{
	"id": "44086bfa-92d4-4272-86de-8e37e87b6992",
	"created_at": "2026-04-06T00:10:50.9165Z",
	"updated_at": "2026-04-10T13:12:35.95866Z",
	"deleted_at": null,
	"sha1_hash": "2307d65f674a8481340e4927d7739957b044d710",
	"title": "FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1454577,
	"plain_text": "FARGO Ransomware (Mallox) Being Distributed to Unsecured\r\nMS-SQL Servers - ASEC\r\nBy ATCP\r\nPublished: 2022-09-18 · Archived: 2026-04-05 14:18:14 UTC\r\nThe ASEC analysis team continuously monitors malware distributed to unsecured MS-SQL servers. The team has recently discovered FARGO ransomware being distributed to unsecured MS-SQL servers. Along with GlobeImposter, FARGO is one of the most prominent ransomware families targeting unsecured MS-SQL servers. It was previously known as Mallox because it used the .mallox file extension.\r\n– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers\r\n– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2)\r\n– [ASEC Blog] Coin Miner Being Distributed to Unsecured MS-SQL Servers\r\n– [ASEC Blog] AsyncRAT Malware Being Distributed to Unsecured MS-SQL Servers\r\nhttps://asec.ahnlab.com/en/39152/\r\nPage 1 of 5\n\nAs shown in the process tree in Figure 1, the file downloaded by the MS-SQL process via cmd.exe and powershell.exe is a .NET executable (see Figure 2) that downloads and loads additional malware from a particular address. The loaded malware generates a BAT file in the %temp% directory and executes it; the BAT file terminates certain processes and services.\r\nThe ransomware begins its execution by injecting itself into AppLaunch.exe, a legitimate Windows program. It attempts to delete a registry key at a certain path (see Figure 5), executes a command that disables recovery, and terminates certain processes (see Figure 6). As the figures show, the terminated processes are SQL programs.\r\nWhen the ransomware encrypts files, files with the extensions listed in Table 1 are excluded from infection. Notably, it does not infect files with extensions associated with GlobeImposter, and the exclusion list includes not only its own extensions .FARGO, .FARGO2 and .FARGO3 but also .FARGO4, which is presumed to be a future version of the ransomware.\r\nFigure 7 shows a screen capture of the ransom note together with an infected file in the top right of the same screen. As shown in the figure, the encrypted file is renamed to OriginalFileName.FileExtension.Fargo3 and the ransom note is created with the filename ‘RECOVERY FILES.txt’.\r\nTypical attacks targeting database servers (MS-SQL, MySQL) include brute-force and dictionary attacks against systems where account credentials are poorly managed, as well as exploitation of vulnerabilities on systems that have not been patched.\r\nAdministrators of MS-SQL servers should use passwords that are difficult to guess and change them periodically to protect the database server from brute-force and dictionary attacks, and should apply the latest patches to prevent vulnerability exploitation.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:\r\n[File Detection]\r\n– Ransomware/Win.Ransom.C5153317 (2022.06.02.01)\r\n– Dropper/Win.DotNet.C5237010 (2022.09.14.03)\r\n– Downloader/Win.Agent.R519342 (2022.09.15.03)\r\n– Trojan/BAT.Disabler (2022.09.16.00)\r\n[Behavior Detection]\r\n– Malware/MDP.Download.M1197\r\nMD5\r\n41bcad545aaf08d4617c7241fe36267c\r\n4d54af1bbf7357964db5d5be67523a7c\r\nb4fde4fb829dd69940a0368f44fca285\r\nc54daefe372efa4ee4b205502141d360\r\nURL\r\nhttp[:]//49[.]235[.]255[.]219[:]8080/Pruloh_Matsifkq[.]png\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/39152/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/39152/"
	],
	"report_names": [
		"39152"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2307d65f674a8481340e4927d7739957b044d710.pdf",
		"text": "https://archive.orkl.eu/2307d65f674a8481340e4927d7739957b044d710.txt",
		"img": "https://archive.orkl.eu/2307d65f674a8481340e4927d7739957b044d710.jpg"
	}
}