{
	"id": "8a24997a-b375-4ab8-af58-e45a69ebcdb3",
	"created_at": "2026-04-06T01:30:30.663481Z",
	"updated_at": "2026-04-10T03:24:23.906006Z",
	"deleted_at": null,
	"sha1_hash": "835bb3b271f714b2ea08ab956da4b9c9eaa6d050",
	"title": "Hive ransomware uses new 'IPfuscation' trick to hide payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4814756,
	"plain_text": "Hive ransomware uses new 'IPfuscation' trick to hide payload\r\nBy Bill Toulas\r\nPublished: 2022-03-30 · Archived: 2026-04-06 00:06:18 UTC\r\nThreat analysts have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.\r\nCode obfuscation is what helps threat actors hide the malicious nature of their code from human reviewers or security software so that they can evade detection.\r\nThere are numerous ways to achieve obfuscation, each with its own set of pros and cons, but a novel one discovered in an incident response involving Hive ransomware shows that adversaries are finding new, stealthier ways to achieve their goal.\r\nhttps://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/\r\nPage 1 of 5\r\nSentinel Labs analysts report on the new obfuscation technique, which they call “IPfuscation”, and which is yet another example of how effective simple but smart methods can be in real-world malware deployment.\r\nFrom IP to shellcode\r\nThe analysts discovered the new technique while analyzing 64-bit Windows executables, each containing a payload that delivers Cobalt Strike.\r\nThe payload itself is obfuscated by taking the form of an array of ASCII IPv4 addresses, so it looks like an innocuous list of IP addresses.\r\nIn the context of malware analysis, the list may even be mistaken for hard-coded C2 communication information.\r\nThe list of IPv4 addresses that will assemble the payload\r\n(Sentinel Labs)\r\nWhen the file is passed to a converting function (ip2string.h) that translates the string to binary, a blob of shellcode appears.\r\nOnce this step has been completed, the malware executes the shellcode either via direct SYSCALLs or by proxying execution via callback on the user interface language enumerator (winnls.h), resulting in a standard Cobalt Strike stager.\r\nHere’s an example from the Sentinel Labs report:\r\nThe first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0.\r\nDisassembling these “binary representations” shows the start of shellcode generated by common penetration testing frameworks.\r\nThe resulting shellcode from two IP addresses\r\n(Sentinel Labs)\r\nThe analysts have discovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner to what we described above.\r\nDeobfuscated strings forming a Cobalt Strike stager\r\n(Sentinel Labs)\r\nThe takeaway from this is that relying solely on static signatures for malicious payload detection is not enough these days.\r\nBehavioral detection, AI-assisted analysis, and holistic endpoint security that aggregates suspicious elements from multiple points would have a better chance at lifting the lid on IPfuscation, the researchers say.\r\nSource: https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/"
	],
	"report_names": [
		"hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439030,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/835bb3b271f714b2ea08ab956da4b9c9eaa6d050.pdf",
		"text": "https://archive.orkl.eu/835bb3b271f714b2ea08ab956da4b9c9eaa6d050.txt",
		"img": "https://archive.orkl.eu/835bb3b271f714b2ea08ab956da4b9c9eaa6d050.jpg"
	}
}