{
	"id": "aed2775d-4c58-41d7-bbbf-b5df2bdf1fa8",
	"created_at": "2026-04-06T00:21:59.626628Z",
	"updated_at": "2026-04-10T13:13:08.898244Z",
	"deleted_at": null,
	"sha1_hash": "30ad6651ace290ebc521ef6732d1dae186eab3f3",
	"title": "Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2507165,
	"plain_text": "Microsoft Exchange vulnerabilities exploited once again for ransomware,\r\nthis time with Babuk\r\nBy Chetan Raghuprasad\r\nPublished: 2021-11-03 · Archived: 2026-04-02 11:05:56 UTC\r\nBy Chetan Raghuprasad and Vanja Svajcer, with contributions from Caitlin Huey.\r\nCisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly\r\naffecting users in the U.S. with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras\r\nand Thailand.\r\nThe actor behind the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign.\r\nThis is a new actor operating since July 2021. Prior to this ransomware, Tortilla had been experimenting with other\r\npayloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with\r\nunauthorized access to Windows machines.\r\nWe assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in\r\nMicrosoft Exchange Server through the deployment of the China Chopper web shell.\r\nWhat's new?\r\nOn Oct. 12, 2021, Cisco Talos discovered, using Cisco Secure product telemetry, a malicious campaign targeting vulnerable\r\nMicrosoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the\r\nvictim's environment. The actor is using a somewhat unusual infection chain technique where an intermediate unpacking\r\nmodule is hosted on a pastebin.com clone, pastebin.pl. The intermediate unpacking stage is downloaded and decoded in\r\nmemory before the final payload embedded within the original sample is decrypted and executed.\r\nHow did it work?\r\nInfection typically starts with a downloader module on a victim's server. We have observed downloaders in a standalone\r\nexecutable format and in a DLL format. 
The DLL downloader is run by the parent process w3wp.exe, which is the Exchange\r\nIIS worker process.\r\nThe initial downloader is a modified EfsPotato exploit that targets the ProxyShell and PetitPotam vulnerabilities. The downloader\r\nruns an embedded obfuscated PowerShell command to connect and download a packed downloader module from the actor's\r\ninfrastructure. The PowerShell command also executes an AMSI bypass to circumvent endpoint protection. The download\r\nserver is hosted using the malicious domains fbi[.]fund and xxxs[.]info.\r\nThe initial packed loader module contains encrypted .NET resources as bitmap images. The decrypted content is the actual\r\nBabuk ransomware payload. To decrypt and unpack the payload, the loader connects to a URL on pastebin.pl containing the\r\nintermediate unpacker module. The unpacker module decrypts the embedded Babuk ransomware payload in memory and\r\ninjects it into a newly created process, AddInProcess32.\r\nThe Babuk ransomware module, running within the process AddInProcess32, enumerates the processes running on the\r\nvictim's server and attempts to disable a number of processes related to backup products, such as the Veeam backup service. It\r\nalso deletes Volume Shadow Copy Service (VSS) snapshots from the server using the vssadmin utility to make sure the encrypted files\r\ncannot be restored from their VSS copies. The ransomware module encrypts the files on the victim's server and appends the\r\nfile extension .babyk to the encrypted files. The actor demands the victim pay $10,000 USD to obtain the decryption key to\r\nregain their files.\r\nSo what?\r\nBabuk is ransomware that can be compiled for several hardware and software platforms. The compilation is configured\r\nthrough a ransomware builder. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32-bit, old\r\nPE executable were observed over time.\r\nhttps://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html\r\nPage 1 of 13\r\n
However, in this particular campaign, we found evidence of actors specifically\r\ntargeting Windows.\r\nBabuk ransomware is nefarious by its nature: while it encrypts the victim's machine, it interrupts the system backup\r\nprocess and deletes the volume shadow copies. In early September 2021, Babuk source code and a binary builder were\r\nleaked, which may have encouraged new malicious actors to manipulate and deploy the malware. Recently, a Babuk\r\ndecryptor has been released. Unfortunately, it is only effective on files encrypted with a number of leaked keys and cannot\r\nbe used to decrypt files encrypted by the variant described in this blog post.\r\nOrganizations should regularly update their servers and applications with the latest available patches from the vendors,\r\neliminating the vulnerabilities in their environment. Defenders should be constantly looking for suspicious events generated\r\nby detection systems, such as an abrupt service termination, abnormally high I/O rates for drives attached to their servers, the\r\ndeletion of shadow copies or system configuration changes.\r\nInfection chain summary\r\nCisco Talos discovered a malicious campaign that used either a DLL or a .NET executable. One of the two types of files starts\r\nthe infection chain on the targeted system. The initial .NET executable module runs as a child process of w3wp.exe and\r\ninvokes the command shell to run an obfuscated PowerShell command.\r\nThe PowerShell command invokes a web request and downloads the payload loader module using certutil.exe from a URL\r\nhosted on the domains fbi[.]fund and xxxs[.]info, or the IP address 185[.]219[.]52[.]229.\r\nThe payload loader downloads an intermediate unpacking stage from the PasteBin clone site pastebin.pl. 
The unpacker\r\nconcatenates the bitmap images embedded in the resource section of the trojan and decrypts the payload into memory.\r\nThe payload is injected into the process AddInProcess32 and is used to encrypt files on the victim's server and all mounted\r\ndrives.\r\nInfection flow-chart.\r\nStage 1: Downloaders\r\nWe've observed the initial executable or DLL targeting servers that use Intel and AMD architecture. Usually, if an executable\r\nhas w3wp (the IIS worker process in Exchange) as the parent process, this means the attacker has exploited a ProxyShell\r\nvulnerability. The observed infected systems also had the China Chopper web shell installed. We believe China Chopper\r\neventually ran the initial download command.\r\nOur telemetry also indicates that the actor's infrastructure was active in attempting to exploit a number of vulnerabilities in\r\nother products, most commonly triggering the following Snort rules:\r\nMicrosoft Exchange autodiscover server side request forgery attempt (57907)\r\nAtlassian Confluence OGNL injection remote code execution attempt (58094)\r\nApache Struts remote code execution attempt (39190, 39191)\r\nWordPress wp-config.php access via directory traversal attempt (41420)\r\nSolarWinds Orion authentication bypass attempt (56916)\r\nOracle WebLogic Server remote command execution attempt (50020)\r\nLiferay arbitrary Java object deserialization attempt (56800)\r\nDLL\r\nWe observed that the parent process w3wp.exe, an IIS worker process that runs the .NET applications, launches the\r\ndownloader DLL. The DLL is a mixed mode assembly, whose functionality is included in the native entry point of the\r\nlibrary, DllMainCRTStartup. 
The DllMainCRTStartup function calls the command shell to run an encoded PowerShell\r\ncommand to download the next stage's loader from hxxp://fbi[.]fund/dark.exe, which is the main packed module containing\r\nthe final payload.\r\nDllMainCRTStartup calls the function to download the next stage.\r\n.NET executable downloader module\r\nThe .NET executable version of the initial downloader is a slightly modified variant of the EfsPotato exploit with code to\r\ndownload and run the next stage. EfsPotato is an exploit that attempts to escalate the process privileges using a vulnerability\r\nin the Encrypting File System (CVE-2021-36942).\r\nThe PowerShell command invokes a web request to connect to the malicious repository hxxp://fbi[.]fund/tortillas/ using the\r\nInvoke-WebRequest cmdlet and certutil.exe to download the main loader module and save it as tortilla.exe. Finally, the\r\ndownloader runs tortilla.exe.\r\nModified EfsPotato exploit.\r\nDecoded PowerShell command.\r\nThe exploit enumerates the current user's privileges, accesses the user token and modifies the token access level to\r\nMaximumAllowed, thereby elevating the privileges, and calls the CreateProcessAsUser function to run the stage 2 loader as a\r\nnew process within the security context specified in the token of the victim's user account.\r\nThe actor executes an AMSI bypass and disables the Windows Defender real-time monitoring, script scanning and behavior\r\nmonitoring by executing the cmdlet Set-MpPreference.\r\nThe Stage 1 downloaders associated with this campaign are signed with the same digital signature, the validity of which we\r\ncannot verify. The thumbprint of the signature is: 21D354A27519DD62B328416BAB01767DA94786CB. 
The same\r\ncertificate is used by the actor to sign samples from previous campaigns executed from July 2021.\r\nStage 2: Main module loader\r\nThe second stage, the main ransomware loader, contains the final payload. It's a 32-bit .NET executable masquerading as a\r\nlegitimate stock management system (SMS) application, not to be confused with the SMS messaging protocol. The module is\r\npacked with ConfuserEx, a free, open-source protector for .NET applications. This stage is downloaded by a process\r\nlaunched by the Exchange IIS worker process.\r\nThe application contains the final payload in an encrypted format, split between the .NET resources.\r\nIt attempts to connect to the URL https://pastebin.pl/view/raw/a57be2ca and download the intermediate module required for\r\nunpacking the final payload.\r\nThe URL is passed as an argument to the decrypting function, which downloads the data stream from PasteBin and decrypts\r\nthe data stream in memory to generate the intermediate unpacking module.\r\nStage 3: Intermediate unpacker\r\nThe intermediate unpacker is a DLL, whose binary is stored as encoded text in PasteBin. The library contains\r\nclasses that check for the existence of sandboxes and virtual machine environments by enumerating their services to identify\r\nwhether it is running in a virtualized environment.\r\nVirtual environments check.\r\nThe DLL contains several arrays of ASCII characters whose values, such as the folder path and the directory locations, are\r\ndecrypted using the Rijndael algorithm.\r\nDecryption function for the data (decrypts resource bitmaps).\r\nThe unpacker creates a copy of the legitimate file AddInProcess32.exe in the user's temporary folder\r\nC:\\Users\\Username\\AppData\\Local\\Temp and launches the process in suspended mode. 
Microsoft recommends that this\r\napplication be blocklisted, as it can be used to bypass Windows Defender Application Control.\r\nThe intermediate unpacking module accesses the resources of the stage 2 loader, parses the stream of binary data\r\nembedded in the bitmap files into memory and, based on the packer configuration, injects the decrypted module into the\r\nvirtual memory of the previously launched AddInProcess32.exe. The unpacked module in memory is the Babuk\r\nransomware payload. The packer has the ability, based on its configuration, to inject the payload into one of the following\r\nprocesses:\r\nAppLaunch.exe\r\nsvchost.exe\r\nRegAsm.exe\r\nInstallUtil.exe\r\nmscorsvw.exe\r\nAddInProcess32.exe\r\nTo hide the fact that the module is downloaded from the internet, the unpacker deletes the zone\r\nidentifier alternate data stream of the main loader.\r\nZone identifier is deleted.\r\nStage 4: Babuk ransomware payload\r\nThe Stage 2 loader creates a copy of the file AddInProcess32.exe in the user's temporary directory and invokes the process.\r\nThe unpacked Babuk ransomware payload is injected into the process and started. This particular variant is similar to\r\npreviously documented variants with only minor modifications.\r\nThe ransomware payload creates a mutex with the name \"DoYouWantToHaveSexWithCuongDong\", referring to the name of\r\nthe researcher who analysed it at the beginning of the year.\r\nCreation of Babuk mutex.\r\nThe payload launches the command shell in the background and executes the command to delete\r\nthe volume shadow copies of the victim's machine using vssadmin.exe.\r\nDeletion of VSS file copies.\r\nThe payload module then opens the service manager to enumerate running services with the intention of finding the backup\r\nservices listed in the screenshot below. 
If any of the backup services are found, the trojan stops them using the\r\nControlService API function call.\r\nBackup related services from the list are terminated.\r\nThe payload module traverses the file system to find files to encrypt. After encryption, the files will have a new filename\r\nextension, .babyk. However, Babuk also contains a list of filenames and directories which will be excluded from the\r\nencryption process to keep the affected system running and allow the attackers to communicate with the victim.\r\nBabuk file extension and the encryption exclusion list.\r\nRansom note\r\nThe payload module creates a file called How To Restore your Files.txt, which contains a\r\nnotification to the victim that their network is compromised and their files are encrypted using AES-256-CTR\r\nwith the ChaCha8 cipher.\r\nThe actor demands that the victim pay the equivalent of 10000 USD in Monero (XMR) to the wallet\r\naddress\r\n46zdZVRjm9XJhdjpipwtYDY51NKbD74bfEffxmbqPjwH6efTYrtvbU5Et4AKCre9MeiqtiR51Lvg2X8dXv1tP7nxLaE\r\nThe actor has also disclosed their email IDs for the victims to contact them for further instructions and\r\nthe decryption key after making the payment.\r\nBabuk ransom note.\r\nTortilla and their infrastructure\r\nTortilla's infrastructure consists of a Unix-based download server and\r\nhosts their intermediate unpacker code on a site called pastebin.pl that seems to be unrelated to the\r\npopular pastebin.com. Although the site is legitimate, we have observed several previous malicious campaigns,\r\nincluding variants of AgentTesla and Formbook, hosting their additional content on it. 
Access to the\r\nsite from a company's network may indicate a successful breach.\r\nDownload server\r\nAccording to Shodan, the download server at the IP address 185[.]219[.]52[.]229 is located in Moscow, Russia and runs\r\nOpenSSH and Python version 3.9.7. There are two actor-controlled domains: fbi[.]fund and xxxs[.]info. Both of those\r\ndomains resolve to the IP address 185[.]219[.]52[.]229, the IP address hosting all malicious modules, with the exception of\r\nthe intermediate unpacker module hosted on pastebin.pl.\r\nThe domain xxxs[.]info was used in campaigns running until Oct. 13, 2021, when the actor switched to using fbi[.]fund.\r\nDNS request timeline for xxxs[.]info.\r\nDNS request timeline for fbi[.]fund.\r\nVictimology\r\nBased on the DNS request distribution to the malicious domains, we are seeing requests coming predominantly from the\r\nU.S., although the campaign has also affected a smaller number of users in the U.K., Germany, Ukraine, Finland, Brazil,\r\nHonduras and Thailand.\r\nConclusion\r\nThe leak of the Babuk builder and its source code in July has contributed to its wide availability, even for less\r\nexperienced ransomware operators, such as Tortilla. This actor has only been operating since early July this year and has\r\nbeen experimenting with different payloads, apparently in order to obtain and maintain remote access to the infected\r\nsystems. 
The actor displays low to medium skills, with a decent understanding of security concepts and the ability to\r\nmake minor modifications to existing malware and offensive security tools.\r\nCisco Talos telemetry shows that the actor is using its infrastructure to host malicious modules and conduct internet-wide\r\nscanning to exploit vulnerable hosts running several popular applications, including Microsoft Exchange. This particular\r\nBabuk campaign seems to primarily rely on exploiting Exchange Server vulnerabilities.\r\nOrganizations and defenders should remain vigilant against such threats and should implement a layered security defense\r\nwith behavioral protection enabled for endpoints and servers to detect the threats at an early stage of the infection chain.\r\nAs always with ransomware, the staples of the defence are sound backup practices as well as the deployment of centralised\r\nlogging and XDR tools to the most important resources within the organizational networks. In addition to that, defenders\r\nare urged to apply the latest security patches to all externally facing servers as well as the important assets in the internal\r\nnetwork.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in\r\nthis post. 
Try Secure Endpoint for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nThe following ClamAV signatures have been released to detect this threat:\r\nWin.Ransomware.Packer-7473772-1\r\nWin.Trojan.Swrort-5710536-0\r\nWin.Trojan.Powercat-9840812-0\r\nWin.Trojan.Swrort-9902494-0\r\nWin.Exploit.PetitPotam-9902441-0\r\nWin.Trojan.MSILAgent-9904224-0\r\nWin.Malware.Agent-9904986-0\r\nWin.Malware.Agent-9904987-0\r\nWin.Malware.Agent-9904988-0\r\nWin.Malware.Agent-9904989-0\r\nWin.Malware.Agent-9904990-0\r\nWin.Downloader.DarkTortilla-9904993-0\r\nWin.Trojan.DarkTortilla-9904994-0\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. 
For specific OSqueries on this threat, click filepath and mutex.\r\nIOCs\r\nDomains\r\nfbi[.]fund\r\nxxxs[.]info\r\nIP addresses\r\n185[.]219[.]52[.]229\r\n168[.]119[.]93[.]163\r\n54[.]221[.]65[.]242\r\nURLs\r\nhxxp://fbi[.]fund/tortillas/tortilla.exe\r\nhxxp://fbi[.]fund/dark.exe\r\nhxxp://fbi[.]fund/tortillas/tore.exe\r\nhxxp://185[.]219[.]52[.]229/tortillas/tortilla.exe\r\nhxxp://185[.]219[.]52[.]229/tortillas/tore.exe\r\nhxxp://185[.]219[.]52[.]229/tortilla.exe\r\nhxxp://185[.]219[.]52[.]229:8080/vefEPjwOdNF9qNw.hta\r\nhxxps://pastebin[.]pl/view/raw/a57be2ca\r\nMutex\r\nDoYouWantToHaveSexWithCuongDong\r\nWallet\r\n46zdZVRjm9XJhdjpipwtYDY51NKbD74bfEffxmbqPjwH6efTYrtvbU5Et4AKCre9MeiqtiR51Lvg2X8dXv1tP7nxLaE\r\nEmail IDs\r\nmitnickd@ctemplar[.]com\r\nzar8b@tuta[.]io\r\nHashes\r\nMost notable MITRE ATT\u0026CK framework tactics and techniques of this campaign:\r\nExecution T1059 Command and Scripting Interpreter\r\nPrivilege Escalation T1055 Process Injection\r\nDefense Evasion T1553.005 Subvert 
Trust Controls: Mark-of-the-Web Bypass\r\nT1564.004 Hide Artifacts: NTFS File Attributes\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nT1112 Modify Registry\r\nT1553.004 Subvert Trust Controls: Install Root Certificate\r\nT1027 Obfuscated Files or Information\r\nDiscovery T1518 Software Discovery\r\nCollection T1185 Man in the Browser\r\nT1025 Data from Removable Media\r\nCommand and Control T1092 Communication Through Removable Media\r\nT1105 Ingress Tool Transfer\r\nImpact T1490 Inhibit System Recovery\r\nSource: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html"
	],
	"report_names": [
		"babuk-exploits-exchange.html"
	],
	"threat_actors": [
		{
			"id": "8bd26575-9221-47d1-9d8b-5c18354dc1bd",
			"created_at": "2022-10-25T16:07:24.335Z",
			"updated_at": "2026-04-10T02:00:04.94173Z",
			"deleted_at": null,
			"main_name": "Tortilla",
			"aliases": [],
			"source_name": "ETDA:Tortilla",
			"tools": [
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper",
				"Vasa Locker"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30ad6651ace290ebc521ef6732d1dae186eab3f3.pdf",
		"text": "https://archive.orkl.eu/30ad6651ace290ebc521ef6732d1dae186eab3f3.txt",
		"img": "https://archive.orkl.eu/30ad6651ace290ebc521ef6732d1dae186eab3f3.jpg"
	}
}