightSpire attacked one Egyptian organization per month over the last three months (March, April, and May 2025). Out of the three attacks, two involved financial institutions, a sign of interest from the threat group.
The USA is often a primary target of NightSpire (6 victims), followed by China (4). Egypt has entered the scene (3 victims), becoming one of the three most targeted countries, potentially due to weaker cyber defenses or a higher likelihood of ransom payment.
How NightSpire Operates
NightSpire was first observed in early March 2025 and has since compromised 43 organisations globally. The group likely leverages unpatched systems or weak remote access credentials (RDP, VPNs) to gain unauthorized access to computer systems.
Initially, NightSpire operations were solely focused on data theft and extortion.
However, recent observations show they’ve adopted a double extortion model in which they combine data theft with public leak threats.
From its discovery in March to early May 2025, the group has caused over 40 cyber incidents, with most occurring in April.

NightSpire likely operates as a private or semi-private group because there is no indication that the group operates on a public Ransomware-as-a-Service (RaaS) model.
Recommendations for the Future Microfinance Association
FalconFeeds has recommended the following security measures for the Future Microfinance Association.
Immediate Actions
● Isolate affected systems to stop further exfiltration or potential ransomware deployment.
● Engage a professional incident response team for forensic analysis, containment, and recovery.
● Notify relevant regulators and stakeholders in compliance with Egyptian and international data protection laws.
● Preserve all digital evidence for potential criminal investigation.
● Avoid engaging with or paying the attackers without prior legal and cybersecurity consultation.
Security Hardening Measures
● Implement immediate patching for all externally exposed systems.
● Enforce multi-factor authentication (MFA), particularly for administrative and VPN access.
● Deploy Endpoint Detection and Response (EDR) tools to improve detection and containment.
● Segment the network to limit lateral movement of attackers.
● Monitor dark web activity using intelligence platforms like FalconFeeds.io for potential data exposure or threat actor communications.