{
	"id": "d91d0ad5-381d-4fcc-8d46-78e9868ba86c",
	"created_at": "2026-04-06T02:12:12.854734Z",
	"updated_at": "2026-04-10T03:36:17.32974Z",
	"deleted_at": null,
	"sha1_hash": "2910a11a2efbd057665917bd8c7b848c4c38ce3d",
	"title": "Yanluowang ransomware operation matures with experienced affiliates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1375586,
	"plain_text": "Yanluowang ransomware operation matures with experienced affiliates\r\nBy Ionut Ilascu\r\nPublished: 2021-11-30 · Archived: 2026-04-06 01:29:45 UTC\r\nAn affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector, using BazarLoader malware in the reconnaissance stage.\r\nBased on observed tactics, techniques, and procedures, the threat actor is experienced with ransomware-as-a-service (RaaS) operations and may be linked with the Fivehands group.\r\nFivehands ransomware connection\r\nResearchers at Symantec, a division of Broadcom Software, note that the actor has been hitting higher-profile targets in the U.S. since at least August.\r\nhttps://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/\r\nPage 1 of 4\r\nWhile its interest is in financial institutions, the Yanluowang ransomware affiliate has also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.\r\nLooking at the tactics, techniques, and procedures (TTPs), the researchers noticed a possible connection to older attacks with Thieflock, a ransomware operation developed by the Fivehands group.\r\nFivehands ransomware itself is relatively new on the scene, becoming known in April - first in a report from Mandiant, which tracks its developer as UNC2447, and then in an alert from CISA.\r\nAt the time, Mandiant said that UNC2447 showed “advanced capabilities to evade detection and minimize post-intrusion forensics,” and that its affiliates had been deploying RagnarLocker ransomware.\r\nSymantec notes that the link found between recent Yanluowang attacks and older ones with Thieflock is tentative, as it relies on several TTPs found in Fivehands ransomware attacks, such as:\r\nthe use of custom password recovery tools and open-source ones (e.g. GrabFF)\r\nthe use of open-source network scanning tools (e.g. SoftPerfect Network Scanner)\r\nthe use of the S3 Browser and Cent browser to upload and download data\r\n“This link begs the question of whether Yanluowang was developed by Canthroid [a.k.a. Fivehands]. However, analysis of Yanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely hypothesis is that these Yanluowang attacks may be carried out by a former Thieflock affiliate,” the researchers say.\r\nTools of the trade\r\nAfter gaining access to the target network, the attacker uses PowerShell to download tools, such as the BazarLoader malware, to help with moving laterally.\r\nBazarLoader is delivered to corporate targets by the TrickBot botnet, which also spreads Conti ransomware. More recently, TrickBot operators started helping to rebuild the Emotet botnet.\r\nThe Yanluowang threat actor enables the remote desktop service (RDP) from the registry and installs the ConnectWise tool for remote access.\r\nThe researchers say that the affiliate discovers systems of interest with the AdFind tool, to query Active Directory, and SoftPerfect Network Scanner, to find hostnames and network services.\r\nSeveral tools are used to steal credentials from the browsers (Firefox, Chrome, Internet Explorer) of compromised machines: GrabFF, GrabChrome, BrowserPassView.\r\nSymantec’s researchers also noticed that the attacker used KeeThief to steal the master key for the KeePass password manager, a screen capture tool, and the data exfiltration utility Filegrab.\r\nIn a previous report about Yanluowang attacks, the company said that the hackers threatened distributed denial-of-service (DDoS) and data-wiping attacks if the victim did not comply with the demands.\r\nToday's report on the Yanluowang affiliate includes indicators of compromise for the tools and malware used in the attack.\r\nSource: https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/"
	],
	"report_names": [
		"yanluowang-ransomware-operation-matures-with-experienced-affiliates"
	],
	"threat_actors": [
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441532,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2910a11a2efbd057665917bd8c7b848c4c38ce3d.pdf",
		"text": "https://archive.orkl.eu/2910a11a2efbd057665917bd8c7b848c4c38ce3d.txt",
		"img": "https://archive.orkl.eu/2910a11a2efbd057665917bd8c7b848c4c38ce3d.jpg"
	}
}