[ MALWARE MUTEX INTELLIGENCE DATABASE ]
 ███████╗██╗   ██╗██╗██╗         ███╗   ███╗██╗   ██╗████████╗███████╗██╗  ██╗
 ██╔════╝██║   ██║██║██║         ████╗ ████║██║   ██║╚══██╔══╝██╔════╝╚██╗██╔╝
█████╗  ██║   ██║██║██║         ██╔████╔██║██║   ██║   ██║   █████╗   ╚███╔╝
██╔══╝  ╚██╗ ██╔╝██║██║         ██║╚██╔╝██║██║   ██║   ██║   ██╔══╝   ██╔██╗
 ███████╗ ╚████╔╝ ██║███████╗    ██║ ╚═╝ ██║╚██████╔╝   ██║   ███████╗██╔╝ ██╗
 ╚══════╝  ╚═══╝  ╚═╝╚══════╝    ╚═╝     ╚═╝ ╚═════╝    ╚═╝   ╚══════╝╚═╝  ╚═╝

Advanced Malware Analysis & Threat Intelligence

06:17:12
[ALL_FAMILIES]

VanHelsing

ransomware1 mutex signatures

[BASIC_INFORMATION]

FAMILY_NAME:
VanHelsing
CATEGORY:
RANSOMWARE
DESCRIPTION:
VanHelsing is a ransomware-as-a-service (RaaS) operation attributed to Russian cybercriminals. The ransomware encrypts victim files and demands payment for decryption, employing double extortion tactics. The threat actors prohibit targeting Commonwealth of Independent States (CIS) countries, a characteristic behavior of Russian cybercrime groups. The malware creates a global mutex to prevent multiple instances from running simultaneously.
ALIASES:
VanHelsing Ransomware
TAGS:
file_encryptionransom_demandwindowsraasdouble_extortionrussian_cybercrimemulti_platform

[MUTEX_SIGNATURES](1)

[MUTEX_01]
Global\VanHelsing
ANALYST: @adhikara13 DATE: 2025-07-16
REFERENCES:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing
https://www.cyfirma.com/research/vanhelsing-ransomware/
https://www.tripwire.com/state-of-security/vanhelsing-ransomware-what-you-need-know
https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/

[QUICK_ACTIONS]

[THREAT_INTELLIGENCE]

ATTRIBUTION:
Unknown
FIRST_OBSERVED:
2025

[SIGMA_RULE]

[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:1
TAGS:7
CATEGORY:RANSOMWARE
 Malware profile loaded successfully 
 EvilMutex Project v1.0.0 
 Open Source Threat Intelligence Database 
[GITHUB][DOCS]