{
	"id": "1b6ab2b7-0885-4f1d-92c8-af395a655077",
	"created_at": "2026-05-01T03:09:04.055831Z",
	"updated_at": "2026-05-01T03:10:50.572126Z",
	"deleted_at": null,
	"sha1_hash": "2f789bb1855a960b499b61714799f96605d842d1",
	"title": "Big Game Hunting: Now in Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 301993,
	"plain_text": "Big Game Hunting: Now in Russia\r\nBy Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB\r\nArchived: 2026-05-01 02:39:24 UTC\r\nThe email raised no suspicions. An employee of a Russian medical company boldly clicked on the link and\r\ndownloaded the attached ZIP archive. The message with the subject \"Bill due\" looked like it had been sent by the\r\nFinance Department of a large Russian media holding, the RBC Group. After the executable file was run for just\r\ntwenty seconds, Windows Defender detected and deleted the malware. Yet these twenty seconds were enough for\r\nthe Trojan to achieve persistence in the infected system. The victim failed to notice anything. Three weeks later,\r\nthe company's employees arrived at work and were greeted by an alarming message on their computer screens:\r\n\"Your files have been encrypted\". All work stopped. The attackers demanded $50,000 in cryptocurrency to decrypt\r\nthe files. A new cybercriminal group called OldGremlin was behind that attack.\r\nGroup-IB Threat Intelligence team recently tracked a successful attack conducted on a Russian medical\r\ncompany by OldGremlin, a new criminal group. The threat actor encrypted the company’s entire corporate\r\nnetwork and demanded a $50,000 ransom. It is common knowledge that Russian hackers have an unspoken rule\r\nabout not working within Russia and post-Soviet countries. Yet OldGremlin, made up of Russian speakers, is\r\nactively attacking Russian companies: banks, industrial enterprises, medical organizations, software developers…\r\nAccording to Group-IB expert estimations, since the spring OldGremlin has conducted at least seven phishing\r\ncampaigns. 
The hackers have impersonated the self-regulatory organization Mikrofinansirovaniye i Razvitiye\r\n(SRO MiR); a Russian metallurgical holding company; the Belarusian plant Minsk Tractor Works; a dental clinic;\r\nand the media holding company RBC.\r\nHere is your invoice\r\nIn August 2020, Group-IB uncovered the details of the first successful attack conducted by OldGremlin. The\r\nvictim was a large medical company with a network of regional branches. The initial compromise vector was a\r\nphishing email allegedly sent by the media holding company RBC.\r\nGroup-IB Threat Intelligence analysts established that, at the initial stage, the threat actors used a unique\r\ncustom malware called TinyNode, a backdoor that downloads and launches additional malware. After\r\ngaining remote access to the victim’s computer, the cybercriminals could easily perform network reconnaissance,\r\ncollect valuable data, and propagate across the organization’s network. Like many other groups, OldGremlin used\r\nthe Cobalt Strike framework to ensure that any post-exploitation activity was as effective as possible.\r\nhttps://www.group-ib.com/blog/oldgremlin\r\nPage 1 of 7\n\nAfter the attackers conducted reconnaissance and made sure that they were in the domain that interested them,\r\nthey continued to move laterally across the network, eventually obtaining domain administrator credentials. They\r\neven created an additional account with the same privileges in case the main one was blocked.\r\nIn this particular case, backups did not save the victim. A few weeks after the attack began, the cybercriminals\r\nwiped the organization’s backups. In just a few hours on a weekend, they spread their ransomware TinyCryptor\r\nacross hundreds of computers on the corporate network.\r\nWhen the employees arrived at work the next day, they were greeted by an alarming message on their computer\r\nscreens: “Your files are encrypted. 
To decrypt them, contact us at…” The phrase was followed by a mailbox hosted\r\non ProtonMail. Interestingly, the criminals create a new email address for each new campaign. As a result of the\r\nattack, the company’s regional branches were paralyzed and unable to operate. The attackers demanded 50,000\r\ndollars in cryptocurrency for decryption.\r\nOldGremlin is the only Russian-speaking ransomware operator that violates the unspoken rule about not working\r\nwithin Russia and post-Soviet countries. They carry out multistage targeted attacks on Russian companies and\r\nbanks using sophisticated tactics and techniques similar to those employed by APT groups. As with similar groups\r\nthat target foreign entities, OldGremlin can be classed as part of Big Game Hunting, which brings together\r\nransomware operators targeting large corporate networks.\r\nRiding the COVID-19 wave: The first campaigns\r\nGroup-IB Threat Intelligence experts first detected OldGremlin’s attack between late March and early April 2020.\r\nThe criminals took advantage of COVID-19 and sent financial institutions fake recommendations on how to\r\norganize a safe working environment during a pandemic, impersonating the self-regulatory organization\r\nMikrofinansirovaniye i Razvitiye (SRO MiR). It was the first time that the threat actors used TinyPosh, a custom\r\nTrojan they developed themselves. The second attack occurred on April 24. The scheme was more or less the\r\nsame, but this time the hackers impersonated Novadent, a dental clinic.\r\nTwo weeks later, OldGremlin changed tactics. 
They prepared a fake email allegedly sent by a Russian RBC\r\njournalist who invited recipients to take part in the “Nationwide survey of the banking and financial sectors during\r\nthe coronavirus pandemic.” Unlike the emails used in earlier incidents, the message from the “RBC reporter”\r\nwas meticulously drafted in correct Russian and accurately imitated the media holding’s style.\r\nThe “journalist” offered the potential victim (a bank employee) a 30-minute interview and promised to schedule\r\nthe meeting through Calendly. For the attack, the hackers created a calendar using this software, in which they\r\nmade an appointment for the victim.\r\nThe criminals then sent the victim a second email in which the “journalist” explained that she had “uploaded the\r\nquestions to the cloud” and was awaiting answers. The email was designed to spark the victim’s interest and\r\nencourage them to click on the link. To make the email look more convincing, each message contained the name\r\nof a major foreign cybersecurity vendor that had allegedly verified it.\r\nAs in the first campaigns, opening the link in the email resulted in the TinyPosh Trojan being downloaded to\r\nthe victim’s computer. The malware achieved persistence in the system, obtained the privileges of the account from\r\nwhich the Trojan was launched, and could download and launch the Cobalt Strike Beacon upon command. To hide\r\nthe real C\u0026C address, the hackers used the Cloudflare Workers service.\r\nOldGremlin spreads across Russia\r\nAfter a short “vacation”, the group resumed its activity. On August 13 and 14, 2020, CERT-GIB (Group-IB’s\r\nComputer Emergency Response Team) tracked two large-scale malicious campaigns as part of which the hackers\r\nimpersonated RBC (Russian media holding company) and a mining and metallurgical company. 
Within two days,\r\nthe criminals sent around 250 malicious emails targeting Russian companies in the financial and industrial\r\nsectors. Unlike the case with the “journalist” (the name used was the same as an actual RBC reporter’s), the\r\nsenders impersonated non-existent employees.\r\nWithin a few days, the cybercriminals edited the decoy email to take advantage of the key topic in Russian-language media: the protests in Belarus. On the morning of August 19, the CERT-GIB team detected malicious\r\ncampaigns targeting Russian financial organizations. The emails were allegedly from Minsk Tractor Works\r\n(MTZ). In total, more than 50 malicious emails were identified and blocked by the Group-IB Threat Detection System\r\n(TDS).\r\nThe email’s sender was “Alesya Vladimirovna” (or “A.V. Volokhina” in some cases), allegedly MTZ’s CEO,\r\nalthough the company is in fact headed by a different person: Vitaly Vovk. The cybercriminals used the protests\r\nand strikes in Belarus as a theme for their emails: “Unfortunately, about a week ago the prosecutor’s office\r\ninspected MTZ. It is clear that this happened because of a strike we organized to protest against Lukashenko.”\r\nFurther down, the recipients were asked to follow a link, download an archive, and send the missing documents\r\nfor verification. In fact, CERT-GIB analysts established that after victims opened the attachment, the TinyPosh\r\nbackdoor was downloaded and installed on their computer.\r\nOldGremlin adopted a creative approach to their spearphishing emails. On August 19, Group-IB Managed XDR\r\ndetected and blocked emails containing links to malicious ZIP files. These well-crafted emails exploited current\r\nnews as a lure. The cybercriminals also used a public URL shortening service (e.g. bit.ly) to mask the links to\r\nmalicious files. 
OldGremlin’s campaigns were successfully detected and their emails were blocked at the\r\ncompanies equipped with Group-IB Managed XDR.\r\nManaged Extended Detection and Response Polygon is designed to conduct behavior analysis of files extracted\r\nfrom emails, network traffic, file storage systems, personal computers, and automated systems, as well as\r\nmanually uploaded files and those extracted through API integration.\r\nThe lack of a strong channel of communication between organizations that counter cybercrime and the context of\r\npolitical instability have led to the emergence of new criminal groups who think that they can get away with their\r\ncrimes. Other factors that help cybercriminals make money on ransoms include businesses underestimating\r\nthreats and the lack of security controls that identify and block ransomware in time.\r\nRustam Mirkasymov, Head of Dynamic Malware Analysis Department at Group-IB\r\nMITRE ATT\u0026CK Mapping\r\nTactic | Technique | Procedure\r\nInitial Access | Phishing: Spearphishing Link | OldGremlin used spearphishing links to archives with malicious LNK files or SFX archives.\r\nExecution | User Execution: Malicious File | A user must run a malicious file to start code execution.\r\nExecution | Command and Scripting Interpreter: PowerShell | OldGremlin used obfuscated PowerShell scripts.\r\nExecution | Command and Scripting Interpreter: JavaScript/JScript | OldGremlin used obfuscated JS scripts.\r\nPersistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | OldGremlin used Software\\Microsoft\\Windows\\CurrentVersion\\Run for TinyPosh and TinyNode persistence.\r\nDefense Evasion | Signed Binary Proxy Execution: Mshta | OldGremlin used mshta.exe to run obfuscated JS scripts.\r\nDefense Evasion | Signed Binary Proxy Execution: Rundll32 | OldGremlin used rundll32.exe to open a decoy document.\r\nDefense Evasion | Process Injection: Asynchronous Procedure Call | OldGremlin injected Cobalt Strike into legitimate processes (e.g., svchost.exe and rundll32.exe) via the asynchronous procedure call (APC) queue.\r\nDefense Evasion | Obfuscated Files or Information | OldGremlin obfuscated the scripts and commands they used during the attack lifecycle.\r\nCredential Access | Credentials from Password Stores: Credentials from Web Browsers | OldGremlin extracted passwords from web browsers via NirSoft WebBrowserPassView.\r\nCredential Access | Unsecured Credentials: Credentials In Files | OldGremlin extracted email passwords via NirSoft Mail PassView.\r\nDiscovery | Software Discovery | OldGremlin collected information about programs installed on the compromised host.\r\nDiscovery | Remote System Discovery | OldGremlin collected information about the hosts in the network to move laterally and deploy TinyCryptor.\r\nLateral Movement | Lateral Tool Transfer | OldGremlin moved laterally with the help of Cobalt Strike Beacon.\r\nLateral Movement | Remote Services: Remote Desktop Protocol | OldGremlin used RDP for lateral movement.\r\nLateral Movement | Remote Services: SMB/Windows Admin Shares | OldGremlin deployed TinyCryptor with the PsExec module of Cobalt Strike.\r\nCollection | Screen Capture | OldGremlin created screenshots from the compromised host.\r\nCommand and Control | Proxy: Multi-hop Proxy | OldGremlin used Tor to communicate with the compromised host.\r\nCommand and Control | Encrypted Channel: Symmetric Cryptography | OldGremlin used RC4 to encrypt transmitted data.\r\nImpact | Data Encrypted for Impact | OldGremlin encrypted data on computers in the network with the help of the TinyCryptor ransomware.\r\nIndicators of 
compromise\r\nMD5\r\ne47a296bac49284371ac396a053a8488\r\n2c6a9a38ace198ab62e50ab69920bf42\r\n306978669ead832f1355468574df1680\r\n94293275fcc53ad5aca5392f3a5ff87b\r\n1e54c8bc19dab21e4bd9cfb01a4f5aa5\r\nfc30e902d1098b7efd85bd2651b2293f\r\ne0fe009b0b1ae72ba7a5d2127285d086\r\nf30e4d741018ef81da580ed971048707\r\nac27db95366f4e7a7cf77f2988e119c2\r\n30fdbf2335a9565186689c12090ea2cf\r\ne1692cc732f52450879a86cb7dcfbccd\r\nRegistry paths\r\nHKCU:\\Software\\Classes\\Registered\r\nHKCU:\\Software\\Microsoft\\Windows\\Security\r\nIPs and Domains\r\n136.244.67[.]59\r\n95.179.252[.]217\r\n45.61.138[.]170\r\n5.181.156[.]84\r\nrbcholding[.]press\r\nbroken-poetry-de86.nscimupf.workers[.]dev\r\ncalm-night-6067.bhrcaoqf.workers[.]dev\r\nrough-grass-45e9.poecdjusb.workers[.]dev\r\nksdkpwprtyvbxdobr0.tyvbxdobr0.workers[.]dev\r\nksdkpwpfrtyvbxdobr1.tiyvbxdobr1.workers[.]dev\r\nwispy-surf-fabd.bhrcaoqf.workers[.]dev\r\nnoisy-cell-7d07.poecdjusb.workers[.]dev\r\nwispy-fire-1da3.nscimupf.workers[.]dev\r\nhello.tyvbxdobr0.workers[.]dev\r\ncurly-sound-d93e.ygrhxogxiogc.workers[.]dev\r\nold-mud-23cb.tkbizulvc.workers[.]dev\r\nIn most cases, access to data found on a ransomware-infected device cannot be restored without decryption\r\nkeys, which attackers hold for ransom. It is never advisable to pay a single cent. What Group-IB experts do\r\nrecommend and consider extremely important is responding to ransomware attacks appropriately.\r\nGet the help of our skilled global Incident Response team to ensure rapid and thorough containment of the most\r\ndamaging cyberattacks, as well as remediation and recovery.\r\nSource: https://www.group-ib.com/blog/oldgremlin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/oldgremlin"
	],
	"report_names": [
		"oldgremlin"
	],
	"threat_actors": [],
	"ts_created_at": 1777604944,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f789bb1855a960b499b61714799f96605d842d1.pdf",
		"text": "https://archive.orkl.eu/2f789bb1855a960b499b61714799f96605d842d1.txt",
		"img": "https://archive.orkl.eu/2f789bb1855a960b499b61714799f96605d842d1.jpg"
	}
}