{
	"id": "f49eb241-137b-4b58-9a89-7371f437a82f",
	"created_at": "2026-04-06T02:11:21.824654Z",
	"updated_at": "2026-04-10T03:24:23.997138Z",
	"deleted_at": null,
	"sha1_hash": "140582da8fa2fe6fc3cb8bafe8a1b1923db3f191",
	"title": "Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 937572,
	"plain_text": "Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again\r\nBy Mandiant\r\nPublished: 2021-11-29 · Archived: 2026-04-06 01:57:44 UTC\r\nWritten by: Tyler McLellan, Brandan Schondorfer\r\nIn September 2021, Mandiant discovered a post on exploit.in seeking partners for a new ransomware affiliate program. By\r\nOctober 21, 2021, the 54BB47h (Sabbath) ransomware shaming site and blog were created and quickly became the talk of\r\nsecurity researchers. In contrast with most other affiliate programs, Mandiant observed two occasions where the ransomware\r\noperator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. While the use of BEACON\r\nis common practice in ransomware intrusions, a BEACON supplied by the affiliate program operator itself is unusual:\r\nit complicates attribution while also offering additional avenues for detection.\r\nMandiant Advanced Practices began proactively identifying similar BEACON infrastructure across past Mandiant\r\nConsulting engagements, the Advanced Practices external adversary discovery program, and commercially available malware\r\nrepositories. Through this analysis, Advanced Practices linked the new Sabbath group to ransom activity under previously\r\nused names including Arcane and Eruption.\r\nUNC2190, operating as Arcane and Sabbath, has targeted critical infrastructure including education, health, and natural\r\nresources in the United States and Canada since June 2021. The targeting of critical infrastructure by ransomware groups has\r\nbecome increasingly concerning, as evidenced by governments moving to treat ransomware actors as national security level\r\nthreats, with particular attention to groups that target and disrupt critical infrastructure.\r\nStealthy Ransomware\r\nIn July 2020, UNC2190 deployed ROLLCOAST ransomware while branded as Eruption. 
Mandiant has not observed\r\nsamples of UNC2190-deployed ransomware in 2021, and no samples of ROLLCOAST have ever been submitted to\r\nVirusTotal. The following sections discuss some of the technical reasons why UNC2190’s ransomware has evaded capture and\r\ndiscovery.\r\nNext Level Extortion and ‘Backup Killers’\r\nSabbath first came to light in October 2021 when the group publicly shamed and extorted a US school district on Reddit and\r\nfrom a now suspended Twitter account, @54BB47h. During this recent extortion, the threat actor demanded a multi-million-dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of\r\nemailing staff, parents and even students directly to further apply public pressure on the school district.\r\n@54BB47h on Twitter\r\nUNC2190 uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is\r\nstolen as leverage, and the threat actor actively attempts to destroy backups.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/\r\nPage 1 of 9\n\nRansom note example\r\nThe threat actor has utilized public data leaks to pressure victims into paying ransom demands. While Sabbath operates a public\r\nshaming blog, Mandiant only observed victims being publicly extorted beginning in mid-November 2021, when six victims\r\nwere added over the span of two days. Previously, under the Arcane brand, Mandiant observed three victims publicly\r\nextorted in June 2021.\r\nSource: Reddit SecOpsDaily\r\nArcane Rebranded\r\nMandiant discovered that the new Sabbath public shaming web portal and blog, first published in October 2021, is nearly\r\nidentical to that of Arcane from June 2021. This included the same text content, with only minor changes to the name, color\r\nscheme, and logo. 
The threat actor kept the same grammatical errors in the updated site.\r\nSabbath 54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion Website October 2021\r\nthearcane.top website June 2021\r\nBehind the scenes, few technical changes were made to the affiliate model used to carry out the attacks across the\r\nrebranding from Arcane to Sabbath. BEACON samples and infrastructure from both ransomware affiliate services remained\r\nunchanged. The PE compile times were identical on Themida-packed BEACON droppers used by the threat\r\nactor (such as md5 6bd1a3849bb9d5f9ac5b4f4049081334 and 38667bc3ad2dcef35a5f343a5073e3f2).\r\nHunting for UNC2190 BEACON Samples\r\nSince July 2020, UNC2190 has utilized BEACON with unique Malleable profile elements, including:\r\nGET requests ending with kitten.gif, such as:\r\nhxxps://markettc.biz/gifs/ZsoCzxU-X-5D3ZhV2zzKgc8SHhygCYmWpBRCS_mRV_SZxyWaaSPw7FFtcZ66twQ_uTDp5EdlsmRa6K8GPtMVBnKOHhM6EgcnE4znZPiyXskZJXmHLSYAnkpLwhOrxyCoRkFthelDgVnuW7k3UVzDjEz3W4xuxSKBq2DuseaG-F0dob1M/kitten.gif\r\nPOST variable “image_url”, pointing to a specific image hosted on the popular Russian social media site VK:\r\nhxxps://sun9-23.userapi.com/G4JvdZDEfLdIPlNN1-JkMGQ2unf2KEIV54Om5g/abJ70jGHfVk.jpg\r\nUser agent, such as: \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/80.0.3987.163 Safari/537.36\"\r\nMandiant discovered additional infrastructure similarities utilized by UNC2190, including:\r\nActual server IP addresses masked behind a cloud service.\r\nSelf-signed TLS certificate with common name “Microsoft IT TLS CA 5”\r\nEvolving to Evade Antivirus Detection\r\nIn March 2021, Mandiant Consulting observed an intrusion for another tracked UNC group where antivirus had detected 
and\r\nblocked two attempts to load a BEACON payload that Mandiant attributes to UNC2190. Subsequently, a different tracked\r\nthreat actor deployed different ransomware at this victim with more success. Starting July 6, 2021, Mandiant detected the\r\nuse of Themida to pack UNC2190 BEACON malware and protect it from detection.\r\nROLLCOAST Ransomware Deep Dive\r\nIn July 2020, Mandiant first detected ROLLCOAST ransomware usage by UNC2190. ROLLCOAST\r\nis a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic-Link\r\nLibrary (DLL) with no named exports. When observed by Mandiant, it had only a single export, ordinal 0x01, which is unusual. This\r\nsuggested the sample was designed to avoid detection and be invoked within memory, possibly through the BEACON provided\r\nto affiliates. Incident responders working on similar intrusions should capture memory for analysis: ROLLCOAST was not\r\nwritten to disk during this intrusion and was only detected in memory by Mandiant.\r\nThe malware begins by checking the system language and exits if it detects a non-supported language code from the table\r\nbelow. 
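The language exclusion described above, together with the encrypted-file naming convention given later in this section, as host-side triage checks an incident responder can run against a LANGID pulled from a host and against a directory listing. This is an added example, not Mandiant's code and not ROLLCOAST's own logic. It assumes the exclusion is an exact comparison against the full 16-bit LANGID (the table lists full identifiers, so a sublanguage variant of the same primary language would not be excluded under that assumption), and that the bracketed token in an encrypted file name is a hexadecimal string, as in the one sample recovered from VirusTotal. The file listing is constructed.

```python
# Added example: ROLLCOAST host-side triage helpers. Not Mandiant code.
# Assumptions (not stated in the write-up): the language check is an exact
# match on the full LANGID, and the bracketed token in encrypted file names
# is hexadecimal.

# Every LANGID in the write-up's Language Exclusions table. The table runs
# contiguously from 0x419 to 0x444 except that 0x43C does not appear.
ROLLCOAST_EXCLUDED_LANGIDS = frozenset(
    i for i in range(0x419, 0x445) if i != 0x43C
)

HEX_DIGITS = '0123456789abcdefABCDEF'


def decode_langid(langid):
    '''Split a Windows LANGID into (primary language, sublanguage).

    The primary language is the low 10 bits and the sublanguage the high
    6 bits, so 0x419 is primary 0x19 with sublanguage 1.
    '''
    return langid & 0x3FF, (langid >> 10) & 0x3F


def rollcoast_would_exit(langid):
    '''True if a system reporting this LANGID is in the exclusion table.'''
    return langid in ROLLCOAST_EXCLUDED_LANGIDS


def same_primary_but_not_excluded(langid):
    '''Edge case of an exact-match check: a LANGID whose primary language
    matches an excluded entry but whose sublanguage differs is not in the
    table, so under the exact-match assumption encryption would proceed.'''
    primary, _ = decode_langid(langid)
    excluded_primaries = {decode_langid(x)[0] for x in ROLLCOAST_EXCLUDED_LANGIDS}
    return primary in excluded_primaries and not rollcoast_would_exit(langid)


def parse_encrypted_name(name):
    '''Parse name.ext.[HEXTOKEN].appended_ext, as in the recovered sample
    covid results from .pdf.[6EEC0F355072].54bb47h, into a dict with
    original, token and ext, or return None if the name does not fit.
    Only the markers .[ and ]. are used, so the original name may itself
    contain dots and spaces.'''
    head, sep, appended = name.rpartition('].')
    if not sep or not appended or not appended.isalnum():
        return None
    original, sep, token = head.rpartition('.[')
    if not sep or not original or not token:
        return None
    if not all(c in HEX_DIGITS for c in token):
        return None
    return {'original': original, 'token': token.upper(), 'ext': appended}


def triage_listing(names, appended_ext='54bb47h'):
    '''Pick the encrypted files out of a directory listing. The appended
    extension defaults to the Sabbath-era value from the sample; pass
    another value when hunting an earlier brand of the same program.'''
    hits = []
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed is not None and parsed['ext'].lower() == appended_ext.lower():
            hits.append(parsed)
    return hits


# Constructed listing: the first entry is the write-up's recovered sample,
# the other three are made up for the example.
SAMPLE_LISTING = [
    'covid results from .pdf.[6EEC0F355072].54bb47h',
    'Q3 budget.xlsx.[6EEC0F355072].54bb47h',
    'readme.txt',
    'backup.[notes].zip',
]

if __name__ == '__main__':
    for lid in (0x419, 0x409, 0x819):
        print(hex(lid), decode_langid(lid), rollcoast_would_exit(lid))
    for hit in triage_listing(SAMPLE_LISTING):
        print(hit)
```

The token is normalised to upper case so that files from one intrusion group together regardless of how the listing was captured; in the constructed listing both encrypted files share 6EEC0F355072, which is the behaviour a responder would expect if the token identifies a victim or a run, though the write-up does not say what it encodes.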
Many other ransomware families have similar language checks to avoid encrypting systems in Russia and other\r\nCommonwealth of Independent States member countries, presumably to avoid attracting the attention of law enforcement in\r\ncountries where the ransomware operator and affiliates are more likely to reside.\r\nLanguage Exclusions\r\nROLLCOAST will exit if the system language matches one of the following:\r\nLanguage ID Description\r\n0x419 Russian (Russia)\r\n0x41A Croatian (Croatia)\r\n0x41B Slovak (Slovakia)\r\n0x41C Albanian (Albania)\r\n0x41D Swedish (Sweden)\r\n0x41E Thai (Thailand)\r\n0x41F Turkish (Turkey)\r\n0x420 Urdu (Islamic Republic of Pakistan)\r\n0x421 Indonesian (Indonesia)\r\n0x422 Ukrainian (Ukraine)\r\n0x423 Belarusian (Belarus)\r\n0x424 Slovenian (Slovenia)\r\n0x425 Estonian (Estonia)\r\n0x426 Latvian (Latvia)\r\n0x427 Lithuanian (Lithuania)\r\n0x428 Tajik (Cyrillic, Tajikistan)\r\n0x429 Persian (Iran)\r\n0x42A Vietnamese (Vietnam)\r\n0x42B Armenian (Armenia)\r\n0x42C Azerbaijani (Latin, Azerbaijan)\r\n0x42D Basque (Basque)\r\n0x42E Upper Sorbian (Germany)\r\n0x42F Macedonian (Former Yugoslav Republic of Macedonia)\r\n0x430 Southern Sotho (South Africa)\r\n0x431 Tsonga (South Africa)\r\n0x432 Setswana (South Africa)\r\n0x433 Venda (South Africa)\r\n0x434 isiXhosa (South Africa)\r\n0x435 isiZulu (South Africa)\r\n0x436 Afrikaans (South Africa)\r\n0x437 Georgian (Georgia)\r\n0x438 Faroese (Faroe Islands)\r\n0x439 Hindi (India)\r\n0x43A Maltese (Malta)\r\n0x43B Sami, Northern (Norway)\r\n0x43D Yiddish (World)\r\n0x43E Malay (Malaysia)\r\n0x43F Kazakh (Kazakhstan)\r\n0x440 Kyrgyz (Kyrgyzstan)\r\n0x441 Kiswahili (Kenya)\r\n0x442 Turkmen (Turkmenistan)\r\n0x443 Uzbek (Latin, Uzbekistan)\r\n0x444 Tatar (Russia)\r\nSimilarities to Tycoon\r\nMandiant compared elements of ROLLCOAST to elements of Tycoon ransomware and found some similarities:\r\nBoth 
ransomware families encrypt files using AES in GCM mode\r\nOverlap between the ignored directories, files, and extensions, including the ignored extension “.lolz”.\r\nThis suggests the developers modelled ROLLCOAST on, or copied elements from, Tycoon ransomware. ROLLCOAST and\r\nTYCOON differ in their overall implementations: TYCOON is a Java-based ransomware whereas ROLLCOAST is not. In\r\naddition, there is functionality in the publicly reported TYCOON that ROLLCOAST does not appear to have (shell\r\ncommands, backup tampering, firewall tampering, wmic).\r\nROLLCOAST Strings\r\nFOUND DEVICE:\r\nStart encryption of %s\r\n[-] Failed to init dir traverse for: %s\r\nFinished encryption of %s\r\nWork out other countries. Don't be fool!\r\nHello from test.dll. Parameter is '%s'\r\nHello from test.dll. There is no parameter\r\nMicrosoft Primitive Provider\r\n[-] AES FAILED 1: STATUS_NOT_FOUND\r\n[-] AES FAILED 1: STATUS_INVALID_PARAMETER\r\n[-] AES FAILED 1: STATUS_NO_MEMORY\r\n[-] AES FAILED 1: UNDEFINED\r\nChainingModeGCM\r\nROLLCOAST Encrypted File Naming Convention\r\nFiles are encrypted and renamed to this format: .[].\r\nExample encrypted file recovered from VirusTotal:\r\ncovid results from .pdf.[6EEC0F355072].54bb47h\r\nConclusion\r\nAlthough UNC2190 is a lesser known and potentially smaller ransomware affiliate group, its smaller size and repeated\r\nrebranding have allowed it to avoid much public scrutiny. In Mandiant’s 2021 Trends and 2022 Predictions report,\r\nransomware data theft operations affecting healthcare are noted as having increased from January 2020 to June 2021, despite\r\nsome groups claiming they would avoid targeting hospitals. 
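The Malleable profile elements and infrastructure traits listed under 'Hunting for UNC2190 BEACON Samples' above, turned into scored detection logic and run over constructed proxy and TLS log records. This is an added example, not Mandiant's code. The record layout, the weights and the alert threshold are assumptions made for the example; the kitten.gif URI, the image_url value, the user agent and the certificate common name are the ones quoted in the write-up, and every other record is made up.

```python
# Added example: hunt for the UNC2190 BEACON profile traits in proxy and
# TLS logs. Not Mandiant code. Record layout, weights and threshold are
# assumptions; the indicator values are the ones quoted in the write-up.
from urllib.parse import urlsplit, parse_qs

PROFILE_UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36')
IMAGE_HOST_SUFFIX = 'userapi.com'        # VK image hosts such as sun9-23.userapi.com
SELF_SIGNED_CN = 'Microsoft IT TLS CA 5'

# Weights: the URI and the self-signed certificate are distinctive, the
# image_url parameter less so, and the user agent is a stock Chrome 80
# string that many benign clients also sent, so on its own it never alerts.
W_KITTEN_GIF, W_IMAGE_URL, W_USER_AGENT, W_CERT = 3, 2, 1, 3
ALERT_THRESHOLD = 3


def score_http(event):
    '''Score one proxy record (dict with src, method, url, ua, body).'''
    score, reasons = 0, []
    if urlsplit(event['url']).path.endswith('/kitten.gif'):
        score += W_KITTEN_GIF
        reasons.append('URI ends with /kitten.gif')
    if event['method'] == 'POST':
        for value in parse_qs(event.get('body', '')).get('image_url', []):
            host = urlsplit(value).hostname or ''
            if host == IMAGE_HOST_SUFFIX or host.endswith('.' + IMAGE_HOST_SUFFIX):
                score += W_IMAGE_URL
                reasons.append('POST image_url points at ' + host)
    if event.get('ua') == PROFILE_UA:
        score += W_USER_AGENT
        reasons.append('user agent matches the profile (weak alone)')
    return score, reasons


def score_tls(record):
    '''Score one TLS record (dict with dst, subject_cn, issuer_cn). The
    trait is a self-signed certificate carrying that CN, so subject and
    issuer must both match; a chained certificate with the same name is
    deliberately not flagged here.'''
    if record['subject_cn'] == SELF_SIGNED_CN and record['issuer_cn'] == SELF_SIGNED_CN:
        return W_CERT, ['self-signed certificate with CN ' + SELF_SIGNED_CN]
    return 0, []


def hunt(http_events, tls_records, threshold=ALERT_THRESHOLD):
    '''Return (source, score, reasons) for every record at or above threshold.'''
    alerts = []
    for ev in http_events:
        score, reasons = score_http(ev)
        if score >= threshold:
            alerts.append((ev['src'], score, reasons))
    for rec in tls_records:
        score, reasons = score_tls(rec)
        if score >= threshold:
            alerts.append((rec['dst'], score, reasons))
    return alerts


# Indicator values from the write-up (hxxps rewritten to https).
KITTEN_URL = ('https://markettc.biz/gifs/ZsoCzxU-X-5D3ZhV2zzKgc8SHhygCYmWpBRCS_mRV_SZxyWaaSPw7FFtcZ66twQ_uTDp5Edls'
              'mRa6K8GPtMVBnKOHhM6EgcnE4znZPiyXskZJXmHLSYAnkpLwhOrxyCoRkFthelDg'
              'VnuW7k3UVzDjEz3W4xuxSKBq2DuseaG-F0dob1M/kitten.gif')
VK_IMAGE = 'https%3A%2F%2Fsun9-23.userapi.com%2FG4JvdZDEfLdIPlNN1-JkMGQ2unf2KEIV54Om5g%2FabJ70jGHfVk.jpg'

# Constructed records: the first two carry the quoted indicators (the POST
# path is made up), the rest are benign fillers.
HTTP_EVENTS = [
    {'src': '10.0.0.5', 'method': 'GET', 'url': KITTEN_URL, 'ua': PROFILE_UA, 'body': ''},
    {'src': '10.0.0.5', 'method': 'POST', 'url': 'https://markettc.biz/submit.php',
     'ua': PROFILE_UA, 'body': 'image_url=' + VK_IMAGE},
    {'src': '10.0.0.7', 'method': 'GET', 'url': 'https://example.com/', 'ua': PROFILE_UA, 'body': ''},
    {'src': '10.0.0.9', 'method': 'GET', 'url': 'https://example.org/cat.gif', 'ua': 'curl/7.68.0', 'body': ''},
]
TLS_RECORDS = [
    {'dst': '203.0.113.10:443', 'subject_cn': SELF_SIGNED_CN, 'issuer_cn': SELF_SIGNED_CN},
    {'dst': '203.0.113.11:443', 'subject_cn': SELF_SIGNED_CN, 'issuer_cn': 'Example Root CA'},
]

if __name__ == '__main__':
    for src, score, reasons in hunt(HTTP_EVENTS, TLS_RECORDS):
        print(src, score, '; '.join(reasons))
```

Because the write-up notes that the actual server addresses were masked behind a cloud service, the checks key on what the operator controls in the Malleable profile (the URI tail, the POST parameter, the certificate name) rather than on destination IPs; the user agent only adds weight to another match.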
UNC2190 has continued to operate over the past year while\r\nmaking only minor changes to their strategies and tooling, including the introduction of a commercial packer and the\r\nrebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and\r\nlucrative incidents even when leveraged by lesser-known groups.\r\nAcknowledgements\r\nWith thanks to Joshua Shilko for analytical contributions; Barry Vengerik, Tufail Ahmed, Isif Ibrahima, Andrew Thompson,\r\nJake Nicastro, Nick Richard, and Moritz Raabe for technical review; and all the Mandiant Researchers, Consultants,\r\nAdvanced Practices External Collectors, and FLARE REs for support, research, and assistance in creating the content of this\r\npost.\r\nMITRE ATT\u0026CK\r\nMandiant has observed UNC2190 use the following techniques:\r\nATT\u0026CK Tactic Category Techniques\r\nDiscovery\r\nT1016: System Network Configuration Discovery\r\nT1057: Process Discovery\r\nT1083: File and Directory Discovery\r\nT1518: Software Discovery\r\nImpact\r\nT1486: Data Encrypted for Impact\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1027.002: Software Packing\r\nT1055: Process Injection\r\nT1497: Virtualization/Sandbox Evasion\r\nT1497.001: System Checks\r\nT1564.003: Hidden Window\r\nPersistence\r\nT1136: Create Account\r\nCommand and Control\r\nT1071.001: Web Protocols\r\nT1573.002: Asymmetric Cryptography\r\nResource Development\r\nT1587.003: Digital Certificates\r\nT1608.003: Install Digital Certificate\r\nExecution\r\nT1059.001: PowerShell\r\nYara Signatures\r\nNote: FE_Hunting rules are designed to broadly capture suspicious files and are not designed to detect a particular\r\nmalware or threat.\r\nrule 
FE_Hunting_THEMIDA_strings_FEBeta\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-10-26\"\r\n date_modified = \"2021-10-26\"\r\n md5 = \"7669f00b467e2990be182584b341c0e8\"\r\n rev = 2\r\n sid = 415583\r\n strings:\r\n $themida = \".themida\" nocase\r\n condition:\r\n uint16(0) == 0x5A4D and filesize \u003c 20MB and (@themida[1] \u003c 1024)\r\n}\r\nrule FE_Ransomware_Win64_ROLLCOAST_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2020-07-15\"\r\n date_modified = \"2020-07-15\"\r\n md5 = \"45882426ecddb032981fd6c299b3cc47\"\r\n rev = 2\r\n strings:\r\n $sb1 = { 48 8D [5] 48 8D ?? 24 ?? E8 [4-32] B? 30 00 00 00 [8-64] 25 FF F9 FF FF 0F BA E8 0B }\r\n $sb2 = { FF D? 85 C0 0F 84 [4] 48 8D [2-16] 83 E8 06 0F 84 [4] 83 E8 08 0F 84 [4] 83 E8 0F }\r\n $sb3 = { 41 B8 C5 02 00 00 0F 10 00 0F 10 48 10 0F 11 02 0F 10 40 20 0F 11 4A 10 0F 10 48 30 0F 11 42 20 0F 10 40\r\n $sb4 = { FF 15 [4] 05 E7 FB FF FF 83 F8 2B }\r\n $ss1 = \"\\x00Program Files\\\\\" wide\r\n $ss2 = \"\\x00Program Files (x86)\\\\\" wide\r\n $ss3 = \"\\x00.[\\x00\"\r\n $ss4 = \"\\x00].\\x00\"\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all o\r\n}\r\nIndicators\r\nMALWARE FAMILY Indicator\r\nBEACON aequuira1aedeezais5i.probes.space\r\nBEACON jeithe7eijeefohch3qu.probes.site\r\nBEACON datatransferdc.com\r\nBEACON farhadl.com\r\nBEACON markettc.biz\r\nBEACON probes.space\r\nBEACON tinysidney.com\r\nBEACON helpgoldr.com\r\nBEACON frankir.com\r\nBEACON greentuks.com\r\nBEACON 45.79.55.129:443\r\nBEACON 45.146.166.24:443\r\nBEACON 45.147.230.221:2002\r\nBEACON aimee0febai5phoht2ti.probes.website\r\nBEACON cofeeloveers.com\r\nBEACON doratir.com\r\nBEACON gordonzon.com\r\nBEACON probes.site\r\nBEACON probes.website\r\nBEACON 45.79.55.129:80\r\nBEACON 45.141.84.182:443\r\nBEACON 
45.147.230.137:3001\r\nBEACON PE Compile time 1622138290 (2021/05/27 17:58:10)\r\nMALWARE FAMILY MD5 SHA1 SHA256\r\nBEACON ef3363dfe2515b826584ab53c4bb7812 3357fd8d5a253b7d84101e902480bf2dd2f7773c da92878c314307a5e5c9df687ec19a40\r\nBEACON f1b2f83aa08b8f6f01cac6bf686786d2 366390c3cd829d1172f02e564d35cfb2c667e9fc 0fb410b9a4d32a473b2ee28d4dc5e19a\r\nBEACON 6bd1a3849bb9d5f9ac5b4f4049081334 a0928456f12e909ec03eadce449bc80f120bfbf8 298662f3fed24d757634a022c16f4124\r\nBEACON e94089ff2e0b93ce38076cca370cf8cc dc3c26f305648a12484c17d6166397a002a93707 afd61168c1fae6841faa3860dca0e5839\r\nBEACON ac76d6c5c223688edf2d53745036d594 5972b873977912adf06203b61685f32a6ccb9eee a053408747e9b32721d25c00351c4ce9\r\nBEACON 64da229042dffddf5bb30a4a1d8b1f1e 3dc46fa5ebc87e8adcb6eaa0b407574506c957bb b2ffd7d83e004308a97355a18529fe35\r\nBEACON 1789f6177300d503289c482910f223d9 5c3f297bab8a5e93aac91a9df920c54bee2c836d e302a958856208adeab4ab3cd6d2991e\r\nBEACON dbfa3eb08d858d5bbb0cc72f497192b0 182e9d1026c63503aadb78bbc3788b7ba2cdb69a 8ddb23c90cb4133b4624127a1db7533\r\nBEACON 79c6c4329a36df20a6abf67b01352b20 fc7b3d8beab604cf47203f4f9a2aa8594bd54fb7 1bbb11e526141af7bafb5d4db3671b1a\r\nBEACON 6ae156c0a1900b6ff2c903a950d50dce 7b178842e1b53f163f869d9da3da32032fe29abb 1cd586852d2c06b0f7209c7a4da8f3d0\r\nBEACON b0333d840e136326a2bd612fcf73fff0 8467b4f784156f2e508a3fed0ef0b6ddcf330c0d 79b47780382f54ca039ad248d8241e42\r\nBEACON 7669f00b467e2990be182584b341c0e8 2eaa91f38461d708ee6e94ec2f738f3cdfb229b7 f4ac75a045acee2cadbe9fa0e02bfd4ab\r\nBEACON 60aec56cb2262ae46fc39c45fc814711 bb22515f2e8e4d5660dc8565869d966502a0123e 3edb237aeee6efad6f21f0f2c2037ec0f9\r\nBEACON f7e7201325892dcc287c60a0748edb16 35f02a778ea7504331ddd025f0d927e0773ffd31 a4891cc85802833d9a89e2522a42a7e3\r\nBEACON c4a369880e3e5c3dc42ebf8cdacc9d6c 037889e6d714c7ff6341bdb8a8bebbddc21fc36e 756ed760cbf4b35054c78a75009f748f\r\nBEACON 
98f2b23eb265d73a05b2cce17d53eba4 41cc9afc79aaee60f6436192c6582907e41d89f7 87cdcbc55aed4267f47a913b17f4bc69\r\nBEACON 38667bc3ad2dcef35a5f343a5073e3f2 22cf10ec5047a86a49c1819c4943290321a29918 a8741f6f400c7fedfbdc7a298ab4a636b\r\nBEACON aa2a14e1819f4b1cc685801e07186b0d 101930bbec76ee4a147117cdfcb56aa2208a579d 5a6b7569c2b8e91f5bd8a67322af384c\r\nBEACON 61bbe1c1b2aa40c0d8aa7e00c2c4f7b6 6eff4b7b5ccf92eb0f134591237fe1db7c71826a f883f7d7c068b6f1eb62804591d748c2\r\nROLLCOAST ransom note (July 2020) 0b6757090d9ebc8d497e71b177acf256 25b175a71906e354a24003803574c4420f02a82f e25f2284fc6e80011587bf95829d8ff30\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/"
	],
	"report_names": [
		"sabbath-ransomware-affiliate"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441481,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/140582da8fa2fe6fc3cb8bafe8a1b1923db3f191.pdf",
		"text": "https://archive.orkl.eu/140582da8fa2fe6fc3cb8bafe8a1b1923db3f191.txt",
		"img": "https://archive.orkl.eu/140582da8fa2fe6fc3cb8bafe8a1b1923db3f191.jpg"
	}
}