{
	"id": "9e4ad9b2-9603-4564-9635-bd720a301dbb",
	"created_at": "2026-04-06T00:16:51.763004Z",
	"updated_at": "2026-04-10T03:24:29.988917Z",
	"deleted_at": null,
	"sha1_hash": "2374f3aa039fb8b4767b6388845f7649e570dc41",
	"title": "Embargo ransomware: Rock’n’Rust",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 584289,
	"plain_text": "Embargo ransomware: Rock’n’Rust\r\nBy Jan Holman and Tomáš Zvara\r\nArchived: 2026-04-05 15:26:21 UTC\r\nESET researchers have discovered new Rust-based tooling leading to the deployment of Embargo ransomware.\r\nEmbargo is a relatively new player in the ransomware scene, first observed by ESET in June 2024. The new\r\ntoolkit consists of a loader and an EDR killer, named MDeployer and MS4Killer respectively by ESET.\r\nMS4Killer is particularly noteworthy as it is custom compiled for each victim’s environment, targeting only\r\nselected security solutions. Both tools are written in Rust, the Embargo group’s language of choice for developing\r\nits ransomware.\r\nKey points of this blogpost:\r\nEmbargo is developing and testing new Rust-based tooling.\r\nDifferences in deployed versions, bugs, and leftover artifacts suggest that these tools are under\r\nactive development.\r\nThe threat actor abuses Safe Mode to disable security solutions.\r\nEmbargo tailors its tools to each victim.\r\nOverview\r\nIn July 2024, we observed ransomware incidents targeting US companies, where the threat actor utilized its new\r\ntooling. The versions of MDeployer and MS4Killer observed in each intrusion differ slightly, suggesting that the\r\ntools are actively developed. Interestingly, we spotted two different versions of MDeployer in a single intrusion,\r\nprobably tweaked after a first, failed attempt.\r\nThis blogpost focuses on the analysis of MDeployer and MS4Killer and activity preceding the execution of the\r\nEmbargo ransomware. MDeployer is a malicious loader used for deployment of MS4Killer and Embargo\r\nransomware. 
MS4Killer is an EDR killer that abuses a vulnerable driver to disable the security products running\r\non the victim’s machine.\r\nEmbargo\r\nEmbargo, observed for the first time in ESET telemetry in June 2024, made its public appearance in May 2024.\r\nApart from successfully breaching high-profile targets, the group attracted attention because of its choice of\r\nprogramming language for ransomware payload. Embargo chose Rust, a cross-platform programming language,\r\nallowing development of more versatile ransomware targeting both Windows and Linux. Coming after BlackCat\r\nand Hive, Embargo is yet another group developing ransomware payloads in Rust.\r\nBased on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to\r\ncommunicate with victims (Figure 1), but also allows for communication via Tox. The group pressures victims\r\nhttps://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/\r\nPage 1 of 17\n\ninto paying by using double extortion and publishes the stolen data on its leak site. In an interview with an alleged\r\ngroup member, the group representative mentions a basic payout scheme for affiliates, suggesting that the group is\r\nproviding RaaS (ransomware as a service). Recent law enforcement disruptions, affecting notorious groups like\r\nBlackCat and LockBit, triggered some reorganization in the RaaS space. These changes in global RaaS\r\nenvironment support the emergence of a sophisticated new actor. Given the group’s sophistication, the existence\r\nof a typical leak site, and the group’s claims, we assume that Embargo indeed operates as RaaS provider.\r\nFigure 1. 
Embargo About page on leak site\r\nEmbargo ransomware payloads that we observed during the July 2024 incidents share these attributes:\r\nEmbargo ransomware drops its ransom note (Figure 2) named HOW_TO_RECOVER_FILES.txt in each\r\nencrypted directory.\r\nEncrypted files obtain a random six-character extension consisting of hexadecimal characters, e.g., .b58eeb or\r\n.3d828a.\r\nPayloads create the mutex IntoTheFloodAgainSameOldTrip.\r\nIn a previous analysis from Cyble researchers, payloads created the mutex LoadUpOnGunsBringYourFriends.\r\nNoticeably, both mutex names are based on the lyrics of popular rock songs. Our analysis is consistent with that\r\nfound in the Cyble article.\r\nFigure 2. Embargo ransom note\r\nMDeployer\r\nMDeployer is the main malicious loader Embargo tries to deploy onto machines in the compromised network – it\r\nfacilitates the rest of the attack, resulting in ransomware execution and file encryption.\r\nBased on the name field in the IMAGE_EXPORT_DIRECTORY section of its PE header, we can tell that\r\nEmbargo calls this tool Deployer. 
Thus, we decided to refer to it as MDeployer – EMbargo Deployer.\r\nIts main purpose is to decrypt two encrypted files a.cache and b.cache (dropped by an unknown previous stage)\r\nand execute two payloads: MS4Killer and Embargo ransomware.\r\nIt first attempts to decrypt the MS4Killer payload from the file b.cache, drops the decrypted file into\r\npraxisbackup.exe, and executes it.\r\nNext, it does the same for the ransomware payload, which is decrypted from a.cache, saved as pay.exe, and\r\nexecuted.\r\nWhen the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process,\r\ndeletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system.\r\nMS4Killer is expected to run indefinitely, and MDeployer verifies this by calling the API function\r\nWaitForSingleObject, expecting the return value WAIT_TIMEOUT. If it is not running as it should be,\r\nMDeployer logs the message sysmon exited early and exits without executing the second payload. We discuss\r\nlogging later in this blogpost.\r\nIn all MDeployer versions we’ve seen, both payloads were decrypted using the same hardcoded RC4 key –\r\nwlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB.\r\nDuring its execution, MDeployer interacts with multiple files. To ease understanding, Figure 3 demonstrates the\r\nrelationship between the files.\r\nFigure 3. MDeployer execution diagram\r\nTable 1 lists their purposes.\r\nTable 1. 
Files manipulated by MDeployer\r\nPath Description\r\nC:\\Windows\\Debug\\b.cache RC4-encrypted MS4Killer.\r\nC:\\Windows\\Debug\\a.cache RC4-encrypted Embargo ransomware.\r\nC:\\Windows\\praxisbackup.exe Decrypted MS4Killer.\r\nC:\\Windows\\Debug\\pay.exe Decrypted Embargo ransomware.\r\nC:\\Windows\\Debug\\fail.txt Log file.\r\nC:\\Windows\\Debug\\stop.exe Dummy file used for control flow.\r\nC:\\Windows\\Sysmon64.sys Legitimate vulnerable driver dropped by MS4Killer.\r\nSafe Mode abuse\r\nWith only one exception among the incidents we investigated, where we saw it deployed as a DLL, MDeployer\r\nwas compiled as an EXE file. The DLL variant contains the additional capability to disable security solutions.\r\nFor an overview of the DLL execution flow, refer to Figure 4.\r\nFigure 4. DLL MDeployer execution flow\r\nThe first difference happens right at the beginning of the DLL execution – this version actually checks whether the\r\nfile stop.exe exists. The existence of this file means that MDeployer was already executed in the past and either it\r\nsuccessfully deployed the ransomware payload or it exited with an error. So, if the file is found, the loader only\r\ndoes its cleanup routine and exits. Note that the EXE versions create the stop.exe file, but never check for its\r\nexistence.\r\nThe next thing the DLL version of MDeployer does is to check whether it was executed with admin privileges. If\r\nit wasn’t, it goes on exactly like the EXE version. 
In fact, the EXE versions were likely compiled using the source\r\ncode of this single execution branch.\r\nHowever, if it was executed with admin privileges, the loader attempts to reboot the victim’s system into Safe\r\nMode in order to disable selected security solutions.\r\nSafe Mode, a diagnostic mode of the Windows OS, runs the system with only minimal functionality. Because of\r\nthis, most cybersecurity measures and protections are not in effect in Safe Mode, which provides an opportunity\r\nfor threat actors to exploit it to avoid detection. This technique is known among mature ransomware groups and\r\nhas been abused in the past, as reported by Forbes in 2022.\r\nThe security-disabling functionality happens in two steps.\r\nStep 1\r\nThe purpose of the first step is to reboot the system into Safe Mode. The loader achieves this using a combination\r\nof Windows command line tools bcdedit, sc, and reg to:\r\nset Safe Mode as the default boot mode,\r\ndisable Windows Defender in Safe Mode,\r\ncreate a service, irnagentd, that executes the loader after the system is rebooted into Safe Mode, and\r\nrestart the system.\r\nRefer to the Commands used by MDeployer section for the full list of commands executed by the loader.\r\nStep 2\r\nOnce in Safe Mode, the loader disables selected security tools by renaming their installation directories, then\r\nexecutes the Embargo ransomware payload.\r\nAfter that, it does a “Safe Mode cleanup” – it deletes the decrypted ransomware file pay.exe, creates the control\r\nflow file stop.exe to prevent double encryption, deletes the persistence service irnagentd, and reboots the system\r\nback into normal mode.\r\nBAT disabler\r\nIn one of the incidents, we also saw the extra functionality of the DLL loader implemented as a BAT script. 
This\r\nscript targets a single security solution – a theme you will encounter again, later in this article. It used the same\r\ntechnique of rebooting into Safe Mode with the help of a persistence service, irnagentd, and then renaming the\r\ninstalled security software’s installation directory. It even used the same stop.exe file for control flow and logged\r\nerror messages into fail.exe (fail.txt in MDeployer).\r\nThis again shows that Embargo modifies its tools to suit each victim’s environment.\r\nLogging\r\nIn case MDeployer encounters any errors, it logs error messages into the file fail.txt and then creates the file\r\nstop.exe.\r\nThere are four stages that the attacker distinguishes in their log messages – they use a different prefix for logging\r\nerrors in each of them:\r\n[dec] – payload decryption,\r\n[exec] – ransomware execution,\r\n[execk] – MS4Killer execution, and\r\n[kler] – MS4Killer run (this prefix is used when MS4Killer exits unexpectedly).\r\nIn the DLL version there are additional log message prefixes compared to the EXE versions:\r\n[sc], [sc delete] – creating or deleting the service irnagentd,\r\n[reg], [reg-del] – modifying Windows registry, and\r\n[setsb] – using the bcdedit.exe command line tool to set Safe Mode on next restart.\r\nCleanup\r\nMDeployer has several variants of a cleanup routine launched at different occasions. 
This happens after the loader\r\nsuccessfully executes the ransomware payload, and also if any errors are encountered during loader execution.\r\nDuring cleanup, the loader terminates the MS4Killer process, deletes the decrypted payloads and the vulnerable\r\ndriver dropped by MS4Killer, and creates the flow control file stop.exe.\r\nIn case the cleanup routine was prompted by the existence of stop.exe, MDeployer also deletes its own PE file.\r\nFinally, it reboots the system by calling shutdown -r -f -t 00.\r\nExecution\r\nIn all of the observed cases, the persistence of the loader was achieved by a scheduled task, Perf_sys (Figure 5),\r\ncreated by an already elevated system user BITCH\\Administrator.\r\nFigure 5. Scheduled task Perf_sys by BITCH\\Administrator executing the loader\r\nIn one of the cases, we also collected a PowerShell script leading to the execution of MDeployer. The script was\r\nnotably similar to the one used by WinRM-fs, so we assume with medium confidence that Embargo used that or a\r\nsimilar tool to deliver the loader from an unprotected machine.\r\nActive development\r\nThere are several inconsistencies and examples of “messy control flow” in the loader samples we’ve seen so far\r\nthat suggest the group’s tools are still in active development and not “production ready”.\r\nThe fact that MDeployer deletes the vulnerable driver dropped by MS4Killer is particularly interesting because it\r\nshows that the two tools are being developed together. And yet there is a partial overlap in functionality – both\r\nMS4Killer and the DLL version of MDeployer attempt to disable security solutions.\r\nIt is not uncommon to see the loader delete the payload files only to attempt to execute one of them immediately\r\nafter. 
See Figure 6, where MDeployer calls the cleanup function, during which pay.exe is deleted, but then tries to\r\nexecute that very same file.\r\nFigure 6. MDeployer in IDA Pro – the highlighted section shows attempted execution after deletion\r\nIn fact, the DLL version of the loader we’ve seen contains several bugs that prevent it from working altogether.\r\nThis could explain why we’ve seen multiple versions of the loader being used in a single incident – the threat\r\nactor likely finds out about these problems as they go and then has to adapt on the fly.\r\nMS4Killer\r\nMS4Killer is a typical defense evasion tool that terminates security product processes using the technique known\r\nas Bring Your Own Vulnerable Driver (BYOVD). Like the loader, it is written in Rust. We believe that\r\nMS4Killer was heavily inspired by s4killer, a proof of concept (POC) published on GitHub, conveniently also\r\nwritten in Rust. Due to the resemblance with this existing POC, we refer to this tool as MS4Killer – short for\r\nEMbargo s4killer.\r\nExtending the functionality\r\ns4killer is designed to select a running process and terminate it from the kernel. It does so by installing and\r\nabusing a vulnerable driver that is stored in a global variable (.rdata section in the compiled code). The PID of the\r\nprocess to terminate is passed to s4killer as a program argument. 
The termination is performed via\r\nFilterConnectCommunicationPort and FilterSendMessage from the minifilter API.\r\nEmbargo extended the POC functionality with the following features:\r\nMS4Killer runs in an endless loop, constantly scanning for running processes.\r\nThe list of process names to kill is hardcoded in the binary.\r\nThe embedded driver blob is encrypted using RC4.\r\nBinary strings are encrypted using simple XOR, namely log messages, process names, and the RC4 key\r\nused for driver decryption.\r\nDuring the process termination phase, MS4Killer spawns itself as a child process, passing the PID of the\r\nprocess to kill as an argument.\r\nProcess scanning and process termination are split into multiple threads by utilizing Rayon, a data\r\nparallelism library for Rust.\r\nBYOVD\r\nBring your own vulnerable driver is a well-known technique where a threat actor abuses signed, vulnerable kernel\r\ndrivers to gain kernel-level code execution. Ransomware affiliates often incorporate BYOVD tooling in their\r\ncompromise chain to tamper with security solutions protecting the infrastructure being attacked. After disabling\r\nthe security tooling, affiliates can run the ransomware payload without worrying whether their payload gets\r\ndetected.\r\nIn this particular case, MS4Killer abuses an older, vulnerable minifilter driver: probmon.sys, version 3.0.0.4\r\n(Figure 7), signed by an already revoked certificate from ITM System Co.,LTD. The driver is embedded in the\r\nMS4Killer binary as an RC4-encrypted blob. We reported the in-the-wild (ITW) misuse of this driver to Microsoft.\r\nFigure 7. 
Attributes of the exploited driver probmon.sys\r\nString decryption\r\nMS4Killer uses encryption to hide embedded strings in the binary from plain sight: specifically, it XORs log\r\nmessage strings, the RC4 key used to decrypt the embedded driver, and the list of process names to terminate.\r\nFigure 8 shows an example of log message decryption, where the Windows OpenProcessToken API is called. If\r\nthe function fails, a user-defined function (renamed to xor_str in Figure 8) decrypts the XORed string and stores\r\nthe result, [-] OpenProcessToken, into its first argument passed by reference. The decrypted string, appended with\r\nerror information, is then written to standard out.\r\nFigure 8. Decryption of log message after OpenProcessToken API call\r\nLoading probmon.sys\r\nAs mentioned previously, the legitimate vulnerable driver is embedded in the MS4Killer binary as an RC4-encrypted blob, using the key\r\nFGFOUDa87c21Vg+cxrr71boU6EG+QC1mwViTciNaTUBuW4gQbcKboN9THK4K35sL (the key itself is stored\r\nXOR-encrypted in the binary). We have observed two different file paths where MS4Killer drops the\r\nvulnerable driver:\r\nC:\\Windows\\System32\\drivers\\Sysprox.sys (Figure 9)\r\nC:\\Windows\\Sysmon64.sys\r\nFigure 9. Decryption and dropping of vulnerable driver probmon.sys\r\nDriver loading is consistent with s4killer:\r\n1. enabling the SeLoadDriverPrivilege necessary for loading and unloading device drivers,\r\n2. creating a service via CreateServiceW,\r\n3. creating additional registry keys, required for filter loading, in HKLM\\SYSTEM\\ControlSet001\\services\\\r\n\u003cservice_name\u003e, and\r\n4. 
loading a minifilter driver into the system via FilterLoad.\r\nWe have observed MS4Killer use three different service names so far: Sysprox, Proxmon, and Sysmon64.\r\nHidden process list\r\nMS4Killer constantly compares running processes against an embedded list of security software process names,\r\nwhich are also XOR-encrypted. Right after the driver loads, MS4Killer decrypts the list of process names (Figure\r\n10).\r\nFigure 10. Example of the encrypted, embedded security software process names from one\r\nMS4Killer sample\r\nThese process names reference processes from multiple security products (see also Appendix: Example of\r\nMS4Killer termination process list). The code snippet in Figure 10 shows that there are duplicates in the process\r\nnames (like ekrn.exe), some of the strings are decrypted to the same location (see the variables hHandle, Luid, and\r\nlpMem) and there is one dummy process name: firefox.exe. Furthermore, following the cross-references of\r\ndecrypted string variables leads to comparison logic, where only a subset of process names is utilized. Figure 11\r\nshows a code snippet, where, in that particular case, only process names ERAAgent.exe and ekrn.exe, which are\r\nfrom ESET products, are compared against the running processes. Close inspection of multiple MS4Killer\r\nsamples shows that, in each intrusion, only processes of a particular security solution are monitored, despite the\r\nembedded process list always containing process names from multiple security products.\r\nFigure 11. 
Decision logic determining which processes are terminated\r\nWe saw evidence suggesting that MS4Killer samples were compiled shortly before the actual attacks and targeted\r\nonly the security solution protecting the victim’s machine.\r\nConclusion\r\nIn this blogpost, we have provided an analysis of new Rust tools that we named MDeployer and MS4Killer, which\r\nare actively utilized by the new ransomware group – Embargo. Embargo is a new player in the ransomware space,\r\nwith the ambition to rise to the level of the seasoned gangs. We have provided arguments for why we believe that\r\nthe Embargo group offers RaaS.\r\nThe main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by\r\ndisabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the\r\nsame functionality at different stages of the attack (BAT script, MDeployer, and MS4Killer all contain security-solution-disabling functionality). We have also observed the attackers’ ability to adjust their tools on the fly,\r\nduring an active intrusion, for a particular security solution.\r\nBoth MDeployer and MS4Killer are written in Rust. The same is true for the ransomware payload, suggesting\r\nRust is the go-to language for the group’s developers. We have observed deployment of two different versions of\r\nMDeployer during one incident. The deployed loader also contained logical bugs that disrupted the proper\r\nfunctionality of the tool. 
Based on the way the tools are tweaked during intrusions and the closeness of the\r\ncompilation timestamps to the times of intrusions, we assume that the attacker deploying the tools has the ability\r\nto quickly modify the source code and recompile their tools during an intrusion.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\nA1B98B1FBF69AF79E5A3F27AA6256417488CC117 dtest.dll Win64/Agent.ECY MDeployer - loader deploying MS4Killer and Embargo ransomware.\r\nF0A25529B0D0AABCE9D72BA46AAF1C78C5B48C31 fxc.exe Win64/Agent.ECY MDeployer - loader deploying MS4Killer and Embargo ransomware.\r\n2BA9BF8DD320990119F42F6F68846D8FB14194D6 fdasvc.exe Win64/Agent.ECY MDeployer - loader deploying MS4Killer and Embargo ransomware.\r\n888F27DD2269119CF9524474A6A0B559D0D201A1 praxisbackup.exe Win64/Agent.ECW MS4Killer - Embargo EDR Killer.\r\nBA14C43031411240A0836BEDF8C8692B54698E05 praxisbackup.exe Win64/Agent.ECW MS4Killer - Embargo EDR Killer.\r\n8A85C1399A0E404C8285A723C4214942A45BBFF9 pay.exe Win32/Filecoder.Embargo.A Embargo ransomware.\r\n612EC1D41B2AA2518363B18381FD89C12315100F win32.exe Win32/Filecoder.Embargo.A Embargo ransomware.\r\n7310D6399683BA3EB2F695A2071E0E45891D743B Sysmon64.sys Win64/ITMSystem.A Legitimate vulnerable driver, probmon.sys, dropped and used by MS4Killer.\r\n7310D6399683BA3EB2F695A2071E0E45891D743B Sysprox.sys Win64/ITMSystem.A Legitimate vulnerable driver, probmon.sys, dropped and used by MS4Killer.\r\nCertificate\r\nSerial number 010000000001306DE166BE\r\nThumbprint A88758892ED21DD1704E5528AD2D8036FEE4102C\r\nSubject CN ITM System Co.,LTD\r\nSubject O ITM System Co.,LTD\r\nSubject L Guro-gu\r\nSubject S N/A\r\nSubject C KR\r\nValid from 2011-06-08 06:01:39\r\nValid to 2014-06-07 08:32:23\r\nAdditional MDeployer file paths\r\nC:\\Windows\\Debug\\b.cache\r\nC:\\Windows\\Debug\\a.cache\r\nC:\\Windows\\Debug\\fail.txt\r\nC:\\Windows\\Debug\\stop.exe\r\nCommands used by MDeployer\r\nreg delete HKLM\\SYSTEM\\CurrentControlSet\\Control\\Safeboot\\Network\\WinDefend /f\r\nC:\\Windows\\System32\\cmd.exe /c takeown /R /A /F \"C:\\ProgramData\\[redacted]\" /D Y\r\nC:\\Windows\\System32\\cmd.exe /c takeown /R /A /F \"C:\\Program Files\\[redacted]\" /D Y\r\nsc create irnagentd binpath=\"C:\\Windows\\System32\\cmd.exe /c start /B rundll32.exe C:\\Windows\\Debug\\dtest.dll,Open\" start=auto\r\nsc delete irnagentd\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Safeboot\\Network\\irnagentd /t REG_SZ /d Service /f\r\nC:\\Windows\\System32\\cmd.exe /c bcdedit /set {default} safeboot Minimal\r\nC:\\Windows\\System32\\cmd.exe /c bcdedit /deletevalue {default} safeboot\r\nreg delete HKLM\\SYSTEM\\CurrentControlSet\\Control\\Safeboot\\Network\\WinDefend /f\r\nC:\\Windows\\System32\\cmd.exe /c ping localhost -n 5 \u003e nul \u0026 del C:\\Windows\\Debug\\dtest.dll\r\nshutdown -r -f -t 00\r\nC:\\Windows\\praxisbackup.exe\r\nC:\\Windows\\Debug\\pay.exe\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource Development T1587.001 Develop Capabilities: Malware Embargo group develops its custom toolkit – MDeployer, MS4Killer, and Embargo ransomware.\r\nExecution T1059.003 Command-Line Interface: Windows Command Shell Embargo group executes a BAT script that disables security solutions.\r\nExecution T1059.001 Command-Line Interface: PowerShell Embargo group uses PowerShell to transfer MDeployer to victims’ machines.\r\nExecution T1053.005 Scheduled Task/Job: Scheduled Task Embargo group uses scheduled tasks to run MDeployer on compromised endpoints.\r\nExecution T1569.002 System Services: Service Execution Embargo group uses a Windows service to execute MDeployer in Safe Mode.\r\nPersistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Embargo group modifies the Windows registry to start a custom service in Safe Mode.\r\nPersistence T1136.002 Create Account: Domain Account Embargo group creates its own domain accounts.\r\nDefense Evasion T1562.001 Impair Defenses: Disable or Modify Tools MDeployer, MS4Killer, and a BAT script disable security solutions.\r\nDefense Evasion T1562.009 Impair Defenses: Safe Mode Boot MDeployer and a BAT script reboot into Safe Mode.\r\nDefense Evasion T1070.004 Indicator Removal: File Deletion MDeployer deletes dropped files during cleanup.\r\nDefense Evasion T1112 Modify Registry MS4Killer modifies the registry to load a legitimate vulnerable driver.\r\nDefense Evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File Payloads loaded by MDeployer are RC4 encrypted.\r\nDiscovery T1135 Network Share Discovery Embargo ransomware performs network share discovery.\r\nDiscovery T1083 File and Directory Discovery Embargo ransomware performs file and directory discovery.\r\nImpact T1490 Inhibit System Recovery Embargo ransomware disables automatic Windows recovery.\r\nImpact T1486 Data Encrypted for Impact Embargo ransomware encrypts files on compromised machines.\r\nAppendix: Example of MS4Killer termination process list (in alphabetical order)\r\nSentinelAgent.exe\r\nSentinelAgentWorker.exe\r\nSentinelServiceHost.exe\r\nSentinelStaticEngine.exe\r\nLogProcessorService.exe\r\nSentinelStaticEngineScanner.exe\r\nSentinelHelperService.exe\r\nSentinelBrowserNativeHost.exe\r\nLogCollector.exe\r\nSentinelMemoryScanner.exe\r\nSentinelRanger.exe\r\nSentinelRemediation.exe\r\nSentinelRemoteShellHost.exe\r\nSentinelScanFromContextMenu.exe\r\nCylanceSvc.exe\r\nekrn.exe\r\nWRSA.exe\r\nWRSkyClient.x64.exe\r\nWRCoreService.x64.exe\r\nMsMpEng.exe\r\ndsa.exe\r\nds_monitor.exe\r\nNotifier.exe\r\ncoreServiceShell.exe\r\nfirefox.exe\r\nMsMpEng.exe\r\nEPProtectedService.exe\r\nEPIntegrationService.exe\r\nbdredline.exe\r\nEPSecurityService.exe\r\nEPUpdateService.exe\r\nERAAgent.exe\r\nekrn.exe\r\nSource: https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/"
	],
	"report_names": [
		"embargo-ransomware-rocknrust"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2374f3aa039fb8b4767b6388845f7649e570dc41.pdf",
		"text": "https://archive.orkl.eu/2374f3aa039fb8b4767b6388845f7649e570dc41.txt",
		"img": "https://archive.orkl.eu/2374f3aa039fb8b4767b6388845f7649e570dc41.jpg"
	}
}