{
	"id": "2c203ade-5670-47e7-b15a-657384a8d7d7",
	"created_at": "2026-04-06T00:12:29.915643Z",
	"updated_at": "2026-04-10T03:21:55.028674Z",
	"deleted_at": null,
	"sha1_hash": "5a7d98b9119964308d95c009911b51f3ca256fce",
	"title": "Xollam the Latest Face of TargetCompany",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1914795,
	"plain_text": "Xollam the Latest Face of TargetCompany\r\nPublished: 2023-06-06 · Archived: 2026-04-05 17:17:52 UTC\r\nRansomware\r\nThis blog talks about the latest TargetCompany ransomware variant, Xollam, and the new initial access technique it uses. We also investigate previous variants' behaviors and the ransomware family's extortion scheme.\r\nBy: Earle Maui Earnshaw, Nathaniel Morales, Katherine Casona, Don Ovid Ladores Jun 06, 2023 Read time: 5 min (1438 words)\r\nAfter first being detected in June 2021, the TargetCompany ransomware family underwent several name changes that signified major updates in the ransomware family, such as modifications to its encryption algorithm and different decryptor characteristics.\r\nThe earliest samples of the TargetCompany ransomware appended victims’ files with the extension “.tohnichi,” the name of its victim enterprise at that time, signifying a targeted attack on the organization of the same name. As a result, it was initially known as the Tohnichi ransomware.\r\nLater, the group continued appending encrypted files with names based on its victims, such as “.artis” for the Artis Zoo in Amsterdam. Other extensions include “.herrco,” “.brg,” and “.carone.”\r\nIndustry experts later identified the ransomware as TargetCompany from the pattern it adopted of appending encrypted files with the name of the company it was targeting.\r\nThe variants Tohnichi (active in 2021), Mallox, and Fargo (both active in 2022) targeted vulnerabilities in Microsoft SQL (MS SQL) Server for initial access. We elaborate on the behavior of these variants in our Ransomware Spotlight: TargetCompany article.\r\nhttps://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html\r\nPage 1 of 7\r\nFigure 1. The infection chain of the earlier TargetCompany variants\r\nOur investigations show that its latest variant, Xollam, now deviates from the gang’s tried-and-tested initial access method. In this blog, we discuss this latest development in the TargetCompany ransomware’s behavior and look into its previous infection chains.\r\nSimultaneously active: Xollam and Mallox variants\r\nIn 2023, Xollam was observed following a technique similar to the one used by phishing campaigns: using Microsoft OneNote files as initial access to spread and deliver malware. This latest TargetCompany variant executed a spam campaign with malicious OneNote file attachments, a deviation from its roots of targeting vulnerable MS SQL databases.\r\nBased on our investigations, Xollam uses a pseudo-fileless technique through PowerShell, which uses reflective loading to download its payload.\r\nAs we discuss in later sections, we have also observed this technique in earlier variants of the TargetCompany ransomware.\r\nFigure 2. The attack flow of the latest TargetCompany variant, Xollam, which uses malicious OneNote files for initial access\r\nThe latest variant of the ransomware, Xollam, was detected in February this year.\r\nIn the same month, the older Mallox variant was also active, as it claimed the attack on the Federation of Indian Chambers of Commerce and Industry (FICCI). The gang released 1.28 GB of compressed datasets that included financial balance sheets, employee reimbursement details, bank statements and internet banking credentials, industry audit reports, and documents related to FICCI subcommittees.\r\nReflective loading, Mallox, and Fargo variants\r\nThe Mallox variant of the ransomware was first detected in the wild in October 2021. Later samples in January of the following year showed that the ransomware group started to employ reflective loading as part of its defense evasion.\r\nThe Mallox variant connects to an IP address to load the encrypted ransomware, with its download URL only available for approximately 24 hours. Notably, this made the dynamic analysis of old samples difficult.\r\nOur investigations revealed that the payload downloaded by the PowerShell script was a .NET downloader, which would subsequently retrieve an encrypted payload from the command-and-control (C\u0026C) server.\r\nThe downloaded file has a random file name and might have different extensions such as “.png,” “.bmp,” and “.jpg,” among others.\r\nFigure 3. A closer look at the reflective loading technique that TargetCompany threat actors incorporated; the IP address it connects to changes every 24 hours and deploys different payloads\r\nThe payload would then be decrypted through XOR or inversion and executed in memory. The specific payload that is downloaded varies depending on the link in the .NET downloader.\r\nFigure 4. Both Mallox and Fargo variants use a set of tools via remote desktop for defense evasion.\r\nIt’s important to note that reflective loading enabled the Mallox variant to evade traditional antivirus solutions, making it challenging for organizations to protect themselves against these attacks.\r\nMeanwhile, the Remcos backdoor payload is executed via WmiPrvSE.exe, and the payload most likely arrives by exploiting public-facing websites and domains.\r\nOur investigations showed that the gang used different sets of defense evasion and reconnaissance tools such as GMER and Advanced Process Termination to manually uninstall antivirus products on the target system. We also observed the presence of YDArk.exe (PCHunter64) for performing rootkit behaviors, and that TargetCompany attempts to terminate security-related processes and services by dropping KILLAV.\r\nIn addition, the ransomware drops a batch file named killer.bat that terminates various services and applications, including GPS-related services. Afterward, it proceeds to steal system information like machine details and other relevant data.\r\nFigure 5. TargetCompany ransomware defense evasion routine\r\nThe ransomware encrypts the victim's files using the ChaCha20 encryption algorithm and generates the encryption keys using a combination of Curve25519, an example of elliptic curve cryptography, and AES-128.\r\nIn June 2022, the gang targeted other victims with encrypted files appended with the extension “.fargo.” We also observed that, like Mallox, the Fargo variant employed reflective loading.\r\nIn the last two months of 2022, there was an increase in attacks launched by the TargetCompany ransomware using its Mallox variant.\r\nExtortion\r\nWhile the Mallox and Fargo variants were operating simultaneously in 2022, TargetCompany initiated its double-extortion scheme by setting up a Telegram channel where it could publish stolen information.\r\nIn August 2022, just two months after the group launched its Fargo variant, Mallox created a Twitter account where it could announce its victims. Since this account was eventually suspended, the threat actors created a new one.\r\nFigure 6. The first Twitter account (eventually suspended) that Mallox created for announcing its victims (top), and the new Twitter account that replaced it (bottom); the new account remains active as of this writing\r\nIn November of the same year, Mallox launched its data leak site where, as of writing, it has declared only 20 victims. However, our telemetry data revealed far more attacks at 269 attempts on Trend Micro customers from March 2022 to April 2023.\r\nIn a January 2023 interview, threat actors behind TargetCompany said that they choose only a small percentage of their victims to publish on their leak site. They also limit the amount of leaked data to what they deem particularly interesting and claim to have no intention of publishing everything.\r\nWhile the group said that it remains small and closed, the actors behind it mentioned that they are “open to suggestions.” Interestingly, a new member of the cybercrime forum RAMP under the name “Mallx” was observed recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) affiliate program.\r\nOur investigations also revealed that the ransomware might have connections with other groups such as the BlueSky ransomware, as well as the threat actors who perform brute-force attacks on MS SQL Servers. TargetCompany shares similarities with these groups in terms of threat actor profiles, targets, deployed remote control, and encryption algorithm. We discuss other possible affiliations, as well as victim profiles and behaviors, in our Spotlight feature article on the ransomware group.\r\nConclusion\r\nThe TargetCompany ransomware is making bolder ventures beyond its tried-and-tested techniques by joining the bandwagon of OneNote phishing campaigns, which allows it to cast a wider net for increased profitability. Within just two years of activity, the threat actors behind the ransomware are proving their hunger for prolificacy, expanding their business model with a RaaS affiliate program and maintaining several platforms to announce victims and expose stolen data.\r\nWe can expect TargetCompany to make even bigger moves in the future, especially since the threat actors behind it have admitted that they created TargetCompany to move away from the restrictions and inflexibility of their previous groups. Now unhindered, the gang will naturally try to maximize profits from its victims.\r\nTo protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection and backup and recovery measures to secure data from possible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware families that abuse exploits.\r\nWe advise users and organizations to update their systems with the latest patches and apply multilayered defense mechanisms. End users and enterprises alike can mitigate the risk of infection from new threats like the TargetCompany ransomware by following these security best practices:\r\nEnable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.\r\nAdhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.\r\nPatch and update systems regularly. It’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.\r\nSource: https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html"
	],
	"report_names": [
		"xollam-the-latest-face-of-targetcompany.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a7d98b9119964308d95c009911b51f3ca256fce.pdf",
		"text": "https://archive.orkl.eu/5a7d98b9119964308d95c009911b51f3ca256fce.txt",
		"img": "https://archive.orkl.eu/5a7d98b9119964308d95c009911b51f3ca256fce.jpg"
	}
}