{
	"id": "a95a7b84-c880-407d-a738-4e32e7a0588c",
	"created_at": "2026-04-06T00:09:31.239157Z",
	"updated_at": "2026-04-10T13:12:23.704011Z",
	"deleted_at": null,
	"sha1_hash": "541027e28a89364bd51eff4b0bb460c497f51beb",
	"title": "More Russian language malspam pushing Shade (Troldesh) ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2547967,
	"plain_text": "More Russian language malspam pushing Shade (Troldesh) ransomware\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:14:34 UTC\r\nIntroduction\r\nRussian language spam pushing Shade ransomware (also known as Troldesh ransomware) has remained active since my previous ISC diary about it on 2018-11-29. However, sometime in February 2019, this malicious spam (malspam) altered its tactics slightly. Instead of a zip archive directly attached to the malspam, recent emails have attached PDF files with links to download the zip archive. Otherwise, this infection activity remains relatively unchanged.\r\nDetails\r\nMalspam pushing Shade has a variety of subjects, spoofed sending addresses, and message text. The common theme is some sort of order or invoice. The attached PDF files have links to download an alleged invoice, which was saved as pic.zip when I checked.\r\nhttps://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/\r\nPage 1 of 6\r\nShown above: From malspam to PDF to downloaded zip archive.\r\nPic.zip contained a JavaScript (.js) file designed to infect a vulnerable Windows host when double-clicked. Infection traffic remained similar to previous examples of Shade ransomware, and my infected Windows host exhibited the expected behavior.\r\nShown above: Downloaded zip archive and extracted .js file.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nShown above: Desktop of an infected Windows host.\r\nShown above: Decryption instructions from the Tor page.\r\nIndicators of compromise (IoCs)\r\nThe following are indicators associated with today's infection:\r\nSHA256 hash: 6950efbd9d6d10fdd8f644a71b30e53a8d1dbd64976279d8a192a0c9459d06e1\r\nFile name: pic.zakaz.pdf\r\nFile size: 18,831 bytes\r\nFile description: PDF attachment from malspam pushing Shade/Troldesh ransomware\r\nSHA256 hash: e76b93f6ab032e16f5f1d600cb061db49a10538b10a063561df95be94156ac0b\r\nFile name: pic.zip\r\nFile size: 3,493 bytes\r\nFile location: hxxp://simplerlife[.]pl/wp-content/themes/hueman/assets/admin/css/pic.zip\r\nFile description: Downloaded zip archive from link in PDF attachment\r\nSHA256 hash: 17539e1a0c33fe2f98fa1b8fa282f9f3786ba15419e30ae6c4171ccff65338c9\r\nFile size: 6,932 bytes\r\nFile description: .js file extracted from pic.zip\r\nSHA256 hash: 33dde2eed8ccb2b74c9d0feaf19c341354e54cb5d2c9e475507ff3fe22240381\r\nFile size: 1,254,664 bytes\r\nFile location: hxxp://sidneyyin[.]com/templates/joomlage0084-aravnik/css/msg.jpg\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8EEC7.tmp\r\nFile location: C:\\ProgramData\\Windows\\csrss.exe\r\nFile description: Downloaded zip archive from link in PDF attachment\r\nTraffic from an infected Windows host:\r\n62.212.69[.]227 port 80 - simplerlife[.]pl - GET /wp-content/themes/hueman/assets/admin/css/pic.zip\r\n74.220.207[.]61 port 80 - sidneyyin[.]com - GET /templates/joomlage0084-aravnik/css/msg.jpg\r\nVarious IP addresses over various TCP ports - Tor traffic\r\nport 80 - whatismyipaddress.com - GET /\r\nport 80 - whatsmyip.net - GET /\r\nEmail address and URLs from the decryption instructions:\r\npilotpilot088@gmail.com\r\nhxxp://cryptsen7fo43rr6[.]onion/\r\nhxxp://cryptsen7fo43rr6[.]onion.to/\r\nhxxp://cryptsen7fo43rr6[.]onion.cab/\r\nFinal words\r\nAs I stated last time, Russian language malspam pushing Shade/Troldesh ransomware is nothing new. Since I first posted a diary about it back in 2016, it's never disappeared for long. Nor is this malspam limited to Russian language. An example I documented in 2017 was from English malspam. This diary is yet another reminder that the criminals behind this malware remain active.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/"
	],
	"report_names": [
		"24668"
	],
	"threat_actors": [],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/541027e28a89364bd51eff4b0bb460c497f51beb.pdf",
		"text": "https://archive.orkl.eu/541027e28a89364bd51eff4b0bb460c497f51beb.txt",
		"img": "https://archive.orkl.eu/541027e28a89364bd51eff4b0bb460c497f51beb.jpg"
	}
}