[{"data":1,"prerenderedAt":3356},["ShallowReactive",2],{"malware-data":3},{"malware":4,"total":3352,"categories":3353,"tags":3354,"last_updated":3355},[5,28,45,62,83,103,128,139,156,175,194,208,222,242,265,279,299,318,335,355,374,394,410,429,441,458,471,491,507,519,534,546,563,578,595,649,663,676,693,707,745,760,784,824,838,855,872,890,903,916,928,949,980,994,1008,1021,1035,1046,1061,1091,1103,1116,1130,1153,1172,1186,1200,1218,1230,1250,1265,1281,1297,1312,1329,1341,1358,1375,1391,1408,1422,1440,1460,1475,1495,1506,1522,1538,1549,1563,1575,1604,1616,1632,1643,1658,1671,1684,1697,1710,1722,1734,1745,1759,1774,1786,1799,1818,1832,1859,1872,1888,1900,1913,1926,1940,1955,1975,1989,2003,2018,2029,2042,2057,2068,2086,2104,2120,2135,2148,2159,2173,2186,2204,2215,2227,2241,2252,2265,2284,2298,2312,2330,2352,2377,2390,2402,2414,2430,2449,2464,2480,2494,2507,2545,2561,2573,2586,2598,2612,2625,2638,2651,2666,2679,2693,2708,2730,2747,2765,2785,2802,2816,2828,2844,2857,2872,2888,2902,2918,2931,2960,2981,2994,3010,3034,3048,3066,3079,3092,3104,3120,3135,3146,3162,3185,3199,3220,3237,3248,3260,3274,3296,3310,3324,3337],{"malware_info":6,"category":13,"primary_tags":14,"mutexes":20},{"family":7,"aliases":8,"description":10,"threat_actor":11,"first_seen":12},"3LOSH RAT",[9],"3loshrat","3LOSH RAT (3loshrat) is a fork of AsyncRat that provides attackers with remote control capabilities over compromised systems. 
It uses specific mutexes to ensure single instance execution and coordinate its activities on the infected system.","Unknown","2022","rat",[15,16,17,18,19],"remote_access","backdoor","windows","asyncrat_fork","persistence",[21],{"name":22,"references":23,"date_added":26,"analyst":27},"AsyncMutex_Devil",[24,25],"https://tria.ge/221215-ssfh5acf75/behavioral3/analog?main_event=Mutex&q=&mutant=AsyncMutex_Devil","https://app.any.run/tasks/a8254afb-57de-4e78-a8b6-173ce88ffb62?malconf=66fcb7d32f4ad79febb7fb05","2024-12-19","@adhikara13",{"malware_info":29,"category":34,"primary_tags":35,"mutexes":39},{"family":30,"aliases":31,"description":32,"threat_actor":11,"first_seen":33},"5ss5c",[],"5ss5c is a ransomware family that is a rebrand of Satan ransomware. It encrypts files and demands payment for decryption, using specific mutexes to ensure only one instance runs on the infected system.","2020","ransomware",[36,37,17,38],"file_encryption","ransom_demand","satan_rebrand",[40],{"name":41,"references":42,"date_added":26,"analyst":27},"5ss5c_CRYPT",[43,44],"https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html","https://digital.nhs.uk/cyber-alerts/2020/cc-3344",{"malware_info":46,"category":34,"primary_tags":52,"mutexes":56},{"family":47,"aliases":48,"description":50,"threat_actor":11,"first_seen":51},"AiLock",[49],"AiLock Ransomware","AiLock is a ransomware-as-a-service (RaaS) operation that encrypts victim files using ChaCha20 and NTRUEncrypt algorithms, appending the .AiLock extension. 
The malware creates a mutex named 'FAUST' to prevent duplicate execution and ensure only one instance runs on the infected system.","2025",[36,37,17,53,54,55],"raas","chacha20","ntruencrypt",[57],{"name":58,"references":59,"date_added":61,"analyst":27},"FAUST",[60],"https://medium.com/s2wblog/detailed-analysis-of-ailock-ransomware-1d3263beff15","2025-07-16",{"malware_info":63,"category":69,"primary_tags":70,"mutexes":77},{"family":64,"aliases":65,"description":68,"threat_actor":11,"first_seen":12},"Allcome",[66,67],"Allcome Clipper","Allcome Clipbanker","Allcome is a cryptocurrency clipper malware that has emerged as a newcomer in malware underground forums. The malware is designed to intercept and modify cryptocurrency addresses in the clipboard, redirecting funds to attacker-controlled wallets. It targets cryptocurrency transactions and employs sophisticated techniques to evade detection.","clipper",[71,72,73,74,75,76],"cryptocurrency","clipboard_hijacking","address_manipulation","wallet_targeting","crypto_theft","underground_forums",[78],{"name":79,"references":80,"date_added":82,"analyst":27},"08841d-18c7-4e2d-f7e29d",[81],"https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums","2024-07-16",{"malware_info":84,"category":34,"primary_tags":90,"mutexes":93},{"family":85,"aliases":86,"description":88,"threat_actor":11,"first_seen":89},"Anatova",[87],"Anatova ransomware","Anatova is a sophisticated ransomware that emerged in 2019, known for its modular architecture and ability to evade detection. 
It encrypts files and demands cryptocurrency payments for decryption.","2019",[34,36,91,92],"modular_architecture","evasion",[94],{"name":95,"references":96,"date_added":100,"analyst":27,"notes":101},"6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO",[97,98,99],"https://whitehat.eu/anatova-ransomware-experts-believe-it-will-be-a-dangerous-threat/","https://www.mcafee.com/blogs/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/","https://www.fortinet.com/blog/threat-research/looking-into-anatova-ransomware","2024-07-19",[102],"Mutex used by Anatova ransomware for process synchronization",{"malware_info":104,"category":16,"primary_tags":114,"mutexes":119},{"family":105,"aliases":106,"description":108,"threat_actor":109,"first_seen":113},"AridGopher",[107],"Micropsia","AridGopher is a Golang-based backdoor and a variant of the Micropsia malware family, used by the Arid Viper APT group. It is known for its modular architecture and its use of DNS tunneling for C2 communication.",[110,111,112],"Arid Viper","Desert Falcons","APT-C-23","2023",[115,116,117,118],"apt","golang","dns_tunneling","micropsia",[120,125],{"name":121,"references":122,"date_added":124,"analyst":27},"ABCMedia",[123],"https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant","2025-07-12",{"name":126,"references":127,"date_added":124,"analyst":27},"SoftTookkitPSA",[123],{"malware_info":129,"category":13,"primary_tags":133,"mutexes":134},{"family":130,"aliases":131,"description":132,"threat_actor":11,"first_seen":113},"ArrowRAT",[],"ArrowRAT is a fork of AsyncRat that provides attackers with remote control capabilities over compromised systems. 
It uses specific mutexes to ensure single instance execution and coordinate its activities on the infected system.",[15,16,17,18,19],[135],{"name":136,"references":137,"date_added":26,"analyst":27},"ArrowRAT_Mutex_ArrowRAT",[138],"https://tria.ge/230504-pqel9scc96",{"malware_info":140,"category":34,"primary_tags":146,"mutexes":151},{"family":141,"aliases":142,"description":144,"threat_actor":11,"first_seen":145},"AstraLocker",[143],"AstraLocker Ransomware","AstraLocker is a ransomware family that has been observed pushing ransomware directly from Office documents. The malware employs sophisticated techniques to evade detection and is known for its 'smash and grab' approach to file encryption. It targets organizations globally and demands payment for decryption.","2024",[36,147,148,149,150],"office_documents","extortion","smash_and_grab","cybercriminal",[152],{"name":153,"references":154,"date_added":82,"analyst":27},"EncryptedWithAstraLocker",[155],"https://www.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs",{"malware_info":157,"category":13,"primary_tags":162,"mutexes":166},{"family":158,"aliases":159,"description":161,"threat_actor":11,"first_seen":89},"AsyncRAT",[160],"Async-RAT","AsyncRAT is an open-source Remote Access Trojan (RAT) for Windows written in C#. Its accessibility has led to widespread use by various threat actors for data theft, surveillance, and controlling compromised systems.",[15,163,164,165],"open_source","infostealer","c2",[167],{"name":168,"references":169,"date_added":172,"analyst":27,"notes":173},"AsyncMutex_\u003Cuniqueid>",[170,171],"https://blog.talosintelligence.com/nanocore-netwire-and-asyncrat-spreading/","https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection","2024-08-01",[174],"The mutex name is dynamic. 
The '\u003Cuniqueid>' part is a placeholder for a unique identifier, often a randomly generated string or a hash.",{"malware_info":176,"category":16,"primary_tags":183,"mutexes":188},{"family":177,"aliases":178,"description":180,"threat_actor":181,"first_seen":113},"Atharvan",[179],"AtharvanBackdoor","Atharvan is a custom-developed remote access trojan (RAT) associated with the Clasiopa threat group, targeting materials research organizations in Asia. It uses a sophisticated HTTP-based C&C communication protocol with custom encryption, employs scheduled communication patterns, and includes commands for file download, arbitrary execution, and system configuration. The malware is named after a legendary Vedic sage and uses Hindi cultural references.",[182],"Clasiopa",[16,184,185,186,187],"custom_encryption","scheduled_communication","http_c2","materials_research_targeting",[189],{"name":190,"references":191,"date_added":193,"analyst":27},"SAPTARISHI-ATHARVAN-101",[192],"https://www.security.com/threat-intelligence/clasiopa-materials-research","2025-07-30",{"malware_info":195,"category":69,"primary_tags":200,"mutexes":202},{"family":196,"aliases":197,"description":199,"threat_actor":11,"first_seen":145},"Atlas Clipper",[198],"AtlasClipper","Atlas Clipper is a malware that steals cryptocurrency by monitoring the clipboard for cryptocurrency wallet addresses and replacing them with the attacker's address.",[201,72],"cryptocurrency_stealer",[203],{"name":204,"references":205,"date_added":207,"analyst":27},"YourMutex",[206],"https://cyble.com/blog/multiple-new-clipper-malware-variants-discovered-in-the-wild/","2025-07-14",{"malware_info":209,"category":34,"primary_tags":214,"mutexes":216},{"family":210,"aliases":211,"description":213,"threat_actor":11,"first_seen":33},"Avaddon",[212],"avaddon ransomware","Avaddon is a ransomware-as-a-service (RaaS) that emerged in 2020, known for its aggressive encryption techniques and double-extortion tactics. 
The malware targets organizations and demands cryptocurrency payments for file decryption.",[34,36,53,215],"double_extortion",[217],{"name":218,"references":219,"date_added":100,"analyst":27},"{2A0E9C7B-6BE8-4306-9F73-1057003F605B}",[220,221],"https://bbs.360.cn/thread-15888858-1-1.html","https://id-ransomware.blogspot.com/2020/06/avaddon-ransomware.html",{"malware_info":223,"category":34,"primary_tags":229,"mutexes":231},{"family":224,"aliases":225,"description":227,"threat_actor":224,"first_seen":228},"AvosLocker",[226],"avoslocker-ransomware","AvosLocker is a Ransomware-as-a-Service (RaaS) affiliate program that has been actively targeting organizations and government institutions since July 2021.","2021",[36,230,215],"RaaS",[232,238],{"name":233,"references":234,"date_added":207,"analyst":27},"ievah8eVki3Ho4oo",[235,236,237],"https://cyble.com/blog/deep-dive-analysis-avoslocker-ransomware/","https://www.threatdown.com/blog/avoslocker-enters-the-ransomware-scene-asks-for-partners/","https://hatching.io/blog/tt-2021-08-12/",{"name":239,"references":240,"date_added":82,"analyst":27},"Cheic0WaZie6zeiy",[241],"https://www.cyfirma.com/research/avoslocker-ransomware-report/",{"malware_info":243,"category":249,"primary_tags":250,"mutexes":252},{"family":244,"aliases":245,"description":248,"threat_actor":11,"first_seen":12},"Azov",[246,247],"Azov Wiper","RANSOM.WIN64.AZVO.THJCABB","Azov is a destructive data wiper disguised as ransomware that targets Windows systems. 
It overwrites files with random data, rendering them unrecoverable.","wiper",[251],"data_destruction",[253,258,261],{"name":254,"references":255,"date_added":172,"analyst":27},"Local\\Kasimir_C",[256,257],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win64.azvo.thjcabb","https://blog.talosintelligence.com/threat-roundup-1021-1028-2/",{"name":259,"references":260,"date_added":172,"analyst":27},"Local\\Kasimir_E",[256,257],{"name":262,"references":263,"date_added":172,"analyst":27},"Local\\azov",[264,257],"https://tria.ge/221031-vjjkjacdbq/behavioral1/analog?main_event=Mutex",{"malware_info":266,"category":34,"primary_tags":272,"mutexes":273},{"family":267,"aliases":268,"description":271,"threat_actor":267,"first_seen":228},"Babuk",[269,270],"babuk-ransomware","Babyk","Babuk is a ransomware family that emerged in 2021. Its source code and builder were leaked, which could lead to an increase in attacks using its variants.",[36,230],[274],{"name":275,"references":276,"date_added":278,"analyst":27},"DoYouWantToHaveSexWithCuongDong",[277],"https://cyble.com/blog/deep-dive-into-builder-of-notorious-babuk-ransomware/","2025-07-15",{"malware_info":280,"category":13,"primary_tags":289,"mutexes":290},{"family":281,"aliases":282,"description":284,"threat_actor":285,"first_seen":288},"BADNEWS",[283],"BADNEWS RAT","BADNEWS is a Remote Access Trojan (RAT) that has been used by the White Elephant APT group (also known as Patchwork or APT-C-35) in various espionage campaigns.",[286,287],"White 
Elephant","Patchwork","2013",[15,164,165,115],[291,295],{"name":292,"references":293,"date_added":172,"analyst":27},"rendumm",[294],"https://www.antiy.cn/research/notice&report/research_report/20221027.html",{"name":296,"references":297,"date_added":193,"analyst":27},"RfmbFv8D",[298],"https://rayblog.rising.com.cn/2024/08/2024%e5%b9%b47%e6%9c%88%ef%bc%9apatchwork%e7%bb%84%e7%bb%87%e9%92%88%e5%af%b9%e6%88%91%e5%9b%bd%e7%a7%91%e7%a0%94%e6%95%99%e8%82%b2%e9%a2%86%e5%9f%9f%e7%9a%84%e6%94%bb%e5%87%bb%e4%ba%8b%e4%bb%b6/",{"malware_info":300,"category":304,"primary_tags":305,"mutexes":310},{"family":301,"aliases":302,"description":303,"threat_actor":11,"first_seen":33},"BazarLoader",[301],"BazarLoader is a sophisticated loader malware that has been observed in various cybercriminal campaigns. The malware is designed to download and execute additional payloads on compromised systems and has been analyzed for its reverse engineering techniques and multi-stage attack capabilities.","loader",[306,307,308,150,309],"payload_delivery","multi_stage","reverse_engineering","evasion_techniques",[311,315],{"name":312,"references":313,"date_added":82,"analyst":27},"{b837ef4f-10ee-4821-ac76-2331eb32a23f}",[314],"https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/",{"name":316,"references":317,"date_added":82,"analyst":27},"{0caa6ebb-cf78-4b01-9b0b-51032c9120ce}",[314],{"malware_info":319,"category":304,"primary_tags":324,"mutexes":327},{"family":320,"aliases":321,"description":323,"threat_actor":11,"first_seen":145},"BBTok",[322],"BBTok Loader","BBTok is a .NET loader malware that has been observed in various cybercriminal campaigns. The malware is designed to download and execute additional payloads on compromised systems and employs obfuscation techniques to evade detection. 
It has been analyzed for its deobfuscation methods and multi-stage attack capabilities.",[306,307,325,326,150],"dotnet","obfuscation",[328,332],{"name":329,"references":330,"date_added":82,"analyst":27},"TiiSbtvhvbCMW",[331],"https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader",{"name":333,"references":334,"date_added":82,"analyst":27},"KOKKIIKKKOOOO",[331],{"malware_info":336,"category":34,"primary_tags":343,"mutexes":349},{"family":337,"aliases":338,"description":341,"threat_actor":342,"first_seen":12},"Beast",[339,340],"Monster","Beast RaaS","Beast is a Ransomware-as-a-Service (RaaS) platform active since 2022 that targets Windows, Linux, and ESXi systems. It uses a combination of Elliptic-curve and ChaCha20 encryption, written in C programming language. The malware includes capabilities for shadow copy deletion, service termination, SMB scanning for lateral movement, and multithreaded file encryption. It strategically avoids CIS countries (Russia, Belarus, Moldova) by checking system language settings and IP geolocation.","Beast RaaS Group",[53,36,344,345,346,347,54,348],"multi_platform","smb_propagation","shadow_copy_delete","service_termination","elliptic_curve",[350],{"name":351,"references":352,"date_added":354,"analyst":27},"BEAST HERE?",[353],"https://www.cybereason.com/blog/threat-analysis-beast-ransomware","2025-01-15",{"malware_info":356,"category":34,"primary_tags":361,"mutexes":363},{"family":357,"aliases":358,"description":360,"threat_actor":11,"first_seen":113},"Big Head",[359],"Big Head Ransomware","Big Head ransomware is a variant that uses a fake Windows Update screen to deceive users while it encrypts files in the background. 
It is known for its multiple variants and diverse tactics.",[36,148,362],"fake_update",[364,369],{"name":365,"references":366,"date_added":124,"analyst":27},"8bikfjjD4JpkkAqrz",[367,368],"https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html","https://www.tanium.com/blog/attacks-ransomware-payments-spike-in-2023-cyber-threat-intelligence-roundup/",{"name":370,"references":371,"date_added":373,"analyst":27},"v6PdkcEldmq3vfupE",[372,367],"https://rayblog.rising.com.cn/2024/07/bighead%E5%8B%92%E7%B4%A2%E8%BD%AF%E4%BB%B6%E5%88%86%E6%9E%90/","2025-01-09",{"malware_info":375,"category":34,"primary_tags":381,"mutexes":383},{"family":376,"aliases":377,"description":379,"threat_actor":380,"first_seen":12},"Black Basta",[378],"BlackBasta","Black Basta is a ransomware-as-a-service (RaaS) that emerged in early 2022. It is known for its high-profile attacks and is suspected to have links to the Conti ransomware group. The ransomware is written in C++ and uses a combination of ChaCha20 and RSA-4096 for encryption.","FIN7",[53,36,148,382],"conti_link",[384,390],{"name":385,"references":386,"date_added":124,"analyst":27},"dsajdhas.0",[387,388,389],"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/","https://www.zscaler.com/blogs/security-research/back-black-basta","https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence",{"name":391,"references":392,"date_added":393,"analyst":27},"ofijweiuhuewhcsaxs.mutex",[388],"2025-07-13",{"malware_info":395,"category":34,"primary_tags":400,"mutexes":404},{"family":396,"aliases":397,"description":399,"threat_actor":11,"first_seen":113},"BlackBerserk",[398],"BlackBerserk-Ransomware","BlackBerserk is a ransomware family that emerged in mid-2023. 
It is known to target both Windows and Linux systems, including ESXi servers, following a double extortion model.",[36,401,402,403],"data_exfiltration","linux","esxi",[405],{"name":406,"references":407,"date_added":172,"analyst":27},"Global\\BlackMutex",[408,409],"https://tria.ge/230728-cqg16sah59/behavioral1/analog?main_event=Mutex&q=BlackMutex","https://id-ransomware.blogspot.com/2023/07/blackberserk-ransomware.html",{"malware_info":411,"category":34,"primary_tags":416,"mutexes":419},{"family":412,"aliases":413,"description":415,"threat_actor":11,"first_seen":145},"BlackHunt",[414],"BlackHunt Ransomware","BlackHunt is a ransomware written in Go, first observed in early 2024. It is often deployed by threat actors after exploiting vulnerable remote access services.",[36,417,418],"Go","remote_access_exploitation",[420,425],{"name":421,"references":422,"date_added":172,"analyst":27},"BlackKeys",[423,424],"https://x.com/malwrhunterteam/status/1744499157442666907","https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/",{"name":426,"references":427,"date_added":172,"analyst":27},"BLACK_HUNT_MUTEX",[428],"https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/ransom.win32.blackhunt.thlbhbb",{"malware_info":430,"category":34,"primary_tags":435,"mutexes":436},{"family":431,"aliases":432,"description":434,"threat_actor":431,"first_seen":228},"BlackMatter",[433],"BlackMatter Ransomware","BlackMatter is a ransomware-as-a-service (RaaS) tool that emerged in July 2021, and is believed to be a rebrand of the DarkSide ransomware group.",[36,230],[437],{"name":438,"references":439,"date_added":393,"analyst":27},"0d216858b68c0bcae655c2eaffeee2ad",[440],"https://cyble.com/blog/dissecting-blackmatter-ransomware/",{"malware_info":442,"category":449,"primary_tags":450,"mutexes":453},{"family":443,"aliases":444,"description":447,"threat_actor":11,"first_seen":448},"Blackmoon",[445,446],"Blackmoon 
Botnet","W32/Kryptik.G.gen!Eldorado","Blackmoon is a banking trojan and botnet that has been active since at least 2014. It uses man-in-the-browser techniques to steal banking credentials and other sensitive information.","2014","botnet",[451,164,452],"banking_trojan","man-in-the-browser",[454],{"name":455,"references":456,"date_added":172,"analyst":27},"kongxin1123",[457],"https://www.secrss.com/articles/40299",{"malware_info":459,"category":34,"primary_tags":464,"mutexes":466},{"family":460,"aliases":461,"description":463,"threat_actor":462,"first_seen":113},"BlackStore",[462],"Proxima","BlackStore is a ransomware variant from the Proxima family. It encrypts files, adds the .BlackStore extension, and is suspected of targeting Russian organizations.",[34,465],"proxima_family",[467],{"name":468,"references":469,"date_added":61,"analyst":27},"Global\\FSWiper",[470],"https://buaq.net/go-185382.html",{"malware_info":472,"category":34,"primary_tags":479,"mutexes":485},{"family":473,"aliases":474,"description":476,"threat_actor":477,"first_seen":113},"BlackSuit",[475],"BlackSuit Ransomware","BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebrand of Royal ransomware. Operated by the Ignoble Scorpius group, it targets organizations globally with a focus on construction, manufacturing, and education sectors. The group operates a dark web leak site for extortion and typically demands ransoms equal to about 1.6% of the victim organization's annual revenue. 
BlackSuit uses various initial access methods including phishing, SEO poisoning, legitimate VPN credentials, and supply chain attacks.",[478],"Ignoble Scorpius",[53,36,148,480,481,482,483,484,215],"leak_site","royal_rebrand","construction","manufacturing","education",[486],{"name":487,"references":488,"date_added":354,"analyst":27},"Global\\WLm87eV1oNRx6P3E4Cy9",[489,490],"https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/","https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.blacksuit.ypdjb",{"malware_info":492,"category":13,"primary_tags":498,"mutexes":502},{"family":493,"aliases":494,"description":496,"threat_actor":497,"first_seen":145},"BlotchyQuasar",[495],"NUCLEAR RAT","BlotchyQuasar (NUCLEAR RAT) is a remote access trojan used by the Hive0129 threat group to target financial institutions in Latin America. It is designed as a banking trojan that provides attackers with remote control capabilities over compromised systems and uses specific mutexes to ensure single instance execution.","Hive0129",[15,451,499,500,501,17],"financial_targeting","latam","hive0129",[503],{"name":504,"references":505,"date_added":26,"analyst":27},"44474877AKs8XXT4SylAo2kAlUS2kYkala!",[506],"https://www.ibm.com/think/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan",{"malware_info":508,"category":34,"primary_tags":513,"mutexes":514},{"family":509,"aliases":510,"description":512,"threat_actor":11,"first_seen":11},"Bluesky",[511],"bluesky ransomware","Bluesky is a ransomware family that encrypts files on compromised systems and demands cryptocurrency payments for decryption. 
The malware uses sophisticated encryption techniques and is designed to evade detection while maximizing damage to targeted systems.",[34,36,92],[515],{"name":516,"references":517,"date_added":100,"analyst":27},"Global\\EA408C6BF0D12F526F821798C3F54C9A",[518],"https://app.any.run/tasks/d537c305-659f-4ac8-86b5-92f79b951763",{"malware_info":520,"category":13,"primary_tags":525,"mutexes":529},{"family":521,"aliases":522,"description":524,"threat_actor":11,"first_seen":12},"Borat",[523],"Borat-RAT","Borat is a Remote Access Trojan (RAT) that combines multiple malicious capabilities, including keylogging, DDoS attacks, UAC bypass, and a ransomware module. It provides a comprehensive toolset for attackers to control and monetize compromised systems.",[15,526,527,528,164],"keylogging","ddos","ransomware_module",[530],{"name":531,"references":532,"date_added":172,"analyst":27},"boratratmutex_sa8xofh1budx",[533],"https://app.any.run/tasks/4dd0d438-f35d-489b-964a-ddf851becea3/",{"malware_info":535,"category":34,"primary_tags":540,"mutexes":541},{"family":536,"aliases":537,"description":539,"threat_actor":11,"first_seen":145},"BqtLock",[538],"BaqiyatLock","BqtLock (BaqiyatLock) is a ransomware family that encrypts files and demands payment for decryption. It uses specific mutexes to ensure only one instance runs on the system.",[36,37,17],[542],{"name":543,"references":544,"date_added":26,"analyst":27},"Global\\{00A0B0C0-D0E0-F000-1000-200030004000}",[545],"https://app.any.run/tasks/1b84c310-4494-4125-a7f2-8b15ae7dc7a9/",{"malware_info":547,"category":34,"primary_tags":553,"mutexes":557},{"family":548,"aliases":549,"description":552,"threat_actor":11,"first_seen":228},"BTCWare",[550,551],"PayDay","PayDay Ransomware","BTCWare PayDay is a variant of BTCWare ransomware discovered by security researcher Michael Gillespie. Once infiltrated, it encrypts stored files and appends filenames with extensions like '.[developer's_email]-id-***.payday'. 
The ransomware opens a browser window displaying ransom demands and drops a text file ('!! RETURN FILES !!.txt'). It typically demands between $500-$1500 in Bitcoin payments. The malware uses various email addresses including variations with checkzip@india.com, payday@rape.lol, and kekin@cock.li domains.",[34,36,554,555,556],"bitcoin_payment","email_contact","file_extension_change",[558],{"name":559,"references":560,"date_added":562,"analyst":27},"PAYDAYDAYPAY",[561],"https://app.any.run/tasks/1d763bab-767d-4357-9905-8836c5812adc/","2025-08-08",{"malware_info":564,"category":304,"primary_tags":569,"mutexes":571},{"family":565,"aliases":566,"description":568,"threat_actor":11,"first_seen":113},"BunnyLoader",[567],"BunnyLoader Loader","BunnyLoader is a Malware-as-a-Service (MaaS) used to drop other malware.",[570],"maas",[572],{"name":573,"references":574,"date_added":577,"analyst":27},"BunnyLoader_MUTEXCONTROL",[575,576],"https://www.cyfirma.com/news/weekly-intelligence-report-06-oct-2023/","https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service","2024-05-22",{"malware_info":579,"category":304,"primary_tags":584,"mutexes":589},{"family":580,"aliases":581,"description":583,"threat_actor":11,"first_seen":51},"CastleLoader",[582],"Castle Loader","CastleLoader is a loader malware that first emerged in early 2025, designed to distribute various information stealers and remote access trojans (RATs) through Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories. The malware uses PowerShell commands to download and execute secondary payloads including StealC, RedLine, NetSupport RAT, DeerStealer, HijackLoader, and SectopRAT. CastleLoader employs AutoIT scripts to load shellcode into memory and connects to C2 servers for additional payload delivery. 
The malware has been observed in campaigns targeting government entities and has achieved a 28.7% infection rate among victims who clicked on malicious links.",[306,307,304,585,586,587,588],"phishing","clickfix","powershell","autoit",[590],{"name":591,"references":592,"date_added":594,"analyst":27},"10KCnWHtIoABhkL2Cl3u",[593],"https://app.any.run/tasks/8483dc5f-e69d-4085-8f3f-09702fb60ef9/","2025-07-29",{"malware_info":596,"category":13,"primary_tags":602,"mutexes":610},{"family":597,"aliases":598,"description":600,"threat_actor":601,"first_seen":51},"CastleRAT",[599],"PyNightshade","CastleRAT is a remote access trojan (RAT) developed by TAG-150, available in both Python and C variants. The malware includes functionality for collecting system information, downloading and executing additional payloads, executing commands via CMD and PowerShell, keylogging, screen capturing, and clipboard stealing. CastleRAT uses custom binary protocol with RC4 encryption and queries ip-api.com for geolocation data. The C variant includes more advanced stealing capabilities and uses Steam Community pages for C2 dead drops. 
Both variants are under active development and have been observed deployed alongside CastleLoader since August 2025.","TAG-150",[603,604,605,606,607,306,608,609],"remote_access_trojan","keylogger","screen_capture","clipboard_stealer","command_execution","rc4_encryption","steam_c2",[611,616,619,622,625,628,631,634,637,640,643,646],{"name":612,"references":613,"date_added":615,"analyst":27},"BunBubunKLagfsw",[614],"https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations","2025-12-30",{"name":617,"references":618,"date_added":615,"analyst":27},"GoldVekRogerS",[614],{"name":620,"references":621,"date_added":615,"analyst":27},"Thickwick3",[614],{"name":623,"references":624,"date_added":615,"analyst":27},"BabaiMazai",[614],{"name":626,"references":627,"date_added":615,"analyst":27},"KolokolBozhii",[614],{"name":629,"references":630,"date_added":615,"analyst":27},"OaoaPupaa",[614],{"name":632,"references":633,"date_added":615,"analyst":27},"fsAiodwsfSAFuiefS",[614],{"name":635,"references":636,"date_added":615,"analyst":27},"sPEJIOGDsionsgfdUewg",[614],{"name":638,"references":639,"date_added":615,"analyst":27},"FkgfIJGgJgdiJGDGHDjMGjia",[614],{"name":641,"references":642,"date_added":615,"analyst":27},"sdgiregdsssaFWIFS",[614],{"name":644,"references":645,"date_added":615,"analyst":27},"fsAiodwsfSAFuiefS2",[614],{"name":647,"references":648,"date_added":615,"analyst":27},"XmGetzKAM8Bw8NCBTUYo5e",[614],{"malware_info":650,"category":13,"primary_tags":655,"mutexes":656},{"family":651,"aliases":652,"description":654,"threat_actor":11,"first_seen":145},"Celestial",[653],"Celestial RAT","Celestial is a Remote Access Trojan (RAT) used to gain unauthorized access and control over a victim's computer.",[15,164,165],[657],{"name":658,"references":659,"date_added":172,"analyst":27,"notes":661},"celestial_\u003Cuniqueid>",[660],"https://app.any.run/tasks/14d1c3db-c5c9-464d-95be-232cd8703aa6/",[662],"The mutex name is dynamic. 
The '\u003Cuniqueid>' part is a placeholder for a unique identifier.",{"malware_info":664,"category":34,"primary_tags":670,"mutexes":671},{"family":665,"aliases":666,"description":668,"threat_actor":11,"first_seen":669},"Cerber",[667],"Cerber Ransomware","Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, known for its file encryption, offline capabilities, and sophisticated evasion techniques. It creates a mutex to avoid reinfecting the same machine.","2016",[53,36,17,92],[672],{"name":673,"references":674,"date_added":393,"analyst":27},"SHELL.{\u003Cuuid>}",[675],"https://any.run/malware-trends/cerber/",{"malware_info":677,"category":34,"primary_tags":683,"mutexes":688},{"family":678,"aliases":679,"description":681,"threat_actor":11,"first_seen":682},"CHARON",[680],"CHARON ransomware","CHARON is a ransomware that emerged in July 2025, known for its sophisticated file encryption techniques and anti-EDR capabilities. It uses variable encryption patterns based on file size and creates a malicious service (WWC) as part of its persistence strategy. The ransomware terminates backup services and processes to prevent recovery attempts.","2025-07-22",[36,684,685,686,687],"anti_edr","service_creation","backup_targeting","variable_encryption",[689],{"name":690,"references":691,"date_added":193,"analyst":27},"OopsCharonHere",[692],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win64.charon.thgbcbe",{"malware_info":694,"category":34,"primary_tags":699,"mutexes":701},{"family":695,"aliases":696,"description":697,"threat_actor":698,"first_seen":228},"ChiChi",[],"ChiChi is a ransomware that encrypts user data using AES-128 + RSA-2048 and demands a ransom to restore the files. 
It is considered a variant of the Babuk ransomware and may be linked to the Lazarus Group.","Lazarus Group",[36,17,700],"babuk_variant",[702],{"name":703,"references":704,"date_added":393,"analyst":27},"chichigotmanagedyou",[705,706],"https://id-ransomware.blogspot.com/2021/11/chichi-ransomware.html","https://x.com/demonslay335/status/1461020406052274178",{"malware_info":708,"category":16,"primary_tags":718,"mutexes":722},{"family":709,"aliases":710,"description":712,"threat_actor":713,"first_seen":145},"CHIMNEYSWEEP",[711],"CHIMNEYSWEEP Backdoor","CHIMNEYSWEEP is a backdoor malware that has been associated with likely Iranian threat actors conducting politically motivated disruptive activities. The malware is designed to provide remote access to compromised systems and has been observed using multiple mutexes to coordinate different components and prevent multiple infections on the same system.",[714,715,716,717],"HomeLand Justice","HEXANE","Red Sandstorm","Banished Kitten",[15,719,720,721,19],"iranian_threat_actor","politically_motivated","disruptive_activity",[723,727,730,733,736,739,742],{"name":724,"references":725,"date_added":82,"analyst":27},"rerunadmn",[726],"https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/",{"name":728,"references":729,"date_added":82,"analyst":27},"subttoadmn",[726],{"name":731,"references":732,"date_added":82,"analyst":27},"runupdate",[726],{"name":734,"references":735,"date_added":82,"analyst":27},"runupdateok",[726],{"name":737,"references":738,"date_added":82,"analyst":27},"baserun",[726],{"name":740,"references":741,"date_added":82,"analyst":27},"heyirunadmn",[726],{"name":743,"references":744,"date_added":82,"analyst":27},"corerun",[726],{"malware_info":746,"category":16,"primary_tags":751,"mutexes":754},{"family":747,"aliases":748,"description":749,"threat_actor":750,"first_seen":113},"Chrysalis",[747],"Chrysalis Backdoor is a malware 
family associated with the Lotus Blossom threat group. It is part of Lotus Blossom's toolkit used for espionage and remote access operations. The backdoor provides persistent access to compromised systems.","Lotus Blossom",[16,752,15,753,115],"espionage","lotus_blossom",[755],{"name":756,"references":757,"date_added":759,"analyst":27},"Global\\Jdhfv_1.0.1",[758],"https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/","2026-04-02",{"malware_info":761,"category":34,"primary_tags":767,"mutexes":768},{"family":762,"aliases":763,"description":766,"threat_actor":764,"first_seen":89},"Cl0p",[764,765],"TA505","FIN11","Cl0p is a ransomware that has been active since 2019, operating as a Ransomware-as-a-Service (RaaS). It targets both Windows and Linux systems and is associated with the Russian-speaking cybercriminal group TA505.",[53,17,402,401],[769,773,777,781],{"name":770,"references":771,"date_added":61,"analyst":27},"')(%QU#jimf0932ijrkpo32jr3lfwe",[772],"https://cyble.com/blog/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/",{"name":774,"references":775,"date_added":100,"analyst":27},"LifeBeHappy#-#-#666^_-",[776],"https://www.otorio.com/blog/ransomware-targeting-industry-4-0/",{"name":778,"references":779,"date_added":100,"analyst":27},"CLOP#666",[780],"https://id-ransomware.blogspot.com/2019/02/clop-ransomware.html",{"name":782,"references":783,"date_added":100,"analyst":27},"^_-HappyLife^_-",[780],{"malware_info":785,"category":304,"primary_tags":792,"mutexes":796},{"family":786,"aliases":787,"description":788,"threat_actor":789,"first_seen":145},"Claimloader",[786],"Claimloader is a loader malware associated with the Hive0154 threat group and Mustang Panda. 
It is designed to download and execute additional payloads on compromised systems and has been observed in targeted attacks against organizations in the US, Philippines, Pakistan, and Taiwan.",[790,791],"Hive0154","Mustang Panda",[306,793,307,794,795],"targeted_attack","hive0154","mustang_panda",[797,803,807,812,815,818,821],{"name":798,"references":799,"date_added":82,"analyst":27,"notes":801},"TB\u003Cyearmonthdate>",[800],"https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan",[802],"The mutex name is dynamic. The '\u003Cyearmonthdate>' part is a placeholder for a date format.",{"name":804,"references":805,"date_added":82,"analyst":27,"notes":806},"MTM\u003Cyearmonthdate>",[800],[802],{"name":808,"references":809,"date_added":82,"analyst":27,"notes":810},"CATM\u003Cyearmonthdate>",[800],[811],"The mutex name is dynamic. The '\u003Cyearmonthdate>' part is a placeholder for a date string. Example: CATM20252003. Note that this example does not parse as yyyymmdd (it would give month 20), so confirm the exact digit order against the reference before encoding it in a detection pattern.",{"name":813,"references":814,"date_added":82,"analyst":27},"GameBoxABC",[800],{"name":816,"references":817,"date_added":82,"analyst":27},"GameGpu0428",[800],{"name":819,"references":820,"date_added":82,"analyst":27},"GameFind057",[800],{"name":822,"references":823,"date_added":82,"analyst":27},"GameBoxTV59",[800],{"malware_info":825,"category":304,"primary_tags":831,"mutexes":833},{"family":826,"aliases":827,"description":829,"threat_actor":830,"first_seen":12},"CLRLoad",[828],"CLRLoad Loader","CLRLoad is a loader malware used by the Worok threat group. The malware is designed to download and execute additional payloads on compromised systems and has been observed in various targeted attack campaigns. 
It employs sophisticated techniques to evade detection and establish persistence.","Worok",[306,307,832,793,309],"worok",[834],{"name":835,"references":836,"date_added":82,"analyst":27},"Wo0r0KGWhYGO",[837],"https://www.welivesecurity.com/2022/09/06/worok-big-picture/",{"malware_info":839,"category":844,"primary_tags":845,"mutexes":848},{"family":840,"aliases":841,"description":843,"threat_actor":11,"first_seen":145},"CoinHelper",[842],"CoinHelper Miner","CoinHelper is a cryptocurrency mining malware that has been observed in various cybercriminal campaigns. The malware is designed to mine cryptocurrency on compromised systems without user consent, utilizing system resources for financial gain. It employs sophisticated techniques to evade detection and establish persistence.","miner",[846,847,150,309,19],"cryptocurrency_mining","resource_abuse",[849],{"name":850,"references":851,"date_added":82,"analyst":27,"notes":853},"QPRZ\u003Cdigit>bWvXh",[852],"https://decoded.avast.io/janrubin/toss-a-coin-to-your-helper/",[854],"The mutex name is dynamic. The '\u003Cdigit>' part can be 1, 2, or 3.",{"malware_info":856,"category":34,"primary_tags":860,"mutexes":865},{"family":857,"aliases":858,"description":859,"threat_actor":11,"first_seen":51},"Contacto",[],"Contacto is a new ransomware strain that surfaced in early January 2025, featuring advanced evasion techniques to bypass conventional security measures. 
It uses sophisticated threading models for efficient file encryption and employs various privilege escalation methods to maximize system control.",[36,861,862,863,864],"privilege_escalation","av_evasion","threading_model","mutex_protection",[866],{"name":867,"references":868,"date_added":871,"analyst":27},"Global\\ContactoMutex",[869,870],"https://app.any.run/tasks/917a636f-aed8-4368-81a6-1ee2634c50ec","https://gbhackers.com/new-contacto-ransomware-evades-av-detection","2025-01-22",{"malware_info":873,"category":34,"primary_tags":879,"mutexes":880},{"family":874,"aliases":875,"description":877,"threat_actor":878,"first_seen":11},"Conti",[876],"conti ransomware","Conti is a sophisticated ransomware family operated by the Conti Group, known for its aggressive double-extortion tactics and targeting of large organizations. The malware uses advanced encryption techniques and is designed to maximize damage while evading detection.","conti group",[34,36,215,115],[881,885],{"name":882,"references":883,"date_added":100,"analyst":27},"kjsidugidf99439",[884],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.conti.fajl",{"name":886,"references":887,"date_added":100,"analyst":27},"hsfjuukjzloqu28oajh727190",[888,889],"https://cyble.com/blog/new-ransomware-strains-emerging-from-leaked-contis-source-code/","https://vipre.com/blog/how-conti-ransomware-works-plus-analysis",{"malware_info":891,"category":34,"primary_tags":897,"mutexes":898},{"family":892,"aliases":893,"description":895,"threat_actor":11,"first_seen":896},"Crypt0r",[894],"GusCrypter","Crypt0r is a ransomware that encrypts user files with AES and demands a ransom. 
It is considered a descendant of the GusCrypter ransomware.","2018",[36,17],[899],{"name":900,"references":901,"date_added":393,"analyst":27},"crypt0r-mutex",[902],"https://id-ransomware.blogspot.com/2019/01/crypt0r-ransomware_10.html",{"malware_info":904,"category":34,"primary_tags":910,"mutexes":911},{"family":905,"aliases":906,"description":908,"threat_actor":11,"first_seen":909},"CryptoFortress",[907],"CryptoFortress ransomware","CryptoFortress is a ransomware that encrypts files on a victim's machine and demands a ransom for the decryption key.","2015",[36],[912],{"name":913,"references":914,"date_added":61,"analyst":27},"Catawba!",[915],"https://app.any.run/tasks/bda9ff74-d070-4c46-be17-add51e71fe21/",{"malware_info":917,"category":34,"primary_tags":922,"mutexes":923},{"family":918,"aliases":919,"description":921,"threat_actor":11,"first_seen":669},"CryptoLuck",[920],"RANSOM_CRYPTOLUCK.A","CryptoLuck is a ransomware that encrypts files and demands a ransom for the decryption key. It is known to drop a file named WARNING_FILES_ARE_ENCRYPTED.txt.",[36],[924],{"name":925,"references":926,"date_added":278,"analyst":27},"CryptoLuck_Instance",[927],"https://www.trendmicro.com/vinfo/au/threat-encyclopedia/malware/ransom_cryptoluck.a",{"malware_info":929,"category":34,"primary_tags":934,"mutexes":936},{"family":930,"aliases":931,"description":933,"threat_actor":11,"first_seen":145},"Crytox",[932],"Crytox Ransomware","Crytox is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It employs sophisticated encryption techniques and has been analyzed for its chaotic encryption patterns and multi-stage attack capabilities.",[36,148,150,935,307],"chaotic_encryption",[937,944],{"name":938,"references":939,"date_added":82,"analyst":27,"notes":942},"itkd\u003C4_characters_generated_based_on_targetPID>",[940,941],"https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/","https://www.trendmicro.com/vinfo/jp/threat-encyclopedia/malware/ransom.win64.crytox.a",[943],"The mutex name is dynamic. The '\u003C4_characters_generated_based_on_targetPID>' part is a placeholder for 4 characters generated based on the target process ID.",{"name":945,"references":946,"date_added":82,"analyst":27,"notes":948},"CSWS\u003C4_characters_generated_based_on_targetPID>",[947],"https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",[943],{"malware_info":950,"category":13,"primary_tags":956,"mutexes":959},{"family":951,"aliases":952,"description":955,"threat_actor":11,"first_seen":909},"Cybergate",[953,954],"Cybergate RAT","SpyNet RAT","Cybergate is a Remote Access Trojan (RAT) that provides attackers with extensive control over compromised systems. It is capable of keylogging, screen capture, file manipulation, and other surveillance activities. 
The malware uses multiple mutexes to coordinate different components and prevent multiple infections.",[15,604,957,958,605],"surveillance","file_manipulation",[960,964,968,971,974,977],{"name":961,"references":962,"date_added":82,"analyst":27},"***MUTEX***_SAIR",[963],"https://blog.talosintelligence.com/threat-roundup-0414-0421/",{"name":965,"references":966,"date_added":82,"analyst":27},"SPY_NET_RATMUTEX",[967],"https://blog.cyber5w.com/cybergate-malware-analysis",{"name":969,"references":970,"date_added":82,"analyst":27},"_x_X_PASSWORDLIST_X_x_",[967],{"name":972,"references":973,"date_added":82,"analyst":27},"_x_X_BLOCKMOUSE_X_x_",[967],{"name":975,"references":976,"date_added":82,"analyst":27},"xX_PROXY_SERVER_Xx",[967],{"name":978,"references":979,"date_added":82,"analyst":27},"_x_X_UPDATE_X_x_",[967],{"malware_info":981,"category":34,"primary_tags":987,"mutexes":989},{"family":982,"aliases":983,"description":986,"threat_actor":11,"first_seen":113},"Cylance",[984,985],"ShellLocker","Cylance Ransomware","Cylance is a cross-platform ransomware written in Go that targets both Windows and Linux systems.",[988,116],"cross-platform",[990],{"name":991,"references":992,"date_added":577,"analyst":27},"CylanceMutex",[993],"https://www.broadcom.com/support/security-center/protection-bulletin/cylance-ransomware-targets-both-windows-and-linux",{"malware_info":995,"category":304,"primary_tags":1000,"mutexes":1001},{"family":996,"aliases":997,"description":999,"threat_actor":11,"first_seen":11},"Cyst",[998],"cystloader","Cyst is a loader malware that has been used by various threat actors, including the Cobalt Group, to deliver additional payloads to compromised systems. 
The malware is designed to evade detection while establishing persistence and executing malicious code.",[304,306,92,19],[1002],{"name":1003,"references":1004,"date_added":100,"analyst":27,"notes":1006},"syst\u003C10 digits>",[1005],"https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target",[1007],"The mutex name is dynamic. The '\u003C10 digits>' part is a placeholder for 10 random digits generated on the compromised machine.",{"malware_info":1009,"category":34,"primary_tags":1015,"mutexes":1016},{"family":1010,"aliases":1011,"description":1014,"threat_actor":11,"first_seen":145},"d0glun",[1012,1013],"doglun","d0glun Ransomware","d0glun is a ransomware variant that encrypts files on a victim's system and demands a ransom for their decryption.",[36],[1017],{"name":1018,"references":1019,"date_added":172,"analyst":27},"dawdhahdaw",[1020],"https://app.any.run/tasks/24679d01-a0c3-4b91-adc1-db5937e6e651/",{"malware_info":1022,"category":304,"primary_tags":1029,"mutexes":1030},{"family":1023,"aliases":1024,"description":1028,"threat_actor":11,"first_seen":145},"D3F@ck",[1025,1026,1027],"D3F@ck Loader","defack","defuck","D3F@ck is a loader malware that has been observed in various cybercriminal campaigns. The malware is designed to download and execute additional payloads on compromised systems and is known for its evasion techniques and multi-stage attack capabilities.",[306,307,309,150],[1031],{"name":1032,"references":1033,"date_added":82,"analyst":27},"Little further",[1034],"https://app.any.run/tasks/bc01e10a-8d7b-4641-bb42-22c5fe8ff579",{"malware_info":1036,"category":34,"primary_tags":1041,"mutexes":1042},{"family":1037,"aliases":1038,"description":1040,"threat_actor":1037,"first_seen":12},"DarkAngels",[1039],"DarkAngels Ransomware","DarkAngels is a ransomware believed to be a rebrand of Babuk. 
It performs targeted attacks, encrypts files with the .crypt extension, and can spread through network shares.",[36,793],[1043],{"name":1037,"references":1044,"date_added":278,"analyst":27},[1045],"https://cyble.com/blog/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/",{"malware_info":1047,"category":34,"primary_tags":1052,"mutexes":1055},{"family":1048,"aliases":1049,"description":1051,"threat_actor":1048,"first_seen":113},"DarkBit",[1050],"DarkBit Ransomware","DarkBit is a politically motivated ransomware that has targeted organizations in Israel. It encrypts files and appends the .Darkbit extension.",[1053,1054],"political_motive","hacktivism",[1056],{"name":1057,"references":1058,"date_added":577,"analyst":27},"Global\\dbdbdbdb",[1059,1060],"https://cyble.com/blog/uncovering-the-dark-side-of-darkbit-ransomware/","https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel",{"malware_info":1062,"category":13,"primary_tags":1069,"mutexes":1071},{"family":1063,"aliases":1064,"description":1067,"threat_actor":11,"first_seen":1068},"DarkComet",[1065,1066],"DarkComet RAT","darkkomet","DarkComet is a long-standing and feature-rich Remote Access Trojan (RAT) that has been used by various threat actors for years. It provides extensive capabilities for remote control, surveillance, and data theft.","2008",[15,1070,526,164,165],"commodity_RAT",[1072,1079,1084,1087],{"name":1073,"references":1074,"date_added":172,"analyst":27,"notes":1077},"DC_MUTEX-\u003C7 Alphanumeric Characters>",[1075,1076],"https://blog.talosintelligence.com/ding-your-rat-has-been-delivered/","https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/",[1078],"The mutex name is dynamic. 
The '\u003C7 Alphanumeric Characters>' part is a placeholder for a randomly generated string.",{"name":1080,"references":1081,"date_added":172,"analyst":27,"notes":1083},"DCMIN_MUTEX-\u003C7 Alphanumeric Characters>",[1082],"https://blog.talosintelligence.com/threat-roundup-0122/",[1078],{"name":1085,"references":1086,"date_added":172,"analyst":27},"DCMUTEX",[1082],{"name":1088,"references":1089,"date_added":172,"analyst":27},"DCPERSFWBP",[1090],"https://tria.ge/240426-n1ymfsba99/behavioral2/analog?q=DCPERSFWBP&main_event=Mutex",{"malware_info":1092,"category":34,"primary_tags":1095,"mutexes":1098},{"family":1093,"description":1094,"threat_actor":11,"first_seen":113},"Darkrace","Darkrace is a ransomware that shares similarities with LockBit and employs a double-extortion strategy by exfiltrating data before encryption.",[34,1096,1097,401],"lockbit_variant","double-extortion",[1099],{"name":1100,"references":1101,"date_added":61,"analyst":27},"CheckMutex",[1102],"https://cyble.com/blog/unmasking-the-darkrace-ransomware-gang",{"malware_info":1104,"category":304,"primary_tags":1109,"mutexes":1111},{"family":1105,"aliases":1106,"description":1108,"threat_actor":11,"first_seen":909},"DarkTortilla",[1107],"DarkTortilla Crypter","DarkTortilla is a sophisticated .NET-based crypter used to deliver various malicious payloads, including information stealers, RATs, and ransomware, often distributed via phishing campaigns.",[1110,585],"crypter",[1112],{"name":1113,"references":1114,"date_added":61,"analyst":27},"NUkiklN\u003CyjUKNj",[1115],"https://cyble.com/blog/sophisticated-darktortilla-malware-spreading-via-phishing-sites/",{"malware_info":1117,"category":13,"primary_tags":1122,"mutexes":1123},{"family":1118,"aliases":1119,"description":1121,"threat_actor":11,"first_seen":909},"DarkTrack",[1120],"DarkTrack RAT","DarkTrack is a commodity Remote Access Trojan (RAT) that provides a wide range of features for controlling and monitoring compromised systems. 
It has been used by various threat actors since its release.",[15,164,165],[1124],{"name":1125,"references":1126,"date_added":172,"analyst":27,"notes":1128},"I_AM_DT\u003Cuniqueid>",[1127],"https://app.any.run/tasks/720cbf18-903d-4a55-9ea1-4e8a92b4ee4d/",[1129],"The mutex name is dynamic. The '\u003Cuniqueid>' part is a placeholder, often representing a unique identifier such as a hash of the machine's GUID.",{"malware_info":1131,"category":13,"primary_tags":1136,"mutexes":1139},{"family":1132,"aliases":1133,"description":1135,"threat_actor":11,"first_seen":12},"Dark Crystal RAT",[1134],"DCRat","Dark Crystal RAT (DCRat) is a Russian-developed remote access trojan that provides attackers with extensive control over compromised systems. It is sold as a commercial RAT and has been used in various cybercriminal campaigns. The malware uses specific mutexes to ensure single instance execution and coordinate its activities.",[15,1137,1138,16,17],"commercial_rat","russian_origin",[1140,1147],{"name":1141,"references":1142,"date_added":26,"analyst":27,"notes":1145},"DCR_MUTEX-\u003C20_random_alphanumeric_characters>",[1143,1144],"https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html","https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",[1146],"The mutex name is dynamic. 
The '\u003C20_random_alphanumeric_characters>' part is a placeholder for 20 random alphanumeric characters generated on the compromised machine.",{"name":1148,"references":1149,"date_added":100,"analyst":27,"notes":1151},"DcRatMutex_qwqdanchun",[1150],"https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government",[1152],"Static mutex used by DCRat variant impersonating Colombian government",{"malware_info":1154,"category":16,"primary_tags":1161,"mutexes":1166},{"family":1155,"aliases":1156,"description":1158,"threat_actor":1159,"first_seen":228},"DFKRAT",[1157],"DFKRAT backdoor","DFKRAT is a sophisticated backdoor malware associated with the NGC2180 threat group, designed for cyberespionage targeting high-ranking entities. It uses multi-stage delivery mechanisms including DLL side-loading and shellcode injection, employs RC4 encryption for C&C communication, and supports interactive shell, file exfiltration, and potential additional malware download capabilities.",[1160],"NGC2180",[16,1162,1163,1164,608,1165],"cyberespionage","dll_side_loading","shellcode_injection","file_exfiltration",[1167],{"name":1168,"references":1169,"date_added":1171,"analyst":27},"loasd6asdg6",[1170],"https://rt-solar.ru/solar-4rays/blog/4124/","2025-01-27",{"malware_info":1173,"category":34,"primary_tags":1178,"mutexes":1179},{"family":1174,"aliases":1175,"description":1177,"threat_actor":11,"first_seen":669},"Dharma",[1176],"CrySiS","Dharma is a ransomware family that has been active since 2016. It operates as a Ransomware-as-a-Service (RaaS) and new variants are continuously released. 
This variant uses a mutex to ensure only one instance runs on the system.",[36,53,17],[1180],{"name":1181,"references":1182,"date_added":1185,"analyst":27},"Global\\syncronize_\u003Cuniqueid>",[1183,1184],"https://cymulate.com/blog/immediate-threat-analysis-new-dharma-ransomware/","https://www.threatdown.com/blog/a-deep-dive-into-phobos-ransomware/","2025-01-05",{"malware_info":1187,"category":34,"primary_tags":1193,"mutexes":1195},{"family":1188,"aliases":1189,"description":1191,"threat_actor":1192,"first_seen":51},"DireWolf",[1190,1188],"Dire Wolf Ransomware","DireWolf (also known as Dire Wolf) is an emerging ransomware variant that employs double extortion tactics, encrypting victim files and threatening to publish stolen data. The ransomware group claims to be financially motivated with 'no morals, no political stance.' The malware creates a global mutex to prevent multiple instances from running simultaneously.","DireWolf Ransomware Group",[36,37,17,215,1194],"emerging_threat",[1196],{"name":1197,"references":1198,"date_added":61,"analyst":27},"Global\\direwolfAppMutex",[1199],"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-strikes-new-ransomware-group-targeting-global-sectors/",{"malware_info":1201,"category":34,"primary_tags":1207,"mutexes":1209},{"family":1202,"aliases":1203,"description":1206,"threat_actor":11,"first_seen":12},"DJVU",[1204,1205],"DJVU Ransomware","Stop Ransomware","DJVU (also known as Stop) is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It has been noted for its familiar characteristics and sophisticated encryption techniques.",[36,148,150,1208],"stop_family",[1210,1214],{"name":1211,"references":1212,"date_added":82,"analyst":27},"{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}",[1213],"https://blogs.blackberry.com/en/2022/09/djvu-the-ransomware-that-seems-strangely-familiar",{"name":1215,"references":1216,"date_added":82,"analyst":27},"{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}",[1213,1217],"https://tria.ge/230108-wwfvvaec82/behavioral2/analog?proc=100&main_event=Mutex&mutant=%7B1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D%7D",{"malware_info":1219,"category":34,"primary_tags":1224,"mutexes":1225},{"family":1220,"aliases":1221,"description":1223,"threat_actor":11,"first_seen":145},"DragonForce",[1222],"DragonForce Ransomware","DragonForce is a ransomware family that encrypts files on victim systems and appends a unique extension. It is known for its double extortion tactics and for targeting organizations globally. The malware creates a mutex to prevent multiple infections on the same system.",[36,215,17],[1226],{"name":1227,"references":1228,"date_added":82,"analyst":27},"dragonforce_encrypted_system",[1229],"https://www.group-ib.com/blog/dragonforce-ransomware/",{"malware_info":1231,"category":1238,"primary_tags":1239,"mutexes":1244},{"family":1232,"aliases":1233,"description":1235,"threat_actor":1236,"first_seen":1237},"Ducktail",[1234],"DuckTail Stealer","Ducktail is a stealer malware that targets professionals on LinkedIn to steal browser credentials and session data, ultimately to hijack Facebook Business 
accounts.","cluster25","2023-10","stealer",[1240,1241,1242,1243],"linkedin","facebook_business","credential_theft","session_hijacking",[1245],{"name":1246,"references":1247,"date_added":577,"analyst":27},"ICollectVASD",[1248,1249],"https://www.duskrise.com/2023/10/25/the-duck-is-hiring-in-italy-ducktail-spread-via-compromised-linkedin-profiles/","https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin",{"malware_info":1251,"category":249,"primary_tags":1259,"mutexes":1260},{"family":1252,"aliases":1253,"description":1255,"threat_actor":1256,"first_seen":89},"Dustman",[1254],"Dustman Wiper","Dustman is a wiper malware that overwrites data on logical drives with politically motivated messages.",[1257,1258],"OilRig","APT 34",[251,1053],[1261],{"name":1262,"references":1263,"date_added":577,"analyst":27},"Down With Bin Salman",[1264],"https://www.sonicwall.com/blog/dustman-malware-overwrites-logical-drives-data-with-down-with-saudi-kingdom-down-with-bin-salman",{"malware_info":1266,"category":1272,"primary_tags":1273,"mutexes":1276},{"family":1267,"aliases":1268,"description":1270,"threat_actor":1271,"first_seen":145},"DUSTTRAP",[1269],"DUSTTRAP Dropper","DUSTTRAP is a dropper used by APT41 that decrypts and executes a malicious payload in memory to establish command and control.","APT41","dropper",[1274,1275],"in-memory_execution","apt41",[1277],{"name":1278,"references":1279,"date_added":577,"analyst":27},"ICMzUEkdLNayBdWF",[1280],"https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust",{"malware_info":1282,"category":16,"primary_tags":1288,"mutexes":1289},{"family":1283,"aliases":1284,"description":1286,"threat_actor":1287,"first_seen":11},"Eagerbee",[1285],"eagerbee backdoor","Eagerbee is a sophisticated backdoor malware used by the REF5961 threat group (also known as CoughingDown) for persistent access and data exfiltration from compromised 
systems.","REF5961",[16,19,401,115],[1290],{"name":1291,"references":1292,"date_added":100,"analyst":27,"notes":1295},"mstoolFtip32W",[1293,1294],"https://www.elastic.co/de/security-labs/introducing-the-ref5961-intrusion-set","https://securelist.com/eagerbee-backdoor/115175/",[1296],"Mutex used by Eagerbee backdoor for process synchronization",{"malware_info":1298,"category":34,"primary_tags":1304,"mutexes":1306},{"family":1299,"aliases":1300,"description":1303,"threat_actor":11,"first_seen":89},"EKANS",[1301,1302],"Snake","Snake-Ekans","EKANS, also known as Snake, is a ransomware written in Go that has been observed targeting Industrial Control Systems (ICS) environments.",[36,1305],"ICS",[1307],{"name":1299,"references":1308,"date_added":172,"analyst":27},[1309,1310,1311],"https://id-ransomware.blogspot.com/2020/01/ekans-snake-ransomware.html","https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/","https://www.acronis.com/en-sg/blog/posts/snakeekans-ransomware-attacks-industrial-control-systems-acronis-stops-it/",{"malware_info":1313,"category":34,"primary_tags":1318,"mutexes":1320},{"family":1314,"aliases":1315,"description":1317,"threat_actor":11,"first_seen":145},"Embargo",[1316],"Embargo Ransomware","Embargo ransomware is a cross-platform ransomware written in Rust that uses double extortion techniques.",[1319,988,1097],"rust",[1321,1325],{"name":1322,"references":1323,"date_added":577,"analyst":27},"LoadUpOnGunsBringYourFriends",[1324],"https://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/",{"name":1326,"references":1327,"date_added":61,"analyst":27},"IntoTheFloodAgainSameOldTrip",[1328],"https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/",{"malware_info":1330,"category":1238,"primary_tags":1335,"mutexes":1336},{"family":1331,"aliases":1332,"description":1334,"threat_actor":11,"first_seen":113},"Exela",[1333],"Exela Stealer","Exela Stealer is a malware that targets social media giants 
and is capable of stealing sensitive information such as credentials and session data.",[164,1242],[1337],{"name":1338,"references":1339,"date_added":61,"analyst":27},"Exela | Stealar | on top |",[1340],"https://cyble.com/blog/exela-stealer-spotted-targeting-social-media-giants/",{"malware_info":1342,"category":16,"primary_tags":1350,"mutexes":1351},{"family":1343,"aliases":1344,"description":1346,"threat_actor":1347,"first_seen":11},"FalseFont",[1345],"falsefont backdoor","FalseFont is a sophisticated backdoor malware used by the Peach Sandstorm threat actor (Curious Serpens). The malware is designed to provide persistent access to compromised systems and is known for its advanced evasion techniques and modular architecture.",[1348,1349],"Peach Sandstorm","Curious Serpens",[16,19,115,92],[1352],{"name":1353,"references":1354,"date_added":100,"analyst":27},"864H!NKLNB*x_H?5",[1355,1356,1357],"https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/","https://www.nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/","https://www.cyfirma.com/news/weekly-intelligence-report-29-mar-2024/",{"malware_info":1359,"category":304,"primary_tags":1366,"mutexes":1370},{"family":1360,"aliases":1361,"description":1363,"threat_actor":1364,"first_seen":51},"Fangao",[1362],"Fangao loader","Fangao is a sophisticated multi-stage loader malware associated with the SalmonSlalom threat group, targeting industrial organizations in the Asia-Pacific region. It uses complex delivery mechanisms including DLL side-loading, leverages Chinese CDN services (myqcloud) and Youdao Cloud Notes for payload storage, and employs publicly available packers for encryption. 
The loader is designed to bypass security solutions through dynamic C2 server changes and legitimate application functionality abuse.",[1365],"SalmonSlalom",[304,307,1163,1367,1368,1369],"cdn_abuse","industrial_targeting","packer_encryption",[1371],{"name":1372,"references":1373,"date_added":193,"analyst":27},"UniqueMutexName",[1374],"https://ics-cert.kaspersky.ru/publications/reports/2025/03/27/operation-salmonslalom/",{"malware_info":1376,"category":1238,"primary_tags":1381,"mutexes":1384},{"family":1377,"aliases":1378,"description":1380,"threat_actor":11,"first_seen":11},"FFDroider",[1379],"FFDroider stealer","FFDroider is a stealer malware that targets social media platform users, designed to extract credentials, cookies, and other sensitive information from compromised systems.",[164,1382,1242,1383],"social_media_targeting","cookie_theft",[1385],{"name":1386,"references":1387,"date_added":100,"analyst":27,"notes":1389},"37238328-1324242-5456786-8fdff0-67547552436675",[1388],"https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",[1390],"Mutex used by FFDroider stealer for process synchronization",{"malware_info":1392,"category":34,"primary_tags":1397,"mutexes":1398},{"family":1393,"aliases":1394,"description":1396,"threat_actor":11,"first_seen":145},"Fog",[1395],"Fog Ransomware","Fog is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It employs sophisticated encryption techniques and has been analyzed by multiple security researchers for its evasion capabilities and attack patterns.",[36,148,150,309],[1399,1404],{"name":1400,"references":1401,"date_added":82,"analyst":27},"6jSf6QFH0VGR5XL4RGYarc5YVpB4W1H3",[1402,1403],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.fog.thdodbe","https://app.threat.zone/submission/efe469fe-d299-42d0-baf0-c01a2f5af95d/dynamic-scan-report/behaviour/mutex",{"name":1405,"references":1406,"date_added":82,"analyst":27},"BgGnsEdRrztEhEfg0vF8ZaFPYtoyg4lDQ",[1407],"https://www.ionsec.io/resources/clearing-the-mist-unveiling-fog-ransomware",{"malware_info":1409,"category":16,"primary_tags":1415,"mutexes":1417},{"family":1410,"aliases":1411,"description":1413,"threat_actor":1414,"first_seen":145},"FROSTRIFT",[1412],"FROSTRIFT Backdoor","FROSTRIFT is a backdoor malware that has been observed being distributed through fake AI websites. The malware is designed to provide remote access to compromised systems and is part of broader cybercriminal campaigns that weaponize fake AI platforms for malware distribution.","UNC6032",[15,1416,150,19],"fake_ai_websites",[1418],{"name":1419,"references":1420,"date_added":82,"analyst":27},"7d9196467986",[1421],"https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites",{"malware_info":1423,"category":16,"primary_tags":1430,"mutexes":1435},{"family":1424,"aliases":1425,"description":1428,"threat_actor":11,"first_seen":1429},"Gamarue",[1426,1427],"Andromeda","Wauchos","Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue we observe most frequently is a worm that spreads primarily via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as click fraud. 
Despite being disrupted in 2017, it continues to be prevalent and was in the top 10 threats eight times in 12 months in 2024, with new C2 infrastructure observed as of December 2024.","2011",[16,449,1431,1432,1433,1434],"worm","usb_spreader","click_fraud","c2_communication",[1436],{"name":1437,"references":1438,"date_added":562,"analyst":27},"345rdxcvgt567yhjm",[1439],"https://blog.talosintelligence.com/threat-roundup-0617-0624/",{"malware_info":1441,"category":34,"primary_tags":1446,"mutexes":1449},{"family":1442,"aliases":1443,"description":1445,"threat_actor":1442,"first_seen":896},"GandCrab",[1444],"gandcrab-ransomware","GandCrab was a highly prolific Ransomware-as-a-Service (RaaS) that operated from early 2018 to mid-2019. It was distributed through various methods, including exploit kits and spam email campaigns, before its operators announced their retirement.",[36,230,1447,1448],"exploit_kit","spam",[1450,1456],{"name":1451,"references":1452,"date_added":172,"analyst":27,"notes":1454},"Global\\pc_group=\u003CPc_Group>&ransom_id=\u003CVictim_id>",[1453],"https://www.acronis.com/en-sg/blog/posts/gandcrab/",[1455],"The mutex name is dynamic. The '\u003CPc_Group>' and '\u003CVictim_id>' parts are placeholders for the specific infection details.",{"name":1457,"references":1458,"date_added":172,"analyst":27},"AversSucksForever",[1459],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.gandcrab.tioiboch",{"malware_info":1461,"category":34,"primary_tags":1468,"mutexes":1470},{"family":1462,"aliases":1463,"description":1467,"threat_actor":11,"first_seen":896},"GarrantyDecrypt",[1464,1465,1466],"GarrantyDecrypt Ransomware","GarrantyDecrypt NextGen Ransomware","DecryptGarranty","GarrantyDecrypt is a ransomware family first seen in 2018, known for its numerous variants. 
It encrypts files and demands a ransom for a decryption key.",[36,1469],"RDP_bruteforce",[1471],{"name":1472,"references":1473,"date_added":172,"analyst":27},"666_nop_nop_nop_nop",[1474],"https://id-ransomware.blogspot.com/2018/10/garrantydecrypt-ransomware.html",{"malware_info":1476,"category":16,"primary_tags":1481,"mutexes":1482},{"family":1477,"aliases":1478,"description":1480,"threat_actor":11,"first_seen":89},"Glupteba",[1479],"Glupteba Backdoor","Glupteba is a sophisticated backdoor malware that has been observed in various cybercriminal campaigns. The malware is designed to provide remote access to compromised systems and has been analyzed for its advanced evasion techniques and multi-stage attack capabilities. It employs multiple mutexes to coordinate different components and prevent multiple infections.",[15,307,309,150,19],[1483,1489,1492],{"name":1484,"references":1485,"date_added":82,"analyst":27},"Global\\h48yorbq6rm87zot",[1486,1487,1488],"https://rt-solar.ru/solar-4rays/blog/3832/","https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba","https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/malware/trojan.win32.glupteba.ta",{"name":1490,"references":1491,"date_added":82,"analyst":27},"Global\\y7ze3fznx1u0yc2z",[1488],{"name":1493,"references":1494,"date_added":82,"analyst":27},"Global\\Mp6c3Ygukx29GbDk",[1488],{"malware_info":1496,"category":16,"primary_tags":1500,"mutexes":1501},{"family":1497,"aliases":1498,"description":1499,"threat_actor":11,"first_seen":33},"GoldenSpy",[],"GoldenSpy is a backdoor malware that provides remote access capabilities to compromised systems. 
It uses specific mutexes to ensure single instance execution and coordinate its activities on the infected system.",[15,16,17,19],[1502],{"name":1503,"references":1504,"date_added":26,"analyst":27},"nb_app_log_mutex",[1505],"https://www.trendmicro.com/vinfo/de/threat-encyclopedia/malware/backdoor.win32.goldenspy.ypah-a",{"malware_info":1507,"category":1110,"primary_tags":1512,"mutexes":1517},{"family":1508,"aliases":1509,"description":1511,"threat_actor":11,"first_seen":113},"Graven",[1510],"Graven Crypter","Graven is a crypter malware that has been observed in various cybercriminal campaigns. The malware is designed to encrypt and obfuscate other malicious payloads to evade detection by security solutions. It has been analyzed in the context of cooperation between cybercriminal groups and employs sophisticated obfuscation techniques.",[1513,1514,1515,309,1516],"payload_obfuscation","encryption","cybercriminal_cooperation","malware_protection",[1518],{"name":1519,"references":1520,"date_added":82,"analyst":27},"7ce3e80173264ea19b05306b865eadf9",[1521],"https://www.ibm.com/think/x-force/itg23-crypters-cooperation-between-cybercriminal-groups",{"malware_info":1523,"category":16,"primary_tags":1531,"mutexes":1533},{"family":1524,"aliases":1525,"description":1527,"threat_actor":1528,"first_seen":11},"GrimAgent",[1526],"GrimAgent backdoor","GrimAgent is a sophisticated backdoor malware designed to provide persistent access to compromised systems. 
The malware uses advanced evasion techniques and is capable of executing various commands from command and control servers.",[1529,1530],"FIN6","Wizard Spider",[16,19,1532,92],"remote_control",[1534],{"name":1535,"references":1536,"date_added":100,"analyst":27},"mymutex",[1537],"https://www.group-ib.com/blog/grimagent/",{"malware_info":1539,"category":304,"primary_tags":1544,"mutexes":1545},{"family":1540,"aliases":1541,"description":1543,"threat_actor":1414,"first_seen":145},"GRIMPULL",[1542],"GRIMPULL Loader","GRIMPULL is a loader malware that has been observed being distributed through fake AI websites. The malware is designed to download and execute additional payloads on compromised systems and is part of broader cybercriminal campaigns that weaponize fake AI platforms for malware distribution.",[306,1416,150,307],[1546],{"name":1547,"references":1548,"date_added":82,"analyst":27},"aff391c406ebc4c3",[1421],{"malware_info":1550,"category":34,"primary_tags":1556,"mutexes":1558},{"family":1551,"aliases":1552,"description":1554,"threat_actor":11,"first_seen":1555},"Gryphon",[1553],"BTCWare Gryphon","Gryphon is a ransomware-type virus discovered by malware security researcher Leo. It's a variant of BTCWare ransomware. Once infiltrated, Gryphon encrypts stored data and appends filenames with extensions like '.[test].gryphon', '.[decr@cock.li].gryphon', and '.[bravobravo@cock.li].gryphon'. Following successful encryption, it creates a text file ('!## DECRYPT FILES ##!.txt') containing ransom demands in each folder with encrypted files. 
Updated variants use .crypton extensions with email addresses like gladius_rectus@aol.com and macgregor@aolonline.top.","2017",[34,36,1557,555,556],"btcware_variant",[1559],{"name":1560,"references":1561,"date_added":1171,"analyst":27},"GIVEMEBTC",[1562],"https://app.any.run/tasks/e04d831c-a42d-4f5b-9ff0-efee309eaa59/",{"malware_info":1564,"category":34,"primary_tags":1569,"mutexes":1570},{"family":1565,"aliases":1566,"description":1568,"threat_actor":11,"first_seen":145},"Gunra",[1567],"Gunra Ransomware","Gunra is a ransomware variant that encrypts files and demands a ransom for their decryption.",[36,148],[1571],{"name":1572,"references":1573,"date_added":124,"analyst":27},"kjsidugiaadf99439",[1574],"https://github.com/TheRavenFile/Daily-Hunt/blob/main/Gunra%20Ransomware",{"malware_info":1576,"category":844,"primary_tags":1580,"mutexes":1583},{"family":1577,"aliases":1578,"description":1579,"threat_actor":11,"first_seen":145},"GuptiMiner",[1577],"GuptiMiner is a sophisticated malware that hijacks antivirus updates to distribute backdoors and cryptocurrency miners. The malware employs advanced techniques to evade detection and has been observed using multiple mutexes to coordinate different components and prevent multiple infections on the same system.",[846,16,1581,1582,309],"antivirus_hijacking","update_abuse",[1584,1590,1595,1598,1601],{"name":1585,"references":1586,"date_added":82,"analyst":27,"notes":1588},"Mutex_ONLY_ME_V\u003Cversion>",[1587],"https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/",[1589],"The mutex name is dynamic. The '\u003Cversion>' part is a single digit observed as 1, 2, or 3, so match on the prefix 'Mutex_ONLY_ME_V' rather than a fixed full name.",{"name":1591,"references":1592,"date_added":82,"analyst":27,"notes":1593},"SLDV\u003C2-3 numeric>",[1587],[1594],"The mutex name is dynamic. 
The '\u003C2-3 numeric>' part is a placeholder for 2-3 numeric characters.",{"name":1596,"references":1597,"date_added":82,"analyst":27},"GlobalMIVOD_V4",[1587],{"name":1599,"references":1600,"date_added":82,"analyst":27},"MIVOD_6",[1587],{"name":1602,"references":1603,"date_added":82,"analyst":27},"MTX_EX01",[1587],{"malware_info":1605,"category":34,"primary_tags":1610,"mutexes":1611},{"family":1606,"aliases":1607,"description":1609,"threat_actor":11,"first_seen":228},"Hamster",[1608],"Hamster Ransomware","Hamster Ransomware is a variant of Babuk ransomware observed in late 2021. It encrypts files and appends the .hamster extension.",[36,401],[1612],{"name":1613,"references":1614,"date_added":172,"analyst":27},"HamsterLiveHere",[1615],"https://id-ransomware.blogspot.com/2021/11/hamster-ransomware.html",{"malware_info":1617,"category":34,"primary_tags":1624,"mutexes":1626},{"family":1618,"aliases":1619,"description":1622,"threat_actor":1623,"first_seen":33},"HelloKitty",[1620,1621],"HelloKitty Ransomware","FiveHands","HelloKitty is a ransomware variant known for targeting large corporations and was famously used in the attack against CD Projekt Red. It is often associated with the FiveHands ransomware due to shared infrastructure and tactics.","UNC2447",[36,148,1625],"cd_projekt_red",[1627],{"name":1628,"references":1629,"date_added":124,"analyst":27},"HELLOKITTYMutex",[1630,1631],"https://www.sentinelone.com/anthology/hello-kitty/","https://cloud.google.com/blog/topics/threat-intelligence/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat",{"malware_info":1633,"category":34,"primary_tags":1637,"mutexes":1638},{"family":1634,"aliases":1635,"description":1636,"threat_actor":11,"first_seen":145},"HelloXD",[],"HelloXD is a ransomware family that encrypts files and demands payment for decryption. 
It uses specific mutexes to ensure only one instance runs on the infected system and has been analyzed for its encryption techniques and ransom note characteristics.",[36,37,17,148],[1639],{"name":1640,"references":1641,"date_added":26,"analyst":27},"With best wishes And good intentions...",[1642],"https://unit42.paloaltonetworks.com/helloxd-ransomware/",{"malware_info":1644,"category":34,"primary_tags":1650,"mutexes":1653},{"family":1645,"aliases":1646,"description":1649,"threat_actor":11,"first_seen":1555},"Hermes",[1647,1648],"Hermes Ransomware","Hermes 2.1","Hermes is a ransomware family that has been distributed through various means, including malvertising campaigns and zero-day exploits. The 2.1 variant was notably spread via a Flash zero-day targeting South Korean users.",[36,1651,1652],"zero-day","malvertising",[1654],{"name":1655,"references":1656,"date_added":172,"analyst":27},"tech",[1657],"https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day",{"malware_info":1659,"category":304,"primary_tags":1664,"mutexes":1666},{"family":1660,"aliases":1661,"description":1663,"threat_actor":11,"first_seen":113},"HijackLoader",[1662],"hijackloader loader","HijackLoader is a modular malware loader that is used to load various malicious payloads onto a victim's system. It often employs advanced evasion techniques to avoid detection.",[1665,1272],"modular",[1667],{"name":1668,"references":1669,"date_added":61,"analyst":27},"BOGLVGAU",[1670],"https://app.any.run/tasks/7a48176e-b683-4472-98fd-b824935db29f",{"malware_info":1672,"category":34,"primary_tags":1678,"mutexes":1679},{"family":1673,"aliases":1674,"description":1676,"threat_actor":1677,"first_seen":33},"Hydra",[1675],"Flamingo","Hydra is a variant of the Flamingo ransomware family. It encrypts user files with AES+RSA and demands a ransom. 
The threat actors behind this family call themselves 'King Of Ransom'.","King Of Ransom",[36,17],[1680],{"name":1681,"references":1682,"date_added":393,"analyst":27},"Local\\$hYdr4Rans$",[1683],"https://id-ransomware.blogspot.com/2020/09/flamingo-ransomware.html",{"malware_info":1685,"category":34,"primary_tags":1690,"mutexes":1692},{"family":1686,"aliases":1687,"description":1689,"threat_actor":11,"first_seen":89},"Indrik",[1688],"indrik-ransomware","Indrik is a ransomware family that appeared in early 2019 and is believed to be a predecessor to Desync ransomware.",[36,1691],"corporate_network",[1693],{"name":1694,"references":1695,"date_added":172,"analyst":27},"Global\\Indrik",[1696],"https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html",{"malware_info":1698,"category":13,"primary_tags":1703,"mutexes":1704},{"family":1699,"aliases":1700,"description":1702,"threat_actor":11,"first_seen":12},"Jason",[1701],"Jason RAT","Jason RAT is a Remote Access Trojan used to gain unauthorized access and control over a victim's computer.",[15,164,165],[1705],{"name":1706,"references":1707,"date_added":172,"analyst":27,"notes":1709},"jason_\u003Cuniqueid>",[1708],"https://app.any.run/tasks/2852bf84-8870-47b7-828e-8233e55aee54/",[662],{"malware_info":1711,"category":34,"primary_tags":1715,"mutexes":1716},{"family":1712,"aliases":1713,"description":1714,"threat_actor":1712,"first_seen":228},"Karma",[1712],"Karma ransomware is a malicious software that encrypts files on a victim's computer and demands a ransom payment in exchange for the decryption key.",[36],[1717],{"name":1718,"references":1719,"date_added":1721,"analyst":27},"KARMA",[1720],"https://cyble.com/blog/a-deep-dive-analysis-of-karma-ransomware","2025-01-12",{"malware_info":1723,"category":34,"primary_tags":1728,"mutexes":1729},{"family":1724,"aliases":1725,"description":1727,"threat_actor":11,"first_seen":145},"KawaLocker",[1726],"Kawa Ransomware","KawaLocker is a ransomware variant that encrypts 
files and demands a ransom for their decryption.",[36,148],[1730],{"name":1731,"references":1732,"date_added":124,"analyst":27},"SAY_HI_2025",[1733],"https://github.com/TheRavenFile/Daily-Hunt/blob/main/Kawa%20Ransomware",{"malware_info":1735,"category":69,"primary_tags":1740,"mutexes":1741},{"family":1736,"aliases":1737,"description":1739,"threat_actor":11,"first_seen":145},"Keyzetsu Clipper",[1738],"KeyzetsuClipper","Keyzetsu Clipper is a malware that steals cryptocurrency by monitoring the clipboard for cryptocurrency wallet addresses and replacing them with the attacker's address.",[201,72],[1742],{"name":1743,"references":1744,"date_added":207,"analyst":27},"2ILdX2JpexVZieT6mPv2i6Jp3HNFPlby",[206],{"malware_info":1746,"category":16,"primary_tags":1752,"mutexes":1753},{"family":1747,"aliases":1748,"description":1750,"threat_actor":1751,"first_seen":145},"Kivars",[1749],"Kivars Backdoor","Kivars is a backdoor used by the Kimsuky APT group. It establishes persistence and allows attackers to execute commands on a compromised system.","Kimsuky",[165,19,115],[1754],{"name":1755,"references":1756,"date_added":172,"analyst":27,"notes":1758},"uni-web-\u003Cuniqueid>",[1757],"https://x.com/rst_cloud/status/1896196308873969727",[662],{"malware_info":1760,"category":1238,"primary_tags":1768,"mutexes":1769},{"family":1761,"aliases":1762,"description":1764,"threat_actor":1765,"first_seen":113},"KiwiStealer",[1763],"Kiwi-Stealer","KiwiStealer is an information stealer designed to exfiltrate sensitive data from compromised systems, such as credentials, cookies, and cryptocurrency wallets.",[1766,1767],"APT-C-08","Manlinghua",[164,1242],[1770],{"name":1771,"references":1772,"date_added":172,"analyst":27},"rabadaisunique",[1773],"https://www.ctfiot.com/219079.html",{"malware_info":1775,"category":34,"primary_tags":1780,"mutexes":1781},{"family":1776,"aliases":1777,"description":1779,"threat_actor":11,"first_seen":12},"Koxic",[1778],"koxic-ransomwar","Koxic ransomware is a 
malware that encrypts files on a victim's machine and demands a ransom for the decryption key.",[36],[1782],{"name":1783,"references":1784,"date_added":278,"analyst":27},"_atus_",[1785],"https://cyble.com/blog/koxic-ransomware-deep-diveanalysis/",{"malware_info":1787,"category":34,"primary_tags":1792,"mutexes":1794},{"family":1788,"aliases":1789,"description":1791,"threat_actor":11,"first_seen":896},"Kraken",[1790],"Kraken Ransomware","Kraken is a ransomware variant that utilizes obfuscation and various evasion techniques. It is known for its dynamic mutex generation, which incorporates the victim's computer name.",[36,326,1793],"dynamic_mutex",[1795],{"name":1796,"references":1797,"date_added":172,"analyst":27},"Microsoft-Kraken-\u003CComputerName>",[1798],"https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/ise2.12004",{"malware_info":1800,"category":304,"primary_tags":1806,"mutexes":1809},{"family":1801,"aliases":1802,"description":1805,"threat_actor":11,"first_seen":113},"Latrodectus",[1803,1804],"Latrodectus Loader","BlackWidow","Latrodectus is a sophisticated loader malware, considered a successor to IcedID, used to deliver additional payloads and establish persistence on infected systems. 
It employs advanced evasion techniques, creates a mutex to prevent reinfection, and is distributed primarily via phishing campaigns.",[304,585,92,19,1807,1808],"dll","msi",[1810],{"name":1811,"references":1812,"date_added":82,"analyst":27,"notes":1816},"runnung",[1813,1814,1815],"https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus","https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice","https://www.vmray.com/latrodectus-a-year-in-the-making/",[1817],"The mutex name 'runnung' is a consistent misspelling of 'running' reported across the Latrodectus samples analyzed in the cited references, where it is used to prevent multiple infections. Re-verify it against newer builds: a single hard-coded string is trivial for the operators to change.",{"malware_info":1819,"category":304,"primary_tags":1824,"mutexes":1827},{"family":1820,"aliases":1821,"description":1823,"threat_actor":11,"first_seen":145},"Leprechaun",[1822],"Leprechaun Loader","Leprechaun is a malware loader documented in the cited Gurucul analysis. It serves as an initial access tool designed to download and execute additional payloads on compromised systems.",[304,1825,306,1826],"initial_access","download_execute",[1828],{"name":1829,"references":1830,"date_added":26,"analyst":27},"LeprechaunHvnc",[1831],"https://gurucul.com/blog/leprechaun-a-new-malware-loader/",{"malware_info":1833,"category":16,"primary_tags":1846,"mutexes":1853},{"family":1834,"aliases":1835,"description":1837,"threat_actor":1838,"first_seen":896},"LoptikMod",[1836],"loptik","LoptikMod is malware used by the DoNot APT group, a threat actor that primarily targets South Asian countries including Pakistan, Bangladesh, and Sri Lanka to conduct cyber-espionage activities against government agencies, defense and military, diplomatic sector, and important business figures. The group has dual-platform attack capabilities for Windows and Android, often using PDF document decoys, malicious Office documents with macro code, and EXE files disguised as PDF documents. 
They employ sophisticated attack chains including phishing links, scheduled tasks for persistence, and AES encryption for data exfiltration.",[1839,1840,1841,1842,1843,1844,1845],"DoNot APT group","APT-Q-38","APT-C-35","Mint Tempest","Origami Elephant","SECTOR02","Viceroy Tiger",[1847,1848,1849,1850,1851,19,1852,307],"cyber_espionage","south_asia","pdf_decoy","macro_malware","scheduled_tasks","aes_encryption",[1854],{"name":1855,"references":1856,"date_added":354,"analyst":27},"08808",[1857,1858],"https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-en/","https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/",{"malware_info":1860,"category":34,"primary_tags":1866,"mutexes":1867},{"family":1861,"aliases":1862,"description":1864,"threat_actor":1865,"first_seen":11},"Lorenz",[1863],"Lorenz ransomware","Lorenz is a ransomware family operated by the Lorenz Group, known for targeting organizations and demanding cryptocurrency payments for file decryption. The malware uses sophisticated encryption techniques and is designed to evade detection. The recorded mutex name 'wolf' is short and generic, so it is a weak standalone indicator and should be corroborated with other evidence before being used for detection.","lorenz group",[34,36,115,401],[1868],{"name":1869,"references":1870,"date_added":100,"analyst":27},"wolf",[1871],"https://lmntrix.com/blog/lmntrix-vs-lorenz-ransomware/",{"malware_info":1873,"category":1238,"primary_tags":1878,"mutexes":1883},{"family":1874,"aliases":1875,"description":1877,"threat_actor":11,"first_seen":12},"Lumma",[1876],"Lumma Stealer","Lumma Stealer is an information-stealing malware that has been observed being distributed through Telegram channels. The malware is designed to steal sensitive information from compromised systems including credentials, browser data, and other valuable information. 
It is part of a broader trend of malware proliferation through social media platforms.",[1879,1242,1880,1881,1882],"information_stealer","browser_theft","telegram_distribution","social_media_malware",[1884],{"name":1885,"references":1886,"date_added":82,"analyst":27},"sodfksdkfalksdasgpkprgasdgrrkgwhrterheegwsdfwef",[1887],"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-rise-how-telegram-channels-are-fueling-malware-proliferation/",{"malware_info":1889,"category":1238,"primary_tags":1894,"mutexes":1895},{"family":1890,"aliases":1891,"description":1893,"threat_actor":11,"first_seen":11},"Luxy",[1892],"luxy stealer","Luxy is an information stealer malware designed to extract sensitive data from compromised systems, including credentials, cookies, and other valuable information for cybercriminal operations.",[164,1242,1383],[1896],{"name":1897,"references":1898,"date_added":100,"analyst":27},"DBPC303NG10hWTOR7NoN",[1899],"https://app.any.run/tasks/449fa9a2-cccc-4d03-822c-dd6ccbf0a883",{"malware_info":1901,"category":304,"primary_tags":1905,"mutexes":1908},{"family":1902,"aliases":1903,"description":1904,"threat_actor":11,"first_seen":145},"MagnetLoader",[1902],"MagnetLoader is a loader malware that has been observed in various cybercriminal campaigns. The malware is designed to download and execute additional payloads on compromised systems and has been analyzed in the context of Cobalt Strike memory analysis. 
It employs sophisticated techniques to evade detection and establish persistence. Detection caveat: the recorded mutex 'SM0:220:304:WilStaging_02_p1h' embeds what appear to be per-process numeric fields and follows the naming pattern of WIL feature-staging mutexes that legitimate Windows processes also create, so it is a weak standalone indicator and should be corroborated with other evidence.",[306,307,1906,1907,150],"cobalt_strike","memory_analysis",[1909],{"name":1910,"references":1911,"date_added":82,"analyst":27},"SM0:220:304:WilStaging_02_p1h",[1912],"https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/",{"malware_info":1914,"category":34,"primary_tags":1919,"mutexes":1920},{"family":1915,"aliases":1916,"description":1918,"threat_actor":11,"first_seen":33},"Makop",[1917],"Makop Ransomware","Makop ransomware encrypts user’s files and expects a ransom for the decryption key. It uses an AES256 key to decrypt important strings at runtime including an RSA public key. The process creates a mutex to ensure that it avoids infecting the system more than once and uses an entry under the Run key to establish persistence on the host.",[36,19,17],[1921],{"name":1922,"references":1923,"date_added":393,"analyst":27},"m23071644",[1924,1925],"https://cybergeeks.tech/makop-ransomware/","https://x.com/darb0ng/status/1270539362942386176",{"malware_info":1927,"category":34,"primary_tags":1933,"mutexes":1935},{"family":1928,"aliases":1929,"description":1932,"threat_actor":11,"first_seen":228},"Mallox",[1930,1931],"Mallox Ransomware","TargetCompany","Mallox is a ransomware family that has been active since at least mid-2021. It is known for targeting insecure MS-SQL servers, exfiltrating data, and then encrypting the victim's files.",[36,1934,401],"mssql_bruteforce",[1936],{"name":1937,"references":1938,"date_added":172,"analyst":27},"89A72EF01",[1939],"https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/new-mallox-ransomware-variant-discovered-wild",{"malware_info":1941,"category":34,"primary_tags":1947,"mutexes":1949},{"family":1942,"aliases":1943,"description":1945,"threat_actor":1946,"first_seen":145},"Mamona",[1944],"Mamona Ransomware","Mamona is a ransomware-as-a-service (RaaS) operation that has been observed in various cybercriminal campaigns. 
The malware is designed to encrypt files on victim systems and demand payment for decryption. It is associated with the Global Group and employs sophisticated encryption techniques to target organizations globally.","Mamona Group",[36,53,148,1948,150],"global_group",[1950],{"name":1951,"references":1952,"date_added":82,"analyst":27},"Global\\Fxo16jmdgujs437",[1953,1954],"https://app.threat.zone/submission/2236ec1f-eaaa-4b19-b864-4059dac59efa/dynamic-scan-report/behaviour/mutex","https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service",{"malware_info":1956,"category":1238,"primary_tags":1961,"mutexes":1962},{"family":1957,"aliases":1958,"description":1960,"threat_actor":11,"first_seen":12},"Mars",[1959],"Mars Stealer","Mars Stealer is an information-stealing malware that has been observed in various cybercriminal campaigns. The malware is designed to steal sensitive information from compromised systems including credentials, browser data, and other valuable information. It employs sophisticated techniques to evade detection and establish persistence.",[1879,1242,1880,150,309],[1963,1967,1971],{"name":1964,"references":1965,"date_added":82,"analyst":27},"67820366929896267194",[1966],"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",{"name":1968,"references":1969,"date_added":82,"analyst":27},"92550737836278980100",[1970],"https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html",{"name":1972,"references":1973,"date_added":82,"analyst":27},"86223203794583053453",[1974],"https://3xp0rt.com/posts/mars-stealer/",{"malware_info":1976,"category":13,"primary_tags":1980,"mutexes":1984},{"family":1977,"aliases":1978,"description":1979,"threat_actor":11,"first_seen":145},"MasonRAT",[1977],"MasonRAT is a Remote Access Trojan (RAT) that has been observed in targeted attacks against Windows Server environments. 
The malware is designed to provide remote access to compromised systems and has been detected using Elastic SIEM for threat hunting and analysis.",[15,1981,165,1982,1983],"windows_server","threat_hunting","elastic_siem",[1985],{"name":1986,"references":1987,"date_added":82,"analyst":27},"rmldKj40qW2UTlEe",[1988],"https://daniyyell.com/threat%20hunting/tools/malware%20analysis/Threat-Hunting-on-Windows-Server-2016-Uncovering-Hidden-C2-Malware-Using-Elastic-SIEM/",{"malware_info":1990,"category":304,"primary_tags":1995,"mutexes":1996},{"family":1991,"aliases":1992,"description":1994,"threat_actor":11,"first_seen":11},"Matanbuchus",[1993],"matanbuchus loader","Matanbuchus is a sophisticated loader malware that operates as Malware-as-a-Service (MaaS), designed to deliver additional payloads to compromised systems. The malware uses advanced evasion techniques and is known for its modular architecture.",[304,570,92,306],[1997],{"name":1998,"references":1999,"date_added":100,"analyst":27,"notes":2001},"sync\u003CUniqueID>",[2000],"https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/",[2002],"The mutex name is dynamic. The '\u003CUniqueID>' part is a placeholder for a unique identifier generated on the compromised machine.",{"malware_info":2004,"category":34,"primary_tags":2009,"mutexes":2010},{"family":2005,"aliases":2006,"description":2008,"threat_actor":11,"first_seen":145},"Matrix",[2007],"Matrix Ransomware","Matrix is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It employs sophisticated encryption techniques and has been analyzed for its attack patterns and evasion capabilities.",[36,148,150,309],[2011,2015],{"name":2012,"references":2013,"date_added":82,"analyst":27},"OurMainMutex999",[2014],"https://github.com/sophoslabs/IoCs/blob/4b06149929305d1431a425d2b271a0e04f855f4a/Ransomware-Matrix",{"name":2016,"references":2017,"date_added":82,"analyst":27},"OurMainMutex999net",[2014],{"malware_info":2019,"category":34,"primary_tags":2022,"mutexes":2024},{"family":2020,"description":2021,"first_seen":89,"threat_actor":11},"MedusaLocker","MedusaLocker is a ransomware that has been in operation since 2019. It operates as a Ransomware-as-a-Service (RaaS) and primarily gains access to victim networks through vulnerable Remote Desktop Protocol (RDP) configurations.",[53,17,2023],"rdp",[2025],{"name":2026,"references":2027,"date_added":61,"analyst":27},"8761ABBD-7F85-42EE-B272-A76179687C63",[2028],"https://cyble.com/blog/unmasking-medusalocker-ransomware/",{"malware_info":2030,"category":1238,"primary_tags":2035,"mutexes":2036},{"family":2031,"aliases":2032,"description":2034,"threat_actor":11,"first_seen":113},"Meduza",[2033],"Meduza Stealer","Meduza is an information stealer designed to exfiltrate sensitive data from compromised systems, such as browser credentials, system information, and cryptocurrency wallets.",[164,1242,165],[2037],{"name":2038,"references":2039,"date_added":172,"analyst":27,"notes":2041},"mmm-\u003Cuniqueid>",[2040],"https://app.any.run/tasks/6aa87dc7-0625-462e-a8b3-41776473a28f/",[662],{"malware_info":2043,"category":34,"primary_tags":2048,"mutexes":2049},{"family":2044,"aliases":2045,"description":2047,"threat_actor":11,"first_seen":145},"Moisha",[2046],"Moisha Ransomware","Moisha is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It has been analyzed for its attack patterns and sophisticated encryption techniques, employing advanced evasion capabilities.",[36,148,150,309],[2050],{"name":2051,"references":2052,"date_added":82,"analyst":27,"notes":2055},"Global\\__w3616de3-6u4b-32fc-97b1-de928faadf50",[2053,2054],"https://cyble.com/blog/moisha-ransomware-in-action","https://app.any.run/tasks/11f66692-6cf7-4672-b6ba-a0095ac4dd3c",[2056],"NOTE(review): this entry records the mutex name 'Global\\__w3616de3-6u4b-32fc-97b1-de928faadf50', which contradicts the earlier placeholder note stating that no mutex had been identified. The value resembles a GUID but the '6u4b' group contains a non-hex character, consistent with either a hard-coded pseudo-GUID or a transcription error; verify it against a sample or the cited any.run report before using it for detection.",{"malware_info":2058,"category":34,"primary_tags":2061,"mutexes":2063},{"family":2059,"description":2060,"threat_actor":11,"first_seen":113},"Money Message","Money Message is a ransomware strain that encrypts network shares and has targeted high-profile organizations. It is known to demand large ransoms.",[34,2062,401],"network_shares",[2064],{"name":2065,"references":2066,"date_added":61,"analyst":27},"12345-12345-12235-12354",[2067],"https://cyble.com/blog/demystifying-money-message-ransomware",{"malware_info":2069,"category":34,"primary_tags":2076,"mutexes":2081},{"family":2070,"aliases":2071,"description":2073,"threat_actor":2074,"first_seen":113},"NailaoLocker",[2072],"NailaoLocker Ransomware","NailaoLocker is a ransomware strain distributed alongside the ShadowPad and PlugX backdoors, primarily targeting European organizations. 
It is suspected to be linked to Chinese-nexus threat actors.",[2075],"Green Nailao",[2077,2078,2079,2080],"shadowpad","plugx","dll_sideloading","europe",[2082],{"name":2083,"references":2084,"date_added":124,"analyst":27},"Global\\lockv7",[2085],"https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors",{"malware_info":2087,"category":34,"primary_tags":2093,"mutexes":2094},{"family":2088,"aliases":2089,"description":2092,"threat_actor":11,"first_seen":33},"Nefilim",[2090,2091],"Nefilim-Ransomware","RANSOM.WIN32.NEFILIM.G","Nefilim is a ransomware family that emerged around March 2020. It is known for its double extortion tactics, exfiltrating sensitive data from victims and threatening to publish it if the ransom is not paid.",[36,401,215],[2095,2099],{"name":2096,"references":2097,"date_added":172,"analyst":27},"ONA MOYA ROZA I YA EE LUBLUUUUUUUU, ONA MOYA DOZA - SEGODNYA ZATYANU",[2098],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.nefilim.g",{"name":2100,"references":2101,"date_added":2103,"analyst":27},"Den'gi plyvut v karmany rekoy. My khodim po krayu nozha...",[2102],"https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware","2026-02-27",{"malware_info":2105,"category":34,"primary_tags":2110,"mutexes":2111},{"family":2106,"aliases":2107,"description":2109,"threat_actor":11,"first_seen":89},"Nemty",[2108],"nemty-ransomware","Nemty is a ransomware family that emerged in 2019, known for its aggressive encryption techniques and targeting of organizations. 
The malware uses sophisticated evasion methods and demands cryptocurrency payments for file decryption.",[34,36,92],[2112,2117],{"name":2113,"references":2114,"date_added":100,"analyst":27},"hate",[2115,2116],"https://securityaffairs.com/90396/malware/nemty-ransomware.html","https://id-ransomware.blogspot.com/2019/08/nemty-ransomware.html",{"name":2118,"references":2119,"date_added":100,"analyst":27},"just_a_game",[2116],{"malware_info":2121,"category":13,"primary_tags":2126,"mutexes":2130},{"family":2122,"aliases":2123,"description":2125,"threat_actor":11,"first_seen":12},"Netdooka",[2124],"Netdooka RAT","Netdooka is a Remote Access Trojan (RAT) framework that has been observed being distributed via PrivateLoader PPI (Pay-Per-Install) services. The malware is designed to provide remote access to compromised systems and has been analyzed for its sophisticated evasion techniques and multi-stage attack capabilities.",[15,2127,2128,2129,307,309],"framework","privateloader","ppi",[2131],{"name":2132,"references":2133,"date_added":82,"analyst":27},"3f0d73e2-4b8e-4539-90fd-812330bb39c8",[2134],"https://www.trendmicro.com/en_se/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html",{"malware_info":2136,"category":16,"primary_tags":2141,"mutexes":2143},{"family":2137,"aliases":2138,"description":2140,"threat_actor":287,"first_seen":145},"Nexe",[2139],"Nexe Backdoor","Nexe Backdoor is a sophisticated malware used by the Patchwork APT group, known for its advanced evasion techniques.",[2142,752],"APT",[2144],{"name":2145,"references":2146,"date_added":207,"analyst":27},"dsds",[2147],"https://cyble.com/blog/nexe-backdoor-unleashed-patchwork-apt-groups-sophisticated-evasion-of-defenses/",{"malware_info":2149,"category":34,"primary_tags":2152,"mutexes":2154},{"family":2150,"description":2151,"threat_actor":11},"Nitrogen","Nitrogen is a ransomware that has been observed targeting the financial 
sector.",[34,2153],"financial",[2155],{"name":2156,"references":2157,"date_added":61,"analyst":27},"nvxkjcv7yxctvgsdfjhv6esdvsx",[2158],"https://any.run/cybersecurity-blog/nitrogen-ransomware-report/",{"malware_info":2160,"category":34,"primary_tags":2165,"mutexes":2166},{"family":2161,"aliases":2162,"description":2164,"threat_actor":11,"first_seen":145},"Noblis",[2163],"Noblis Ransomware","Noblis is a ransomware that encrypts files on a victim's system and demands a ransom. It creates a mutex to ensure only a single instance of the malware runs on the infected machine.",[36,17],[2167],{"name":2168,"references":2169,"date_added":2172,"analyst":27},"mutex_rr_windows",[2170,2171],"https://app.any.run/tasks/e2f4531f-e73b-4a14-99da-48f13dddf5ac/","https://cyble.com/blog/threat-actor-targets-russian-gaming-community-with-wannacry-imitator/","2024-05-18",{"malware_info":2174,"category":13,"primary_tags":2180,"mutexes":2181},{"family":2175,"aliases":2176,"description":2178,"threat_actor":2179,"first_seen":145},"NodeSnake",[2177],"NodeSnake RAT","NodeSnake is a Remote Access Trojan (RAT) written in Golang, used by the Interlock ransomware group to maintain persistence in compromised networks.","Interlock",[116,19],[2182],{"name":2183,"references":2184,"date_added":577,"analyst":27},"Global\\NodeSnakeMutex",[2185],"https://cyberpress.org/interlock-ransomware-deploys-nodesnake-rat",{"malware_info":2187,"category":34,"primary_tags":2192,"mutexes":2193},{"family":2188,"aliases":2189,"description":2191,"threat_actor":11,"first_seen":12},"Pandora",[2190],"Pandora Ransomware","Pandora is a ransomware-as-a-service (RaaS) operation that emerged in 2022, targeting Windows and Linux systems. It uses custom encryption algorithms and is designed to evade detection while maximizing damage. 
The malware creates mutexes to prevent multiple instances from running simultaneously and uses sophisticated techniques to bypass security measures.",[36,37,17,402,53,344,92],[2194,2200],{"name":2195,"references":2196,"date_added":354,"analyst":27},"ThisisMutexa",[2197,2198,2199],"https://www.avertium.com/resources/threat-reports/in-depth-pandora-ransomware","https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box","https://cyble.com/blog/deep-dive-analysis-pandora-ransomware/",{"name":2201,"references":2202,"date_added":100,"analyst":27},"FFFFFMutex",[2203],"https://app.any.run/tasks/a6b6fe42-6b10-471e-9fc8-8bc8b793601d",{"malware_info":2205,"category":69,"primary_tags":2209,"mutexes":2210},{"family":2206,"aliases":2207,"description":2208,"threat_actor":11,"first_seen":145},"Paradies Clipper",[2206],"Paradies Clipper is a cryptocurrency clipper malware that targets cryptocurrency wallets and transactions. The malware is designed to intercept and modify cryptocurrency addresses in the clipboard, redirecting funds to attacker-controlled wallets. 
It employs sophisticated techniques to evade detection and target specific cryptocurrency operations.",[71,72,73,74,75],[2211],{"name":2212,"references":2213,"date_added":82,"analyst":27},"7CmLQX",[2214],"https://perception-point.io/blog/behind-the-attack-paradies-clipper-malware/",{"malware_info":2216,"category":34,"primary_tags":2221,"mutexes":2222},{"family":2217,"aliases":2218,"description":2220,"threat_actor":11,"first_seen":145},"Pay2Key",[2219],"Pay2Key Ransomware","Pay2Key is a ransomware variant that encrypts files and demands a ransom for their decryption.",[36,148],[2223],{"name":2224,"references":2225,"date_added":124,"analyst":27},"BooYYoYnYoooY",[2226],"https://github.com/TheRavenFile/Daily-Hunt/blob/main/Pay2Key%20Ransomware",{"malware_info":2228,"category":34,"primary_tags":2234,"mutexes":2236},{"family":2229,"aliases":2230,"description":2232,"threat_actor":2229,"first_seen":2233},"Payload",[2231],"Payload Ransomware","Payload Ransomware is a ransomware malware family. It encrypts files on compromised systems and demands payment for decryption. The malware uses a distinctive mutex for process synchronization.","2026",[34,36,2235],"data_extortion",[2237],{"name":2238,"references":2239,"date_added":2103,"analyst":27},"MakeAmericaGreatAgain",[2240],"https://www.reddit.com/r/MalwareAnalysis/comments/1reut0s/new_payload_ransomware_malware_analysis/",{"malware_info":2242,"category":13,"primary_tags":2246,"mutexes":2247},{"family":2243,"aliases":2244,"description":2245,"threat_actor":11,"first_seen":145},"PegasusRAT",[],"PegasusRAT is a remote access trojan (RAT) that provides attackers with remote control capabilities over infected systems. 
It uses specific mutexes to ensure single instance execution and coordinate its activities.",[15,16,17,13],[2248],{"name":2249,"references":2250,"date_added":26,"analyst":27},"PEGASUS",[2251],"https://github.com/GuinnessShep/pegasusrat/blob/dbfdde88b23bca59d1d490149359c42bf019013b/Pegasus%20Hvnc%20V2/Pantheon%20V2/Program.cs#L29",{"malware_info":2253,"category":13,"primary_tags":2258,"mutexes":2261},{"family":2254,"aliases":2255,"description":2257,"threat_actor":11,"first_seen":11},"Persian RAT",[2256],"Persian","Persian RAT is a remote access trojan that provides attackers with full control over compromised systems. The malware is part of a suite of malicious tools sold by threat actors and is designed for surveillance, data theft, and system manipulation.",[15,957,2259,2260],"data_theft","system_control",[2262],{"name":2256,"references":2263,"date_added":100,"analyst":27},[2264],"https://cyble.com/blog/new-persian-remote-world-selling-a-suite-of-malicious-tools/",{"malware_info":2266,"category":34,"primary_tags":2271,"mutexes":2273},{"family":2267,"aliases":2268,"description":2270,"threat_actor":11,"first_seen":89},"Phobos",[2269],"Phobos Ransomware","Phobos is a Ransomware-as-a-Service (RaaS) first seen in 2019, and is a variant of the Dharma (CrySiS) ransomware family. It is often distributed through exposed RDP connections. 
It creates a global mutex to prevent multiple instances of the malware from running.",[53,2023,17,2272],"dharma_variant",[2274,2280],{"name":2275,"references":2276,"date_added":2278,"analyst":27,"notes":2279},"Global\\\u003C\u003CBID>>300AF62D00000001",[2277],"https://tria.ge/250705-gy63gstydt/behavioral2/analog?&main_event=Mutex","2025-07-05","The \u003C\u003CBID>> part of the mutex name is a 16-character hexadecimal unique ID.",{"name":2281,"references":2282,"date_added":2278,"analyst":27,"notes":2279},"Global\\\u003C\u003CBID>>C4BA364700000001",[2283],"https://app.any.run/tasks/4145f893-dccf-4f5c-964d-634b2951365c/",{"malware_info":2285,"category":16,"primary_tags":2291,"mutexes":2293},{"family":2286,"aliases":2287,"description":2289,"threat_actor":2290,"first_seen":113},"Phoenix",[2288],"Phoenix Backdoor","Phoenix Backdoor is a malware family associated with the MuddyWater threat group. It is used for espionage activities and provides remote access capabilities to compromised systems. 
The malware is part of MuddyWater's arsenal for conducting cyber espionage operations.","MuddyWater",[16,752,15,2292,115],"muddywater",[2294],{"name":2295,"references":2296,"date_added":615,"analyst":27},"sysprocupdate.exe",[2297],"https://www.group-ib.com/blog/muddywater-espionage/",{"malware_info":2299,"category":34,"primary_tags":2305,"mutexes":2306},{"family":2300,"aliases":2301,"description":2304,"threat_actor":11,"first_seen":669},"PrincessLocker",[2302,2303],"Princeslocker","princessevolution","PrincessLocker is a ransomware family first observed in 2016 that encrypts files on a compromised system and demands a ransom payment for their decryption.",[36],[2307],{"name":2308,"references":2309,"date_added":172,"analyst":27},"hoJUpcvgHA",[2310,2311],"https://x.com/ValthekOn/status/1029566037589729280","https://www.trendmicro.com/vinfo/tw/threat-encyclopedia/malware/ransom_princesslocker.b",{"malware_info":2313,"category":16,"primary_tags":2321,"mutexes":2325},{"family":2314,"aliases":2315,"description":2317,"threat_actor":2318,"first_seen":2320},"ProjectWood",[2316],"Project Wood","Project Wood is a sophisticated backdoor malware that has been evolving since 2005, associated with the Gelsemium APT group. It uses TEA encryption algorithm with variable rounds for C&C communication, employs kernel driver modules for process hiding, and implements multiple persistence mechanisms. 
The malware is known for its Linux variant FireWood and has been used in various operations including Operation TooHash.",[2319],"Gelsemium","2005",[16,2322,2323,2324,19,1434],"tea_encryption","kernel_module","process_hiding",[2326],{"name":2327,"references":2328,"date_added":193,"analyst":27},"IMPROVING CLIENT Want Wood To Exit?",[2329],"https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/",{"malware_info":2331,"category":13,"primary_tags":2340,"mutexes":2346},{"family":2332,"aliases":2333,"description":2335,"threat_actor":2336,"first_seen":51},"Protego",[2334],"Protego RAT","Protego is a sophisticated C# remote access trojan (RAT) associated with the Patchwork APT group (APT-Q-36). It is delivered through malicious LNK files disguised as PDF documents and uses Rust-based loaders with shellcode decryption. The malware establishes two-stage communication with C2 servers, collects system information including hostname, username, device UUID, and OS details, and supports extensive remote control capabilities including file operations, process management, and memory execution.",[287,286,2337,2338,2339],"Hangover","Dropping Elephant","APT-Q-36",[15,2341,2342,2343,2344,2345],"csharp","shellcode_decryption","two_stage_communication","file_operations","process_management",[2347],{"name":2348,"references":2349,"date_added":193,"analyst":27},"kiuwqyergljkwef",[2350,2351],"https://www.secrss.com/articles/80795","https://ti.qianxin.com/blog/articles/apt-q-36-impersonates-university-domain-names-to-steal-secrets-en/",{"malware_info":2353,"category":16,"primary_tags":2358,"mutexes":2361},{"family":2354,"aliases":2355,"description":2357,"threat_actor":11,"first_seen":145},"Proto8",[2356],"Proto8 Backdoor","Proto8 is a sophisticated backdoor malware that has been observed in targeted attacks against betting companies. 
The malware is designed to provide remote access to compromised systems and has been associated with Operation Dragon Castling APT group. It employs dynamic mutex generation based on victim information and sophisticated evasion techniques.",[15,115,2359,2360,1793,309],"betting_companies","operation_dragon_castling",[2362,2368,2372],{"name":2363,"references":2364,"date_added":82,"analyst":27,"notes":2366},"Global\\sysmon-windows-\u003CCRC32 of an MD5 hash of the victim's username>",[2365],"https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/",[2367],"The mutex name is dynamic. The '\u003CCRC32 of an MD5 hash of the victim's username>' part is a placeholder for a CRC32 hash of an MD5 hash of the victim's username.",{"name":2369,"references":2370,"date_added":82,"analyst":27,"notes":2371},"Global\\IntelGameSpeed-\u003CCRC32 of an MD5 hash of the victim's username>",[2365],[2367],{"name":2373,"references":2374,"date_added":82,"analyst":27,"notes":2375},"Global\\TencentSecuriryAgent-P01-\u003Cvictim's username>",[2365],[2376],"The mutex name is dynamic. 
The '\u003Cvictim's username>' part is a placeholder for the actual victim's username.",{"malware_info":2378,"category":1238,"primary_tags":2383,"mutexes":2384},{"family":2379,"aliases":2380,"description":2382,"threat_actor":11,"first_seen":113},"Prysmax",[2381],"Prysmax Stealer","Prysmax is an information stealer designed to exfiltrate sensitive data from compromised systems, such as browser credentials, system information, and cryptocurrency wallets.",[164,1242],[2385],{"name":2386,"references":2387,"date_added":172,"analyst":27},"Global\\PrysmaxSingleInstanceMutex",[2388,2389],"https://tria.ge/250523-p83f2sdq2x/behavioral1/analog?main_event=Mutex&q=PrysmaxSingleInstanceMutex","https://app.any.run/tasks/79a8e967-de3b-41ff-bc8d-0d50cce834fa/",{"malware_info":2391,"category":13,"primary_tags":2396,"mutexes":2397},{"family":2392,"aliases":2393,"description":2395,"threat_actor":11,"first_seen":11},"PureRAT",[2394],"Pure RAT","PureRAT is a remote access trojan (RAT) that provides attackers with full control over compromised systems, including file operations, process management, and data exfiltration capabilities.",[15,164],[2398],{"name":2399,"references":2400,"date_added":682,"analyst":27},"6ad742cc0dd3",[2401],"https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis",{"malware_info":2403,"category":34,"primary_tags":2408,"mutexes":2409},{"family":2404,"aliases":2405,"description":2407,"threat_actor":11,"first_seen":89},"PYSA",[2406],"Mespinoza","PYSA (also known as Mespinoza) is a ransomware family observed since late 2019, targeting various sectors including government and education. 
It encrypts files and appends the .pysa extension.",[53],[2410],{"name":2411,"references":2412,"date_added":577,"analyst":27},"Pysa",[2413],"https://www.acronis.com/en-us/blog/posts/pysa-ransomware/",{"malware_info":2415,"category":13,"primary_tags":2422,"mutexes":2423},{"family":2416,"aliases":2417,"description":2421,"threat_actor":11,"first_seen":909},"Quasar",[2418,2419,2420],"Quasar RAT","CinaRAT","Yggdrasil","Quasar is a popular open-source Remote Access Trojan (RAT) for Windows, written in C#. Its features and public availability have made it a common tool for various threat actors.",[15,163,164,165],[2424],{"name":2425,"references":2426,"date_added":172,"analyst":27,"notes":2428},"QSR_MUTEX_\u003Cuniqueid>",[2427],"https://daniyyell.com/threat%20hunting/tools/malware%20analysis/Using-Velociraptor-to-Detect-and-Hunt-for-Affected-Systems-Unknown-Malware-Analysis/#20-velocirator-selected-artifacts",[2429],"The mutex name is dynamic. The '\u003Cuniqueid>' part is a placeholder, often representing a hardware ID or another unique identifier for the compromised system.",{"malware_info":2431,"category":1238,"primary_tags":2440,"mutexes":2443},{"family":2432,"aliases":2433,"description":2435,"threat_actor":2436,"first_seen":228},"QuietSieve",[2434],"QuietSieve Stealer","QuietSieve is an information-stealing malware used by the Gamaredon threat group (also known as Primitive Bear or Trident Ursa). The malware is designed to steal sensitive information from compromised systems including credentials, browser data, and other valuable information. 
It has been observed targeting Ukraine and employs sophisticated techniques to evade detection.",[2437,2438,2439],"Gamaredon","Primitive Bear","Trident Ursa",[1879,1242,1880,2441,2442,115],"gamaredon","ukraine_targeting",[2444],{"name":2445,"references":2446,"date_added":82,"analyst":27},"Global\\lCHBaUZcohRgQcOfdIFaf",[2447,2448],"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/","https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojanspy.msil.quietsieve.lsa",{"malware_info":2450,"category":34,"primary_tags":2456,"mutexes":2458},{"family":2451,"aliases":2452,"description":2455,"threat_actor":2453,"first_seen":113},"RAWorld",[2453,2454],"RA Group","RA World","RA World, formerly known as RA Group, is a ransomware group that uses a multi-extortion scheme, exfiltrating data before encryption. The group is known to use a variant of the Babuk ransomware.",[34,700,2457,401],"multi-extortion",[2459],{"name":2460,"references":2461,"date_added":61,"analyst":27},"For whom the bell tolls, it tolls for thee",[2462,2463],"https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/","https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html",{"malware_info":2465,"category":1238,"primary_tags":2472,"mutexes":2475},{"family":2466,"aliases":2467,"description":2471,"threat_actor":11,"first_seen":145},"RecordBreaker",[2468,2469,2470],"Raccoonv2","Raccoon Stealer v2","RaccoonStealerv2","RecordBreaker is the second version of Raccoon Stealer, an information-stealing malware that has been observed in various cybercriminal campaigns. The malware is designed to steal sensitive information from compromised systems including credentials, browser data, and other valuable information. 
It employs sophisticated techniques to evade detection and establish persistence.",[1879,1242,1880,2473,2474,150],"raccoon_stealer","v2",[2476],{"name":2477,"references":2478,"date_added":82,"analyst":27},"iqroq5112542785672901323",[2479],"https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",{"malware_info":2481,"category":34,"primary_tags":2487,"mutexes":2488},{"family":2482,"aliases":2483,"description":2486,"threat_actor":11,"first_seen":12},"Redeemer",[2484,2485],"redeemer-ransomware","Redeemer 2.0","Redeemer is a ransomware whose builder was distributed on underground cybercrime forums, potentially leading to its use by various affiliates.",[36],[2489],{"name":2490,"references":2491,"date_added":278,"analyst":27},"RedeemerMutex",[2492,2493],"https://cyble.com/blog/redeemer-ransomware-back-action/","https://www.cloudsek.com/blog/what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis",{"malware_info":2495,"category":1238,"primary_tags":2500,"mutexes":2501},{"family":2496,"aliases":2497,"description":2499,"threat_actor":11,"first_seen":33},"RedLine",[2498],"RedLine Stealer","RedLine Stealer is a popular information-stealing malware sold on underground forums, capable of exfiltrating credentials, credit card information, and cryptocurrency wallet data from web browsers and other applications.",[570,1242,164],[2502],{"name":2503,"references":2504,"date_added":577,"analyst":27},"winter750",[2505,2506],"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/","https://www.securityhq.com/blog/april-2024-threat-advisory-top-5",{"malware_info":2508,"category":13,"primary_tags":2514,"mutexes":2516},{"family":2509,"aliases":2510,"description":2513,"threat_actor":11,"first_seen":669},"REMCOS",[2511,2512],"REMCOS RAT","Backdoor:Win32/Remcos","REMCOS is a commercial Remote Access Trojan (RAT) that has been sold since 2016. 
While marketed as a legitimate tool for remote administration, it is widely used by malicious actors for surveillance and unauthorized control of compromised systems.",[15,2515,526,164,165],"commercial_RAT",[2517,2521,2527,2531,2536,2541],{"name":2518,"references":2519,"date_added":172,"analyst":27},"MARE_IS_BEAUTIFUL_EX",[2520],"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two",{"name":2522,"references":2523,"date_added":172,"analyst":27,"notes":2525},"Rmc-\u003Cuniqueid>",[2524],"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/",[2526],"The mutex name is dynamic. The '\u003Cuniqueid>' part is a placeholder for a unique identifier generated on the compromised machine.",{"name":2528,"references":2529,"date_added":172,"analyst":27},"Remcos_Mutex_Inj",[2530],"https://www.splunk.com/en_us/blog/security/splunk-fin7-tool-detections-remcos.html",{"name":2532,"references":2533,"date_added":172,"analyst":27,"notes":2535},"remcos_\u003Cuniqueid>",[2534],"https://www.trendmicro.com/en_us/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",[2526],{"name":2537,"references":2538,"date_added":172,"analyst":27,"notes":2540},"Remcos-\u003Cuniqueid>",[2539],"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Remcos",[2526],{"name":2542,"references":2543,"date_added":26,"analyst":27},"Mutex_RemWatchdog",[2544],"https://www.trendmicro.com/vinfo/de/threat-encyclopedia/malware/backdoor.msil.remcos.jcasnr",{"malware_info":2546,"category":13,"primary_tags":2552,"mutexes":2554},{"family":2547,"aliases":2548,"description":2550,"threat_actor":2551,"first_seen":11},"RevClient",[2549],"RevClient rat","RevClient is a remote access trojan (RAT) used by the Kimsuky threat group for espionage activities, providing remote control capabilities over compromised 
systems.","kimsuky",[15,752,115,2553],"korea",[2555],{"name":2556,"references":2557,"date_added":100,"analyst":27,"notes":2559},"ZhengReversePC",[2558],"https://asec.ahnlab.com/en/57873/",[2560],"Mutex used by RevClient RAT for process synchronization",{"malware_info":2562,"category":13,"primary_tags":2567,"mutexes":2568},{"family":2563,"aliases":2564,"description":2566,"threat_actor":11,"first_seen":669},"RevengeRAT",[2565],"Revenge-RAT","RevengeRAT is a remote access trojan (RAT) that has been active since at least 2016. It is known for its wide range of capabilities, including remote control, keylogging, and file system manipulation. The malware is often distributed through phishing campaigns.",[603,526,585],[2569],{"name":2570,"references":2571,"date_added":124,"analyst":27},"RV_MUTEX-\u003Crandom>",[2572],"https://www.fortinet.com/blog/threat-research/malware-analysis-revenge-rat-sample",{"malware_info":2574,"category":1238,"primary_tags":2579,"mutexes":2581},{"family":2575,"aliases":2576,"description":2578,"threat_actor":11,"first_seen":12},"Rhadamanthys",[2577],"Rhadamanthys Stealer","Rhadamanthys is a C++ based information stealer that has been active since late 2022, often masquerading as legitimate software to gain an initial foothold.",[164,2580],"cpp",[2582],{"name":2583,"references":2584,"date_added":577,"analyst":27},"Global\\MSCTF.Asm.{digits}",[2585],"https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88",{"malware_info":2587,"category":13,"primary_tags":2591,"mutexes":2592},{"family":2588,"aliases":2589,"description":2590,"threat_actor":11,"first_seen":145},"Rimawi",[],"Rimawi is a fork of AsyncRat, a remote access trojan (RAT) that provides attackers with remote control capabilities over compromised systems. 
It uses specific mutexes to ensure single instance execution and coordinate its activities on the infected system.",[15,16,17,19],[2593],{"name":2594,"references":2595,"date_added":26,"analyst":27},"AZSXDCFVGBHNqwertyui",[2596,2597],"https://tria.ge/240623-ntewrsyhpg/behavioral15","https://app.any.run/tasks/eeed2f54-4dbb-43d8-ac4a-5dc3b24c2419",{"malware_info":2599,"category":34,"primary_tags":2605,"mutexes":2607},{"family":2600,"aliases":2601,"description":2603,"threat_actor":2604,"first_seen":11},"Risen",[2602],"risen ransomware","Risen is a ransomware family operated by the Risen Group, designed to encrypt files on compromised systems and demand cryptocurrency payments for decryption. The malware uses sophisticated encryption techniques and is known for its targeted attacks.","risen group",[34,36,115,2606],"targeted_attacks",[2608],{"name":2609,"references":2610,"date_added":100,"analyst":27},"risen_mutex",[2611],"https://motasem-notes.net/ranswomare-analysis-reverse-engineering-risen-ransomware-letsdefend-walkthrough/",{"malware_info":2613,"category":34,"primary_tags":2618,"mutexes":2620},{"family":2614,"aliases":2615,"description":2617,"threat_actor":714,"first_seen":145},"ROADSWEEP",[2616],"ROADSWEEP Ransomware","ROADSWEEP is a ransomware family that has been associated with likely Iranian threat actors conducting politically motivated disruptive activities. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It has been observed using stolen certificates and employing sophisticated techniques to evade detection.",[36,148,719,720,2619,721],"stolen_certificates",[2621],{"name":2622,"references":2623,"date_added":82,"analyst":27},"abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890",[726,2624],"https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/",{"malware_info":2626,"category":34,"primary_tags":2631,"mutexes":2632},{"family":2627,"aliases":2628,"description":2630,"threat_actor":11,"first_seen":11},"Rook",[2629],"rook ransomware","Rook is a ransomware family designed to encrypt files on compromised systems and demand cryptocurrency payments for decryption. The malware uses sophisticated encryption techniques and is known for its targeted attacks against organizations.",[34,36,2606],[2633],{"name":2634,"references":2635,"date_added":100,"analyst":27},"asfgjkl878645165456fa888",[2636,2637],"https://www.infosecinstitute.com/resources/malware-analysis/rook-ransomware-analysis/","https://seguranca-informatica.pt/rook-ransomware-analysis/",{"malware_info":2639,"category":16,"primary_tags":2644,"mutexes":2645},{"family":2640,"aliases":2641,"description":2643,"threat_actor":11,"first_seen":11},"RUDEBIRD",[2642],"RUDEBIRD backdoor","RUDEBIRD is a backdoor malware associated with the REF5961 threat group, used for remote access and control of compromised systems.",[16,15,115],[2646],{"name":2647,"references":2648,"date_added":100,"analyst":27,"notes":2649},"VV.0",[1293],[2650],"Mutex used by RUDEBIRD backdoor for process synchronization",{"malware_info":2652,"category":34,"primary_tags":2657,"mutexes":2659},{"family":2653,"aliases":2654,"description":2656,"threat_actor":1530,"first_seen":896},"Ryuk",[2655],"Ransom.Ryuk","Ryuk is ransomware known for targeting large organizations and asking for rather large ransom payments to recover the encrypted files. 
The infection has been associated with emails that contain malicious attachments that first deliver Emotet, which is used to deliver modular payloads such as Ryuk. Ryuk encrypts a user's files using AES-256 + RSA2048 encryption algorithms.",[36,793,2658],"emotet",[2660],{"name":2661,"references":2662,"date_added":2665,"analyst":27},"rykmutex",[2663,2664],"https://blog.talosintelligence.com/threat-roundup-0602-0609-23/","https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win64.ryuk.smb","2023-06-09",{"malware_info":2667,"category":13,"primary_tags":2671,"mutexes":2674},{"family":2668,"aliases":2669,"description":2670,"threat_actor":11,"first_seen":12},"Santarat",[],"Santarat is a fork of AsyncRat, a remote access trojan (RAT) that provides attackers with remote control capabilities over infected systems. It uses specific mutexes to ensure single instance execution and coordinate its activities on the infected system.",[2672,2673,17],"malware","single_instance",[2675],{"name":2676,"references":2677,"date_added":26,"analyst":27},"setox-7yssdee",[2678],"https://tria.ge/220809-t38hbsefa3/behavioral2/analog?main_event=Mutex&mutant=setox-7yssdee",{"malware_info":2680,"category":34,"primary_tags":2684,"mutexes":2685},{"family":2681,"aliases":2682,"description":2683,"threat_actor":11,"first_seen":1555},"Satan",[],"Satan is a ransomware family that encrypts files and demands payment for decryption. 
It uses specific mutexes to ensure only one instance runs on the infected system and has been rebranded as 5ss5c in later variants.",[36,37,17],[2686,2690],{"name":2687,"references":2688,"date_added":26,"analyst":27},"SSSS_Scan",[2689,43],"https://www.trendmicro.com/vinfo/fi/threat-encyclopedia/malware/ransom.win32.satana.a",{"name":2691,"references":2692,"date_added":26,"analyst":27},"SATAN_CRYPT",[2689],{"malware_info":2694,"category":34,"primary_tags":2699,"mutexes":2701},{"family":2695,"aliases":2696,"description":2698,"threat_actor":11,"first_seen":1555},"Scarabey",[2697],"Scarab","Scarabey is a variant of the Scarab ransomware that was discovered in December 2017. It is written in Delphi and was found targeting Russian users, being distributed via RDP/manual dropping on servers and systems.",[36,17,2023,2700],"delphi",[2702],{"name":2703,"references":2704,"date_added":2707,"analyst":27},"STOPSCARABSTOPSCARABSTOPSCARABSTOPSCARABSTOPSCARAB",[2705,2706],"https://www.malwarebytes.com/blog/news/2018/01/scarab-ransomware-new-variant-changes-tactics","https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html","2017-12-19",{"malware_info":2709,"category":304,"primary_tags":2718,"mutexes":2723},{"family":2710,"aliases":2711,"description":2716,"threat_actor":2717,"first_seen":145},"Sharp Dragon",[2712,2713,2714,2715],"Sharp Dragon Loader","SharpDragon","FirePeony","SharpPanda","Sharp Dragon is a loader malware used by the FirePeony (also known as SharpPanda) threat group. The malware is designed to download and execute additional payloads on compromised systems and has been observed expanding its operations towards Africa and the Caribbean. 
It employs sophisticated techniques to evade detection and establish persistence.",[2714,2715],[306,307,793,2719,2720,2721,2722],"africa","caribbean","firepeony","sharppanda",[2724],{"name":2725,"references":2726,"date_added":82,"analyst":27},"mt_app_http_get_zed2vsp",[2727,2728,2729],"https://x.com/t3ft3lb/status/1740661367299010957","https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/","https://notes.netbytesec.com/2024/05/inside-sharppandas-malware-targeting.html",{"malware_info":2731,"category":16,"primary_tags":2738,"mutexes":2742},{"family":2732,"aliases":2733,"description":2736,"threat_actor":2737,"first_seen":51},"SHELBY",[2734,2735],"SHELBYLOADER","SHELBYC2","SHELBY is a sophisticated backdoor malware family that abuses GitHub for command-and-control operations. It consists of two main components: SHELBYLOADER and SHELBYC2. The malware employs advanced sandbox detection techniques, uses obfuscation with Obfuscar, and establishes persistence through Windows Registry. It targets telecommunications companies and airports, particularly in Iraq and UAE regions.","REF8685",[2739,2740,326,19,2741,793],"github_c2","sandbox_evasion","reflective_loading",[2743],{"name":2744,"references":2745,"date_added":354,"analyst":27},"Global\\GHS\u003CUniqueID>",[2746],"https://www.elastic.co/security-labs/the-shelby-strategy",{"malware_info":2748,"category":13,"primary_tags":2756,"mutexes":2760},{"family":2749,"aliases":2750,"description":2753,"threat_actor":2754,"first_seen":12},"SilverFox",[2751,2752],"SilverFox RAT","ValleyRAT","SilverFox is a sophisticated remote access trojan (RAT) that emerged in 2022, known for its advanced process injection techniques and anti-analysis capabilities. 
It uses process hollowing to inject malicious code into system processes like VSSV.exe and explorer.exe, employs ALPC (Advanced Local Procedure Call) for inter-process communication, and implements multiple persistence mechanisms including service creation and scheduled tasks.",[2749,2755],"Void Arachne",[15,2757,2758,685,19,2759],"process_injection","alpc_communication","anti_analysis",[2761],{"name":2762,"references":2763,"date_added":193,"analyst":27},"Global\\IsUserAnAdmin",[2764],"https://www.xtcaq.com/nd.jsp?id=9361",{"malware_info":2766,"category":16,"primary_tags":2773,"mutexes":2775},{"family":2767,"aliases":2768,"description":2771,"threat_actor":2772,"first_seen":113},"SingleCamper",[2767,2769,2770],"RomCom 5.0","SnipBot","SingleCamper is a DLL-based RAT variant of RomCom, used by the UAT-5647 threat group (also known as Russian-speaking RomCom). It's loaded from registry into memory via ShadyHammock, communicates over localhost, and prevents concurrent instances via a global mutex. It performs system recon, tunneling, and exfiltration.","UAT-5647 (aka RomCom, Storm-0978, Tropical Scorpius, Void Rabisu)",[19,17,2673,2774],"mutex_based",[2776,2781],{"name":2777,"references":2778,"date_added":2780,"analyst":27},"Global\\srvmutex",[2779],"https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader","2025-01-12",{"name":2782,"references":2783,"date_added":871,"analyst":27},"SnipMutex",[2784],"https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",{"malware_info":2786,"category":1238,"primary_tags":2791,"mutexes":2796},{"family":2787,"aliases":2788,"description":2790,"threat_actor":11,"first_seen":51},"Skuld",[2789],"Skuld Stealer","Skuld is a customized stealer malware that specifically targets cryptocurrency wallets and sensitive data. It's delivered through sophisticated multi-stage attack campaigns that exploit hijacked Discord invite links and use the ClickFix phishing technique. 
The malware is part of a broader operation that combines time-based evasions and trusted cloud services (GitHub, Bitbucket, Pastebin, Discord) for payload delivery and data exfiltration to avoid detection by security tools.",[2792,2793,307,2794,2795,309,74],"crypto_stealer","discord_delivery","clickfix_phishing","cloud_services",[2797],{"name":2798,"references":2799,"date_added":354,"analyst":27},"global\\3575651c-bb47-448e-a514-22865732bbc",[2800,2801],"https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/","https://www.secureblink.com/cyber-security-news/discord-malware-hijacks-expired-invite-links-to-steal-crypto-wallets-in-2025",{"malware_info":2803,"category":1238,"primary_tags":2809,"mutexes":2811},{"family":2804,"aliases":2805,"description":2808,"threat_actor":11,"first_seen":288},"Socelars",[2806,2807],"Socelars Stealer","TROJANSPY.WIN32.SOCELARS.D","Socelars is an information stealer that primarily targets login credentials for social media and other online accounts by monitoring browser activity.",[164,1242,2810],"social_media",[2812],{"name":2813,"references":2814,"date_added":172,"analyst":27},"patatoes",[2815],"https://www.trendmicro.com/vinfo/jp/threat-encyclopedia/malware/trojanspy.win32.socelars.d",{"malware_info":2817,"category":1238,"primary_tags":2822,"mutexes":2823},{"family":2818,"aliases":2819,"description":2821,"threat_actor":11,"first_seen":113},"SpeedStealer",[2820],"Speed","SpeedStealer is a malware family designed for data theft and system compromise. 
It uses various techniques to steal sensitive information and maintain persistence on compromised systems.",[1238,2259,19],[2824],{"name":2825,"references":2826,"date_added":193,"analyst":27},"gamcop",[2827],"https://cacts.cn/anquanjujiao/495.html",{"malware_info":2829,"category":13,"primary_tags":2833,"mutexes":2835},{"family":2830,"aliases":2831,"description":2832,"threat_actor":11,"first_seen":113},"SpiceRAT",[2830],"SpiceRAT is a Remote Access Trojan (RAT) that has been observed in various cybercriminal campaigns. The malware is designed to provide remote access to compromised systems and is known for its sophisticated evasion techniques and multi-stage attack capabilities. It has been associated with the SneakyChef threat group.",[15,307,309,150,2834],"sneakychef",[2836,2841],{"name":2837,"references":2838,"date_added":82,"analyst":27},"{00866F68-6C46-4ABD-A8D6-2246FE482F99}",[2839,2840],"https://medium.com/@MateoPappa/letsdefend-spicerat-medium-881a474c0982","https://blog.talosintelligence.com/new-spicerat-sneakychef/",{"name":2842,"references":2843,"date_added":82,"analyst":27},"{00861111-3333-4ABD-GGGG-2246FE482F99}",[2840],{"malware_info":2845,"category":34,"primary_tags":2850,"mutexes":2851},{"family":2846,"aliases":2847,"description":2849,"threat_actor":11,"first_seen":145},"StarCat",[2848],"StarCat Ransomware","StarCat is a ransomware that encrypts files on a victim's computer and demands a ransom payment for the decryption key.",[36,17],[2852],{"name":2853,"references":2854,"date_added":2856,"analyst":27},"start_cat_encrypt",[2855],"https://tria.ge/241215-jkxb8szkhq/behavioral2/analog?main_event=Mutex&q=start_cat_encrypt","2024-12-15",{"malware_info":2858,"category":304,"primary_tags":2864,"mutexes":2867},{"family":2859,"aliases":2860,"description":2862,"threat_actor":11,"first_seen":2863},"StaryDobry",[2861],"Stary Dobry","StaryDobry is a sophisticated multi-stage loader malware that spreads through trojanized game installers on torrent sites. 
It uses a complex infection chain involving DLL side-loading, AES encryption, and process injection to deploy XMRig cryptocurrency miners. The malware targets gaming computers with sufficient processing power for continuous mining operations and employs DNS over HTTPS (DoH) to hide C&C communications.","2024-09",[304,2865,1163,2866,2757,1852],"cryptominer","torrent_spread",[2868],{"name":2869,"references":2870,"date_added":193,"analyst":27},"com_curruser_mttx",[2871],"https://securelist.ru/starydobry-campaign-spreads-xmrig-miner-via-torrents/111841/",{"malware_info":2873,"category":1238,"primary_tags":2878,"mutexes":2879},{"family":2874,"aliases":2875,"description":2877,"threat_actor":11,"first_seen":113},"Stealc",[2876],"Stealerc","Stealc is an information-stealing malware that has been observed in various cybercriminal campaigns. The malware is designed to steal sensitive information from compromised systems including credentials, browser data, and other valuable information. It employs sophisticated techniques to evade detection and establish persistence.",[1879,1242,1880,150,309],[2880,2884],{"name":2881,"references":2882,"date_added":82,"analyst":27},"GentleSpade",[2883],"https://app.any.run/tasks/9777d1a9-134f-453a-a74b-18c6ea1bb030/",{"name":2885,"references":2886,"date_added":82,"analyst":27},"5rjtejk5rytrr",[2887],"https://app.threat.zone/submission/51bd0182-a70d-40ca-b081-c4902a37b88b/dynamic-scan-report/behaviour/mutex",{"malware_info":2889,"category":34,"primary_tags":2894,"mutexes":2896},{"family":2890,"aliases":2891,"description":2893,"threat_actor":11,"first_seen":145},"Suncrypt",[2892],"Suncrypt Ransomware","Suncrypt is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It has been analyzed for its new features and sophisticated encryption techniques, employing advanced evasion capabilities.",[36,148,150,2895,309],"new_features",[2897],{"name":2898,"references":2899,"date_added":82,"analyst":27},"0c91c96fd7124f21a0193cf842e3495f6daf84a394f44013e92a87ad9d2ef4a0ceec9dd2e2eca22e",[2900,2901],"https://www.pico-t.co.jp/product/minerva-tpp/suncrypt%E3%83%A9%E3%83%B3%E3%82%B5%E3%83%A0%E3%82%A6%E3%82%A7%E3%82%A2%E3%81%AF%E6%96%B0%E3%81%9F%E3%81%AA%E7%89%B9%E6%80%A7%E6%A9%9F%E8%83%BD%E3%82%92%E8%A3%85%E5%82%99/","https://security.packt.com/suncrypt-ransomware/",{"malware_info":2903,"category":34,"primary_tags":2908,"mutexes":2910},{"family":2904,"aliases":2905,"description":2907,"threat_actor":11,"first_seen":145},"Surtr",[2906],"Surtr Ransomware","Surtr is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. It is known for its tribute to REvil and employs sophisticated encryption and evasion techniques.",[36,148,150,2909,309],"revil_tribute",[2911],{"name":2912,"references":2913,"date_added":82,"analyst":27},"SurtrMUTEX",[2914,2915,2916,2917],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win64.surtr.a","https://areteir.com/article/surtr-ransomware-pays-tribute-to-revil/","https://malgamy.github.io/malware-analysis/YARA_Surtr_Ransomware/","https://www.piolink.com/_dev/data/file/security/ckm921ke7j3wzr8.pdf",{"malware_info":2919,"category":34,"primary_tags":2925,"mutexes":2927},{"family":2920,"aliases":2921,"description":2924,"threat_actor":11,"first_seen":145},"TaRRaK",[2922,2923],"TaRRaK Ransomware","tarrak-ransomware","TaRRaK is a ransomware family that has been observed in various cybercriminal campaigns. The malware is designed to encrypt files on victim systems and demand payment for decryption. 
It has been analyzed for its decryption capabilities and employs sophisticated encryption techniques to evade detection.",[36,148,150,2926,309],"decryption_analysis",[2928],{"name":2920,"references":2929,"date_added":82,"analyst":27},[2930],"https://decoded.avast.io/threatresearch/decrypted-tarrak-ransomware/",{"malware_info":2932,"category":34,"primary_tags":2937,"mutexes":2940},{"family":2933,"aliases":2934,"description":2936,"threat_actor":2933,"first_seen":909},"TeslaCrypt",[2935],"Tescrypt","TeslaCrypt is a now-defunct ransomware family that was active between 2015 and 2016. Initially targeting gamers by encrypting game-related files, it later broadened its scope. The operators eventually released the master decryption key.",[36,2938,2939],"gamers","defunct",[2941,2945,2949,2953,2956],{"name":2942,"references":2943,"date_added":172,"analyst":27},"8765-123rvr4",[2944],"https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf",{"name":2946,"references":2947,"date_added":172,"analyst":27},"2134-1234-1324-2134-1324-2134",[2948],"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",{"name":2950,"references":2951,"date_added":172,"analyst":27},"System1230123",[2952],"https://www.secureworks.com/research/teslacrypt-ransomware-threat-analysis",{"name":2954,"references":2955,"date_added":172,"analyst":27},"dslhufdks3",[2952],{"name":2957,"references":2958,"date_added":172,"analyst":27},"9_9_9_9",[2959],"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tescrypt.R",{"malware_info":2961,"category":16,"primary_tags":2968,"mutexes":2976},{"family":2962,"aliases":2963,"description":2965,"threat_actor":2966,"first_seen":113},"TinyNote",[2964],"TinyNote Backdoor","TinyNote is a Go-based backdoor developed by Camaro Dragon APT group, associated with Chinese state-sponsored threat actors including Mustang Panda. 
The malware targets European foreign affairs entities linked to Southeast and East Asia, particularly Myanmar and Indonesia. It features SmadAV antivirus evasion capabilities, uses XOR encryption with the key 'NASA', and employs deceptive folder icons with diplomatic-themed naming conventions. The backdoor focuses on redundancy for persistence, including multiple C&C servers and different command execution methods through PowerShell and Goroutines.",[2967,791],"Camaro Dragon",[115,2969,2970,116,2971,2972,2973,2974,19,2975],"china","diplomacy_targeting","smadav_evasion","xor_encryption","foreign_affairs","southeast_asia","multi_c2",[2977],{"name":2978,"references":2979,"date_added":354,"analyst":27},"NASA&USA",[2980],"https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor",{"malware_info":2982,"category":34,"primary_tags":2988,"mutexes":2989},{"family":2983,"aliases":2984,"description":2987,"threat_actor":11,"first_seen":12},"Tisak",[2985,2986],"Tisak-Ransomware","RANSOM.WIN32.CELANCYC.SMYXDJA","Tisak is a ransomware family that encrypts a victim's files and demands a ransom for their recovery. It is known to create a specific mutex to ensure only one instance of the malware runs at a time.",[36],[2990],{"name":2991,"references":2992,"date_added":172,"analyst":27},"Global\\TisakMutex",[2993],"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.celancyc.smyxdja",{"malware_info":2995,"category":16,"primary_tags":3000,"mutexes":3001},{"family":2996,"aliases":2997,"description":2999,"threat_actor":11,"first_seen":145},"Toneshell",[2998],"Toneshell Backdoor","Toneshell is a backdoor malware that has been observed in targeted attacks against organizations in the US, Philippines, Pakistan, and Taiwan. 
The malware is designed to provide remote access to compromised systems and is associated with the Hive0154 threat group.",[15,793,19,794],[3002,3005],{"name":3003,"references":3004,"date_added":82,"analyst":27},"Fool87012900137",[800],{"name":3006,"references":3007,"date_added":3009,"analyst":27},"Global\\SingleCorporation12AD8B",[3008],"https://intezer.com/blog/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/","2024-12-30",{"malware_info":3011,"category":304,"primary_tags":3022,"mutexes":3023},{"family":3012,"aliases":3013,"description":3015,"threat_actor":3016,"first_seen":896},"Tonto Team",[3014],"TontoTeam","Tonto Team is a sophisticated loader malware used by a threat group known by multiple aliases including HeartBeat, Karma Panda, CactusPete, Bronze Huntley, and Earth Akhlut. The malware is designed to download and execute additional payloads on compromised systems and has been observed in various targeted attack campaigns.",[3012,3017,3018,3019,3020,3021],"HeartBeat","Karma Panda","CactusPete","Bronze Huntley","Earth Akhlut",[306,307,793,115,19],[3024,3028],{"name":3025,"references":3026,"date_added":82,"analyst":27},"{A931568B-94AF-449D-B7F6-6585EF9E9839}",[3027],"https://www.f6.ru/blog/tonto-team/",{"name":3029,"references":3030,"date_added":82,"analyst":27,"notes":3032},"QuitMutex\u003Cpid>",[3031],"https://www.group-ib.com/blog/tonto-team/",[3033],"The mutex name is dynamic. The '\u003Cpid>' part is a placeholder for the PID of the currently running process (downloader).",{"malware_info":3035,"category":34,"primary_tags":3042,"mutexes":3043},{"family":3036,"aliases":3037,"description":3041,"threat_actor":3036,"first_seen":145},"Trinity",[3038,3039,3040],"Trinity Ransomware","2023Lock","Venus","Trinity is a ransomware variant that exhibits similarities with other ransomware like 2023Lock and Venus. 
It employs a double extortion strategy.",[36,215],[3044],{"name":3045,"references":3046,"date_added":124,"analyst":27},"48065934119990121",[3047],"https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties",{"malware_info":3049,"category":16,"primary_tags":3056,"mutexes":3059},{"family":3050,"aliases":3051,"description":3054,"threat_actor":3055,"first_seen":11},"Trojanized Plink",[3052,3053],"backdoored plink","plink","Trojanized Plink is a backdoored version of the legitimate PuTTY Link (plink) tool, modified by threat actors to provide remote access capabilities while appearing as legitimate software.","lazarus",[3057,15,3058],"trojanized","legitimate_software_abuse",[3060],{"name":3061,"references":3062,"date_added":100,"analyst":27,"notes":3064},"Global\\WindowsSvchost",[3063],"https://blog.talosintelligence.com/lazarus-collectionrat/",[3065],"Global mutex used by Trojanized Plink to ensure single instance execution",{"malware_info":3067,"category":1238,"primary_tags":3073,"mutexes":3074},{"family":3068,"aliases":3069,"description":3072,"threat_actor":11,"first_seen":113},"Typhon",[3070,3071],"typhon-stealer","Typhon Stealer","Typhon Stealer is an information-stealing malware spread through phishing sites. It is capable of stealing credentials, cookies, and other sensitive information from infected systems.",[164,1242,585],[3075],{"name":3076,"references":3077,"date_added":278,"analyst":27},"GOJJL2LPIZM04XC0NQ4I",[3078],"https://cyble.com/blog/phishing-site-used-to-spread-typhon-stealer/",{"malware_info":3080,"category":16,"primary_tags":3085,"mutexes":3087},{"family":3081,"aliases":3082,"description":3084,"threat_actor":2290,"first_seen":51},"UDPGangster",[3083],"UDP Gangster","UDPGangster is a malware family associated with the MuddyWater threat group. It has been observed in campaigns targeting multiple countries and is used for espionage activities. 
The malware leverages UDP communication for command and control operations.",[16,752,3086,2292,115],"udp_c2",[3088],{"name":3089,"references":3090,"date_added":615,"analyst":27},"xhxhxhxhxhxpp",[3091],"https://www.fortinet.com/blog/threat-research/udpgangster-campaigns-target-multiple-countries",{"malware_info":3093,"category":34,"primary_tags":3098,"mutexes":3099},{"family":3094,"aliases":3095,"description":3097,"threat_actor":11,"first_seen":12},"Underground",[3096],"Underground Ransomware","Underground is a ransomware family observed in the wild that encrypts files and holds them for ransom.",[36],[3100],{"name":3101,"references":3102,"date_added":172,"analyst":27},"8DC1F7B9D2F4EA58",[3103],"https://app.any.run/tasks/4f71bbd3-4e7b-41ac-bf4b-1817442ea5bf/",{"malware_info":3105,"category":34,"primary_tags":3110,"mutexes":3112},{"family":3106,"aliases":3107,"description":3109,"threat_actor":11,"first_seen":51},"VanHelsing",[3108],"VanHelsing Ransomware","VanHelsing is a ransomware-as-a-service (RaaS) operation attributed to Russian cybercriminals. The ransomware encrypts victim files and demands payment for decryption, employing double extortion tactics. The threat actors prohibit targeting Commonwealth of Independent States (CIS) countries, a characteristic behavior of Russian cybercrime groups. 
The malware creates a global mutex to prevent multiple instances from running simultaneously.",[36,37,17,53,215,3111,344],"russian_cybercrime",[3113],{"name":3114,"references":3115,"date_added":61,"analyst":27},"Global\\VanHelsing",[3116,3117,3118,3119],"https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing","https://www.cyfirma.com/research/vanhelsing-ransomware/","https://www.tripwire.com/state-of-security/vanhelsing-ransomware-what-you-need-know","https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/",{"malware_info":3121,"category":1238,"primary_tags":3126,"mutexes":3127},{"family":3122,"aliases":3123,"description":3125,"threat_actor":11,"first_seen":51},"VipersoftX",[3124],"VipersoftX Stealer","VipersoftX is an information-stealing malware that has been active since 2025. The malware is designed to steal sensitive information from compromised systems including credentials, browser data, and other valuable information. 
It employs sophisticated techniques to evade detection and establish persistence on infected systems.",[1879,1242,1880,309,19],[3128,3132],{"name":3129,"references":3130,"date_added":82,"analyst":27},"acb2f45f62c34c94bbd6e86734eb01a1",[3131],"https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant/",{"name":3133,"references":3134,"date_added":82,"analyst":27},"8cda13f8-a407-4a48-8284-411709e090",[3131],{"malware_info":3136,"category":34,"primary_tags":3139,"mutexes":3141},{"family":3137,"description":3138,"threat_actor":11},"Vohuk","Vohuk is a ransomware that has been observed using Qakbot for initial access.",[3140,34],"qakbot",[3142],{"name":3143,"references":3144,"date_added":61,"analyst":27},"Global\\VohukMutex",[3145],"https://www.tanium.com/blog/qbot-malware-in-svg-files-cyber-threat-intelligence-roundup",{"malware_info":3147,"category":16,"primary_tags":3153,"mutexes":3157},{"family":3148,"aliases":3149,"description":3152,"threat_actor":11,"first_seen":33},"WailingCrab",[3150,3151],"WailingCrab Backdoor","WikiLoader","WailingCrab is a backdoor that uses the MQTT messaging protocol for command and control (C2) communication. This allows it to blend in with legitimate IoT traffic and evade detection.",[3154,3155,3156],"c2_protocol","mqtt","iot_traffic",[3158],{"name":3159,"references":3160,"date_added":124,"analyst":27},"823264",[3161],"https://www.ibm.com/think/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol",{"malware_info":3163,"category":34,"primary_tags":3171,"mutexes":3176},{"family":3164,"aliases":3165,"description":3169,"threat_actor":3170,"first_seen":1555},"WannaCry",[3166,3167,3168],"WannaCrypt","WCry","Wana Decrypt0r","WannaCry is a ransomware cryptoworm that spread rapidly across computer networks in May 2017. 
It exploited the EternalBlue vulnerability in Microsoft Windows systems and was attributed to the Lazarus Group.","Lazarus Group (North Korea)",[3172,3173,3174,36,3175],"cryptoworm","self-propagating","smb_exploit","kill_switch",[3177,3181],{"name":3178,"references":3179,"date_added":373,"analyst":27},"MsWinZonesCacheCounterMutexA",[3180],"https://www.group-ib.com/blog/echoes/",{"name":3182,"references":3183,"date_added":373,"analyst":27},"Global\\MsWinZonesCacheCounterMutexW",[3184],"https://www.elastic.co/blog/wcrywanacry-ransomware-technical-analysis",{"malware_info":3186,"category":1238,"primary_tags":3192,"mutexes":3194},{"family":3187,"aliases":3188,"description":3190,"threat_actor":3191,"first_seen":113},"WhiteSnake",[3189],"WhiteSnake Stealer","WhiteSnake is a new information stealer malware offered for sale via Malware-as-a-Service (MaaS) model. It is designed to steal sensitive information from infected systems including credentials, browser data, and other valuable information.","Whitesnake",[1879,570,3193,1880,864],"credentials_theft",[3195],{"name":3196,"references":3197,"date_added":871,"analyst":27},"kwnmsgyyay",[3198],"https://cyble.com/blog/new-whitesnake-stealer-offered-for-sale-via-maas-model/",{"malware_info":3200,"category":13,"primary_tags":3206,"mutexes":3207},{"family":3201,"aliases":3202,"description":3205,"threat_actor":11,"first_seen":145},"Xeno",[3203,3204],"Xeno RAT","XenoRAT","Xeno RAT is a commodity Remote Access Trojan written in C# that provides a range of capabilities for controlling and stealing information from compromised systems.",[15,164,165],[3208,3214],{"name":3209,"references":3210,"date_added":172,"analyst":27,"notes":3212},"xeno_rat_nd\u003C5 Alphanumeric Characters>",[3211],"https://app.any.run/tasks/b1aee0cb-c267-447f-a996-a991fcb0dee7/",[3213],"The mutex name is dynamic. 
The '\u003C5 Alphanumeric Characters>' part is a placeholder for a randomly generated string.",{"name":3215,"references":3216,"date_added":172,"analyst":27,"notes":3218},"xeno_rat_nd\u003C5 Alphanumeric Characters>-admin",[3217],"https://tria.ge/250630-d62aeszkw5/behavioral2/analog?main_event=Mutex&mutant=Xeno_rat_nd8912d-admin",[3219],"The mutex name is dynamic. The '\u003C5 Alphanumeric Characters>' part is a placeholder for a randomly generated string. The '-admin' suffix may indicate a specific variant or configuration.",{"malware_info":3221,"category":1238,"primary_tags":3226,"mutexes":3232},{"family":3222,"aliases":3223,"description":3225,"threat_actor":11,"first_seen":51},"XenoStealer",[3224],"Xeno Stealer","XenoStealer is a sophisticated information stealer malware based on an open-source framework that targets browsers, email clients, chat applications, and cryptocurrency wallets. It uses advanced obfuscation techniques including Microsoft Script Encoder and .NET Reactor to evade detection.",[164,3227,3228,3229,3230,3231,2757,19],"browser_data_theft","cryptocurrency_theft","email_client_theft","chat_application_theft","obfuscated_code",[3233],{"name":3234,"references":3235,"date_added":193,"analyst":27},"aMdFrsHoGcGgAKUyLCoEIuoHpvwCAzaz",[3236],"https://www.huorong.cn/document/tech/vir_report/1833",{"malware_info":3238,"category":13,"primary_tags":3242,"mutexes":3243},{"family":3239,"aliases":3240,"description":3241,"threat_actor":11,"first_seen":145},"XieBroRAT",[],"XieBroRAT is a fork of AsyncRat that provides attackers with remote control capabilities over compromised systems. 
It uses specific mutexes to ensure single instance execution and coordinate its activities on the infected system.",[15,16,17,18,19],[3244],{"name":3245,"references":3246,"date_added":26,"analyst":27},"pLONGFEIFFmm1",[3247],"https://app.any.run/tasks/c2f62dff-09bd-4498-b528-9154c87dc101?malconf=682e320dafec3767f7fee726",{"malware_info":3249,"category":1238,"primary_tags":3254,"mutexes":3255},{"family":3250,"aliases":3251,"description":3253,"threat_actor":11,"first_seen":33},"XLoader",[3252],"XLoader Infostealer","XLoader is a stealer malware that is a successor to Formbook. It is often distributed via phishing campaigns and is capable of stealing credentials from various applications.",[164,1242],[3256],{"name":3257,"references":3258,"date_added":393,"analyst":27},"fBEQVtAy",[3259],"https://cyble.com/blog/xloader-returns-with-new-infection-technique/",{"malware_info":3261,"category":13,"primary_tags":3267,"mutexes":3268},{"family":3262,"aliases":3263,"description":3265,"threat_actor":11,"first_seen":3266},"Xtreme",[3264],"Xtreme RAT","Xtreme RAT is a long-standing Remote Access Trojan (RAT) that provides attackers with extensive capabilities to control a compromised machine, including keylogging, file management, and remote desktop access.","2010",[15,526,164,165],[3269],{"name":3270,"references":3271,"date_added":172,"analyst":27},"XTREMEUPDATE",[3272,3273],"https://blog.talosintelligence.com/threat-roundup-0221-0228/","https://tria.ge/201109-zfdsa4p7qe/behavioral2/analog?main_event=Mutex&q=xtreme",{"malware_info":3275,"category":13,"primary_tags":3288,"mutexes":3291},{"family":3276,"aliases":3277,"description":3278,"threat_actor":3279,"first_seen":145},"YaRAT",[],"YaRAT is a remote access trojan (RAT) attributed to APT31, a Chinese state-sponsored threat group. 
It is used for cyber-espionage and persistent access, often leveraging cloud services for C2 and data exfiltration.",[3280,3281,3282,3283,3284,3285,3286,3287],"APT31","BRONZE VINEWOOD","JUDGMENT PANDA","Red keres","TA412","Violet Typhoon","ZIRCONIUM","Zirconium",[115,3289,15,3290,17,19],"apt31","cloud",[3292],{"name":3293,"references":3294,"date_added":26,"analyst":27},"YandexDisk",[3295],"https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/apt31-cloud-attacks/",{"malware_info":3297,"category":16,"primary_tags":3303,"mutexes":3305},{"family":3298,"aliases":3299,"description":3301,"threat_actor":3302,"first_seen":145},"Yokai",[3300],"Yokai Backdoor","Yokai is a backdoor malware associated with threat actors Hive0154 and Mustang Panda. The malware is designed to provide remote access to compromised systems and has been observed in targeted attacks. Yokai is related to the Toneshell backdoor family and represents an updated variant used by these threat groups.","Hive0154, Mustang Panda",[15,793,19,794,795,3304],"toneshell_variant",[3306],{"name":3307,"references":3308,"date_added":3009,"analyst":27},"k1tpddvivh74fo1et725okr1c1",[3309],"https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor",{"malware_info":3311,"category":34,"primary_tags":3316,"mutexes":3319},{"family":3312,"aliases":3313,"description":3315,"threat_actor":11,"first_seen":669},"ZCryptor",[3314],"zcryptor-ransomware","ZCryptor is a ransomware that spreads via removable drives and encrypts files on infected systems. 
It was first discovered in 2016 and uses sophisticated propagation techniques to infect multiple systems through USB drives and other removable media.",[34,36,3317,3318],"removable_drive_spread","usb_propagation",[3320],{"name":3321,"references":3322,"date_added":100,"analyst":27},"zcrypt1.0",[3323],"https://www.helpnetsecurity.com/2016/05/27/zcryptor-ransomware-spreads-via-removable-drives/",{"malware_info":3325,"category":13,"primary_tags":3329,"mutexes":3330},{"family":3326,"aliases":3327,"description":3328,"threat_actor":11,"first_seen":11},"Zenrat",[3326],"Zenrat is a remote access trojan (RAT) that provides attackers with full control over compromised systems, including file operations, process management, and data exfiltration capabilities.",[15,164,2344,2345],[3331],{"name":3332,"references":3333,"date_added":100,"analyst":27,"notes":3335},"System.Byte[]",[3334],"https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm",[3336],"Mutex used by Zenrat RAT for process synchronization",{"malware_info":3338,"category":34,"primary_tags":3343,"mutexes":3345},{"family":3339,"aliases":3340,"description":3342,"threat_actor":11,"first_seen":145},"Zola",[3341],"Zola Ransomware","Zola is a ransomware variant that belongs to the Proton family of malware. The ransomware is designed to encrypt files on victim systems and demand payment for decryption. 
It is known for its sophisticated encryption techniques and has been observed in various cybercriminal campaigns targeting organizations globally.",[36,3344,148,150],"proton_family",[3346],{"name":3347,"references":3348,"date_added":82,"analyst":27},"4B991369-7C7C-47AA-A81E-EF6ED1F5E24C",[3349,3350,3351],"https://www.acronis.com/en-gb/tru/posts/zola-ransomware-the-many-faces-of-the-proton-family/","https://www.loginsoft.com/post/zola-ransomware","https://cyberinsider.com/zola-ransomware-springs-to-action-as-latest-proton-variant/",206,[16,449,69,1110,1272,304,844,34,13,1238,249],[2142,417,1305,1469,230,73,1852,2719,2758,2759,684,1581,115,3289,1275,18,588,862,700,16,686,451,2359,554,449,3227,1880,1557,165,1434,3154,2720,1625,1367,54,935,3230,2969,1433,586,2794,72,606,3290,2795,1906,607,2515,1137,1070,482,382,1383,1691,2580,1242,3193,988,1110,2792,75,71,846,201,3228,2865,3172,2341,184,1847,150,1515,1162,251,401,2235,2259,527,2926,2939,2700,2272,2970,2793,721,1807,1163,2079,117,325,1097,215,1826,1272,1793,484,1983,348,3229,555,1194,2658,1514,752,403,2080,92,309,1447,148,1241,1416,362,36,1165,556,958,2344,2153,499,2721,2973,2127,2441,2938,2739,1948,116,1054,501,794,186,1274,1368,1879,164,1825,3156,719,2323,604,526,3175,2553,500,480,3058,1240,402,304,1096,753,570,1850,1652,2672,1516,452,483,187,1907,118,1665,91,3155,1808,1934,2292,2457,2975,344,307,795,2774,864,2062,2895,55,3231,326,147,163,2360,1369,306,1513,1849,19,585,2078,1053,720,587,2129,2128,861,2324,2757,2345,3344,465,3140,53,2473,37,34,528,13,608,2023,2741,15,418,603,1532,3317,847,308,2909,481,3111,1138,1319,2740,38,185,1851,605,3173,685,347,1243,346,2077,2722,2342,1164,2673,2971,149,3174,345,2834,2810,1882,1382,1848,2974,1448,1238,609,2619,1208,957,2260,793,2606,2322,1881,863,1982,3304,2866,3057,2343,3086,2442,76,1582,3318,1432,2474,687,74,17,1981,1431,832,2972,1651],"2026-04-02T06:17:00.709Z",1775110629777]