{
	"id": "c7ae78f9-730d-4eb3-a5c1-fe0b682fc110",
	"created_at": "2026-04-06T00:19:52.563419Z",
	"updated_at": "2026-04-10T03:20:16.472668Z",
	"deleted_at": null,
	"sha1_hash": "513e71d6cdfdc6df7fc05049f5fed43368dcbf16",
	"title": "Threat actor believed to be spreading new MedusaLocker variant since 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 646803,
	"plain_text": "Threat actor believed to be spreading new MedusaLocker variant\r\nsince 2022\r\nBy Tiago Pereira\r\nPublished: 2024-10-03 · Archived: 2026-04-05 21:53:21 UTC\r\nCisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed\r\ndelivering a MedusaLocker ransomware variant. \r\nIntelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate\r\nthe number and countries of origin of this group’s victims. This actor has been active since at least late\r\n2022 and targets organizations worldwide, although the number of victims was higher than average in EU\r\ncountries until mid-2023 and, since then, in Latin American countries.\r\nThis threat actor was observed distributing a MedusaLocker ransomware variant known as\r\n“BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid_memes,” which is\r\nalso present in other tools observed during the attacks, presumably by the same author.\r\nTalos has new information on the attacker’s tools, including BabyLockerKZ, and attacker TTPs and IOCs to\r\nassist in detecting and preventing further attacks.\r\nTalos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as\r\n“BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the\r\nsame location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,”\r\nand the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to\r\nunderstand more about this threat actor. \r\nThis attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), and a set of tools\r\nbuilt by the same developer (possibly the attacker) to assist in credential theft and lateral movement in\r\ncompromised organizations. 
These tools are mostly wrappers around publicly available tools that include\r\nadditional functionality to streamline the attack process and provide graphical or command-line interfaces. \r\nThe same developer built the MedusaLocker variant used in the initial attack. This variant, which uses the same chat\r\nand leak site URLs, contains several differences from the original MedusaLocker ransomware, such as a different\r\nautorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the\r\nattackers call this variant “BabyLockerKZ.” \r\nWe assess with medium confidence that the actor is financially motivated, likely working as an initial access broker (IAB) or an affiliate\r\nof a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor\r\nopportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European\r\ncountries, but since the first quarter of 2023, the group’s focus shifted toward Latin American countries and, as a\r\nresult, the number of victims per month almost doubled.\r\nTracking BabyLockerKZ across the globe\r\nhttps://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/\r\nPage 1 of 10\n\nIntelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of\r\nvictims and their countries of origin. Although this is unlikely to capture all of the adversary’s activities, it\r\nstill provides a look at a specific window of activity.\r\nThe actor has been active since at least October 2022. At that time, the targets were mostly located in European\r\ncountries such as France, Germany, Spain or Italy. During the second quarter of 2023, the attack volume per\r\nmonth almost doubled, and the group shifted its focus toward Latin American countries such as Brazil, Mexico,\r\nArgentina and Colombia, as shown in the chart below. 
The attacks kept a steady volume of around 200 unique IPs\r\ncompromised per month until the first quarter of 2024, when the attacks decreased.\r\nThe actor has consistently compromised a large number of organizations, often more than 100 per month, since at\r\nleast 2022. This reveals the professional and highly aggressive nature of the attacks and is consistent with the\r\nactivity we would expect from an IAB or ransomware affiliate.\r\nAttacker TTPs and tools\r\nDuring the attack leading to the deployment of BabyLockerKZ, the adversary used several publicly known\r\nattack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or\r\nDocuments user folders of compromised systems to store attack tools. For example, the following paths were used\r\nto store tools during this attack:\r\nc:\\users\\\u003cuser\u003e\\music\\advanced_port_scanner_2.5.3869.exe\r\nc:\\users\\\u003cuser\u003e\\music\\hrsword\\hrsword install.bat\r\nc:\\users\\\u003cuser\u003e\\music\\killav\\build.004\\disabler.exe\r\nc:/users/\u003cuser\u003e/music/checker/checker(222).exe\r\nc:/users/\u003cuser\u003e/music/checker/invoke-thehash.ps1\r\nc:/users/\u003cuser\u003e/music/checker/checker (222).exe\r\nc:/users/\u003cuser\u003e/music/checker/invoke-smbexec.ps1\r\nc:/users/\u003cuser\u003e/music/checker/invoke-wmiexec.ps1\r\nc:/users/\u003cuser\u003e/appdata/roaming/ntsystem/ntlhost.exe.exe\r\nc:/users/\u003cuser\u003e/appdata/local/temp/advanced port scanner 2/advanced_port_scanner.exe\r\nc:/users/\u003cuser\u003e/appdata/local/temp/is-juad3.tmp/advanced_port_scanner_2.5.3869.tmp\r\nThese are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February\r\n2023, which our telemetry suggests was a more active period for this threat actor.\r\nSome of the publicly known tools used by the 
attacker are:\r\nHRSword_v5.0.1.1.rar: A tool used to disable AV and EDR software.\r\nAdvanced_Port_Scanner_2.5.3869.exe: A network-scanning tool with several additional features to map\r\ninternal networks and devices.\r\nNetscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner.\r\nProcesshacker.exe: Process monitoring and administration software that allows a threat actor to enumerate and control\r\nprocesses running on the infected endpoint.\r\nPCHunter64.exe: A tool similar to Process Hacker.\r\nMimikatz: A tool to dump Windows user credentials from memory.\r\nWhile most of the tools the attacker uses are publicly available, they also use some tools that are not widely\r\ndistributed that streamline the attack process by automating the interaction between popular attack tools (e.g.,\r\nMimikatz, Invoke-TheHash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these\r\ntools, called “Checker,” was used in an attack that deployed BabyLockerKZ and shares a pivotal characteristic with\r\nBabyLockerKZ: the “Checker” tool has a PDB path containing the string “paid_memes.” Pivoting off this string,\r\nwe identified files on VirusTotal, of which most are BabyLockerKZ samples. 
We also discovered several other\r\ntools, which we’ll outline below.\r\nChecker tool\r\nChecker (E:\\paid_memes\\wmi_smb_rdp_checker\\Release\\checker.pdb) is an app that bundles several other freely\r\navailable apps and provides a GUI for management of credentials as the attackers proceed with lateral movement.\r\nIn particular, it contains a set of tools:\r\nRemote Desktop Plus\r\nPSEXEC\r\nMIMIKATZ\r\nAnd a set of scripts based on the Invoke-TheHash tool.\r\nThe tool also contains a GUI, as shown below, and a database to store the credentials.\r\nAs the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques\r\n(PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the\r\nattacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and\r\noffers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained\r\nor verified.\r\nPTH project\r\nThe name of PTH (D:\\Projects\\paid_memes\\PTH\\Release\\PTH.pdb) suggests the pass-the-hash technique, which uses\r\nNTLM hashes to authenticate remotely without having to crack the password. Looking at its resources, it embeds:\r\nInvoke-SMBClient.ps1\r\nInvoke-SMBEnum.ps1\r\nInvoke-SMBExec.ps1\r\nInvoke-TheHash.ps1\r\nInvoke-WMIExec.ps1\r\nThese were also used in the Checker tool and are part of Invoke-TheHash. According to the author: \r\n“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and\r\nSMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM\r\nhash into the NTLMv2 authentication protocol. 
Local administrator privilege is not required client-side.”\r\nMIMIK tool\r\nMIMIK (D:\\Projects\\paid_memes\\mimik\\Release\\stub_mimik.pdb) is a wrapper around Mimikatz and rclone that\r\ncan be used to steal credentials and automatically upload them to an attacker-controlled server. The following\r\nimage shows the terminal output for the tool.\r\nThe following command lines are examples of commands executed via the tool:\r\n64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit \r\nC:\\Users\\user\\Desktop\\64.exe 64.exe \"privilege::debug\" \"sekurlsa::logonPasswords\" \"token::elevate\"\r\n\"lsadump::sam full\" exit \r\n64.exe \"privilege::debug\" \"sekurlsa::logonPasswords\" \"token::elevate\" \"lsadump::sam full\" exit\r\nC:\\Users\\user\\Desktop\\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M\r\nC:\\Users\\user\\Desktop\\rclone.exe rclone rc operations/stat\r\nBabyLockerKZ\r\nBabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed\r\nby other researchers, although not specifically called out as a MedusaLocker variant with this name. \r\nA Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension\r\nused for encrypted files) and mentions the existence of the BabyLockerKZ registry key. \r\nAnother post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a\r\nMedusaLocker sample. \r\nThis variant has not been given much attention outside of that, though, possibly because it’s highly similar to\r\nMedusaLocker or because it uses the same chat and leak sites as MedusaLocker. 
But there are several notable\r\ndifferences between BabyLockerKZ and MedusaLocker, such as:\r\nNo {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.\r\nNo MDSLK reg key.\r\nThe PAIDMEMES public and private keys.\r\nThe BabyLockerKZ run key.\r\nThe use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they\r\nbelieve the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further\r\nresearch into the use of these keys might be a topic for another blog post.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them. \r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. 
SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0,\r\n1:63929:1:0\r\nClamAV detections are also available for this threat:\r\nWin.Ransomware.MedusaLocker-10035000-1\r\nWin.Tool.PassTheHash-10034996-0\r\nWin.Ransomware.MedusaLocker-10035000-0\r\nIndicators of Compromise\r\nIOCs for this research can be found at our Github repository here.\r\nPDB list:\r\nd:/projects/paid_memes/virus/release/stub.pdb\r\ne:/locker/bin/stub_win_x64_encrypter.pdb\r\ni:/locker/bin/stub_win_x64_encrypter.pdb\r\nd:/education/locker/bin/stub_win_x64_encrypter.pdb\r\nd:/education/locker/bin/stub_win_x86_encrypter.pdb\r\nd:/projects/paid_memes/wmi_smb_rdp_checker/release/checker.pdb\r\nd:/projects/paid_memes/mimik/release/stub_mimik.pdb\r\ni:/locker/x64/release/phantom.pdb\r\nd:/projects/paid_memes/pth/release/pth.pdb\r\nRegistry keys:\r\nHKEY_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PRIVATE\r\nHKEY_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PUBLIC\r\nHKEY_CURRENT_USER\\SOFTWARE\\PAIDMEMES\\PUBLIC\r\nHKEY_CURRENT_USER\\SOFTWARE\\PAIDMEMES\\PRIVATE\r\nHKCU\\SOFTWARE\\PAIDMEMES\\PUBLIC\r\nHKCU\\SOFTWARE\\PAIDMEMES\\PRIVATE\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ\r\nHKEY_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ\r\nExtension names observed being used by BabyLockerKZ samples:\r\ncrypto125\r\ncrypto1317\r\ncrypto165\r\ncrypto41\r\ncrypto76\r\nencrypted1\r\nhazard11\r\nhazard21\r\nhazard23\r\nhazard24\r\nhazard25\r\nhazard27\r\nhazard31\r\nhazard38\r\nhazard49\r\nhazard55\r\nhazard56\r\nhazard7\r\ninfected\r\nlock2\r\nlock3\r\nlock5\r\nlocked9\r\nlockfiles\r\nmeduza210\r\nrapid1\r\nrapid10\r\nreadtext13\r\nreadtext47\r\nreadtext49\r\nrecovery29\r\nrecovery70\r\nvirus2\r\nvirus3\r\nvirus57\r\nEncryption key BabyLockerKZ:\r\nPUTINHUILO1337\r\nMUTEX BabyLockerKZ:\r\nHOHOL1488\r\nSource: 
https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/"
	],
	"report_names": [
		"threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022"
	],
	"threat_actors": [],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/513e71d6cdfdc6df7fc05049f5fed43368dcbf16.pdf",
		"text": "https://archive.orkl.eu/513e71d6cdfdc6df7fc05049f5fed43368dcbf16.txt",
		"img": "https://archive.orkl.eu/513e71d6cdfdc6df7fc05049f5fed43368dcbf16.jpg"
	}
}