{
	"id": "7729c39f-37a5-42d9-ab44-369595e62769",
	"created_at": "2026-04-06T00:08:23.842932Z",
	"updated_at": "2026-04-10T03:21:06.021677Z",
	"deleted_at": null,
	"sha1_hash": "166974fe1d9843556b4ce2efffe5cda365f8602f",
	"title": "Hakbit Ransomware Campaign Against Germany, Austria, Switzerland | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1456405,
	"plain_text": "Hakbit Ransomware Campaign Against Germany, Austria,\r\nSwitzerland | Proofpoint US\r\nBy June 22, 2020 Sherrod DeGrippo and the Proofpoint Threat Research Team\r\nPublished: 2020-06-22 · Archived: 2026-04-05 22:34:47 UTC\r\nProofpoint researchers have been tracking a low-volume, email-based ransomware campaign targeting\r\norganizations in Austria, Switzerland, and Germany. The campaign leverages Hakbit, a variant of Thanos\r\nransomware as a service (RaaS). The attack employs malicious Microsoft Excel attachments delivered from a free\r\nemail provider (GMX) that primarily serves a European client base. The attachments contain false billing and tax\r\nrepayment subjects to entice users to enable macros that execute GuLoader, which downloads the ransomware to\r\nencrypt files and lock the system.\r\nTo help ensure success because Microsoft Office VBA macros do not execute on mobile devices, these emails\r\ndirect recipients to open attachments on their computer and not their mobile device.\r\nUsers targeted were employed in mid-level positions across the pharmaceutical, legal, financial, business service,\r\nretail, and healthcare sector. The largest volume of messages we observed were sent to the information technology,\r\nmanufacturing, insurance, and technology verticals. Proofpoint researchers have observed that the majority of\r\nroles targeted in the Hakbit campaigns are customer-facing with individuals’ business contact information\r\nrevealed publicly on company websites, and/or advertisements. 
These roles include attorneys, client advisors,\r\ndirectors, insurance advisors, managing directors, and project managers.\r\nBelow is an example of the lure. Many messages arrived with subject lines such as “Fwd: Steuerrückzahlung”\r\n(Translated: Tax Repayment) and “Ihre Rechnung” (Translated: Your Bill).\r\nhttps://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland\r\nPage 1 of 5\n\nFigure 1 Hakbit Lure Email Message in German\r\nThis lure is in German and abuses the logo and branding of 1\u00261, a German telecommunications company.\r\nAccording to Google Translate, the body of the message states:\r\nToday you will receive your invoice dated 12.05.2020. You will find it in the attachment to this e-mail\r\nas an Excel file. We will debit the amount of EUR 480.19 from your account on May 17th, 2020.\r\nPlease note that due to technical reasons the Excel document is not displayed correctly on mobile\r\ndevices. We ask you to download the invoice on your computer and open it.\r\nBest regards,\r\nThe message contains a Microsoft Excel attachment named 379710.xlsm which leverages malicious macros.\r\nBecause the macros and malware won’t work on a mobile device, the message instructs the recipient to use a\r\ncomputer to read the attachment. Once opened, the spreadsheet directs the recipient in German and English to\r\nenable macros as shown in Figure 2.\r\nFigure 2 Microsoft Excel Attachment with Enable Macros Message\r\nOnce macros are enabled in the spreadsheet, it downloads and executes GuLoader, a relatively new downloader\r\nwritten in VB 6.0 that we wrote about in March 2020. 
When GuLoader runs, it downloads and executes Hakbit, a\r\nransomware that encrypts files using AES-256 encryption.\r\nBelow is the image that appears when Hakbit executes (Figure 3) and the ransom note in both English and\r\nGerman (Figure 4).\r\nFigure 3 Hakbit Ransom Screen\r\nFigure 4 Hakbit Ransom Note\r\nThe note demands a payment of 250 Euros in bitcoin to unlock the encrypted files and provides instructions on\r\nhow to pay the ransom. As of June 16, 2020, our researchers have found no transactions showing payment of the\r\nransom to the bitcoin wallet in the examples here.\r\nConclusion\r\nProofpoint researchers have observed consistent low-volume and often boutique ransomware campaigns since\r\nJanuary 2020. Proofpoint researchers recently identified a shift in the threat landscape with a large-scale Avaddon\r\nransomware campaign consistent with recent open source vendor reporting. Hakbit exemplifies a people-centric\r\nransomware campaign tailored to a specific audience, role, organization, and in the user’s native language.\r\nIndicators of Compromise (IOCs)\r\nHakbit SHA256 34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland"
	],
	"report_names": [
		"hakbit-ransomware-campaign-against-germany-austria-switzerland"
	],
	"threat_actors": [],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/166974fe1d9843556b4ce2efffe5cda365f8602f.pdf",
		"text": "https://archive.orkl.eu/166974fe1d9843556b4ce2efffe5cda365f8602f.txt",
		"img": "https://archive.orkl.eu/166974fe1d9843556b4ce2efffe5cda365f8602f.jpg"
	}
}