{
	"id": "8f2e8eb9-8e9a-4f7a-8a02-3ddde8d42e64",
	"created_at": "2026-04-06T00:07:18.241576Z",
	"updated_at": "2026-04-10T03:21:42.204608Z",
	"deleted_at": null,
	"sha1_hash": "2d4bfcda5f2ea3151d5a042277d720887ba87145",
	"title": "Makop: The Toolkit of a Criminal Gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1426262,
	"plain_text": "Makop: The Toolkit of a Criminal Gang\r\nBy L M\r\nPublished: 2023-04-07 · Archived: 2026-04-05 20:36:25 UTC\r\nMar 12, 2023\r\nDissecting the malicious arsenal of the Makop ransomware gang.\r\nExecutive summary\r\nInsights from a recent intrusion conducted by Makop ransomware operators show persistence capability through dedicated .NET tools.\r\nThe Makop toolkit includes both off-the-shelf tools and custom-developed ones, including tools from the Chinese underground ecosystem.\r\nhttps://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11\r\nThe Makop gang has not conducted any significant retooling since 2020, which is a clear indicator of their effectiveness even after three years and hundreds of successful compromises.\r\nThe gang leverages exposed remote administration services and internet-facing vulnerabilities to gain and maintain access to victim networks.\r\nIntroduction\r\nThe Makop ransomware operators started their infamous criminal business in 2020 leveraging a new variant of the notorious Phobos ransomware. Over the last few years, the gang maintained a solid presence in the criminal underground even though they did not join the double extortion practice.\r\nTheir operations are based on the human-operated ransomware practice, where most of the intrusion is handled by hands-on-keyboard criminals, even in the encryption stage.\r\nThe Makop ransomware gang is classified as a tier-B ransomware actor, but despite this, they keep hitting companies in Europe and Italy. 
Technical details of the Makop ransomware encryption tool have been covered in depth by the Lifars security team (link), so, in this article, I am going to focus on other parts of the Makop gang arsenal leveraged to conduct digital extortions.\r\nTechnical Details\r\nThe Makop ransomware operator arsenal is a hybrid one: it contains both custom-developed tools and off-the-shelf software taken from public repositories. In particular, recent investigations were able to identify four of them: the ARestore escalation tool, the backdoor, and other publicly available toolkits such as Advanced_Port_Scanner and a particularly popular Chinese hack tool.\r\nCustom tools\r\nAfter the initial access, Makop criminals are still using an old tool dating back to their first operations in cyberspace. The “ARestore” tool is a .NET executable built in 2020 and partially obfuscated. Also, the compilation time in the PE header looks timestomped, but the metadata from the .NET assembly modules reveals a more plausible date matching the time scale of the Makop operations.\r\nfilename: ARestore.exe\r\nmd5: 7f86b67ac003eda9d2929c9317025013\r\nFigure. Tampered PE timestamp (left) and .NET assembly copyright year (right)\r\nThe obfuscated part of the code is based on a switch-case state machine looping and jumping through labels in the MSIL code. Despite this, the tool does not contain any evasion or anti-debugging techniques and contains IL-only, 32-bit code.\r\nFigure. .NET flags (left) and obfuscation pattern (right)\r\nThe tool is designed for two main purposes: generating combo lists of local Windows user names and potential passwords, and testing them locally. The tool is able to automatically retrieve local users from groups, filter for administrators, and then test the passwords. 
The crooks currently use it after the initial access phase of their attack chain.\r\nFigure. View of the “ARestore” tool\r\nMakop operators also leverage other custom .NET assemblies to achieve further stages of the kill chain. For instance, they are using a particular persistence tool we name “PuffedUp”, designed to ensure persistence after the initial access. This tool, too, looks to have been compiled and generated back in the early stage of the Makop operations and is still in use in current intrusions. Again the executable has been built in 2020, but this time it is not obfuscated at all.\r\nfilename: data.exe\r\nmd5: e245f8d129e8eadb00e165c569a14b71\r\nFigure. Compilation timestamp (left), main routine (right)\r\nDuring recent Makop intrusions, the tool has been coupled with another executable named “c.exe”, but, unfortunately, it has been erased by the attackers during the disengagement phase. Anyway, a quick look at the PuffedUp code reveals plain logic to keep its execution persistent through a Run registry key.\r\nFigure. Run registry key setup in PuffedUp\r\nInterestingly, the tool relies on a textual configuration file placed in the same folder. This particular file contains one or more 42-character strings, which will be placed into the user clipboard. Apparently a weird behavior, which might make sense only with a more complete view of the Makop arsenal.\r\nFigure. PuffedUp configuration reading loop\r\nOff-the-shelf tools\r\nMakop ransomware operators extensively use off-the-shelf open-source and freeware tools to conduct lateral movement and system discovery. 
Along with the classical abuse of Microsoft Sysinternals tools such as PsExec and other well-known open-source tools such as PuTTY and the never-missing Mimikatz, during recent operations Makop abused even more peculiar software.\r\nFor instance “Advanced Port Scanner”, a freeware port scanning tool developed by the authors of the famous Radmin. The Makop criminals were recently using version 2.5.3869 of the tool, which dates back to 2019.\r\nfilename: Advanced_Port_Scanner_2.5.3869.exe\r\nmd5: 6A58B52B184715583CDA792B56A0A1ED\r\nThe date of this particular version of the free software is particularly meaningful because it perfectly fits the build and compilation time of the other custom tools of the Makop intrusion arsenal. In fact, Makop criminals are still using tools built back in 2019 and 2020 to compromise small and medium enterprises around the world.\r\nFigure. Advanced Port Scanner part of the Makop arsenal\r\nAgain, another tool in the Makop arsenal still dates to 2019: the “Everything” tool. Everything is freeware software maintained by Voidtools. As anticipated, the version abused by Makop ransomware operators in recent 2023 intrusions is still version 1.4.1.932, released in January 2019.\r\nThe tool is basically a search engine for local and network shared files inside a Windows environment: unlike the default Windows search, it is designed to locate files and folders by filename instantly, speeding up system information discovery.\r\nfilename: Everything.exe\r\nmd5: b69d036d1dcfc5c0657f3a1748608148\r\nThe last interesting tool spotted in the Makop arsenal is a particular system administration tool rarely used in the Russian criminal underground. 
Its name is YDArk and it is an open-source tool available even on GitHub (link).\r\nfilename: YDArk.exe\r\nmd5: 9fd28d2318f66e4fe37a9a5bc1637928\r\nFigure. YDArk GitHub page (source: GitHub)\r\nYDArk is a powerful kernel manipulation tool that appeared in the Chinese underground communities back in 2020, where it was used to evade the memory scan of the anti-cheat programs in gaming communities. The tool has been previously analyzed by SangYun Shin (link). YDArk can hide processes the rootkit way: at the kernel level. It manipulates the EPROCESS kernel object of the target process by changing its PID to 0 and redirecting its forward and backward ActiveProcessLinks to the process’s own EPROCESS address.\r\nFigure. YDArk process hiding feature (source: GitHub)\r\nThe presence of this tool in the Makop arsenal is quite interesting because YDArk was previously found in other ransomware compromises:\r\nIn April 2021 and December 2020, Sophos reported the abuse of YDArk in unspecified circumstances (link).\r\nIn July 2022, the Dark Lab security firm (link) reported the abuse of YDArk within a SonicWall SMA100 exploitation campaign aimed at leveraging CVE-2019-7481 and CVE-2021-20028 on internet-exposed appliances to install LockBit ransomware.\r\nConclusion\r\nThe Makop ransomware operators are conducting cyber extortion with a consistent cyber arsenal that has survived detection for years. 
The absence of significant retooling in the Makop operator practice tells us the way to stop ransomware intrusions is still long.\r\nIf a tier-B human-operated ransomware gang targeting hundreds of companies worldwide does not need to update and change its arsenal after three years of operation, it is a clear indication that we are still lagging behind in enforcing an effective cyber attack deterrence strategy based on increasing the cost of attacks for cyber criminals and forcing them to retool.\r\nThe disclosure of the Makop cyber arsenal tools shall enable defenders to correlate even more intrusion attempts to the gang, to reach early detection of the abuse of both legitimate and custom-made tools.\r\nIndicators of Compromise\r\nHashes (MD5):\r\n7f86b67ac003eda9d2929c9317025013 arestore.exe\r\ne245f8d129e8eadb00e165c569a14b71 data.exe\r\n6A58B52B184715583CDA792B56A0A1ED Advanced_Port_Scanner_2.5.3869.exe\r\nb69d036d1dcfc5c0657f3a1748608148 Everything.exe\r\n9fd28d2318f66e4fe37a9a5bc1637928 YDArk.exe\r\nYara Rules\r\nimport \"pe\"\r\n\r\nrule PuffedUp {\r\n    meta:\r\n        author = \"@luc4m\"\r\n        date = \"2023-03-12\"\r\n        modified = \"2023-03-12\"\r\n        hash = \"e245f8d129e8eadb00e165c569a14b71\"\r\n        description = \"puffedup tool in makop ransomware toolkit\"\r\n        tlp = \"CLEAR\"\r\n    strings:\r\n        $main_1 = { 00 72 [4] 28 [4] 00 72 [4] 0A 72 [4] 28 [4] 00 29 }\r\n        $main_2 = { 0B 07 28 [4] 80 [4] 28 [4] 00 2A }\r\n        $sash_3 = { 72 [4] 0C [4] 72 [4] 0D 28 [4] 13 08 2C 06 }\r\n        $sash_4 = { 16 FE 01 13 0C 11 0C 2C 17 11 08 }\r\n        $sash_5 = { 1c 0D 00 20 [4] 28 [4] 00 00 DE 00 }\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and pe.imports(\"mscoree.dll\")\r\n        and ( 2 of ($sash_*) or 1 of ($main_*) )\r\n}\r\n\r\nrule ARestore {\r\n    meta:\r\n        author = \"@luc4m\"\r\n        date = \"2023-03-12\"\r\n        modified = \"2023-03-12\"\r\n        hash = \"7f86b67ac003eda9d2929c9317025013\"\r\n        description = \"ARestore in makop ransomware toolkit\"\r\n        tlp = \"CLEAR\"\r\n    strings:\r\n        $junk_1 = { 2B 09 28 [4] 14 16 9A 26 16 2D F9 14 2A }\r\n        $obj_1 = { 38 [4] 26 20 [4] 38 [4] FE [4] 38 [4] 20 [4] 20 [4] 59 9C 20 [4] FE [4] 28 [4] 38 }\r\n        $obj_2 = { FE [4] 20 [4] FE [4] 9C 20 [4] 38 [4] 12 }\r\n        $string_1 = \"ADLogic\" nocase\r\n        $string_2 = \"GetUserFromGroupAsync\" nocase\r\n        $string_3 = \"WriteResultAsync\" nocase\r\n        $string_4 = \"ParseLoginAsync\" nocase\r\n        $string_5 = \"GenerateCredentials\" nocase\r\n        $string_6 = \"GetUserAsync\" nocase\r\n        $string_7 = \"IsAuthenticated\" nocase\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and pe.imports(\"mscoree.dll\")\r\n        and ( (1 of ($junk_*) or 1 of ($obj_*)) and 3 of ($string_*) )\r\n}\r\nSource: https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11"
	],
	"report_names": [
		"makop-the-toolkit-of-a-criminal-gang-53cd44563c11"
	],
	"threat_actors": [],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d4bfcda5f2ea3151d5a042277d720887ba87145.pdf",
		"text": "https://archive.orkl.eu/2d4bfcda5f2ea3151d5a042277d720887ba87145.txt",
		"img": "https://archive.orkl.eu/2d4bfcda5f2ea3151d5a042277d720887ba87145.jpg"
	}
}