{
	"id": "cbd50c1d-271c-425f-8a1c-291a7da4166f",
	"created_at": "2026-04-06T00:21:14.530696Z",
	"updated_at": "2026-04-10T13:11:35.515118Z",
	"deleted_at": null,
	"sha1_hash": "49a118a79e4db2c1ff01b814c27465993a68c38c",
	"title": "Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1957896,
	"plain_text": "Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation - ASEC\r\nBy ATCP\r\nPublished: 2023-02-01 · Archived: 2026-04-02 11:52:34 UTC\r\nThe ASEC analysis team has recently discovered the distribution of Paradise ransomware. The threat actors are suspected of exploiting a vulnerability in the Chinese remote control program AweSun. In the past, the team also found and covered the distribution of Sliver C2 and BYOVD through a vulnerability in Sunlogin, another remote control program developed in China.\r\nSliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations\r\n1. AweSun Vulnerability Exploitation\r\nWhile monitoring Sliver C2 attack cases, the team also discovered that threat actors had installed Sliver C2 through the AweSun remote control program developed by AweRay. [1]\r\nFigure 1. Remote control program AweSun\r\nhttps://asec.ahnlab.com/en/47590/\r\nPage 1 of 9\r\nFigure 2. Sliver C2 installed by PowerShell that was generated by AweSun\r\nDetailed information about the AweSun vulnerability exploitation has yet to be confirmed. However, considering that this is the same threat actor that exploited the Sunlogin vulnerability, and that Sliver C2 was installed by a PowerShell process generated by a child process of AweSun, we can speculate that this attack was also a vulnerability exploitation. While the latest version of AweSun.exe now exceeds v2.0, the AweSun versions used in the attacks were v1.5 and v1.6, which were released several years ago.\r\nAdditionally, the command used in the attack includes a ping similar to the one in the PoC for the Sunlogin vulnerability. Although it is currently impossible to download anything from this address, we can infer from the URL format that it is a command that installs Cobalt Strike.\r\nFigure 3. Command used to exploit AweSun vulnerability\r\nIt appears that the threat actor is exploiting the AweSun vulnerability at the same time as the Sunlogin vulnerability. The Sliver and BYOVD malware mentioned above have been found in both vulnerability exploitation cases, along with an XMRig CoinMiner.\r\nThis post will focus on the Paradise attack case, since it is the most recent case of this vulnerability exploitation. The following is AhnLab’s ASD (AhnLab Smart Defense) log, which shows that the Paradise ransomware, “DP_Main.exe,” was installed by the cmd and PowerShell processes generated by AweSun.\r\nFigure 4. Paradise ransomware installation log\r\nParadise ransomware download URL: hxxps://upload.paradisenewgenshinimpact[.]top/DP_Main.exe\r\n2. Analysis of Paradise Ransomware\r\nParadise, which is installed through an AweSun vulnerability exploitation, was first discovered in 2017 as a RaaS (Ransomware as a Service) type ransomware developed in .NET. [2]\r\nFigure 5. The main function of Paradise ransomware\r\nEncryption method: RSA-1024 / RSA-1024\r\nPaths excluded from encryption: “windows”, “firefox”, “chrome”, “google”, “opera”, “%APPDATA%\\DP\\” (installation paths)\r\nExtension: [id-EaObwi8A].[main@paradisenewgenshinimpact.top].honkai\r\nRansom note: DECRYPT MY FILES#.html\r\nOthers: Registers RUN key. Deletes volume shadow service\r\nTable 1. Ransomware overview\r\nParadise utilizes various configuration files. After the encryption process completes, the “%APPDATA%\\DP\\welldone.dp” file is generated. If the file already exists, the encryption stage is skipped and the ransom note is shown. Paradise relaunches itself with administrator privileges if it is executed without them, since the ransomware needs them to encrypt the system; at this stage the “%APPDATA%\\DP\\RunAsAdmin.dp” file is used. PCID is the value that identifies the infected system; it is saved in the “id.dp” file, which is generated in the current path. The value is also used later for the ransom note and for sending the infection information to the C\u0026C server.\r\n%APPDATA%\\DP\\welldone.dp: Encryption behavior completion status\r\n%APPDATA%\\DP\\RunAsAdmin.dp: Admin privilege execution status\r\nCurrent Path\\id.dp: PCID\r\n%USERPROFILE%\\documents\\DecryptionInfo.auth and %PROGRAMFILES%\\DP\\DecryptionInfo.auth: RSA private key (encrypted through a master RSA public key), RSA public key\r\nTable 2. Settings file\r\nParadise generates a 1024-bit RSA key and uses it to encrypt files. The ransomware encrypts the RSA private key necessary for file decryption using the threat actor’s master RSA public key, which is saved in the settings data.\r\nFigure 6. Settings file where the master RSA public key is saved\r\nAmong the settings files, “DecryptionInfo.auth” contains the generated RSA public key together with the RSA private key, which has been encrypted with the threat actor’s master RSA public key.\r\nFigure 7. DecryptionInfo.auth file\r\nExclusion from encryption is based on folder paths: “windows”, “firefox”, “chrome”, “google”, “opera” and “%APPDATA%\\DP\\”. This means that all other paths are targeted, excluding only the settings paths. A distinctive characteristic of Paradise is that it sets the “mysql,” “firebird,” “mssql,” “microsoft sql,” and “backup” paths as high-priority encryption targets.\r\nFigure 8. Encrypted files\r\nFurthermore, this ransomware can create a copy of itself at %APPDATA%\\DP\\DP_Main.exe and register it in the RUN key, and it deletes the volume shadow service using the following command.\r\n“cmd.exe” /C sc delete VSS\r\nAfter the encryption process is finished, Paradise transfers basic information such as the PCID and computer name, along with the number of encrypted files and the time it took to finish encryption, to the C\u0026C server.\r\nv: vector (hard-coded)\r\nfc: Number of encrypted files\r\ncomputer_name: Computer name\r\net: Time taken for encryption\r\ndecryption_info: RSA private key (encrypted through a master RSA public key)\r\nid: PCID\r\nTable 3. Data delivered to C\u0026C server\r\nFigure 9. Data delivered to C\u0026C server\r\nFinally, it displays a ransom note to notify the user that they have been infected by ransomware. The note includes an email address and a Bitcoin wallet address as means of contact.\r\nBitcoin wallet address: 392vKrpVxMF7Ld55TXyXpJ1FUE8dgKhFiv\r\nThreat actor’s email address: main@paradisenewgenshinimpact.top\r\nFigure 10. Ransom note – 1\r\nFigure 11. Ransom note – 2\r\n3. Conclusion\r\nWe have found recent cases where various ransomware, including Paradise, were installed on vulnerable software that did not have recent patches applied. Therefore, users must update their installed software to the latest version to preemptively prevent vulnerability exploitation. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Trojan/Win.Agent.C4590824 (2021.08.15.00)\r\nBehavior Detection\r\n– Execution/MDP.Powershell.M1185\r\n– Execution/MDP.Powershell.M2514\r\n– Persistence/MDP.AutoRun.M224\r\n– Ransom/MDP.Decoy.M1171\r\nMD5\r\n5cbbc1adfd22f852a37a791a2415c92c\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//upload[.]paradisenewgenshinimpact[.]top[:]2095/api/Encrypted[.]php\r\nhttps[:]//upload[.]paradisenewgenshinimpact[.]top/DP_Main[.]exe\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/47590/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/47590/"
	],
	"report_names": [
		"47590"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49a118a79e4db2c1ff01b814c27465993a68c38c.pdf",
		"text": "https://archive.orkl.eu/49a118a79e4db2c1ff01b814c27465993a68c38c.txt",
		"img": "https://archive.orkl.eu/49a118a79e4db2c1ff01b814c27465993a68c38c.jpg"
	}
}