{
	"id": "aab3e383-e53a-4298-9c67-12ac56f131c3",
	"created_at": "2026-05-20T02:03:15.369662Z",
	"updated_at": "2026-05-20T02:03:46.067007Z",
	"deleted_at": null,
	"sha1_hash": "0c38ea6297dcd938c89f74e5b2a157deace8b387",
	"title": "Payload Ransomware: In-depth technical analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35956,
	"plain_text": "Payload Ransomware: In-depth technical analysis\r\nBy Editor\r\nPublished: 2026-05-05 · Archived: 2026-05-20 02:01:25 UTC\r\nPayload is a cross-platform ransomware family with both Windows and Linux variants. This blog focuses primarily on the Windows variant and describes its behavior in detail.\r\nPayload supports an extensive set of command-line arguments, which suggests it is operated manually or remotely. It works as an operator-driven ransomware executable rather than a simple one-click executable: operators can selectively enable or disable features to fit the target environment or their operational objectives.\r\nBelow is the list of arguments that can be supplied by the operators:\r\nFlag | Effect when present | Default behavior\r\n`--background` | Runs encryption in the background (no console window); does NOT re-spawn itself | N/A\r\n`-m` | Skips mutex creation/check (allows multiple instances) | Mutex is created to enforce a single instance\r\n`-n` | Does NOT write the ransom note to disk | Ransom note is written\r\n`-d` | Disables self-deletion | Self-deletion is executed after the run\r\n`-k` | Does NOT kill processes or stop services | Target processes/services are terminated\r\n`-s` | Skips network share enumeration (only local drives are targeted) | Network shares are also enumerated and encrypted\r\n`-l` | Wipes all Windows Event Logs after encryption (anti-forensics) | Event logs are left unchanged\r\n`-i` | Ignores filename filters (may re-encrypt its own files, such as notes or payload artifacts) | Filename filters are enforced to avoid its own files and system files\r\n`--bypass-etw` | Patches ETW functions in `ntdll` to disable logging | ETW remains functional\r\n`--algo` | Forces a specific ChaCha20 implementation (AVX2- or SSE2-optimized) | Algorithm path is auto-detected based on the CPU\r\n`--threads N` | Sets the number of worker threads for encryption | Defaults to the number of CPU cores\r\n`-p <path>` | Encrypts only the specified path | All drives are enumerated and encrypted\r\n`--log <path>` | Overrides the default log file location | Logs are written to `C:\\payload.log`\r\nIOC Type | Value\r\nWindows Variant Hash | 1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f\r\nLinux Variant Hash | bed8d1752a12e5681412efbb8283910857f7c5c431c2d73f9bbc5b379047a316\r\nMutex | MakeAmericaGreatAgain\r\nLog File | C:\\payload.log\r\nRansom Note | C:\\RECOVER_payload.txt\r\nRansomware Infrastructure (Tor-based) | payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion\r\nRansomware Infrastructure (Tor-based) | payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion\r\nSource: https://www.egfincirt.org.eg/payload-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.egfincirt.org.eg/payload-ransomware"
	],
	"report_names": [
		"payload-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1779242595,
	"ts_updated_at": 1779242626,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c38ea6297dcd938c89f74e5b2a157deace8b387.pdf",
		"text": "https://archive.orkl.eu/0c38ea6297dcd938c89f74e5b2a157deace8b387.txt",
		"img": "https://archive.orkl.eu/0c38ea6297dcd938c89f74e5b2a157deace8b387.jpg"
	}
}