Huntress analyzed recent NightSpire ransomware incidents, noting a shift from using native LOLBins to deploying a suite of third-party tools for persistence, discovery, and exfiltration. The variation in TTPs and tooling between incidents suggests NightSpire may operate under a Ransomware-as-a-Service (RaaS) model with multiple affiliates.