{
	"id": "80ecc7c3-67f2-47db-8654-a331aef66fd5",
	"created_at": "2026-04-06T00:10:08.990455Z",
	"updated_at": "2026-04-10T03:29:58.228998Z",
	"deleted_at": null,
	"sha1_hash": "11306f6a3598e0c5ee685410af151bf4e7bd8b53",
	"title": "Ramsay: A cyber-espionage toolkit tailored for air-gapped networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1410098,
	"plain_text": "Ramsay: A cyber-espionage toolkit tailored for air-gapped networks\r\nBy Ignacio Sanmillan\r\nArchived: 2026-04-05 15:58:24 UTC\r\nESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is\r\ntailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.\r\nWe initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of\r\nfurther components and versions of the framework, along with substantial evidence to conclude that this framework is at a\r\ndevelopmental stage, with its delivery vectors still undergoing fine-tuning.\r\nThe current visibility of targets is low; based on ESET’s telemetry, few victims have been discovered to date. We believe\r\nthis scarcity of victims reinforces the hypothesis that this framework is under an ongoing development process, although the\r\nlow visibility of victims could also be due to the nature of targeted systems being in air‑gapped networks.\r\nShared artifacts were found alongside the Retro backdoor. This malware has been associated with Darkhotel, a notorious\r\nAPT group known to have conducted cyber-espionage operations since at least 2004, having targeted government entities in\r\nChina and Japan in the past.\r\nAttack vectors\r\nAlong with the discovery of the different instances of Ramsay, we found they were leveraged using a series of attack\r\nvectors. These are:\r\nFigure 1. Overview of discovered Ramsay versions\r\nMalicious documents dropping Ramsay version 1\r\nhttps://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/\r\nPage 1 of 18\n\nThis attack vector consists of malicious documents exploiting CVE-2017-0199 intended to drop an older version of Ramsay.\r\nThis document delivers an initial Visual Basic Script, shown in the screenshot below as OfficeTemporary.sct, that will\r\nextract within the document’s body the Ramsay agent, masquerading as a JPG image by having a base64-encoded PE under\r\na JPG header.\r\nID Index OLE Object\r\n0 0x80c8\r\nFormat_id: 2 (Embedded)\r\nClass name: ‘Package’\r\nData size: 8994\r\nOLE Package object:\r\nFilename: u‘OfficeTemporary.sct’\r\nSource path: u‘C:\\\\Intel\\\\OfficeTemporary.sct’\r\nTemp path = u:‘C:\\\\Intel\\\\OfficeTemporary.sct’\r\nMD5 = ‘cf133c06180f130c471c95b3a4ebd7a5’\r\nEXECUTABLE FILE\r\n1 0xc798\r\nFormat_id: 2 (Embedded)\r\nClass name: ‘OLE2Link’\r\nData size: 2560\r\nMD5 = ‘daee337d42fba92badbea2a4e085f73f’\r\nCLSID: 00000300-0000-0000-C000-000000000046\r\nStdOleLink (embedded OLE object - known related to CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)\r\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)\r\nTable 1. OLE object layout contained within Ramsay version 1 RTF file as seen by oletools\r\nWe noticed that the specific Ramsay instance dropped by these documents showed low complexity in its implementation and\r\nlacked many of the more advanced features seen leveraged by later Ramsay versions.\r\nSeveral instances of these same malicious documents were found uploaded to public sandbox engines, labeled as testing\r\nartifacts such as ‘access_test.docx’ or ‘Test.docx’, denoting an ongoing effort to trial this specific attack vector.\r\nBased on the low complexity of the Ramsay agent delivered, the threat actors may be embedding this specific instance\r\nwithin these malicious documents for evaluation purposes.\r\nDecoy installer dropping Ramsay version 2.a\r\nWe found one instance uploaded to VirusTotal of Ramsay masquerading as a 7zip installer.\r\nThe reason we named this malware Ramsay was due to some of the strings contained in this binary, such as the following:\r\nFigure 2. Strings containing \"Ramsay\"\r\nThis version of Ramsay shows a clear refinement of its evasion and persistence tactics along with the introduction of new\r\nfeatures such as a Spreader component and a rootkit; the Spreader component is documented more thoroughly in the Spreading part of\r\nthe Capabilities section.\r\nMalicious documents dropping Ramsay version 2.b\r\nThis attack vector consists of the delivery of a different malicious document abusing CVE-2017-11882. This document will\r\ndrop a Ramsay Installer named lmsch.exe as shown in Table 2.\r\nID Index OLE Object\r\n0 0x80c8\r\nFormat_id: 2 (Embedded)\r\nClass name: ‘Package’\r\nData size: 644790\r\nOLE Package object:\r\nFilename: u‘lmsch.exe’\r\nSource path: u‘C:\\\\fakepath\\\\lmsch.exe’\r\nTemp path = u:‘C:\\\\fakepath\\\\lmsch.exe’\r\nMD5 = ‘27cd5b330a93d891bdcbd08050a5a6e1’\r\n1 0xc798\r\nFormat_id: 2 (Embedded)\r\nClass name: ‘Equation.3’\r\nData size: 3584\r\nMD5 = ‘5ae434c951b106d63d79c98b1a95e99d’\r\nCLSID: 0002CE02-0000-0000-C000-000000000046\r\nMicrosoft Equation 3.0 (Known related to CVE-2017-11882 or CVE-2018-0802)\r\nPossibly an exploit for the Equation Editor vulnerability (VU#421280, CVE-2017-11882)\r\nTable 2. OLE object layout contained within Ramsay version 2.b RTF file as seen by oletools\r\nThe Ramsay version leveraged by this document is a slightly modified version of Ramsay version 2.a, with the main\r\ndifference of not leveraging the spreader component. The functionality of the remaining components is the same as in\r\nRamsay version 2.a.\r\nClient Execution of Infected Files\r\nAs previously mentioned, Ramsay Version 2.a delivers a Spreader component that will behave as a file infector, changing\r\nthe structure of benign PE executable files held within removable and network shared drives in order to embed malicious\r\nRamsay artifacts triggered on host file execution.\r\nThe Spreader is highly aggressive in its propagation mechanism and any PE executables residing in the targeted drives\r\nwould be candidates for infection.\r\nBased on compilation timestamps among the components of the various versions of Ramsay found, we can estimate the\r\nfollowing development timeline of this framework:\r\nFigure 3. Estimation of Ramsay’s development timeline\r\nThe analysis of the different compilation timestamps found across different components implies that this framework has\r\nbeen under development since late 2019, with the possibility of currently having two maintained versions tailored based on\r\nthe configuration of different targets.\r\nPersistence mechanisms\r\nBased on its version, Ramsay implements various persistence mechanisms of different complexity. Some of these\r\npersistence mechanisms are the following:\r\nAppInit DLL registry key\r\nThe Windows operating system provides the functionality to allow custom DLLs to be loaded into the address space of\r\nalmost all application processes via the AppInit DLL registry key. This technique is not particularly complex; it is implemented\r\nin early Ramsay versions and is common in other malware families.\r\nScheduled Task via COM API\r\nScheduled tasks enable administrators to run tasks or “jobs” at designated times rather than every time the system is booted\r\nor the user logs in. This feature can be implemented via the Windows COM API, which the first versions of Ramsay have\r\nadopted. Based on the high ratio of similarity with Carberp’s implementation, it's highly probable that Ramsay's\r\nimplementation was adapted from Carberp's publicly available source code.\r\nPhantom DLL Hijacking\r\nMore mature versions of Ramsay denote an increase in complexity of its persistence techniques, which include a technique\r\nsometimes referred to as “Phantom DLL Hijacking”.\r\nPhantom DLL Hijacking abuses the fact that many Windows applications use outdated dependencies not strictly necessary\r\nfor the functionality of the application itself, allowing the possibility of leveraging malicious versions of these dependencies.\r\nTwo services will be targeted in order to implement this technique. These are:\r\nWSearch (Windows Search) hijacking msfte.dll:\r\nFigure 4. Hijacking of Microsoft Search Service msfte.dll\r\nMSDTC (Microsoft Distributed Transaction Coordinator) service hijacking an Oracle dependency seen below as\r\noci.dll:\r\nFigure 5. Hijacking of MSDTC service dependency oci.dll\r\nThis persistence technique is highly versatile, enabling Ramsay agents delivered as DLLs to fragment their logic into\r\nseparated sections, implementing different functionality tailored for the subject processes where the agent will be loaded. In\r\naddition, the use of this technique makes detection more difficult since the loading of these DLLs into their respective\r\nprocesses/services won't necessarily trigger an alert.\r\nCapabilities\r\nRamsay's architecture provides a series of capabilities monitored via a logging mechanism intended to assist operators by\r\nsupplying a feed of actionable intelligence to conduct exfiltration, control, and lateral movement actions, as well as\r\nproviding overall behavioral and system statistics of each compromised system. The realization of these actions is possible\r\ndue to the following capabilities:\r\nFile collection and covert storage\r\nThe primary goal of this framework is to collect all existing Microsoft Word documents within the target's filesystem. The\r\noverall collection stages are shown in Figure 6:\r\nFigure 6. Mechanism of document collection\r\nWord documents will first be collected and stored in a preliminary collection directory. The location of this directory may\r\nvary depending on the Ramsay version. Two of the directories we observed being used for this purpose were\r\n%APPDATA%\\Microsoft\\UserSetting and %APPDATA%\\Microsoft\\UserSetting\\MediaCache.\r\nDepending on the Ramsay version, file collection won't be restricted to the local system drive, but will also search additional\r\ndrives such as network or removable drives:\r\nFigure 7. Hex-Rays output of procedure to scan removable drives for collection\r\nFigure 8. Hex-Rays output of procedure to scan network drives for collection\r\nCollected documents are encrypted using the RC4 stream cipher algorithm.\r\nThe RC4 key used to encrypt each file will be a computed MD5 hash of a randomly generated sequence of 16 bytes, salted\r\nwith 16 bytes hardcoded in the malware sample. The first 16 bytes of the buffer where the encrypted file will be held will\r\ncorrespond to the actual RC4 key used:\r\nFigure 9. Hex-Rays output of RC4 key generation and storage\r\nCollected files under the preliminary collection directory will be compressed using a WinRAR instance that the Ramsay\r\nInstaller drops. This compressed archive will be saved within the preliminary collection directory and then used to generate a\r\nRamsay container artifact:\r\nFigure 10. Hex-Rays output of Ramsay container generation\r\nAs shown in the previous screenshot, these Ramsay containers contain a magic value at the beginning of the file, along with\r\na Hardware Profile GUID denoting an identifier of the victim's machine; an additional XOR-based encryption layer will be\r\napplied to the generated compressed archive. The following diagram shows the structure of these artifacts:\r\nFigure 11. Ramsay Container Structure\r\nRamsay implements a decentralized way of storing these artifacts among the victim's file system by using inline hooks\r\napplied on two Windows API functions, WriteFile and CloseHandle.\r\nThe hooked WriteFile procedure's main purpose is to save the file handle of the subject file to write and install another hook\r\nin the CloseHandle API function. The CloseHandle hooked procedure will then check whether the subject file name has a\r\n.doc extension; if that's the case, it will then append at the end of the subject document the Ramsay container artifact\r\nfollowed by a stream of 1024 bytes denoting a Microsoft Word document footer.\r\nThis is done as an evasion measure in order to provide a means to hide the embedded artifact within the subject document\r\nfrom the naked eye:\r\nFigure 12. Hex-Rays output of code for appending Word document footer at the end of the target document\r\nRamsay containers appended to Word documents will be marked in order to avoid redundant artifacts being appended to\r\nalready affected documents, and the preliminary storage directory will be cleared in order to generate a brand-new Ramsay\r\nartifact at intervals.\r\nEven though affected documents will be modified, it won't impact their integrity; each affected Word document remains\r\nfully operational after artifact appending has taken place.\r\nExfiltration of these artifacts is done via an external component that we haven't been able to retrieve. However, based on the\r\ndecentralized methodology Ramsay implements for storage of collected artifacts, we believe this component would scan the\r\nvictim's file system in search of the Ramsay container's magic values, in order to identify the location of artifacts to\r\nexfiltrate.\r\nCommand execution\r\nUnlike most conventional malware, Ramsay does not have a network-based C\u0026C communication protocol nor does it make\r\nany attempt to connect to a remote host for communication purposes. Ramsay's control protocol follows the same\r\ndecentralized philosophy implemented for collected artifact storage.\r\nRamsay will scan all the network shares and removable drives (excluding A: and B: drives usually reserved for floppy disks)\r\nfor potential control files. First, Ramsay looks for Word documents and also, in more recent versions, for PDFs and ZIP\r\narchives:\r\nFigure 13. Hex-Rays output of Ramsay Scan procedure for Control File retrieval\r\nThese files are parsed for the presence of a magic marker specific to the control file format. More specifically, Ramsay looks\r\nfor either of two given encoded Hardware Profile GUIDs. One of these GUIDs is hardcoded as shown in Figure 14, while the\r\nother is dynamically generated based on the compromised victim’s machine. If either of the subject identifiers is found,\r\nparsing for a command signature will be attempted.\r\nFigure 14. Hex-Rays output of Ramsay Control File Parsing\r\nThe search for these two GUID instances implies that Ramsay’s control documents can be deliberately crafted to be “victim\r\nagnostic”, capable of deploying the same control document instance across a number of victims by leveraging a “global”\r\nGUID within control documents. On the other hand, control documents can be crafted by embedding a specific GUID\r\nintended to be delivered exclusively on a single victim’s machine. This indicator of Ramsay's control protocol\r\nimplementation implies that its backend counterpart may be somewhat automated.\r\nRamsay's control protocol supports three different commands:\r\nSignature Command\r\nRr*e#R79m3QNU3Sy File Execution\r\nCNDkS_\u0026pgaU#7Yg9 DLL Load\r\n2DWcdSqcv3?(XYqT Batch Execution\r\nTable 3. Ramsay’s control commands\r\nAfter a given command signature is retrieved, the contained artifact to execute will be extracted from the control\r\ndocument’s body; the subject control document is then restored to its original form after command execution.\r\nSpreading\r\nAmong the different files dropped by the latest versions of Ramsay we find a Spreader component. This executable will\r\nattempt to scan for network shares and removable drives excluding A: and B: drives:\r\nFigure 15. Hex-Rays output of spreader scanning routines\r\nIt is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control\r\ndocument retrieval. This highlights the relationship between Ramsay’s spreading and control capabilities, showing how\r\nRamsay’s operators leverage the framework for lateral movement and denoting the likelihood that this framework has been\r\ndesigned to operate within air-gapped networks.\r\nThe propagation technique mainly consists of file infection much like a prepender file infector in order to generate\r\nexecutables similar in structure to Ramsay’s decoy installers for every accessible PE file within the aforementioned targeted\r\ndrives. The following diagram illustrates the changes applied to targeted executables after infection has taken place and how\r\nthese components interact on execution:\r\nFigure 16. File structure changes during an infection and execution\r\nAll of the different artifacts involved in the infection stage are either within the context of the spreader or dropped\r\npreviously by another Ramsay component. Some of the artifacts are parsed for the following tokens:\r\nFigure 17. Hex-Rays output of tokens to search for different artifacts within the spreader context\r\nAfter a given file has been infected, it will be marked by writing a specific token at the end of it in order to provide the\r\nspreader an identifier to prevent redundant infection.\r\nIn addition, some components of Ramsay have implemented a network scanner intended for the discovery of machines\r\nwithin the compromised host’s subnet that are susceptible to the EternalBlue SMBv1 vulnerability. This information will be\r\ncontained within all logged information Ramsay collects and may be leveraged by operators in order to do further lateral\r\nmovement over the network in a later stage via a different channel.\r\nRamsay’s version 2.a Spreader component was found to have reused a series of tokens seen before in Darkhotel’s Retro\r\nBackdoor. These tokens are the following:\r\nFigure 18. Hex-Rays output of Token Reuse with Retro\r\nFigure 19. Token Reuse on Retro URL Crafting\r\nRamsay serializes victims using the GetCurrentHwProfile API to then retrieve a GUID for the specific victim’s machine.\r\nThis is also seen implemented in Retro. They both use the same default GUID in case the API call fails:\r\nFigure 20. Ramsay and Retro GUID generation\r\nBoth Ramsay and Retro share the same encoding algorithm to encode the retrieved GUID.\r\nFigure 21. Ramsay and Retro GUID encoding scheme\r\nThe GUID retrieved by GetCurrentHwProfile is specific to the system’s hardware but not to the user or PC instance.\r\nTherefore, it is likely that by just leveraging this GUID operators may encounter duplicates intended to serialize different\r\nvictims.\r\nThe purpose of this scheme is to generate a GUID that is less likely to be duplicate-prone by ‘salting’ it with the machine’s\r\nEthernet adapter address. This implies that Retro and Ramsay share the same scheme to generate unique identifiers.\r\nWe also found similarities in the way Ramsay and Retro saved some of their log files, sharing a similar filename convention:\r\nFigure 22. Some of Ramsay and Retro filename conventions\r\nIt is important to highlight that among Retro’s documented techniques, it leverages malicious instances of msfte.dll, oci.dll and\r\nlame_enc.dll via Phantom DLL Hijacking. As previously documented, Ramsay also uses this technique in some of its\r\nversions, also using msfte.dll and oci.dll.\r\nIn addition, we also observed similarities between Ramsay and Retro in regard to the open-source tools used in their\r\ntoolsets, such as leveraging UACMe for privilege escalation and ImprovedReflectiveDLLInjection for deploying some of\r\ntheir components.\r\nFinally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of\r\nKorean-based templates.\r\nFigure 23. Malicious document metadata showing the Korean word “title”\r\nConclusion\r\nBased on the different instances of the framework found, Ramsay has gone through various development stages, denoting an\r\nincreasing progression in the number and complexity of its capabilities.\r\nDevelopers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities\r\nfrom 2017 as well as deploying trojanized applications.\r\nWe interpret this as meaning that developers have a prior understanding of the victims’ environment and are tailoring attack vectors\r\nthat would successfully intrude into targeted systems without the need to waste unnecessary resources.\r\nSome stages of Ramsay’s framework are still under evaluation, which could explain the current low visibility of victims,\r\nbearing in mind that Ramsay’s intended targets may be under air-gapped networks, which would also impact victim visibility.\r\nWe will continue monitoring new Ramsay activities and will publish relevant information on our blog. For any inquiries,\r\ncontact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.\r\nIndicators of Compromise (IoCs)\r\nSHA-1 ESET detection name Comments\r\nf79da0d8bb1267f9906fad1111bd929a41b18c03 Win32/TrojanDropper.Agent.SHN Initial Installer\r\n62d2cc1f6eedba2f35a55beb96cd59a0a6c66880 Win32/Ramsay.A Installer Launcher\r\nbaa20ce99089fc35179802a0cc1149f929bdf0fa Win32/HackTool.UACMe.T UAC Bypass Module\r\n5c482bb8623329d4764492ff78b4fbc673b2ef23 Win32/HackTool.UACMe.T UAC Bypass Module\r\ne7987627200d542bb30d6f2386997f668b8a928c Win32/TrojanDropper.Agent.SHM Spreader\r\n3bb205698e89955b4bd07a8a7de3fc75f1cb5cde Win32/TrojanDropper.Agent.SHN Malware Installer\r\nbd8d0143ec75ef4c369f341c2786facbd9f73256 Win32/HideProc.M HideDriver Rootkit\r\n7d85b163d19942bb8d047793ff78ea728da19870 Win32/HideProc.M HideDriver Rootkit\r\n3849e01bff610d155a3153c897bb662f5527c04c Win64/HackTool.Inject.A Darkhotel Retro Backdoor Loader\r\n50eb291fc37fe05f9e55140b98b68d77bd61149e Win32/Ramsay.B Ramsay Initial Installer (version 2.b)\r\n87ef7bf00fe6aa928c111c472e2472d2cb047eae Win32/Exploit.CVE-2017-11882.H RTF file that drops 50eb291fc37fe05f9e55140b98b68d77bd61\r\n5a5738e2ec8af9f5400952be923e55a5780a8c55 Win32/Ramsay.C Ramsay Agent DLL (32bits)\r\n19bf019fc0bf44828378f008332430a080871274 Win32/Ramsay.C Ramsay Agent EXE (32bits)\r\nbd97b31998e9d673661ea5697fe436efe026cba1 Win32/Ramsay.C Ramsay Agent DLL (32bits)\r\neb69b45faf3be0135f44293bc95f06dad73bc562 Win32/Ramsay.C Ramsay Agent DLL (32bits)\r\nf74d86b6e9bd105ab65f2af10d60c4074b8044c9 Win64/Ramsay.C Ramsay Agent DLL (64bits)\r\nae722a90098d1c95829480e056ef8fd4a98eedd7 Win64/Ramsay.C Ramsay Agent DLL (64bits)\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial Access T1091 Replication Through Removable Media Ramsay’s spreading mechanism is done via removable drives.\r\nExecution T1106 Execution through API Ramsay’s embedded components are executed via CreateProcessA and ShellExecute.\r\nT1129 Execution through Module Load Ramsay agent can be delivered as a DLL.\r\nT1203 Exploitation for Client Execution Ramsay attack vectors exploit CVE-2017-11882 or CVE-2017-0199.\r\nT1035 Service Execution Ramsay components can be executed as service dependencies.\r\nT1204 User Execution Ramsay Spreader component infects files within the file system.\r\nPersistence T1103 AppInit DLLs Ramsay can use this registry key for persistence.\r\nT1050 New Service Ramsay components can be executed as service dependencies.\r\nT1053 Scheduled Task Ramsay sets a scheduled task to persist after reboot.\r\nPrivilege Escalation T1088 Bypass User Account Control Ramsay drops UACMe instances for privilege escalation.\r\nDefense Evasion T1038 DLL Order Hijacking Ramsay agents will masquerade as service dependencies leveraging Phantom DLL Hijacking.\r\nT1107 File Deletion Ramsay installer is deleted after execution.\r\nT1055 Process Injection Ramsay’s agent is injected into various processes.\r\nT1045 Software Packing Ramsay installer may be packed with UPX.\r\nDiscovery T1083 File and Directory Discovery Ramsay agent scans for files and directories on the system drive.\r\nT1135 Network Share Discovery Ramsay agent scans for available network shares.\r\nT1057 Process Discovery Ramsay will attempt to find if the host is already compromised by checking the existence of specific processes.\r\nLateral Movement T1210 Exploitation of Remote Services Ramsay network scanner may scan the host’s subnet to find targets vulnerable to EternalBlue.\r\nT1105 Remote File Copy Ramsay attempts to infect files on network shares.\r\nT1091 Replication Through Removable Media Ramsay attempts to infect files on removable drives.\r\nCollection T1119 Automated Collection Ramsay agent collects files in intervals.\r\nT1005 Data from Local System Ramsay agent scans files on system drive.\r\nT1039 Data from Network Shared Drive Ramsay agent scans files on network shares.\r\nT1025 Data from Removable Media Ramsay agent scans files on removable drives.\r\nT1113 Screen Capture Ramsay agent may generate and collect screenshots.\r\nCommand and Control T1092 Communication Through Removable Media Ramsay agent scans for control files for its file-based communication protocol on removable drives.\r\nT1094 Custom Command and Control Protocol Ramsay implements a custom, file-based C\u0026C protocol.\r\nExfiltration T1002 Data Compressed Ramsay agent compresses its collection directory.\r\nSource: https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/"
	],
	"report_names": [
		"ramsay-cyberespionage-toolkit-airgapped-networks"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11306f6a3598e0c5ee685410af151bf4e7bd8b53.pdf",
		"text": "https://archive.orkl.eu/11306f6a3598e0c5ee685410af151bf4e7bd8b53.txt",
		"img": "https://archive.orkl.eu/11306f6a3598e0c5ee685410af151bf4e7bd8b53.jpg"
	}
}