{
	"id": "986a347e-648a-4632-af1f-b13a8ed933e3",
	"created_at": "2026-04-06T00:17:07.373937Z",
	"updated_at": "2026-04-10T03:24:24.488218Z",
	"deleted_at": null,
	"sha1_hash": "80a4cb656bb52216a7a59cdd6a570e5a86d1b454",
	"title": "When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73881,
	"plain_text": "When Threat Actors Fly Under the Radar: Vatet, PyXie and\r\nDefray777\r\nBy Ryan Tracey, Drew Schmitt\r\nPublished: 2020-11-07 · Archived: 2026-04-05 15:05:10 UTC\r\nLinking Vatet, PyXie and Defray777\r\nWhile researching these malware families, we found that there were several consistencies between Vatet, PyXie\r\nand Defray777 that strongly suggest that all three malware families were created, and are currently maintained by,\r\nthe same financially motivated threat group.\r\nPDB Path Reuse\r\nAs we saw with the Defray777 decryptors, there are numerous victims that have been impacted by Defray777.\r\nHowever, these decryptors also show some overlap with PyXie. One of the decryptors we analyzed shares a\r\ncommon path with earlier versions of PyXie and its Cobalt Mode downloader.\r\nDefray777 Decryptor Z:\\coding\\pyproject\\compiled\\ransom\\ransom.pdb\r\nPyXie z:\\coding\\pyproject\\python_static_2.7.15\\\r\nCobalt Mode Z:\\coding\\pyproject\\compiled\\cobalt_mode\\cobalt_mode.pdb\r\nTable 19. PDB paths shared between Defray777, PyXie and Cobalt Mode.\r\nAdditionally, some of the variants of Vatet we observed also have overlapping PDB paths.\r\nTetris C:\\Users\\1\\Downloads\\tetris-game-master\\Release\\TetrisGame_zjy.pdb\r\nNotepad C:\\Users\\1\\Downloads\\notepad-master\\Debug\\notepad.pdb\r\nRainmeter C:\\Users\\1\\Downloads\\rainmeter-master\\x32-Release\\Obj\\Library\\Rainmeter.pdb\r\nRainmeter C:\\Users\\1\\Downloads\\rainmeter-master\\x32-Release\\Obj\\Application\\Rainmeter.pdb\r\nNotepad++ C:\\Users\\1\\Downloads\\notepad-plus-plus-master\\PowerEditor\\bin\\npp.pdb\r\nTable 20. PDB paths shared between Vatet variants.\r\nString Encryption\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4\r\nPage 1 of 3\n\nDuring our research, we observed that the method of string encryption in each of the variants was consistent.\r\nDefray777 uses the same string encryption that was used in PyXie. 
Additionally, the same string encryption\r\nmethodology was observed in the Tetris variant of Vatet loader.\r\nFigure 26. Defray777 string decryption example.\r\nCreating Mutexes\r\nDefray777 uses the same Mutex routine as the updated PyXie sample we analyzed, including the\r\nDEFAULTCOMPNAME fallback. One thing Defray777 does differently is that it omits the step where the\r\ncomputed MD5 hash is XOR’d with 0x2.\r\nFigure 27. The Defray777 mutex creation process.\r\nConclusion\r\nSince 2018, a financially-motivated threat group has been using a combination of Vatet loader, PyXie RAT and\r\nDefray777 ransomware to target organizations in the healthcare, education, government and technology industries\r\nwithout drawing attention to themselves. They’ve only been a blip on the radar.\r\nWe have exposed this group’s desire to use open source tools as a means for the Vatet loader. We have shown how\r\nPyXie is used to conduct reconnaissance and find and exfiltrate data. We have also uncovered how this group uses\r\nCobalt Strike to deliver Defray777 into memory to encrypt files, causing catastrophic damage to their victims.\r\nWe hope that by shining more light on this group of threat actors, we can help disrupt their ability to conduct\r\nransomware operations. 
Now that they are on the radar, we must aim to keep them there.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAll samples in this report have a malicious verdict in WildFire.\r\nCortex XDR detects these threats.\r\nCommand and Control infrastructure has been classified as malicious in URL Filtering.\r\nAutoFocus tags are available for additional context:\r\nPyXie\r\nRansomX (also known as Defray777)\r\nVatet\r\nContinue reading: Indicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4"
	],
	"report_names": [
		"4"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80a4cb656bb52216a7a59cdd6a570e5a86d1b454.pdf",
		"text": "https://archive.orkl.eu/80a4cb656bb52216a7a59cdd6a570e5a86d1b454.txt",
		"img": "https://archive.orkl.eu/80a4cb656bb52216a7a59cdd6a570e5a86d1b454.jpg"
	}
}