{
	"id": "7e30a311-3c38-4003-8053-d05dfce72ab6",
	"created_at": "2026-04-06T02:11:31.280405Z",
	"updated_at": "2026-04-10T03:20:01.339559Z",
	"deleted_at": null,
	"sha1_hash": "8b1c48badfca80b17b04f0e8e8812448c303387f",
	"title": "Hidden Tear Project: Forbidden Fruit Is the Sweetest | Tripwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58302,
	"plain_text": "Hidden Tear Project: Forbidden Fruit Is the Sweetest | Tripwire\r\nBy Guest Authors\r\nPublished: 2016-03-20 · Archived: 2026-04-06 01:33:49 UTC\r\nThe scourge of ransomware is by far today’s biggest computer security concern. By stepping into the crypto\r\nrealm, cybercrooks have thrown down the gantlet to antivirus labs around the globe that are still mostly helpless in\r\nthe face of this challenge. While many experts have been busy reverse-engineering obtained ransomware samples\r\nand posting complex flowcharts to demonstrate their modus operandi, a Turkish programmer named Utku Sen\r\nmade a very bold but questionable move. Not only did he write code for a viable ransomware as a proof-of-concept, but he also made it publicly available on his GitHub page in mid-August 2015. The project, dubbed\r\nHidden Tear, happens to be entirely open-source. To the author’s credit, he added a disclaimer emphasizing the\r\nstrictly educational goals of the initiative. This notice, predictably enough, didn’t stop threat actors from taking\r\nadvantage of the code in the worst way imaginable. Since anyone with basic programming skills can use it to\r\nlaunch an extortion campaign of their own, the initially benign project resulted in the emergence of numerous real-world crypto Trojans with minor tweaks.\r\nHIDDEN TEAR 101\r\nUtku Sen’s proof-of-concept uses AES encryption to encode files located inside ‘\\test’ directory on the infected\r\nsystem’s Desktop. The above acronym stands for Advanced Encryption Standard. Originally known as Rijndael,\r\nthis algorithm is symmetric, which means that the encryption and decryption keys are identical. The key can be\r\n128-, 192-, or 256-bits long. Ideally, either degree of entropy suffices to make brute-forcing virtually inefficient\r\nand keep a victim’s files hostage. The ransomware transmits the key to a remote server so that it’s only available\r\nto the operator. 
To recover data, the infected person needs to have a specially crafted decryption program and the\r\nsecret key at their disposal. These two prerequisites are the objects of negotiation, or rather, a bargain between the\r\nperpetrator and the user. The Trojan creates a document with detailed recovery instructions and relevant\r\nhyperlinks on the Desktop. Owing to a lightweight payload of only 12 KB, the infection is easy to distribute\r\nthrough phishing emails that contain a booby-trapped attachment. Furthermore, Hidden Tear boasts antivirus\r\nevasion techniques that allow it to fly under the radar of popular AV engines. Extensive flexibility of the code\r\nmakes it trivial for anybody interested to devise a custom variant of the program. The researcher also made a short\r\nvideo demonstrating his brainchild in action. In a post published on his blog in late November, Sen explained his\r\ngenuine motivations and responded to criticism regarding his project. In particular, he admitted that the abuse of\r\nHidden Tear by script kiddies or other parties was a foreseeable but undesirable consequence. This is why the\r\nauthor deliberately incorporated a security flaw into the code, effectively turning it into a honeypot for likely\r\noffenders. According to the researcher, the key can be recovered from two values: the last-write timestamp of any\r\nencrypted file and the number of milliseconds that had elapsed since the operating system booted. Once these\r\nvalues have been read via the GetLastWriteTime method and the Environment.TickCount property, they pin down\r\nthe moment the key was generated to a small window, and because the key is a deterministic function of that tick\r\ncount, enumerating the window yields it. For the average computer expert, this shouldn’t pose a difficulty.\r\nREAL-WORLD ABUSE INCIDENTS\r\nhttps://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/\r\nPage 1 of 3\n\nThe evolution of crypto malware gave birth to a new phenomenon known as Ransomware as a Service (RaaS). 
It\r\ndenotes an affiliate framework where some criminals do the programming part and others distribute the readily\r\navailable infection. Meanwhile, the latter share 20-25 percent of their revenue with the developer. No\r\nwonder the wannabe extortionists became interested in Utku Sen’s project, which was completely free to use.\r\nScoundrels reportedly ended up coining more than 20 standalone strains based on Hidden Tear. In particular, the\r\nsource code came in handy to the black hats responsible for the following notorious ransomware families:\r\n1. Encoder is the first-ever ransom Trojan that targets Linux-based web servers. It surfaced at the beginning\r\nof November 2015. Luckily, this edition had a critical flaw that allowed researchers from Bitdefender to\r\ncrack the crypto and obtain the AES key from the timestamp of any encrypted file. And yet, this sample was\r\nrevolutionary because never before had Linux undergone ransomware attacks.\r\n2. Discovered by Trend Micro in mid-January 2016, B turned out to be another incarnation of Hidden Tear. The\r\ndistributor of this ransomware appears to operate in Brazil. The ransom instructions are written in\r\nPortuguese, and the racketeer demands the Brazilian currency equivalent of US$500 for decryption.\r\nUltimately, Utku Sen was able to help the infected users since the sample was backdoored. Interestingly\r\nenough, the scammer never configured the Trojan to send the AES keys to a C\u0026C server or simply save\r\nthem anywhere. This means that victims had no chance of getting their data back even if they paid the ransom.\r\n3. Magic Ransomware is the most recent spin-off, first spotted in late January this year. Unlike the earlier\r\ncopycats, this one is based on EDA2, another POC created by Utku Sen. The malware appends the .magic\r\nextension to filenames and extorts 1 Bitcoin for data restoration. 
For a number of reasons, which will be\r\nhighlighted in the next section of this article, the whole campaign turned out to be a complete failure.\r\n4. More than a dozen samples representing the Trojan-Ransom.MSIL.Tear family were found to also utilize\r\nHidden Tear code. As per the in-depth analysis, however, these are script kiddies’ experiments rather than\r\nprofessional ransomware plagues. Some of them, including Trojan-Ransom.MSIL.Tear.r and Trojan-Ransom.MSIL.Tear.t, sent AES keys to the example.com domain, which the attackers configured as their\r\nCommand and Control server. Since that domain is a reserved documentation name rather than an attacker-controlled\r\nserver, the keys were never collected, and the victims’ data was lost for good.\r\nHIDDEN TEAR AUTHOR BLACKMAILED\r\nThe aforementioned Magic Ransomware case went terribly wrong. It was built with Sen’s open-source EDA2\r\ncode. The researcher expected he could harness vulnerabilities in the control script to access the database of\r\ndecryption keys. However, it turned out that the crooks behind the actual Trojan were using a C\u0026C server located\r\non a free hosting service. Someone submitted a complaint, which resulted in the takedown of the malicious\r\nCommand and Control. The programmer was, therefore, unable to retrieve the database even with his pre-injected\r\nbackdoor. What happened next was unexpected for everyone involved. Distributors of the Magic virus joined the\r\ndiscussion of their ransomware on a popular security forum. They asked Utku Sen to remove the source code for\r\nhis projects from GitHub and send them 3 Bitcoins. If these demands were met, the criminals promised they\r\nwould assist everyone infected in data recovery for free. At the end of the day, Sen abandoned Hidden Tear and\r\nEDA2, making both unavailable to the public. The hackers, in their turn, provided decryption details to the victims\r\nwho asked for help. 
It’s unclear why exactly the perpetrators did this, but the infected users got their files back,\r\nwhich is a win.\r\nRECAP\r\nUtku Sen’s original motivation was to demonstrate to researchers the ins and outs of how ransomware works. He\r\nalso took measures to mitigate possible damage by injecting backdoors into his code. However, the emergence\r\nof Hidden Tear caused a spike in ransomware incidents. Providing a fully functional free extortion tool and\r\nexpecting it to never go beyond the educational framework is wishful thinking. Now that Hidden Tear is no longer\r\navailable from its official repository, there’s no guarantee that interested parties will stop using it in new extortion\r\ncampaigns. It’s naive to believe that cybercriminals failed to make and distribute copies of the code. Meanwhile,\r\nsecurity professionals should think twice before publishing similar POCs. Even with backdoors under the hood,\r\nthey may get out of hand, and the Magic case shows that a backdoor is worthless once the server it depends on is gone.\r\nAbout the Author: David Balaban is a computer security researcher with over 10 years of experience in malware\r\nanalysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert\r\nopinions on contemporary information security matters, including social engineering, penetration testing,\r\nthreat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has\r\ninterviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand\r\nperspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus\r\non ransomware countermeasures. Editor’s Note: The opinions expressed in this guest author article are solely\r\nthose of the contributor, and do not necessarily reflect those of Tripwire, Inc. 
Title image courtesy of ShutterStock\r\nSource: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/"
	],
	"report_names": [
		"hidden-tear-project-forbidden-fruit-is-the-sweetest"
	],
	"threat_actors": [],
	"ts_created_at": 1775441491,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b1c48badfca80b17b04f0e8e8812448c303387f.pdf",
		"text": "https://archive.orkl.eu/8b1c48badfca80b17b04f0e8e8812448c303387f.txt",
		"img": "https://archive.orkl.eu/8b1c48badfca80b17b04f0e8e8812448c303387f.jpg"
	}
}