{
	"id": "a7b6628f-fbab-4a48-870c-83f8d71609e3",
	"created_at": "2026-04-06T00:08:34.088858Z",
	"updated_at": "2026-04-10T13:11:21.419819Z",
	"deleted_at": null,
	"sha1_hash": "4b1f494889ed4cd6a51ca0d9f3939ea8655d55bb",
	"title": "Cyble - Mallox Ransomware showing signs of Increased Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1784262,
	"plain_text": "Cyble - Mallox Ransomware showing signs of Increased Activity\r\nBy cybleinc\r\nPublished: 2022-12-08 · Archived: 2026-04-05 23:43:29 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes a surge in activity from the Mallox Ransomware group and details how\r\nit operates in this analysis.\r\nRansomware potentially targeting organizations dealing in Critical Infrastructure\r\n“TargetCompany” is a type of ransomware that was first identified in June 2021. The researchers named it\r\nTargetCompany ransomware because it adds the targeted company name as a file extension to the encrypted files. In\r\nSeptember 2022, researchers identified a TargetCompany ransomware variant targeting Microsoft SQL servers and\r\nadding the “Fargo” extension to the encrypted files. TargetCompany ransomware is also known to add a “Mallox”\r\nextension after encrypting the files.\r\nCyble Research and Intelligence Labs (CRIL) recently observed a spike in Mallox ransomware samples. The figure\r\nbelow shows the statistics of Mallox Ransomware samples in the wild, indicating that the ransomware is active,\r\nspreading rapidly, and infecting users in recent weeks.\r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/\r\nPage 1 of 13\n\nFigure 1 – Timeline of Samples Count Observed In The Wild\r\nThese Mallox ransomware samples are downloaded and loaded by an unknown loader. The loader further downloads\r\nMallox ransomware from the remote server and encrypts files in the victim’s machine. Additionally, the ransomware\r\ngroup maintains a leak site with information related to the victims of the ransomware attacks. The figure below\r\nshows the leak site of Mallox Ransomware.\r\nFigure 2 – Mallox Ransomware Leak Site\r\nTechnical Analysis\r\nLoader analysis:\r\nAn unknown .NET-based loader downloads Mallox ransomware. 
Our research indicates that the loader is known to\r\nbe downloading other malware families such as AgentTesla, Remcos, Snake Keylogger, etc. This loader usually arrives\r\nvia spam email in different flavors to lure users into downloading and executing the email attachment.\r\nThe loader acts as a downloader that downloads encrypted malicious content from the remote server, decrypts it in\r\nthe loader’s memory, and executes it. The loader executes the malicious content in memory without saving the\r\nactual payload to disk, to evade anti-virus detection. The loader downloads encrypted payloads with an image file\r\nextension such as png, jpeg, or bmp.\r\nThe loader is a 32-bit .NET executable with the file name “Cqasdqtamip.exe” and SHA256\r\ne3a0bbd623db2b865fc3520c8d05e8b92016af2e535f0808460295cb8435836a. Additional details are shown in the\r\nfigure below.\r\nFigure 3 – File Details of Mallox Loader\r\nUpon execution, the loader downloads the encrypted malicious content from the URL\r\nhxxp://80[.]66[.]75[.]98/Chseiyk.jpeg.\r\nThe figure below shows the hardcoded URL and code to download the file.\r\nFigure 4 – Malicious URL and Code to Download the Encrypted Payload\r\nAfter downloading, the loader keeps the encrypted content in memory to decrypt it. 
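As an added example for the download step above (this is not code from the Cyble post or from the loader; the byte samples are constructed, and the 7.5 bits/byte threshold is this example's own assumption), a short Python check that asks the question a proxy or sandbox should ask about a file named Chseiyk.jpeg: do the bytes match the magic of the claimed image type, and if not, are they a plain PE or high-entropy data of the kind AES output produces?

```python
import math
import random
from collections import Counter

# Magic bytes for the image extensions the loader is described as using
# for its encrypted payloads (png, jpeg, bmp).
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".bmp": b"BM",
}
PE_MAGIC = b"MZ"
# Ciphertext and compressed data sit close to 8 bits/byte; text and
# zero-padded headers sit far below. The threshold is a working assumption.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_download(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes actually are."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "no_image_extension"            # out of scope for this check
    if data.startswith(expected):
        return "image"                         # extension and content agree
    if data.startswith(PE_MAGIC):
        return "pe_disguised_as_image"         # unencrypted executable
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted_disguised_as_image"  # the Mallox loader pattern
    return "mismatch_low_entropy"              # e.g. an HTML error page


def constructed_samples() -> dict:
    """Constructed inputs; none of these bytes come from the real samples."""
    rng = random.Random(2022)  # deterministic stand-in for AES output
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "Chseiyk.jpeg": ciphertext,                   # name from the post, bytes constructed
        "logo.png": IMAGE_MAGIC[".png"] + bytes(64),  # genuine-looking image header
        "icon.bmp": PE_MAGIC + b"\x90" * 62,          # plain PE behind an image extension
        "404.png": b"<html><body>Not Found</body></html>",
        "setup.exe": PE_MAGIC + bytes(62),            # not claiming to be an image
    }


def triage(samples: dict) -> dict:
    """Map each filename to its classification."""
    return {name: classify_download(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in triage(constructed_samples()).items():
        print(f"{name:14s} {label}")
```

Entropy alone does not separate ciphertext from a real JPEG, because compressed image data is also close to 8 bits/byte; the magic-byte mismatch is the primary signal, and entropy only distinguishes an encrypted blob from, say, an HTML error page served under the same name.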
The malicious content is\r\nencrypted with the AES encryption algorithm using the key “Cwgoawrnxz”, which is hardcoded in the loader’s\r\nbinary.\r\nThe figure below shows the encrypted payload in memory and the decryption key.\r\nFigure 5 – Loader Code to Decrypt the Malicious Content\r\nThe loader now decrypts the payload to get the actual ransomware binary in memory and then executes this\r\nbinary to perform the ransomware activities. The figure below shows the decrypted ransomware DLL file in\r\nmemory.\r\nFigure 6 – Routine to Decrypt Downloaded Payload\r\nMallox Ransomware Payload Analysis:\r\nThe downloaded and decrypted file is a 32-bit .NET-based DLL with the name “Wwxjdcapjnmuq.dll” and SHA256\r\nb64606198c158f79287b215343d286adf959e89acb054f8f3db706f3c06f48aa.\r\nThe following figure shows additional details.\r\nFigure 7 – Details of Malicious DLL Payload\r\nThe DLL file is further obfuscated with the IntelliLock obfuscator to make malware reversal more difficult. The\r\nloader now loads the decrypted ransomware DLL as an assembly using the Assembly.Load() function.\r\nAfter loading the DLL, the loader enumerates methods from the DLL file and creates a list of method names and objects\r\nfrom the loaded assembly. 
The loader now creates a thread pool of the methods for executing the ransomware code.\r\nThe figure below shows the code to load the DLL as an assembly, create the list of methods, and create the thread pool for\r\nexecuting the ransomware code.\r\nFigure 8 – Code to Dynamically Load the Methods from the Ransomware\r\nAfter creating the thread pool, the loader uses the InvokeMember() function to execute the threads for the list of\r\npreviously created methods. The following figure shows the code to execute threads for the methods created from the\r\nloaded assembly.\r\nFigure 9 – Code to Execute the Methods for Ransomware Operation\r\nAfter execution, the ransomware drops a batch file “Axfiysgodhtrlqmrgpchkiller.bat” into the temp folder and\r\nexecutes it. This batch file stops numerous services and programs so that files held open by them (which would otherwise be locked) can be encrypted without any\r\ninterruption during the encryption process.\r\nThe following figure shows the contents of the batch file.\r\nFigure 10 – Contents of the Batch File\r\nInterestingly, the ransomware also stops GPS-related programs, indicating that the ransomware could be targeting\r\norganizations dealing in the critical infrastructure sector.\r\nThe figure below shows the commands to stop running GPS-related programs.\r\nFigure 11 – Batch File Containing GPS-Related Program\r\nThe ransomware disables several services and stops running programs on the system. 
Some important services and\r\nprograms are:\r\nDatabase Related Services: MSSQL, MSSQL Server, PostgreSQL, Oracle, etc.\r\nBackup Related Services: VSS, Veeam, etc.\r\nWindows Related Programs: OneDrive, Excel, Outlook, WinWord, etc.\r\nFile Sharing and Server Related Programs: FileZilla FTP Server, Apache Tomcat Server, Microsoft\r\nExchange Server, OpenSSH, WAMP Server, Nginx, etc.\r\nBusiness Management Software: SAP Business One, Jenkins, Redis, SVN Server, Turbo CRM, Kingdee,\r\netc.\r\nVirtualization Programs and Services: VirtualBox, VMware, etc.\r\nGPS Related Programs and Services: GPSDaemon, GPSUserSvr, GPSDownSvr, GPSStorageSvr, GPSDataProcSvr,\r\nGPSGatewaySvr, etc.\r\nBefore encrypting the files, the ransomware exfiltrates system information such as operating system version,\r\ndesktop name, etc., and sends it to the Command \u0026 Control (C\u0026C) server using a POST request as shown below.\r\nFigure 12 – Victim information being exfiltrated to Ransomware’s C\u0026C\r\nThe ransomware then encrypts the files, appends “.Mallox” as a file extension, and drops a ransom note in the\r\nfolders, as shown below.\r\nFigure 13 – Encrypted Files and Ransom Note\r\nThe figure below shows the ransom note dropped on the victim system.\r\nFigure 14 – Contents of the Mallox Ransomware Note\r\nThe ransom note also contains a private chat link for the victims to connect with the Threat Actor. 
The chat page\r\ncontains information such as TargetID, hard disk size, payment details, etc.\r\nThe TA has also provided a feature on the chat page for victims to upload encrypted samples to test the\r\ndecryption.\r\nFigure 15 – Victim’s chat page\r\nConclusion\r\nOver the last few days, we have observed increased levels of activity from the Mallox ransomware group. The\r\nransomware group is using an unknown loader for downloading and executing the ransomware.\r\nAdditionally, Mallox ransomware stops GPS-related services, indicating that its targets could be organizations\r\ndealing in Operational Technology and Critical Infrastructure.\r\nOur Recommendations\r\nWe have listed some of the essential cybersecurity best practices that create the first line of control against attackers.\r\nWe recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Ransomware Attacks\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices\r\nwherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers Should Take the Following Steps After a Ransomware Attack\r\nDetach infected devices from the network.\r\nDisconnect external storage devices if connected.\r\nInspect system logs for suspicious events.\r\nImpact And Cruciality of Ransomware\r\nLoss of valuable data.\r\nLoss of the organization’s reputation and integrity.\r\nLoss of the organization’s sensitive business information.\r\nDisruption in organization operations.\r\nMonetary loss. 
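The batch file described in the Technical Analysis section stops database, backup, office, server, business, virtualization and GPS-related services before encryption starts. As an added example (not from the Cyble post and not the malware's own code), the Python below parses a batch script's net stop, sc stop and taskkill lines and groups the targets into those categories. SAMPLE_BATCH is a constructed stand-in, since the real Axfiysgodhtrlqmrgpchkiller.bat contents appear only in the post's figures, and the "backup plus two other categories" rule is this example's own heuristic.

```python
import re

# Target classes as the post lists them; matching is case-insensitive
# substring on the service or image name. Short keys such as "sap" can
# over-match, so the output is a triage signal, not a verdict on its own.
TARGET_CATEGORIES = {
    "database": ("mssql", "sql server", "postgres", "oracle"),
    "backup": ("vss", "veeam"),
    "office": ("onedrive", "excel", "outlook", "winword"),
    "servers": ("filezilla", "tomcat", "exchange", "openssh", "sshd", "wamp", "nginx"),
    "business": ("sap", "jenkins", "redis", "svn", "crm", "kingdee"),
    "virtualization": ("virtualbox", "vbox", "vmware"),
    "gps": ("gps",),
}

# Batch-file verbs that stop a service or kill a process; quoted or bare names.
_NAME = r'(?:"([^"]+)"|(\S+))'
_PATTERNS = (
    ("net stop", re.compile(r"^\s*net\s+stop\s+" + _NAME, re.I)),
    ("sc stop", re.compile(r"^\s*sc\s+stop\s+" + _NAME, re.I)),
    ("taskkill", re.compile(r"^\s*taskkill\b.*?/im\s+" + _NAME, re.I)),
)


def extract_kill_targets(script: str) -> list:
    """Return (verb, target) for each stop/kill line in a batch script."""
    found = []
    for line in script.splitlines():
        for verb, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                found.append((verb, (m.group(1) or m.group(2)).strip()))
                break
    return found


def categorize(targets: list) -> dict:
    """Group target names by the category of software they belong to."""
    hits = {}
    for _, name in targets:
        lname = name.lower()
        for category, keys in TARGET_CATEGORIES.items():
            if any(k in lname for k in keys):
                hits.setdefault(category, set()).add(name)
                break
    return hits


def assess(script: str) -> dict:
    """Judge whether a script looks like a pre-encryption service killer.

    Heuristic (this example's assumption): a script that stops backup
    services and at least two other categories from the list above is
    behaving like the Mallox batch file. GPS services are flagged
    separately because the post singles them out."""
    targets = extract_kill_targets(script)
    categories = categorize(targets)
    if "backup" in categories and len(categories) >= 3:
        verdict = "likely pre-encryption service kill"
    elif targets:
        verdict = "service control script, review"
    else:
        verdict = "no stop/kill commands"
    return {
        "targets": targets,
        "categories": categories,
        "gps_targeted": "gps" in categories,
        "verdict": verdict,
    }


# Constructed stand-in for Axfiysgodhtrlqmrgpchkiller.bat; the real file's
# contents appear only in the post's figures and are not reproduced here.
SAMPLE_BATCH = """@echo off
net stop MSSQLSERVER /y
net stop "SQL Server (MSSQLSERVER)" /y
net stop VSS /y
net stop VeeamBackupSvc /y
taskkill /f /im excel.exe
taskkill /f /im outlook.exe
taskkill /f /im winword.exe
sc stop GPSDaemon
net stop GPSGatewaySvr /y
taskkill /f /im vmware.exe
"""

if __name__ == "__main__":
    result = assess(SAMPLE_BATCH)
    for category, names in sorted(result["categories"].items()):
        print(f"{category:15s} {sorted(names)}")
    print("GPS targeted:", result["gps_targeted"])
    print("Verdict:", result["verdict"])
```

In practice the same categorization runs over the command lines recorded by process-creation telemetry rather than over a recovered file, since the batch file lives only briefly in the temp folder; the stop of VSS alongside database services is the combination worth alerting on, because legitimate maintenance scripts rarely touch both.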
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1562 | Impair Defenses\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nImpact | T1486 | Data Encrypted for Impact\r\nCommand and Control | T1071 | Application Layer Protocol\r\nExfiltration | T1020 | Automated Exfiltration\r\nIoCs\r\nIndicator | Indicator Type | Description\r\n2456c01f5348e5c08f7e818d51862c1a | MD5 | Mallox Loader\r\n625be3e4dbfb0bd35c9cda216a9bca7232dbec07 | SHA1 | Mallox Loader\r\n34da973f1d154672b245f7a13e6268b4ffc88dea1ca608206b32759ec5be040c | SHA256 | Mallox Loader\r\nb739be28cb9a30868112d4786bc11d37 | MD5 | Chseiyk.jpeg Encrypted Payload\r\n296e19773f6fb7190d914ac556abe0125e5d7aa5 | SHA1 | Chseiyk.jpeg Encrypted Payload\r\nb3ccec8ca26bc3b6597ddb0424a455eb7809e7608f5d62f6c7f5d757d4d32253 | SHA256 | Chseiyk.jpeg Encrypted Payload\r\n86344d7e6e5b371717313032632cbbe1 | MD5 | Mallox Payload\r\n3921694be80b2fd5d8007c8155bee018c32fecbb | SHA1 | Mallox Payload\r\nb64606198c158f79287b215343d286adf959e89acb054f8f3db706f3c06f48aa | SHA256 | Mallox Payload\r\n688e0b37794395cfecaf9cc519e3c26a | MD5 | Mallox Loader\r\nd215d4166dfa07be393459c99067319036eb80ba | SHA1 | Mallox Loader\r\n77fdce66e7f909300e4493cbe7055254f7992ba65f9b7445a6755d0dbd9f80a5 | SHA256 | Mallox Loader\r\n6080b540d975b7a4f66cd54ee83ed600 | MD5 | Mallox Loader\r\n62324b38a5a5a2533f3bd401d7afd1c6c4235b08 | SHA1 | Mallox Loader\r\n89c9c14af6ab4f3f93705325dbc32bde6c232d26d22e8f835db24efc18007ea4 | SHA256 | Mallox Loader\r\n2ffae162e07ba8debdf25694e8fd8325 | MD5 | Mallox Loader\r\na1289c3e585e091a7c8f89869a76e40f7e3880fd | SHA1 | Mallox Loader\r\nd691f44b587c6ed47c2d57b2bf99323877821a318cb0d5aa9899c40a44e81ef3 | SHA256 | Mallox Loader\r\ncacbed12b83529ebb99b0297d52b0749 | MD5 | Mallox Loader\r\ndb6d67f55bce0425baef2348e70f1478d022820e | SHA1 | Mallox Loader\r\n58726aac2652bedfe47b7e1c73ba39d028e2e6ad188f4ed735d614097be4a23b | SHA256 | Mallox Loader\r\nda3f02b82e982f5ce5a71d769a067f3b | MD5 | Mallox Loader\r\ne165cac5ab2b2312f7ed8569c69a75bae48b8316 | SHA1 | Mallox Loader\r\n7164ba41639c8edcd9ff1cf41a806c9a23de566b56a7f34a0205ba1f84575a48 | SHA256 | Mallox Loader\r\n38454291f7b871d71a512b5dd5100d9e | MD5 | Mallox Loader\r\n9e9c04f00822aacaa15d0bcc4749f8e6920d4550 | SHA1 | Mallox Loader\r\n45391bfbb06263f421ac739e1e4b438fb99a0757dcecc68de79b2dbe02c1641e | SHA256 | Mallox Loader\r\n7be2a76577f6ee05ec08c77c41cd9dd4 | MD5 | Mallox Loader\r\nf3cfca7a2160559aa62b4cf42cd15870a4abcae7 | SHA1 | Mallox Loader\r\n87a923319c6ea74a9cef5ed7528afdbd4a05e7600ce7f4359e5990ff8769a2ff | SHA256 | Mallox Loader\r\n6e542eda455e8c8600df96874c8deceb | MD5 | Mallox Loader\r\n670530d36967c5927955d31052dff165a187c1f2 | SHA1 | Mallox Loader\r\nd755cd96077cebbed84a86e69d1fd84b95e3e5763abc8ac8ec0a7f1df30e9585 | SHA256 | Mallox Loader\r\nhxxp://80[.]66[.]75[.]98/Chseiyk.jpeg | URL | Malicious URL (encrypted payload download)\r\nhxxp://193[.]106[.]191[.]141/QWEwqdsvsf/ap.php | URL | Connected URL\r\nSource: https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/"
	],
	"report_names": [
		"mallox-ransomware-showing-signs-of-increased-activity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b1f494889ed4cd6a51ca0d9f3939ea8655d55bb.pdf",
		"text": "https://archive.orkl.eu/4b1f494889ed4cd6a51ca0d9f3939ea8655d55bb.txt",
		"img": "https://archive.orkl.eu/4b1f494889ed4cd6a51ca0d9f3939ea8655d55bb.jpg"
	}
}