{
	"id": "e3fe34ff-6c70-4421-ae8c-452395f823b8",
	"created_at": "2026-04-06T00:10:26.116176Z",
	"updated_at": "2026-04-10T13:13:04.855192Z",
	"deleted_at": null,
	"sha1_hash": "6208d70c169f893ee373fac63c4021c3d6b3b597",
	"title": "The New Threat: Mallox Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 25979325,
	"plain_text": "The New Threat: Mallox Ransomware\r\nArchived: 2026-04-02 11:34:45 UTC\r\n1. Mallox Ransomware Description\r\nIn October 2021 Mallox, a new type of ransomware, began attacking enterprises in Asia. This new ransomware is identified by encrypted files being given the suffix “.mallox”.\r\nAfter Sangfor FarSight Labs Endpoint Security Team captured samples of this new malware strain, analysis found that Mallox was even more destructive than currently active ransomware.\r\n1. Mallox adds a C# shell layer using common DLL hijacking technology to bypass security software.\r\n2. Mallox spreads like a worm through file sharing and uses the same file retrieval technology as Search Artifact to attain rapid file retrieval and encryption.\r\nMallox can encrypt many files in a very short period of time, resulting in irreparable losses once it is installed on a company's computers.\r\nhttps://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware\r\nPage 1 of 16\n\n2. Technical Analysis\r\nTo bypass anti-virus software, Mallox adds a C# shell layer to hide its malicious behavior, and uses SmartAssembly to obfuscate the C# shell, as seen below:\r\nAdvancedRun.exe is installed and run in the temp directory:\r\nAdvancedRun.exe presents a configuration window when started:\r\nWindows Defender is turned off:\r\nThe Windows Defender directory is deleted:\r\nThe AdvancedRun.exe file is then deleted:\r\nThe script file Yubhigusnhbrkitykwictqkill$.bat is created in the temp directory:\r\nThe operation of the script file Yubhigusnhbrkitykwictqkill$.bat is as follows, with the main functions being:\r\n1. Restoring the CMD default association by deleting the registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun\".\r\n2. Setting security permissions for specified files and folders to prevent them from becoming inaccessible: cmd.exe, net.exe, net1.exe, mshta.exe, FTP.exe, wscript.exe, cscript.exe, powershell.exe, C:\\ProgramData, C:\\Users\\Public.\r\n3. Deleting the shadow disk.\r\n4. Stopping and deleting specific programs and services, including security software and any related to line-of-business.\r\nThe Visual Basic script Blffpekna.vbs is created in the temp directory to run Yubhigusnhbrkitykwictqkill$.bat:\r\nThe Yubhigusnhbrkitykwictqkill$.bat script is run:\r\nMSBuild.exe in the .NET installation directory is copied into the temp directory:\r\nThe running MSBuild.exe process is identified, and the ransomware main module is injected into the MSBuild.exe process to bypass the security software:\r\nThe main Mallox module is an exe file that implements the encryption functions. The following preparation is done before encryption:\r\n1. Excludes hosts in Russia, Kazakhstan, Ukraine and Qatar\r\n2. Elevates permissions\r\n3. Deletes the registry entries for Raccine\r\n4. Deletes the disk shadow\r\n5. Cancels the automatic startup repair mode\r\n6. Terminates the following program processes:\r\nIf a program is running under the debugger, an exception will be thrown when trying to use CloseHandle to close the handle returned by the FindFirstFile function, which prevents the malware from being closed. The malware will prevent debugging from starting again:\r\nThe number of encryption threads created is 2 times the number of existing processors, with an upper limit of 64 threads:\r\nThe encryption threads are synchronized using IOCP and encrypt target files found by the file traversal thread:\r\nThe ChaCha20 algorithm (a variant of the Salsa20 stream cipher) is used to encrypt files, with the encryption suffix \".mallox\".\r\nRansom information:\r\nRetrieve IP addresses from the ARP table to create a virus propagation thread:\r\nName the malware file mall.exe and copy it through file sharing to the IP hosts from the ARP table, then create a corresponding service on the target systems. If the virus is run without a shell, it can be spread automatically:\r\nObtain system disk information of all network disks, removable disks, and local disks. Create a thread for each disk that needs to be encrypted by traversing to find files:\r\nUse this method of reading USN logs to quickly retrieve disk files:\r\nFilter out the ransomware files and the files of the program itself:\r\nThen filter out files with the following suffixes:\r\nGet the full path of the files and filter the following directories:\r\nSend eligible files to the encryption thread for file encryption:\r\n3. Protection Recommendations\r\n1. Set up access permissions for important files and turn off unnecessary file sharing features.\r\n2. Perform regular non-local (offline) backups.\r\n3. Use a highly secure host password and avoid multiple devices using the same password.\r\n4. Do not map ports like 3389 directly to the internet or an external network to prevent brute-force cracking.\r\n5. Avoid opening emails, links, and URL attachments of unknown origin.\r\n6. Do not download non-genuine software from unofficial sites.\r\n7. If you find that the file type does not match the original icon, you should scan the file using endpoint detection software to detect any malicious code within the file.\r\n8. Regularly scan the system for vulnerabilities and install patches in a timely manner.\r\n4. Using Sangfor Products:\r\n1. Run anti-virus and vulnerability scans using Endpoint Secure.\r\n2. For users of Sangfor Cyber Command, NGAF, and Endpoint Secure, it is recommended that the system engines and signature databases are upgraded regularly.\r\n3. Connect to Neural-X and use Cloud Sandbox to detect and defend against new threats.\r\n4. Sangfor provides free bot and virus removal tools to users. You can download the virus detection and protection tools here: https://page.sangfor.com/anti-bot-tool\r\n5. Sangfor Engine Zero malware detection engine is integrated into most Sangfor security products to provide precision defense against unknown viruses and malware.\r\n6. Sangfor has a suite of Security Assessment Services to help users quickly find gaps in their security architecture and develop remediation plans.\r\n7. Sangfor Security Assessment Services provide security device policy inspection, threat hunting \u0026 detection, and vulnerability inspections to ensure that risks are immediately identified, and remediation strategies developed to prevent successful attacks in the future.\r\nSource: https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware"
	],
	"report_names": [
		"new-threat-mallox-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6208d70c169f893ee373fac63c4021c3d6b3b597.pdf",
		"text": "https://archive.orkl.eu/6208d70c169f893ee373fac63c4021c3d6b3b597.txt",
		"img": "https://archive.orkl.eu/6208d70c169f893ee373fac63c4021c3d6b3b597.jpg"
	}
}